harden off has more consequences.

git-svn-id: file:///svn/unbound/trunk@732 be551aaa-1e26-0410-a405-d3ace91eadb9
Wouter Wijngaards 2007-11-01 16:05:55 +00:00
parent 5d5f08e4fd
commit e9277fc201
2 changed files with 7 additions and 7 deletions


@ -172,7 +172,7 @@ server:
# harden-glue: yes
# Harden against receiving dnssec-stripped data. If you turn it
# off, receiving no dnssec dnskey data (at all) for a trustanchor will
# off, failing to validate dnskey data for a trustanchor will
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
# harden-dnssec-stripped: yes
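Review bot: the replacement line widens the "off" behaviour from "no DNSKEY data at all" to "failing to validate dnskey data", but the lead sentence "Harden against receiving dnssec-stripped data" still describes only the stripping case, so the comment now understates what the option covers; consider something like "Harden against receiving dnssec-stripped or unverifiable DNSKEY data." Minor style: "trustanchor" should be "trust anchor", and "dnssec"/"dnskey" should match the DNSSEC/DNSKEY capitalization used in unbound.conf.5.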


@ -234,12 +234,12 @@ Will trust glue only if it is within the servers authority. Default is on.
.It \fBharden-dnssec-stripped:\fR <yes or no>
Require DNSSEC data for trust-anchored zones, if such data is absent,
the zone becomes bogus. If turned off, and no DNSSEC data is received
(no DNSKEY data to be precise), then the zone is made insecure, this behaves
like there is no trust anchor. You could turn this off if you are sometimes
behind an intrusive firewall (of some sort) that removes DNSSEC data from
packets, or a zone changes from signed to unsigned often. If turned off you
run the risk of a downgrade attack that disables security for a zone.
Default is on.
(or the DNSKEY data fails to validate), then the zone is made insecure,
this behaves like there is no trust anchor. You could turn this off if
you are sometimes behind an intrusive firewall (of some sort) that
removes DNSSEC data from packets, or a zone changes from signed to
unsigned to badly signed often. If turned off you run the risk of a
downgrade attack that disables security for a zone. Default is on.
.It \fBdo-not-query-address:\fR <IP address>
Do not query the given IP address. Can be IP4 or IP6. Append /num to
indicate a classless delegation netblock, for example like
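Review bot: the added text "(or the DNSKEY data fails to validate), then the zone is made insecure" means that with the option off, an attacker no longer needs to strip DNSSEC records to downgrade a zone; substituting a DNSKEY RRset that does not chain to the trust anchor now also yields insecure instead of bogus. The downgrade warning in the last sentence should say so explicitly, e.g. "If turned off you run the risk of a downgrade attack that disables security for a zone, by stripping or by replacing its DNSKEY data." Also "a zone changes from signed to unsigned to badly signed often" reads awkwardly; "a zone often changes between signed, unsigned and badly signed" is clearer.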