Reading trust anchors from files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Since version 4.2.0 of the PowerDNS Recursor, it is also possible to read the Trust Anchors from a BIND-style zonefile.
+.. versionadded:: 4.2.0
+
+It is also possible to read the Trust Anchors from a BIND-style zonefile using the :func:`readTrustAnchorsFromFile` in the :ref:`setting-lua-config-file`.
Only the DS and DNSKEY records from this file are read.
This file is (by default) re-read every 24 hours for updates.
Debian and its derivatives ship the ``dns-root-data`` package that contains the DNSSEC root trust anchors in ``/usr/share/dns/root.key``.
clearTA() -- Remove built-in trust-anchors
readTrustAnchorsFromFile("/usr/share/dns/root.key") -- Use these keys
+.. note::
+ When using :func:`readTrustAnchorsFromFile`, any runtime changes to Trust Anchors (see below) will be overwritten when the file is refreshed.
+ To prevent this, set the ``interval`` parameter to ``0``.
+ This will **disable** automatic reloading of the file.
+
Runtime Configuration of Trust Anchors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To change or add trust anchors at runtime, use the :doc:`manpages/rec_control.1` tool.
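
Review bot: The added note says to set the ``interval`` parameter to ``0``, but the only call shown in this section, ``readTrustAnchorsFromFile("/usr/share/dns/root.key")``, passes just the path, so a reader cannot tell from here where ``interval`` goes. Suggest showing the call with the interval argument inside the note, or stating that the signature is documented at the :func:`readTrustAnchorsFromFile` reference. This matters because, as the note itself says, an operator who changes anchors at runtime and misses this will have those changes overwritten at the next file refresh. Two smaller wording points: in the rewritten sentence, "using the :func:`readTrustAnchorsFromFile` in the" is missing a noun ("... function in the ..."), and "(see below)" in the note would be more robust as an explicit reference to the "Runtime Configuration of Trust Anchors" section.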