From: Wouter Wijngaards Date: Thu, 1 Nov 2007 16:05:55 +0000 (+0000) Subject: harden off has more consequences. X-Git-Tag: release-0.6~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e9277fc201ffa56841fc2a448e4df5939c0c185d;p=thirdparty%2Funbound.git harden off has more consequences. git-svn-id: file:///svn/unbound/trunk@732 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/example.conf b/doc/example.conf index 932fdf618..df51d8647 100644 --- a/doc/example.conf +++ b/doc/example.conf @@ -172,7 +172,7 @@ server: # harden-glue: yes # Harden against receiving dnssec-stripped data. If you turn it - # off, receiving no dnssec dnskey data (at all) for a trustanchor will + # off, failing to validate dnskey data for a trustanchor will # trigger insecure mode for that zone (like without a trustanchor). # Default on, which insists on dnssec data for trust-anchored zones. # harden-dnssec-stripped: yes diff --git a/doc/unbound.conf.5 b/doc/unbound.conf.5 index 65bc29c21..c3e3f2a6e 100644 --- a/doc/unbound.conf.5 +++ b/doc/unbound.conf.5 
@@ -234,12 +234,12 @@ Will trust glue only if it is within the servers authority. Default is on. .It \fBharden-dnssec-stripped:\fR Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes bogus. If turned off, and no DNSSEC data is received -(no DNSKEY data to be precise), then the zone is made insecure, this behaves -like there is no trust anchor. You could turn this off if you are sometimes -behind an intrusive firewall (of some sort) that removes DNSSEC data from -packets, or a zone changes from signed to unsigned often. If turned off you -run the risk of a downgrade attack that disables security for a zone. -Default is on. +(or the DNSKEY data fails to validate), then the zone is made insecure, +this behaves like there is no trust anchor. You could turn this off if +you are sometimes behind an intrusive firewall (of some sort) that +removes DNSSEC data from packets, or a zone changes from signed to +unsigned to badly signed often. If turned off you run the risk of a +downgrade attack that disables security for a zone. Default is on. .It \fBdo-not-query-address:\fR Do not query the given IP address. Can be IP4 or IP6. Append /num to indicate a classless delegation netblock, for example like
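Review bot: in the doc/example.conf hunk the rewritten comment now describes only the case where DNSKEY data fails to validate and drops the original case of receiving no dnskey data at all, while the unbound.conf.5 hunk in the same commit keeps both ("no DNSSEC data is received (or the DNSKEY data fails to validate)"). The two files should say the same thing, e.g. `# off, receiving no dnskey data, or dnskey data that fails to validate,` followed by `# for a trustanchor will trigger insecure mode for that zone`. The man page also warns that turning the option off risks a downgrade attack that disables security for the zone; that warning belongs in the example.conf comment as well, since many operators only ever read the example file.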
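Review bot: in the unbound.conf.5 hunk the new behaviour (a DNSKEY that fails to validate now makes the zone insecure instead of bogus when the option is off) widens the downgrade risk the paragraph already mentions, but the text does not say so: with the option off an attacker no longer has to strip every DNSSEC record from the reply, DNSKEY data that does not validate against the trust anchor is enough to drop the zone to insecure. Suggest making that explicit in the last sentence, e.g. "If turned off you run the risk of a downgrade attack, by stripping or corrupting DNSKEY data, that disables security for a zone." Also, "a zone changes from signed to unsigned to badly signed often" reads awkwardly; "a zone often changes between signed, unsigned and badly signed" says the same thing more clearly.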