From: Arsen Stasic Date: Thu, 19 Sep 2019 14:51:54 +0000 (+0000) Subject: Improve wording in man page X-Git-Tag: release-1.9.6rc1~106^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F80%2Fhead;p=thirdparty%2Funbound.git Improve wording in man page Make it more consistent throughout the man page. If a config option can either be *yes* or *no* use exact these terms and not something like *on* which could be easily read as *no*. --- diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index b1d8c7900..5be74503a 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -775,7 +775,7 @@ wise to send these, and could be necessary for operation if TSIG or EDNS payload is very large. .TP .B harden\-glue: \fI -Will trust glue only if it is within the servers authority. Default is on. +Will trust glue only if it is within the servers authority. Default is yes. .TP .B harden\-dnssec\-stripped: \fI Require DNSSEC data for trust\-anchored zones, if such data is absent, @@ -785,7 +785,7 @@ this behaves like there is no trust anchor. You could turn this off if you are sometimes behind an intrusive firewall (of some sort) that removes DNSSEC data from packets, or a zone changes from signed to unsigned to badly signed often. If turned off you run the risk of a -downgrade attack that disables security for a zone. Default is on. +downgrade attack that disables security for a zone. Default is yes. .TP .B harden\-below\-nxdomain: \fI From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"), @@ -795,7 +795,7 @@ noerror for empty nonterminals, hence this is possible. Very old software might return nxdomain for empty nonterminals (that usually happen for reverse IP address lookups), and thus may be incompatible with this. To try to avoid this only DNSSEC-secure nxdomains are used, because the old software does not -have DNSSEC. Default is on. +have DNSSEC. Default is yes. The nxdomain must be secure, this means nsec3 with optout is insufficient. .TP .B harden\-referral\-path: \fI @@ -974,10 +974,10 @@ It is possible to use wildcards with this statement, the wildcard is expanded on start and on reload. .TP .B trust\-anchor\-signaling: \fI -Send RFC8145 key tag query after trust anchor priming. Default is on. +Send RFC8145 key tag query after trust anchor priming. Default is yes. .TP .B root\-key\-sentinel: \fI -Root key trust anchor sentinel. Default is on. +Root key trust anchor sentinel. Default is yes. .TP .B dlv\-anchor\-file: \fI This option was used during early days DNSSEC deployment when no parent-side