Add warnings and caveats for --proxy-dnssec.
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 197d9de..744eb5e 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -771,9 +771,12 @@
unprivileged user that dnsmasq runs as.
.TP
.B --proxy-dnssec
-Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an
+Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients. This is an
alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between
-dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.
+dnsmasq and the upstream servers, and the trustworthiness of the upstream servers. Note that caching the
+Authenticated Data bit correctly in all cases is not technically possible. If the AD bit is to be relied upon
+when using this option, then the cache should be disabled using --cache-size=0. In most cases, enabling DNSSEC validation
+within dnsmasq is a better option. See --dnssec for details.
.TP
.B --dnssec-debug
Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries,
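Review bot: The new sentence "Note that caching the Authenticated Data bit correctly in all cases is not technically possible" does not tell the reader what a client actually receives for an answer served from the cache when --proxy-dnssec is on and the cache is left enabled. The security consequence depends on the direction of the error: an AD bit that is set on a cached answer when it should not be is a false assurance to the client, while an AD bit that is cleared is only a loss of information. The hunk also drops "and cache it" from the first sentence without saying whether the bit is still stored, so the text is now silent on the behaviour it warns about. Suggest adding one sentence that states which of the two cases can occur, and a short reason why correct caching is not possible, so an administrator can judge whether --cache-size=0 is required for their deployment. As a minor style point, the line ending "enabling DNSSEC validation" is noticeably longer than the surrounding source lines and could be rewrapped.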