Mention that "tls" options defaults are outside of our control

We have to mention that every option within a "tls" clause has
defaults out of our control as some platforms have means for defining
encryption policies globally for any application on the system.

In order to comply with these policies, we have not to modify TLS
contexts settings, unless we have to do so according to the options
specified within "tls" clauses.

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index bed3ed0140b5b3076756c21ce79752e36b4fa19c..63beef4cbb9b411f15c74a9a488a47035fcdb98c 100644 (file)
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -4802,6 +4802,13 @@ The following options can be specified in a ``tls`` statement:
     or the TLS certificate and key pair is planned to be used across
     multiple BIND instances.
 
+The options described above are used to control different aspects of
+TLS functioning. Thus, most of them have no well-defined default
+values, as these depend on the cryptographic library version in use
+and system-wide cryptographic policy. On the other hand, by specifying
+the needed options one could have a uniform configuration deployable
+across a range of platforms.
+
 There are two built-in TLS connection configurations: ``ephemeral``,
 uses a temporary key and certificate created for the current ``named``
 session only, and ``none``, which can be used when setting up an HTTP