<term><command>dnssec-enable</command></term>
<listitem>
<para>
- Enable DNSSEC support in <command>named</command>. Unless set to <userinput>yes</userinput>,
- <command>named</command> behaves as if it does not support DNSSEC.
+ This indicates whether DNSSEC-related resource
+ records are to be returned by <command>named</command>.
+ If set to <userinput>no</userinput>,
+ <command>named</command> will not return DNSSEC-related
+ resource records unless specifically queried for.
The default is <userinput>yes</userinput>.
</para>
</listitem>
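Review bot: in the added sentence "will not return DNSSEC-related resource records unless specifically queried for", the phrase "specifically queried for" does not say what kind of query qualifies. State whether it means a query for the record type itself or a query with the DO bit set (the bit the note added under dnssec-validation later in this patch refers to), and consider naming the record types covered, so an operator can predict what a server with dnssec-enable set to no will actually return. The removed text also said named "behaves as if it does not support DNSSEC" unless the option is yes; if that still holds for anything beyond returned records, the new wording no longer documents it.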
<command>managed-keys</command> statement. The default
is <userinput>yes</userinput>.
</para>
+ <note>
+ <para>
+ Whenever the resolver sends out queries to an
+ EDNS-compliant server, it always sets the DO bit
+ indicating it can support DNSSEC responses even if
+ <command>dnssec-validation</command> is off.
+ </para>
+ </note>
</listitem>
</varlistentry>
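Review bot: the added note says the resolver "always sets the DO bit" but only covers the case where dnssec-validation is off, and is silent on dnssec-enable set to no. Because the dnssec-enable description in this same patch now says that option controls whether DNSSEC-related records are returned, the note should state whether the DO bit is still set on outgoing queries in that case, so operators do not assume that turning off either option stops DNSSEC records from being requested upstream. Two wording points in the same sentence: expand DO as "DNSSEC OK" on first use, and add a comma before "indicating", since "even if dnssec-validation is off" can currently be read as qualifying "can support DNSSEC responses" rather than "always sets".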