downgrade to non-DNSSEC mode by synthesizing a DNS response that suggests DNSSEC was not
supported.</para>
- <para>If set to false, DNS lookups are not DNSSEC validated. In this mode, or when set to
- <literal>allow-downgrade</literal> and the downgrade has happened, the resolver becomes
- security-unaware and all forwarded queries have DNSSEC OK (DO) bit unset.</para>
+ <para>If set to false, DNS lookups are not DNSSEC validated.</para>
<para>Note that DNSSEC validation requires retrieval of additional DNS data, and thus results in a
small DNS lookup time penalty.</para>