# harden-glue: yes
# Harden against receiving dnssec-stripped data. If you turn it
- # off, receiving no dnssec dnskey data (at all) for a trustanchor will
+ # off, failing to validate dnskey data for a trustanchor will
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
# harden-dnssec-stripped: yes
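Review bot: the new comment on the `+ # off, failing to validate dnskey data for a trustanchor will` line quietly widens what "off" tolerates without saying so: before, only a complete absence of DNSKEY data dropped the zone to insecure; now a DNSKEY RRset that is present but fails validation (bad or stale RRSIG, wrong key) does too. Since example.conf is what most operators read, the comment should state that consequence plainly, e.g. "off: a missing or non-validating DNSKEY makes the zone insecure, so an attacker who can corrupt (not just strip) DNSSEC data can disable validation for it". Minor style: "dnskey" and "trustanchor" are written as "DNSKEY" and "trust anchor" elsewhere in the docs.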
.It \fBharden-dnssec-stripped:\fR <yes or no>
Require DNSSEC data for trust-anchored zones, if such data is absent,
the zone becomes bogus. If turned off, and no DNSSEC data is received
-(no DNSKEY data to be precise), then the zone is made insecure, this behaves
-like there is no trust anchor. You could turn this off if you are sometimes
-behind an intrusive firewall (of some sort) that removes DNSSEC data from
-packets, or a zone changes from signed to unsigned often. If turned off you
-run the risk of a downgrade attack that disables security for a zone.
-Default is on.
+(or the DNSKEY data fails to validate), then the zone is made insecure,
+this behaves like there is no trust anchor. You could turn this off if
+you are sometimes behind an intrusive firewall (of some sort) that
+removes DNSSEC data from packets, or a zone changes from signed to
+unsigned to badly signed often. If turned off you run the risk of a
+downgrade attack that disables security for a zone. Default is on.
.It \fBdo-not-query-address:\fR <IP address>
Do not query the given IP address. Can be IP4 or IP6. Append /num to
indicate a classless delegation netblock, for example like
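Review bot: the first sentence of the entry ("if such data is absent, the zone becomes bogus") is now incomplete relative to the `+(or the DNSKEY data fails to validate)` line below it, since the "on" case should equally cover DNSKEY data that is present but does not validate; suggest "if such data is absent or does not validate, the zone becomes bogus". In the same hunk, `+unsigned to badly signed often` reads as a three-step sequence; "a zone changes from signed to unsigned often, or is sometimes badly signed" says what is meant. Finally, the downgrade warning should reflect the widened condition: with the option off, an on-path attacker no longer needs to strip DNSSEC records, corrupting the DNSKEY RRset or its signatures is enough to turn validation off for that zone.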