From: Peter Thomassen Date: Fri, 9 Sep 2016 18:14:13 +0000 (-0300) Subject: Docs: clarify that recursor does not do DNSSEC for zones from auth-zones setting X-Git-Tag: dnsdist-1.1.0-beta2~129^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F4449%2Fhead;p=thirdparty%2Fpdns.git Docs: clarify that recursor does not do DNSSEC for zones from auth-zones setting --- diff --git a/docs/markdown/recursor/dnssec.md b/docs/markdown/recursor/dnssec.md index 9f604c405c..fbc59e45cf 100644 --- a/docs/markdown/recursor/dnssec.md +++ b/docs/markdown/recursor/dnssec.md @@ -17,8 +17,8 @@ AD bits in queries. In this mode, the behaviour is equal to the PowerDNS Recurso The default mode. In this mode the Recursor acts as a "security aware, non-validating" nameserver, meaning it will set the DO-bit on outgoing queries and will provide DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for them (by means of a -DO-bit in the query). It will not do any validation in this mode, not even when -requested by the client. +DO-bit in the query), except for zones provided through the `auth-zones` setting. +It will not do any validation in this mode, not even when requested by the client. ## `process` When `dnssec` is set to `process` the behaviour is similar to [`process-no-validate`](#process-no-validate). diff --git a/docs/markdown/recursor/settings.md b/docs/markdown/recursor/settings.md index b8d81e478c..1ce258c29a 100644 --- a/docs/markdown/recursor/settings.md +++ b/docs/markdown/recursor/settings.md @@ -88,7 +88,7 @@ have to tick an 'RFC 2181 compliant' box. * Comma separated list of 'zonename=filename' pairs * Available since: 3.1 -Zones read from these files (in BIND format) are served authoritatively. Example: +Zones read from these files (in BIND format) are served authoritatively. DNSSEC is not supported. Example: `auth-zones=example.org=/var/zones/example.org, powerdns.com=/var/zones/powerdns.com`. ## `carbon-interval`
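Review bot: In the docs/markdown/recursor/dnssec.md hunk, the added clause "except for zones provided through the `auth-zones` setting" is ambiguous about what it excepts. It follows the parenthetical about the DO-bit, so it can be read as qualifying either the DO-bit on outgoing queries or the delivery of NSEC/RRSIG records to clients. A separate sentence would remove the ambiguity, for example "Zones loaded through the `auth-zones` setting are the exception: no DNSSEC related RRsets are returned for them, even when the client sets the DO-bit." The caveat also appears only under `process-no-validate`, while the `process` section that follows describes itself as "similar to" that mode, so a reader who jumps straight to `process` picks up the limitation only by reference. Consider stating it once in a place that applies to every mode.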
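Review bot: In the docs/markdown/recursor/settings.md hunk, "DNSSEC is not supported." is too terse for the `auth-zones` entry. It does not say whether signatures present in the zone file are ignored, whether RRSIG/NSEC records are withheld from clients, or both, and it does not point to the DNSSEC page that the same commit updates. Suggest wording that matches the dnssec.md change, such as "DNSSEC is not supported for these zones: no DNSSEC related RRsets are served for them, even to clients that set the DO-bit", with a link to docs/markdown/recursor/dnssec.md. The sentence now sits between the description and "Example:", so keeping it short or moving it after the example would keep the example adjacent to the text it illustrates.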