From 9af471a0ea7b093be56ae916aebf088d78094616 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Tue, 12 Oct 2021 20:17:26 -0400
Subject: [PATCH] add another step in the dnssec stuff

---
 howto/dns.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/howto/dns.md b/howto/dns.md
index 2a6dba1c..d4e76830 100644
--- a/howto/dns.md
+++ b/howto/dns.md
@@ -120,6 +120,14 @@ With the above, you would have the following in Joker:
 
 And click "save".
 
+Make sure to update the record in the `tor-puppet.git` repository, in:
+
+    modules/unbound/files/torproject.org.key
+
+Copy the latest `dsset` entry in there. Normally, unbound takes care
+of updating that file to chase new versions, but new hosts will need
+that new anchor for bootstrapping.
+
 After a little while, you should be able to check if the new DS record
 works on [DNSviz.net](http://dnsviz.net/), for example, the [DNSviz.net view of
 torproject.net](http://dnsviz.net/d/torproject.net/dnssec/) should be sane.
-- 
GitLab