Diffstat (limited to 'network/dnscrypt-wrapper/README.Slackware')
-rw-r--r-- | network/dnscrypt-wrapper/README.Slackware | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/network/dnscrypt-wrapper/README.Slackware b/network/dnscrypt-wrapper/README.Slackware index 0c162404a3e1..b302317d4609 100644 --- a/network/dnscrypt-wrapper/README.Slackware +++ b/network/dnscrypt-wrapper/README.Slackware @@ -24,10 +24,28 @@ keys, and a provider certificate. These can all be generated manually (see automatically by configuring /etc/default/dnscrypt-wrapper and running /etc/rc.d/rc.dnscrypt-wrapper generate-keys + /etc/rc.d/rc.dnscrypt-wrapper generate-cryptkeys /etc/rc.d/rc.dnscrypt-wrapper generate-cert -You will need to note the provider key fingerprint(s) when running that -command, since clients will need it for verification. +You will need to note the provider key fingerprint(s) and/or stamp(s) when +running that command, since clients will need them for +identification/verification. Automatically generated keys have a 24-hour expiry +period by default. Unless you change this to something longer in +/etc/default/dnscrypt-wrapper, you will almost certainly need a key rotation +mechanism to automatically update the encryption key and certificate. This can +be done by running + + /etc/rc.d/rc.dnscrypt-wrapper rotate-keys + +This command backs up the old key/cert, creates a new key/cert, and restarts a +running server to support both old and new key/cert. Since clients typically +fetch new certificates hourly, support for the old key/cert should be removed +an hour after the keys are rotated by restarting the server: + + /etc/rc.d/rc.dnscrypt-wrapper restart + +Typically one cron job, run daily, would rotate the keys, and another, run an +hour later, would restart the server. In order for clients to forward queries through dnscrypt-wrapper, they will need to run dnscrypt-proxy configured to connect to the server running |
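Review bot: The schedule suggested in the last added paragraph ("one cron job, run daily, would rotate the keys") leaves no margin against the "24-hour expiry period by default" stated a few lines earlier. With both intervals at 24 hours, the old certificate expires at about the moment the new one is generated. The one-hour overlap window after rotate-keys then covers a certificate that is already expired, and a late or failed cron run leaves clients with nothing valid. Consider recommending rotation at an interval shorter than the configured expiry (or an expiry longer than the rotation interval) and saying so explicitly next to the /etc/default/dnscrypt-wrapper reference. The sentence "This command backs up the old key/cert" should also say where the backup is written and whether the later restart removes it, since a retained copy of the old secret key needs the same file permissions and cleanup as the live one.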