From 6ca48bc8ef85b318248110be3ebcd3a12f5b0c0f Mon Sep 17 00:00:00 2001 From: Peter Thomassen Date: Fri, 9 Sep 2016 15:14:13 -0300 Subject: [PATCH] Docs: clarify that recursor does not do DNSSEC for zones from auth-zones setting --- docs/markdown/recursor/dnssec.md | 4 ++-- docs/markdown/recursor/settings.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/markdown/recursor/dnssec.md b/docs/markdown/recursor/dnssec.md index 9f604c405c..fbc59e45cf 100644 --- a/docs/markdown/recursor/dnssec.md +++ b/docs/markdown/recursor/dnssec.md @@ -17,8 +17,8 @@ AD bits in queries. In this mode, the behaviour is equal to the PowerDNS Recurso The default mode. In this mode the Recursor acts as a "security aware, non-validating" nameserver, meaning it will set the DO-bit on outgoing queries and will provide DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for them (by means of a -DO-bit in the query). It will not do any validation in this mode, not even when -requested by the client. +DO-bit in the query), except for zones provided through the `auth-zones` setting. +It will not do any validation in this mode, not even when requested by the client. ## `process` When `dnssec` is set to `process` the behaviour is similar to [`process-no-validate`](#process-no-validate). diff --git a/docs/markdown/recursor/settings.md b/docs/markdown/recursor/settings.md index b8d81e478c..1ce258c29a 100644 --- a/docs/markdown/recursor/settings.md +++ b/docs/markdown/recursor/settings.md @@ -88,7 +88,7 @@ have to tick an 'RFC 2181 compliant' box. * Comma separated list of 'zonename=filename' pairs * Available since: 3.1 -Zones read from these files (in BIND format) are served authoritatively. Example: +Zones read from these files (in BIND format) are served authoritatively. DNSSEC is not supported. Example: `auth-zones=example.org=/var/zones/example.org, powerdns.com=/var/zones/powerdns.com`. ## `carbon-interval` -- 2.47.2