Update doc/unbound.conf.5.in

Co-authored-by: Yorgos Thessalonikefs <george@nlnetlabs.nl>
Wouter Wijngaards 2023-10-06 16:40:34 +02:00 committed by GitHub
parent c8ae3de610
commit b05154218c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

@ -1303,12 +1303,17 @@ the clients, and then Unbound provides them with DNSSEC protection.
The default value is "no".
.TP
.B disable\-edns\-do: \fI<yes or no>
Disable the EDNS DO flag in upstream requests. This can be helpful for
devices that cannot handle DNSSEC information. But it should not be enabled
otherwise, because that would stop DNSSEC validation. The DNSSEC validation
would not work for Unbound itself, and also not for downstream users.
When the option is enabled, queriers that set the DO flag receive no EDNS
Disable the EDNS DO flag in upstream requests.
It breaks DNSSEC validation for Unbound's clients.
This results in the upstream name servers to not include DNSSEC records in
their replies and could be helpful for devices that cannot handle DNSSEC
information.
When the option is enabled, clients that set the DO flag receive no EDNS
record in the response to indicate the lack of support to them.
If this option is enabled but Unbound is already configured for DNSSEC
validation (i.e., the validator module is enabled; default) this option is
implicitly turned off with a warning as to not break DNSSEC validation in
Unbound.
Default is no.
.TP
.B serve\-expired: \fI<yes or no>
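
Review bot: In the rewritten disable-edns-do description, "This results in the upstream name servers to not include DNSSEC records" directly follows "It breaks DNSSEC validation for Unbound's clients.", so "This" reads as referring to the breakage rather than to clearing the DO flag. Put the consequence first and the breakage last, for example "Disable the EDNS DO flag in upstream requests. The upstream name servers then do not include DNSSEC records in their replies, which could be helpful for devices that cannot handle DNSSEC information. It breaks DNSSEC validation for Unbound's clients." The old text's explicit advice that the option "should not be enabled otherwise" is dropped. Since the option is now implicitly turned off only when the validator module is enabled, a short sentence telling operators not to enable it unless such a device requires it would keep that guidance for setups that run without the validator but have validating clients downstream. The last added paragraph says the option is "implicitly turned off with a warning" but does not say where the warning appears or which setting the operator has to change for the option to take effect; naming both would help someone who enabled it on purpose and sees no change in behaviour. Wording: "as to not break" reads better as "so as not to break".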