improve dnssec-enable and dnssec-validation documentation

This is for #37362 Okayed via jabber No CHANGES entry
2026-06-12 17:39:59 -04:00 · 2015-09-08 15:53:58 -04:00 · 2015-09-08 15:53:58 -04:00 · 320d0e0496
commit 320d0e0496
parent a3f3394f6c
1 changed files with 13 additions and 2 deletions
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@ -6671,8 +6671,11 @@ options {
 	      <term><command>dnssec-enable</command></term>
 	      <listitem>
 		<para>
-		  Enable DNSSEC support in <command>named</command>.  Unless set to <userinput>yes</userinput>,
-		  <command>named</command> behaves as if it does not support DNSSEC.
+		  This indicates whether DNSSEC-related resource
+		  records are to be returned by <command>named</command>.
+		  If set to <userinput>no</userinput>,
+		  <command>named</command> will not return DNSSEC-related
+		  resource records unless specifically queried for.
 		  The default is <userinput>yes</userinput>.
 		</para>
 	      </listitem>
@ -6695,6 +6698,14 @@ options {
 		  <command>managed-keys</command> statement.  The default
 		  is <userinput>yes</userinput>.
 		</para>
+		<note>
+		  <para>
+		    Whenever the resolver sends out queries to an
+		    EDNS-compliant server, it always sets the DO bit
+		    indicating it can support DNSSEC responses even if
+		    <command>dnssec-validation</command> is off.
+		  </para>
+		</note>
 	      </listitem>
 	    </varlistentry>