The default mode. In this mode the Recursor acts as a "security aware, non-validating"
nameserver, meaning it will set the DO-bit on outgoing queries and will provide
DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for them (by means of a
-DO-bit in the query). It will not do any validation in this mode, not even when
-requested by the client.
+DO-bit in the query), except for zones provided through the `auth-zones` setting.
+It will not do any validation in this mode, not even when requested by the client.
## `process`
When `dnssec` is set to `process` the behaviour is similar to [`process-no-validate`](#process-no-validate).
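Review bot: The new clause "except for zones provided through the `auth-zones` setting" on the added line is appended to a sentence that makes two statements (the DO-bit is set on outgoing queries, and DNSSEC-related RRsets are provided to clients that ask), so it is unclear which of the two the exception applies to. Consider moving it into its own sentence that says directly that NSEC and RRSIG RRsets are not returned for `auth-zones` zones even when the client sets the DO-bit, and link that sentence to the `auth-zones` setting. The `process` section directly below describes itself as "similar to" this mode, so it would also help to say there whether the same exception applies.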
* Comma separated list of 'zonename=filename' pairs
* Available since: 3.1
-Zones read from these files (in BIND format) are served authoritatively. Example:
+Zones read from these files (in BIND format) are served authoritatively. DNSSEC is not supported. Example:
`auth-zones=example.org=/var/zones/example.org, powerdns.com=/var/zones/powerdns.com`.
## `carbon-interval`
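Review bot: "DNSSEC is not supported." on the added line does not tell an operator what actually happens for these zones, for example whether RRSIG and NSEC records present in the zone file are ignored or served, and what a client that sets the DO-bit gets back. Suggest spelling out the behaviour in the same terms the DNSSEC page uses (DNSSEC-related RRsets are not provided for these zones) and cross-referencing that page so the two descriptions stay consistent. An operator placing a signed zone behind `auth-zones` needs to know that answers from it will not carry the records a downstream validator expects.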