From 4321a363a42c627f8e2813bdf7842406a9bc1c47 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 4 Apr 2017 13:39:33 +0000
Subject: [PATCH] - Fix #1244: document that use of chroot requires trust
 anchor file to   be under chroot.

git-svn-id: file:///svn/unbound/trunk@4087 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog         | 4 ++++
 doc/unbound.conf.5.in | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/doc/Changelog b/doc/Changelog
index d1e4a81f1..f9cc66a57 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+4 April 2017: Wouter
+	- Fix #1244: document that use of chroot requires trust anchor file to
+	  be under chroot.
+
 3 April 2017: Ralph
 	- Do not add current time twice to TTL before ECS cache store.
 	- Do not touch rrset cache after ECS cache message generation.
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index e937b824b..7054a7ac7 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -785,7 +785,8 @@ frequently.  The initial file can be one with contents as described in
 \fBtrust\-anchor\-file\fR.  The file is written to when the anchor is updated,
 so the unbound user must have write permission.  Write permission to the file,
 but also to the directory it is in (to create a temporary file, which is
-necessary to deal with filesystem full events).
+necessary to deal with filesystem full events), it must also be inside the
+chroot (if that is used).
 .TP
 .B trust\-anchor: \fI<"Resource Record">
 A DS or DNSKEY RR for a key to use for validation. Multiple entries can be