From 779ad90f9a8e1c36c2581ff2b9170931a710f289 Mon Sep 17 00:00:00 2001 From: Anthony Romano Date: Tue, 2 Aug 2016 16:01:24 -0700 Subject: [PATCH] Documentation: update clustering guide about PKI SRV record forging --- Documentation/op-guide/clustering.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Documentation/op-guide/clustering.md b/Documentation/op-guide/clustering.md index 83cb074f2..9f29a2ddd 100644 --- a/Documentation/op-guide/clustering.md +++ b/Documentation/op-guide/clustering.md @@ -357,6 +357,8 @@ To help clients discover the etcd cluster, the following DNS SRV records are loo If `_etcd-client-ssl._tcp.example.com` is found, clients will attempt to communicate with the etcd cluster over SSL/TLS. +If etcd is using TLS without a custom certificate authority, the discovery domain (e.g., example.com) must match the SRV record domain (e.g., infra1.example.com). This is to mitigate attacks that forge SRV records to point to a different domain; the domain would have a valid certificate under PKI but be controlled by an unknown third party. + #### Create DNS SRV records ```
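Review bot: In the added paragraph, "the discovery domain (e.g., example.com) must match the SRV record domain (e.g., infra1.example.com)" is ambiguous, because the two examples given are not equal; what is presumably meant is that each SRV target hostname must lie within the discovery domain (be a subdomain of it). Suggest rewording along the lines of "the hostnames returned as SRV targets (e.g., infra1.example.com) must be within the discovery domain (e.g., example.com)". Two further documentation points would help operators: state what etcd does when a target fails this check (whether that endpoint is rejected or merely warned about), and explain why the check applies only "without a custom certificate authority", since a reader will otherwise wonder whether a forged SRV record is still a risk when a custom CA is configured and what the operator is expected to guarantee about that CA's issuance in its place.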