unbound: Add support for DLV (DNSSEC Lookaside Validation)

Fixes #392.
author: Tobias Brunner <tobias@strongswan.org> 2013-08-29 09:04:36 +0200
committer: Tobias Brunner <tobias@strongswan.org> 2013-10-11 15:45:25 +0200
commit: 6ecf1aab35dbf8d7c245935558570295a0352c83 (patch)
tree: fbf2c77e0f5de1b8e342c4b50d1a3b9bd916ebc9 /man
parent: 1ff63f153e5b551ee7ba0670ea4cc8b151432bc5 (diff)
download: strongswan-6ecf1aab35dbf8d7c245935558570295a0352c83.tar.bz2
strongswan-6ecf1aab35dbf8d7c245935558570295a0352c83.tar.xz
1 files changed, 9 insertions, 1 deletions
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index e8dbe63f8..0fb239adc 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -886,7 +886,15 @@ File to read pseudo random bytes from, instead of @urandom_device@
 File to read DNS resolver configuration from
 .TP
 .BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
-File to read DNSSEC trust anchors from (usually root zone KSK)
+File to read DNSSEC trust anchors from (usually root zone KSK). The format of
+the file is the standard DNS Zone file format, anchors can be stored as DS or
+DNSKEY entries in the file.
+.TP
+.BR libstrongswan.plugins.unbound.dlv_anchors
+File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
+the same format as \fItrust_anchors\fR. Only one DLV can be configured, which
+is then used as a root trusted DLV, this means that it is a lookaside for
+the root.
 .SS libtls section
 .TP
 .BR libtls.cipher
author	Tobias Brunner <tobias@strongswan.org>	2013-08-29 09:04:36 +0200
committer	Tobias Brunner <tobias@strongswan.org>	2013-10-11 15:45:25 +0200
commit	6ecf1aab35dbf8d7c245935558570295a0352c83 (patch)
tree	fbf2c77e0f5de1b8e342c4b50d1a3b9bd916ebc9 /man
parent	1ff63f153e5b551ee7ba0670ea4cc8b151432bc5 (diff)
download	strongswan-6ecf1aab35dbf8d7c245935558570295a0352c83.tar.bz2 strongswan-6ecf1aab35dbf8d7c245935558570295a0352c83.tar.xz