Update docs

Update the file and dnssec docs and glarify what is implement and that
we only do NSEC.

2 files changed, 6 insertions, 5 deletions

diff --git a/middleware/dnssec/README.md b/middleware/dnssec/README.md
index 3b90be46d..c16b38583 100644
--- a/middleware/dnssec/README.md
+++ b/middleware/dnssec/README.md
@@ -15,14 +15,13 @@ If keys are not specified (see below), a key is generated and used for all signi
 DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All
 signing operations are done online. Authenticated denial of existence is implemented with NSEC black
 lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to
-RSA).
+RSA). NSEC3 is *not* supported.
 
 A signing key can be specified by using the `key` directive.
 
-WARNING: when a key is generated there is currently no way to extract any key material from CoreDNS, as
-this key only lives in memory. See issue <https://github.com/miekg/coredns/issues/211>.
+NOTE: Key generation has not been implemented yet.
 
-TODO(miek): think about key rollovers.
+TODO(miek): think about key rollovers, and how to do them automatically.
 
 
 ~~~
diff --git a/middleware/file/README.md b/middleware/file/README.md
index e32eca05e..1a04cb3d6 100644
--- a/middleware/file/README.md
+++ b/middleware/file/README.md
@@ -3,7 +3,9 @@
 `file` enables serving zone data from an RFC 1035-style master file.
 
 The file middleware is used for an "old-style" DNS server. It serves from a preloaded file that exists
-on disk.
+on disk. If the zone file contains signatures (i.e. is signed, i.e. DNSSEC) correct DNSSEC answers
+are returned. Only NSEC is supported! If you use this setup *you* are responsible for resigning the
+zonefile.
 
 ## Syntax