From 320d0e0496376e4f43eefa40c0619ee627bfc81c Mon Sep 17 00:00:00 2001
From: "Jeremy C. Reed" <jreed@isc.org>
Date: Tue, 8 Sep 2015 15:53:58 -0400
Subject: [PATCH] improve dnssec-enable and dnssec-validation documentation

This is for #37362
Okayed via jabber
No CHANGES entry
---
 doc/arm/Bv9ARM-book.xml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 25e26ad383..7ebf09c736 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -6671,8 +6671,11 @@ options {
 	      <term><command>dnssec-enable</command></term>
 	      <listitem>
 		<para>
-		  Enable DNSSEC support in <command>named</command>.  Unless set to <userinput>yes</userinput>,
-		  <command>named</command> behaves as if it does not support DNSSEC.
+		  This indicates whether DNSSEC-related resource
+		  records are to be returned by <command>named</command>.
+		  If set to <userinput>no</userinput>,
+		  <command>named</command> will not return DNSSEC-related
+		  resource records unless specifically queried for.
 		  The default is <userinput>yes</userinput>.
 		</para>
 	      </listitem>
@@ -6695,6 +6698,14 @@ options {
 		  <command>managed-keys</command> statement.  The default
 		  is <userinput>yes</userinput>.
 		</para>
+		<note>
+		  <para>
+		    Whenever the resolver sends out queries to an
+		    EDNS-compliant server, it always sets the DO bit
+		    indicating it can support DNSSEC responses even if
+		    <command>dnssec-validation</command> is off.
+		  </para>
+		</note>
 	      </listitem>
 	    </varlistentry>