Upstream changed the default for the DNSSEC option to "allow-downgrade" and that is whats everywhere is documented. Debian overrides it to "no". Bastian -- Prepare for tomorrow -- get ready. -- Edith Keeler, "The City On the Edge of Forever", stardate unknown