From 02cda2bc580b8a4a241c2ab79187b6b31624cc57 Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Mon, 29 Aug 2016 14:13:37 +0200 Subject: [PATCH] DNSSEC: Document interaction with forward-zones --- docs/markdown/recursor/settings.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/markdown/recursor/settings.md b/docs/markdown/recursor/settings.md index 5fd2fa51e..6850ac0e3 100644 --- a/docs/markdown/recursor/settings.md +++ b/docs/markdown/recursor/settings.md @@ -305,6 +305,11 @@ or on the command line: Forwarded queries have the 'recursion desired' bit set to 0, meaning that this setting is intended to forward queries to authoritative servers. +**IMPORTANT**: When using DNSSEC validation (which is default), forwards to non-delegated (e.g. internal) zones that have a DNSSEC signed parent zone will validate as Bogus. +To prevent this, add a Negative Trust Anchor (NTA) for this zone in the [`lua-config-file`](#lua-config-file) with `addNTA("your.zone", "A comment")`. +If this forwarded zone is signed, instead of adding NTA, add the DS record to the [`lua-config-file`](#lua-config-file). +See the [recursor DNSSEC](dnssec.md) documentation for more information. + ## `forward-zones-file` * Path * Available since: 3.1.5 @@ -318,6 +323,8 @@ Default behaviour without '+' is as with [`forward-zones`](#forward-zones). Comments are allowed since version 4.0.0. Everything behind '#' is ignored. +The DNSSEC notes from [`forward-zones`](#forward-zones) apply here as well. + ## `forward-zones-recurse` * 'zonename=IP' pairs, comma separated * Available since: 3.2 @@ -326,6 +333,8 @@ Like regular [`forward-zones`](#forward-zones), but forwarded queries have the 'recursion desired' bit set to 1, meaning that this setting is intended to forward queries to other recursive servers. +The DNSSEC notes from [`forward-zones`](#forward-zones) apply here as well. + ## `hint-file` * Path * Available since: 2.9.19 -- 2.40.0
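Review bot: In the `forward-zones` hunk, the parenthetical "(which is default)" states a default without pointing at the setting that controls it; link it to the DNSSEC validation setting's own entry in this file so the reader can check the default for their version instead of taking it from this paragraph. The NTA sentence should also say what the workaround costs, namely that answers under that name are no longer validated, so that an administrator understands why the DS route is preferred for a signed zone. Finally, the DS sentence gives no concrete instruction: it should show the `lua-config-file` call for adding the DS the way the previous sentence shows `addNTA("your.zone", "A comment")`, and "instead of adding NTA" should read "instead of adding an NTA".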
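Review bot: In the `forward-zones-file` hunk, the one-line pointer makes the reader jump to `forward-zones` for a warning that decides whether their configuration works at all; consider repeating the gist inline (non-delegated zones under a signed parent validate as Bogus unless an NTA or DS is added in `lua-config-file`) and keep the pointer for the details.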
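Review bot: In the `forward-zones-recurse` hunk, the cross-reference should address the case this setting exists for: the text just above says queries go to "other recursive servers", and a reader may assume that an upstream resolver's own validation makes the NTA or DS unnecessary. A clause stating that this recursor validates the forwarded answers itself, so the same NTA/DS requirement applies regardless of what the upstream does, would prevent that misreading.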