From 56618c31f62b0ed8af2c392071af0ca519c64b13 Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Mon, 24 Mar 2014 21:13:49 +0000
Subject: [PATCH] Add dnssec-check-unsigned to example config file.

---
 dnsmasq.conf.example | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
index 4f2bcf3..206f4d1 100644
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -25,6 +25,14 @@
 #conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
 #dnssec
 
+# Replies which are not DNSSEC signed may be legitimate, because the domain
+# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
+# check that an unsigned reply is OK, by finding a secure proof that a DS
+# record somewhere between the root and the domain does not exist.
+# The cost of setting this is that even queries in unsigned domains will need
+# one or more extra DNS queries to verify.
+#dnssec-check-unsigned
+
 # Uncomment this to filter useless windows-originated DNS requests
 # which can trigger dial-on-demand links needlessly.
 # Note that (amongst other things) this blocks all SRV requests,
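Review bot: The new comment block does not say that `dnssec-check-unsigned` only has an effect when the `dnssec` option directly above it (and its trust-anchors `conf-file`) is enabled, so a reader uncommenting only this line gets no validation at all. It also leaves implicit that with `dnssec` on but this option off, a reply whose signatures were stripped in transit is accepted as an ordinary unsigned answer, which is the forgery case the first sentence alludes to. Suggest prepending `# Only meaningful when dnssec (above) is enabled. Without this option, dnsmasq` and `# accepts an unsigned reply for a zone that should be signed, so a stripped` / `# signature is not detected.` ahead of the existing explanation, keeping the cost note as written.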