From c42db89ff992037841e7937059db952571af86fa Mon Sep 17 00:00:00 2001 From: Julien Lepiller Date: Tue, 23 Jul 2019 21:15:43 +0200 Subject: [PATCH] doc: Add example for generating a secret key with knot DNS. * doc/guix.texi (DNS Services): Add an example and more context to the includes field of the knot-configuration record. --- doc/guix.texi | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/doc/guix.texi b/doc/guix.texi index 107c16b8db..8c5fa5f741 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -20598,6 +20598,21 @@ thus not visible in @file{/gnu/store}---e.g., you could store secret key configuration in @file{/etc/knot/secrets.conf} and add this file to the @code{includes} list. +One can generate a secret tsig key (for nsupdate and zone transfers with the +keymgr command from the knot package. Note that the package is not automatically +installed by the service. The following example shows how to generate a new +tsig key: + +@example +keymgr -t mysecret > /etc/knot/secrets.conf +chmod 600 /etc/knot/secrets.conf +@end example + +Also note that the generated key will be named @var{mysecret}, so it is the +name that needs to be used in the @var{key} field of the +@code{knot-acl-configuration} record and in other places that need to refer +to that key. + It can also be used to add configuration not supported by this interface. @item @code{listen-v4} (default: @code{"0.0.0.0"})
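Review bot: in the added @example, `keymgr -t mysecret > /etc/knot/secrets.conf` creates the file under the shell's default umask and `chmod 600` only runs afterwards, so the TSIG key is readable by other local users in between, and stays readable if the second command is skipped or fails. Suggest restricting the mode before the secret is written, for instance by putting `umask 077` as the first line of the example, or by creating the file and applying `chmod 600` to it before redirecting into it. The `>` redirect also replaces whatever is already in /etc/knot/secrets.conf, which the preceding context presents as a general place for secret configuration; a short sentence saying so would save a reader from losing existing keys. In the first added paragraph, the parenthesis opened at "(for nsupdate and zone transfers" is never closed and should close after "transfers". Smaller points: "tsig" would read better as "TSIG", and since mysecret is the literal name used in the example rather than a metavariable, @code{mysecret} fits better than @var{mysecret}.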