From fc5fba0fbf6c6769e294b8c021010cc8e30ad8c9 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Tue, 8 Jun 2021 15:24:53 -0700
Subject: [PATCH] client/tailscale: document SetDNS more
Updates #1235
Signed-off-by: Brad Fitzpatrick
---
 client/tailscale/tailscale.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/client/tailscale/tailscale.go b/client/tailscale/tailscale.go
index fe71c841d..f32771488 100644
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -257,7 +257,20 @@ func Logout(ctx context.Context) error {
 return err
 }
-// SetDNS adds a DNS TXT record.
+// SetDNS adds a DNS TXT record for the given domain name, containing
+// the provided TXT value. The intended use case is answering
+// LetsEncrypt/ACME dns-01 challenges.
+//
+// The control plane will only permit SetDNS requests with very
+// specific names and values. The name should be
+// "_acme-challenge." + your node's MagicDNS name. It's expected that
+// clients cache the certs from LetsEncrypt (or whichever CA is
+// providing them) and only request new ones as needed; the control plane
+// rate limits SetDNS requests.
+//
+// This is a low-level interface; it's expected that most Tailscale
+// users use a higher level interface to getting/using TLS
+// certificates.
 func SetDNS(ctx context.Context, name, value string) error {
 v := url.Values{}
 v.Set("name", name)
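Review bot: The new SetDNS comment says the control plane only permits specific names and values and rate limits requests, but it does not tell the caller how a refusal surfaces, which a dns-01 client needs in order to decide whether to retry or back off. SetDNS's body continues past the end of the hunk, so the actual behaviour is not visible here; if both cases come back through the `error` result, a line such as `// A request that the control plane rejects or rate limits returns a non-nil error.` would close the gap. The comment could also state plainly that the name and value restrictions are enforced by the control plane, since the visible lines pass `name` straight into `url.Values` without a local check. As a wording point, the last sentence reads more cleanly as `// users use a higher-level interface for getting and using TLS certificates.`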