From eebea43b84f64815d74289cd8ff2e5946baa1893 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Wed, 27 Feb 2019 18:28:04 +0000 Subject: [PATCH] Update README to document root anchor storage directory on Windows. This fixes Stubby issue #153. --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 565310c7..c777f507 100644 --- a/README.md +++ b/README.md @@ -134,9 +134,9 @@ format. Note that this is different than the format of BIND.keys. When the root trust anchor is not installed in the default location and a DNSSEC query is done, getdns will try to use the trust anchors published here: http://data.iana.org/root-anchors/root-anchors.xml . It will validate these anchors with the ICANN Certificate Authority certificate following the procedure described in [RFC7958]. -The `root-anchors.xml` and `root-anchors.p7s` S/MIME signature will be cached in the `$HOME/.getdns` directory. +The `root-anchors.xml` and `root-anchors.p7s` S/MIME signature will be cached in the `$HOME/.getdns` directory on Unixes, and the `%appdata%\getdns` directory on Windows. -When using trust-anchors from the `root-anchors.xml` file, getdns will track the keys in the root DNSKEY rrset and store a copy in $HOME/.getdns/root.key. +When using trust-anchors from the `root-anchors.xml` file, getdns will track the keys in the root DNSKEY rrset and store a copy in `$HOME/.getdns/root.key` on Unixes, and `%appdata%\getdns\root.key` on Windows. Only when the KSK DNSKEY's change, a new version of `root-anchors.xml` is tried to be retrieved from [data.iana.org](https://data.iana.org/root-anchors/). A installed trust-anchor from the default location (`/etc/unbound/getdns-root.key`) that fails to validate the root DNSKEY RRset, will also trigger the "Zero configuration DNSSEC" procedure described above.
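Review bot: the unchanged sentence at the end of this hunk still names only `/etc/unbound/getdns-root.key` as the default trust-anchor location, while the two changed sentences now document Windows paths. A Windows reader therefore still cannot tell which installed anchor, if any, is checked before the "Zero configuration DNSSEC" procedure is triggered. Suggest adding the Windows default location to that sentence, or stating that the default location applies to Unix only. Two style points on the added text: "Unixes" would read better as "Unix-like systems", and `%APPDATA%` is the more usual spelling of the variable (it is case-insensitive, so this is cosmetic). Since both `$HOME/.getdns` and `%appdata%\getdns` are per-user directories holding the cached `root-anchors.xml`, `root-anchors.p7s` and `root.key`, one more sentence saying the directory should be writable only by the user running getdns would also fit here.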