Update docs

Update the file and dnssec docs and glarify what is implement and that we only do NSEC.

Update docs
Update the file and dnssec docs and glarify what is implement and that we only do NSEC.
9caa6071 · Miek Gieben · 2eac0389 · 9caa6071 · 9caa6071
Commit 9caa6071 authored Aug 29, 2016 by Miek Gieben
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 5 deletions

middleware/dnssec/README.md middleware/dnssec/README.md +3 -4

middleware/file/README.md middleware/file/README.md +3 -1

No files found.
--- a/middleware/dnssec/README.md
+++ b/middleware/dnssec/README.md
@@ -15,14 +15,13 @@ If keys are not specified (see below), a key is generated and used for all signi
 DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All
 signing operations are done online. Authenticated denial of existence is implemented with NSEC black
 lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to
-RSA).
+RSA). NSEC3 is *not* supported.
 A signing key can be specified by using the `key` directive.
-WARNING: when a key is generated there is currently no way to extract any key material from CoreDNS, as
+NOTE: Key generation has not been implemented yet.
-this key only lives in memory. See issue <https://github.com/miekg/coredns/issues/211>.
-TODO(miek): think about key rollovers.
+TODO(miek): think about key rollovers, and how to do them automatically.
 ~~~

--- a/middleware/file/README.md
+++ b/middleware/file/README.md
@@ -3,7 +3,9 @@
 `file` enables serving zone data from an RFC 1035-style master file.
 The file middleware is used for an "old-style" DNS server. It serves from a preloaded file that exists
-on disk.
+on disk. If the zone file contains signatures (i.e. is signed, i.e. DNSSEC) correct DNSSEC answers
+are returned. Only NSEC is supported! If you use this setup *you* are responsible for resigning the
+zonefile.
 ## Syntax