From: W.C.A. Wijngaards Date: Thu, 30 Jan 2025 15:26:31 +0000 (+0100) Subject: - Fix #986: Resolving sas.com with dnssec-validation fails though X-Git-Tag: release-1.23.0rc1~51 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=01cea4d5be596432773591d8fce13c83618b8bae;p=thirdparty%2Funbound.git - Fix #986: Resolving sas.com with dnssec-validation fails though signed delegations seem to be (mostly) correct. --- diff --git a/doc/Changelog b/doc/Changelog index 47fcb6604..b33dfa8e8 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +30 January 2025: Wouter + - Fix #986: Resolving sas.com with dnssec-validation fails though + signed delegations seem to be (mostly) correct. + 29 January 2025: Yorgos - Make the default value of module-config "validator iterator" regardless of compilation options. --enable-subnet would implicitly diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index cc109f0b5..2e8c87e40 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1111,7 +1111,7 @@ This works by first choosing only the strongest DS digest type as per RFC 4509 (Unbound treats the highest algorithm as the strongest) and then expecting signatures from all the advertised signing algorithms from the chosen DS(es) to be present. -If no, allows any algorithm to validate the zone. +If no, allows any one supported algorithm to validate the zone, even if other advertised algorithms are broken. Default is no. RFC 6840 mandates that zone signers must produce zones signed with all advertised algorithms, but sometimes they do not.
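Review bot: In the doc/Changelog hunk, the new 30 January 2025 entry only repeats the title of issue #986 (the sas.com symptom) and does not say what was changed. Suggest appending a short clause that states the behaviour change, so that someone reading the Changelog without the issue tracker can tell how validation differs after this commit.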
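Review bot: In the doc/unbound.conf.5.in hunk (@@ -1111,7 +1111,7 @@), the word "broken" in the added sentence "If no, allows any one supported algorithm to validate the zone, even if other advertised algorithms are broken." is ambiguous for an operator: it could mean signatures that are missing, signatures that fail verification, or both. Because the following context line says "Default is no.", this sentence describes what the default configuration tolerates, so it should name the exact conditions that are accepted. The added sentence is also a single source line of roughly 110 characters; consider wrapping it.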