]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
improve dnssec-enable and dnssec-validation documentation
authorJeremy C. Reed <jreed@isc.org>
Tue, 8 Sep 2015 19:53:58 +0000 (15:53 -0400)
committerJeremy C. Reed <jreed@isc.org>
Tue, 8 Sep 2015 19:53:58 +0000 (15:53 -0400)
This is for #37362
Okayed via jabber
No CHANGES entry

doc/arm/Bv9ARM-book.xml

index d64de21fa90fffcf28d516a92b160fef78edfdab..37618d920520a308ed938345b18371cdf028bc0c 100644 (file)
@@ -6867,8 +6867,11 @@ options {
              <term><command>dnssec-enable</command></term>
              <listitem>
                <para>
-                 Enable DNSSEC support in <command>named</command>.  Unless set to <userinput>yes</userinput>,
-                 <command>named</command> behaves as if it does not support DNSSEC.
+                 This indicates whether DNSSEC-related resource
+                 records are to be returned by <command>named</command>.
+                 If set to <userinput>no</userinput>,
+                 <command>named</command> will not return DNSSEC-related
+                 resource records unless specifically queried for.
                  The default is <userinput>yes</userinput>.
                </para>
              </listitem>
@@ -6891,6 +6894,14 @@ options {
                  <command>managed-keys</command> statement.  The default
                  is <userinput>yes</userinput>.
                </para>
+               <note>
+                 <para>
+                   Whenever the resolver sends out queries to an
+                   EDNS-compliant server, it always sets the DO bit
+                   indicating it can support DNSSEC responses even if
+                   <command>dnssec-validation</command> is off.
+                 </para>
+               </note>
              </listitem>
            </varlistentry>