From 1a74f6c55b3c390384dbf603d88bfcedc11c05ff Mon Sep 17 00:00:00 2001 From: Lexi Winter Date: Tue, 3 Jun 2025 11:38:48 +0100 Subject: README: mention tkey-gssapi-keytab --- README | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/README b/README index 6b25e9d..d7246bb 100644 --- a/README +++ b/README @@ -67,10 +67,20 @@ BIND + Kerberos configuration ----------------------------- if you want to use the default (and only) Kerberos dns-01 challenge, you must -configure your DNS server to accept Kerberos-authenticated nsupdates. +configure your DNS server to accept Kerberos-authenticated dynamic updates. -in BIND, an update policy like this will allow any host to update ACME -challenges for its own hostname: +first, tell BIND where to load its Kerberos keytab from: + +options { + tkey-gssapi-keytab "/usr/local/etc/namedb/krb5.keytab"; +}; + +the keytab MUST contain a server key for "DNS/name.of.server@", where +"name.of.server" MUST be the SOA MNAME for the zone(s) you want to update. +this is not configurable, it's a requirement of how the protocol works. + +an update policy like this will allow any host to update ACME challenges for +its own hostname: update-policy { # note: "EXAMPLE.ORG" is the Kerberos realm, not the DNS zone! -- cgit v1.2.3
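Review bot: the principal given in the new README text ends in a bare "@" ("DNS/name.of.server@"), so the realm is left unstated; write it as "DNS/name.of.server@EXAMPLE.ORG" (or "@REALM") so it lines up with the comment in the update-policy block that follows ("EXAMPLE.ORG" is the Kerberos realm, not the DNS zone!), otherwise a reader is likely to copy the hostname form and miss the realm. Two smaller points in the same hunk: the "options { tkey-gssapi-keytab ... };" snippet is a fragment to be merged into the server's existing options stanza (named does not accept a second options block), and the README should say that the keytab must be readable by the user named runs as and by nobody else, since it holds a long-term service key that authorises every dynamic update the policy permits.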