Upstream changed the default for the DNSSEC option to "allow-downgrade" and that is whats everywhere is documented. Debian overrides it to "no".
Bastian
--
Prepare for tomorrow -- get ready.
-- Edith Keeler, "The City On the Edge of Forever",
stardate unknown
