<refsect1>
<title>Options</title>
+ <para>The following options are available in the <literal>[Resolve]</literal> section:</para>
+
<variablelist class='network-directives'>
<varlistentry>
<listitem><para>Takes a boolean argument or
<literal>allow-downgrade</literal>. If true all DNS lookups are
DNSSEC-validated locally (excluding LLMNR and Multicast
- DNS). If a response for a lookup request is detected invalid
- this is returned as lookup failure to applications. Note that
+ DNS). If the response to a lookup request is detected to be invalid
+ a lookup failure is returned to applications. Note that
this mode requires a DNS server that supports DNSSEC. If the
DNS server does not properly support DNSSEC all validations
will fail. If set to <literal>allow-downgrade</literal> DNSSEC
is built into the resolver, additional trust anchors may be
defined with
<citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
- Trust anchors may change in regular intervals, and old trust
+ Trust anchors may change at regular intervals, and old trust
anchors may be revoked. In such a case DNSSEC validation is
not possible until new trust anchors are configured locally or
the resolver software package is updated with the new root
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>Cache=</varname></term>
+ <listitem><para>Takes a boolean argument. If "yes" (the default), resolving a domain name which already got
+ queried earlier will return the previous result as long as it is still valid, and thus does not result in a new
+ network request. Be aware that that turning off caching comes at a performance penalty, which is particularly
+ high when DNSSEC is used.</para>
+
+ <para>Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address
+ (such as 127.0.0.1 or ::1), in order to avoid duplicate local caching.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>