- RFC 7958 is now out, updated docs for unbound-anchor.

git-svn-id: file:///svn/unbound/trunk@3839 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,4 +1,7 @@
-29 August 2016: Ralph
+1 September 2016: Wouter
+	- RFC 7958 is now out, updated docs for unbound-anchor.
+
+29 August 2016: Wouter
 	- Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
 	  Siewior.
 	- Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.

doc/unbound-anchor.8.in

@@ -16,6 +16,8 @@
 .SH "DESCRIPTION"
 .B Unbound\-anchor
 performs setup or update of the root trust anchor for DNSSEC validation.
+The program fetches the trust anchor with the method from RFC7958 when
+regular RFC5011 update fails to bring it up to date.
 It can be run (as root) from the commandline, or run as part of startup
 scripts.  Before you start the \fIunbound\fR(8) DNS server.
 .P
@@ -39,8 +41,8 @@ update certificate files.
 .P
 It tests if the root anchor file works, and if not, and an update is possible,
 attempts to update the root anchor using the root update certificate.
-It performs a https fetch of root-anchors.xml and checks the results, if
+It performs a https fetch of root-anchors.xml and checks the results (RFC7958), 
-all checks are successful, it updates the root anchor file.  Otherwise
+if all checks are successful, it updates the root anchor file.  Otherwise
 the root anchor file is unchanged.  It performs RFC5011 tracking if the
 DNSSEC information available via the DNS makes that possible.
 .P

smallapp/unbound-anchor.c

@@ -37,7 +37,8 @@
  * \file
  *
  * This file checks to see that the current 5011 keys work to prime the
- * current root anchor.  If not a certificate is used to update the anchor.
+ * current root anchor.  If not a certificate is used to update the anchor,
+ * with RFC7958 https xml fetch.
  *
  * This is a concept solution for distribution of the DNSSEC root
  * trust anchor.  It is a small tool, called "unbound-anchor", that
@@ -47,7 +48,7 @@
  * Management-Abstract:
  *    * first run: fill root.key file with hardcoded DS record.
  *    * mostly: use RFC5011 tracking, quick . DNSKEY UDP query.
- *    * failover: use builtin certificate, do https and update.
+ *    * failover: use RFC7958 builtin certificate, do https and update.
  * Special considerations:
  *    * 30-days RFC5011 timer saves a lot of https traffic.
  *    * DNSKEY probe must be NOERROR, saves a lot of https traffic.
@@ -77,7 +78,7 @@
  * the file contains a list of normal DNSKEY/DS records, and uses that to
  * bootstrap 5011 (the KSK is made VALID).
  *
- * The certificate update is done by fetching root-anchors.xml and
+ * The certificate RFC7958 update is done by fetching root-anchors.xml and
  * root-anchors.p7s via SSL.  The HTTPS certificate can be logged but is
  * not validated (https for channel security; the security comes from the
  * certificate).  The 'data.iana.org' domain name A and AAAA are resolved