--- embedaddon/dnsmasq/dnsmasq.conf.example	2013/07/29 19:37:40	1.1.1.1
+++ embedaddon/dnsmasq/dnsmasq.conf.example	2014/06/15 16:31:38	1.1.1.2
@@ -20,6 +20,18 @@
 # Never forward addresses in the non-routed address spaces.
 #bogus-priv
 
+# Uncomment these to enable DNSSEC validation and caching:
+# (Requires dnsmasq to be built with DNSSEC option.)
+#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+#dnssec
+
+# Replies which are not DNSSEC signed may be legitimate, because the domain
+# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
+# check that an unsigned reply is OK, by finding a secure proof that a DS 
+# record somewhere between the root and the domain does not exist. 
+# The cost of setting this is that even queries in unsigned domains will need
+# one or more extra DNS queries to verify.
+#dnssec-check-unsigned
 
 # Uncomment this to filter useless windows-originated DNS requests
 # which can trigger dial-on-demand links needlessly.