From: Wouter Wijngaards Date: Fri, 6 Oct 2023 14:40:34 +0000 (+0200) Subject: Update doc/unbound.conf.5.in X-Git-Tag: release-1.19.0rc1~29^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F944%2Fhead;p=thirdparty%2Funbound.git Update doc/unbound.conf.5.in Co-authored-by: Yorgos Thessalonikefs --- diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index b56fe20bb..e709725b1 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1303,12 +1303,17 @@ the clients, and then Unbound provides them with DNSSEC protection. The default value is "no". .TP .B disable\-edns\-do: \fI -Disable the EDNS DO flag in upstream requests. This can be helpful for -devices that cannot handle DNSSEC information. But it should not be enabled -otherwise, because that would stop DNSSEC validation. The DNSSEC validation -would not work for Unbound itself, and also not for downstream users. -When the option is enabled, queriers that set the DO flag receive no EDNS +Disable the EDNS DO flag in upstream requests. +It breaks DNSSEC validation for Unbound's clients. +This results in the upstream name servers to not include DNSSEC records in +their replies and could be helpful for devices that cannot handle DNSSEC +information. +When the option is enabled, clients that set the DO flag receive no EDNS record in the response to indicate the lack of support to them. +If this option is enabled but Unbound is already configured for DNSSEC +validation (i.e., the validator module is enabled; default) this option is +implicitly turned off with a warning as to not break DNSSEC validation in +Unbound. Default is no. .TP .B serve\-expired: \fI
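Review bot: In the new disable-edns-do text, the last paragraph says the option is implicitly turned off whenever the validator module is enabled, which the same sentence calls the default. The entry should therefore say near the top that the option has no effect in a default configuration and only applies once the validator module is not enabled. As written, the earlier sentences ("It breaks DNSSEC validation for Unbound's clients", "clients that set the DO flag receive no EDNS record in the response") read as unconditional, and an operator could assume that setting the option to yes is sufficient, then miss the warning at startup. Consider also moving "It breaks DNSSEC validation for Unbound's clients" after the sentence about upstream servers not including DNSSEC records, since that sentence is the cause and "It" currently has no clear referent. Two wording fixes in the added lines: "This results in the upstream name servers to not include" reads better as "This causes upstream name servers to omit", and "as to not break" should be "so as not to break".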