authorSimon Kelley <simon@thekelleys.org.uk>2014-03-24 21:13:49 +0000
committerSimon Kelley <simon@thekelleys.org.uk>2014-03-24 21:13:49 +0000
commit56618c31f62b0ed8af2c392071af0ca519c64b13 (patch)
treefc3e2e64855d9c3c4c75b5a6ba35927a1ab0dcaa
parent604f7598c2265e334de05ed25d8e4e2a01de36cd (diff)
Add dnssec-check-unsigned to example config file.
-rw-r--r--dnsmasq.conf.example8
1 files changed, 8 insertions, 0 deletions
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
index 4f2bcf3..206f4d1 100644
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -25,6 +25,14 @@
#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
#dnssec
+# Replies which are not DNSSEC signed may be legitimate, because the domain
+# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
+# check that an unsigned reply is OK, by finding a secure proof that a DS
+# record somewhere between the root and the domain does not exist.
+# The cost of setting this is that even queries in unsigned domains will need
+# one or more extra DNS queries to verify.
+#dnssec-check-unsigned
+
# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,