--- a/bin/dnsvi	Fri May 30 14:44:16 2014 +0200
+++ b/bin/dnsvi	Fri May 30 14:51:24 2014 +0200
@@ -125,6 +125,29 @@
 The name of the key file we need for TSIG (the AXFR will use it,
 as well as the update).
 
+To create such a key you may use 
+
+    dnssec-keygen -a HMAC-MD5 -b 512 -n USER heiko
+
+Then copy the resulting files somewhere (you'll need both files).
+On the server side include the key into to configuration:
+
+    key "<name>" {
+	algorithm   HMAC-MD5;
+	secret	    "<the secret from the created key file>"
+    };
+
+Per zone you should use 
+
+    zone "<zone>" {
+	...
+	update-policy {
+	    grant local-ddns zonesub any;   // support for -l
+	    grant <key-name> zonesub;	    // support for -k
+	};
+	...
+    };
+
 =item B<-d>
 
 This option enables debugging of C<nsupdate>. (default: off)