<varlistentry>
<term><varname>DNSSEC=</varname></term>
<listitem><para>Takes a boolean argument or
- <literal>downgrade-ok</literal>. If true all DNS lookups are
+ <literal>allow-downgrade</literal>. If true all DNS lookups are
DNSSEC-validated locally (excluding LLMNR and Multicast
DNS). If a response for a lookup request is detected invalid
this is returned as lookup failure to applications. Note that
this mode requires a DNS server that supports DNSSEC. If the
DNS server does not properly support DNSSEC all validations
- will fail. If set to <literal>downgrade-ok</literal> DNSSEC
+ will fail. If set to <literal>allow-downgrade</literal> DNSSEC
validation is attempted, but if the server does not support
DNSSEC properly, DNSSEC mode is automatically disabled. Note
that this mode makes DNSSEC validation vulnerable to
lookups will fail, as it cannot be proved anymore whether
lookups are correctly signed, or validly unsigned. If
<varname>DNSSEC=</varname> is set to
- <literal>downgrade-ok</literal> the resolver will
+ <literal>allow-downgrade</literal> the resolver will
automatically turn off DNSSEC validation in such a case.</para>
<para>Client programs looking up DNS data will be informed
DNSSEC correctly, and where software or trust anchor updates
happen regularly. On other systems it is recommended to set
<varname>DNSSEC=</varname> to
- <literal>downgrade-ok</literal>.</para>
+ <literal>allow-downgrade</literal>.</para>
</listitem>
</varlistentry>
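Review bot: the rename of the accepted literal from downgrade-ok to allow-downgrade in the `<literal>` lines above is a user-visible configuration change, and nothing in this hunk says whether the old spelling is still accepted. If downgrade-ok ever shipped in a release, an existing resolved.conf with DNSSEC=downgrade-ok would stop parsing after this patch; either keep the old name as a deprecated alias in the value parser or state in the commit message that it was never released. The surrounding text ("Note that this mode makes DNSSEC validation vulnerable to ...") is the right caveat to keep next to the "recommended to set DNSSEC= to allow-downgrade" sentence, since an on-path attacker who can make the upstream look DNSSEC-incapable gets unsigned answers accepted in that mode.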
* DNSSEC properly, downgrade to non-DNSSEC operation. Of
* course, we then are vulnerable to a downgrade attack, but
* that's life and what is configured. */
- DNSSEC_DOWNGRADE_OK,
+ DNSSEC_ALLOW_DOWNGRADE,
/* Insist on DNSSEC server support, and rather fail than downgrading. */
DNSSEC_YES,
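Review bot: renaming the enumerator to DNSSEC_ALLOW_DOWNGRADE must go together with the string table that maps the configuration literal to this enum value, otherwise the allow-downgrade literal documented in the man page hunk will not parse; that table is not visible in this patch, so please confirm it is included. The comment kept above ("we then are vulnerable to a downgrade attack, but that's life and what is configured") states the trade-off plainly and should stay.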
* this means we cannot do any DNSSEC logic
* anymore. */
- if (t->scope->dnssec_mode == DNSSEC_DOWNGRADE_OK) {
+ if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
/* We are in downgrade mode. In this
* case, synthesize an unsigned empty
* response, so that the any lookup
dns_server_packet_rrsig_missing(t->server);
- if (t->scope->dnssec_mode == DNSSEC_DOWNGRADE_OK) {
+ if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
/* Downgrading is OK? If so, just consider the information unsigned */
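Review bot: both call sites are switched to DNSSEC_ALLOW_DOWNGRADE consistently, but the comment on the last line ("Downgrading is OK? If so, just consider the information unsigned") still uses the old vocabulary; reword it to match the new name, e.g. "Is downgrading allowed? If so, treat the data as unsigned", and do the same grep for any remaining "downgrade OK" wording. Since the man page hunk promises that client programs are informed about the validation state, also confirm that the synthesized unsigned empty response in the first branch is reported to callers as unauthenticated rather than as validated.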