- Fix #986: Resolving sas.com with dnssec-validation fails though

  signed delegations seem to be (mostly) correct.

diff --git a/doc/Changelog b/doc/Changelog
index 47fcb66045b53db42ea4aa2b1b8ac8918eac8b9f..b33dfa8e82194a5ea6d5ea75bb0f5e177fd8e8bb 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+30 January 2025: Wouter
+       - Fix #986: Resolving sas.com with dnssec-validation fails though
+         signed delegations seem to be (mostly) correct.
+
 29 January 2025: Yorgos
        - Make the default value of module-config "validator iterator"
          regardless of compilation options. --enable-subnet would implicitly

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index cc109f0b5d500b0c4dc510db52414cc14391a738..2e8c87e4043673f6536b1a2fc68b566069d9b8c9 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1111,7 +1111,7 @@ This works by first choosing only the strongest DS digest type as per RFC 4509
 (Unbound treats the highest algorithm as the strongest) and then
 expecting signatures from all the advertised signing algorithms from the chosen
 DS(es) to be present.
-If no, allows any algorithm to validate the zone.
+If no, allows any one supported algorithm to validate the zone, even if other advertised algorithms are broken.
 Default is no.
 RFC 6840 mandates that zone signers must produce zones signed with all
 advertised algorithms, but sometimes they do not.