author Nikos Mavrogiannopoulos <nmav@gnutls.org> 2013-03-07 23:04:33 +0100
committer Nikos Mavrogiannopoulos <nmav@gnutls.org> 2013-03-07 23:04:33 +0100
commit 3e4a7a0f800c5c218058e1ca19b97d765d03c004
tree 9ff2964f66216d03d5536d95378fb29e33b7734a /doc/invoke-danetool.texi
parent b2018a523505279ad822f3b09c3473b5459269ab
updates in danetool
Diffstat (limited to 'doc/invoke-danetool.texi')
-rw-r--r-- doc/invoke-danetool.texi 41
1 files changed, 30 insertions, 11 deletions
diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi
index cb34077cd7..b063e56358 100644
--- a/doc/invoke-danetool.texi
+++ b/doc/invoke-danetool.texi
@@ -6,7 +6,7 @@
#
# DO NOT EDIT THIS FILE (invoke-danetool.texi)
#
-# It has been AutoGen-ed March 1, 2013 at 05:06:53 PM by AutoGen 5.16
+# It has been AutoGen-ed March 7, 2013 at 11:03:39 PM by AutoGen 5.16
# From the definitions ../src/danetool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -66,7 +66,11 @@ USAGE: danetool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
--ca Whether the provided certificate or public key is a Certificate
Authority.
--x509 Use the hash of the X.509 certificate, rather than the public key.
- --local The provided certificate or public key is a local entity.
+ --local This is an alias for 'domain'
+ - enabled by default
+ --domain The provided certificate or public key is issued by the local domain.
+ - disabled as --no-domain
+ - enabled by default
-v, --version[=arg] Output version information and exit
-h, --help Display extended usage information and exit
-!, --more-help Extended usage information passed thru pager
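Review bot: The default flips in this usage text without any migration note: `--local` used to be an opt-in flag, while `--domain` is now "enabled by default", so an invocation that passes neither flag no longer describes the same kind of certificate as before. Scripts that relied on the old default now need `--no-domain`, which deserves an explicit mention in the release notes. The `--local` alias is also listed as "enabled by default" but, unlike `--domain`, shows no "disabled as" form; state whether the alias can be negated or only the `--domain` name can.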
@@ -191,8 +195,22 @@ This option forces the generated record to contain the hash of the full X.509 ce
@anchor{danetool local}
@subsubheading local option
-This is the ``the provided certificate or public key is a local entity.'' option.
-DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity.
+This is an alias for the domain option,
+@pxref{danetool domain, the domain option documentation}.
+
+@anchor{danetool domain}
+@subsubheading domain option
+
+This is the ``the provided certificate or public key is issued by the local domain.'' option.
+
+@noindent
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+is enabled by default.
+@end itemize
+
+DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved.
@anchor{danetool exit status}
@subsubheading danetool exit status
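Review bot: The usage constraints list in the new domain option section says only "is enabled by default" and omits the `--no-domain` form that the usage text advertises, so the option's own documentation never says how to turn it off. The closing sentence, "meaning that there could be no CA involved", is also vague about what a verifier does differently for a domain-issued record compared with the `--no-domain` case; one sentence spelling that out would help. Because this file is generated (the header says DO NOT EDIT), both changes belong in ../src/danetool-args.def.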
@@ -211,26 +229,27 @@ The operation failed or the command syntax was not valid.
@subsubheading danetool Examples
@subsubheading DANE TLSA RR generation
-To create a DANE TLSA resource record for a CA signed certificate use the following commands.
-
+To create a DANE TLSA resource record for a certificate (or public key)
+that was issued localy and may or may not be signed by a CA use the following command.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem
@end example
-For a self signed certificate use:
+To create a DANE TLSA resource record for a CA signed certificate, which will
+be marked as such use the following command.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --local
+ --no-domain
@end example
-The latter is useful to add in your DNS entry even if your certificate is signed
+The former is useful to add in your DNS entry even if your certificate is signed
by a CA. That way even users who do not trust your CA will be able to verify your
certificate using DANE.
-In order to create a record for the signer of your certificate use:
+In order to create a record for the CA signer of your certificate use the following.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --ca
+ --ca --no-domain
@end example
To read a server's DANE TLSA entry, use:
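Review bot: In the first example paragraph "localy" should be "locally". The `--ca` example now carries `--no-domain`, but nothing in the text says what `--ca` on its own produces now that domain is enabled by default; add a sentence covering that combination so readers do not publish a record with a meaning they did not intend. "The former is useful" now points back across two examples; naming the example it refers to (the one without `--no-domain`) would be clearer than "the former". As above, these fixes go in the .def source rather than this generated file.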