author | Simon Kelley <simon@thekelleys.org.uk> | 2014-03-24 21:13:49 +0000 |
---|---|---|
committer | Simon Kelley <simon@thekelleys.org.uk> | 2014-03-24 21:13:49 +0000 |
commit | 56618c31f62b0ed8af2c392071af0ca519c64b13 (patch) | |
tree | fc3e2e64855d9c3c4c75b5a6ba35927a1ab0dcaa | |
parent | 604f7598c2265e334de05ed25d8e4e2a01de36cd (diff) | |
download | dnsmasq-56618c31f62b0ed8af2c392071af0ca519c64b13.tar.gz |
Add dnssec-check-unsigned to example config file.
-rw-r--r-- | dnsmasq.conf.example | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example index 4f2bcf3..206f4d1 100644 --- a/dnsmasq.conf.example +++ b/dnsmasq.conf.example @@ -25,6 +25,14 @@ #conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf #dnssec +# Replies which are not DNSSEC signed may be legitimate, because the domain +# is unsigned, or may be forgeries. Setting this option tells dnsmasq to +# check that an unsigned reply is OK, by finding a secure proof that a DS +# record somewhere between the root and the domain does not exist. +# The cost of setting this is that even queries in unsigned domains will need +# one or more extra DNS queries to verify. +#dnssec-check-unsigned + # Uncomment this to filter useless windows-originated DNS requests # which can trigger dial-on-demand links needlessly. # Note that (amongst other things) this blocks all SRV requests, |
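Review bot: The new comment block above `#dnssec-check-unsigned` does not say that the option builds on the `#dnssec` line immediately before it, and it does not say what happens when the option is left commented out. A reader who enables `dnssec` alone may assume forged unsigned replies are already rejected. Suggest adding one sentence along the lines of "This only has an effect when dnssec is enabled above; without it, unsigned replies are accepted without proof that the domain is really unsigned." The phrase "check that an unsigned reply is OK" is also vague; "check that an unsigned reply is legitimately unsigned" would match the DS-nonexistence explanation that follows it.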