-If this option is set then lookup results marked with an AA bit
-(Authoratative Answer) are trusted when they come from one
-of the listed domains, as if they were marked as having been
-DNSSEC-verified.
-
-Use this option only if you talk directly to the resolver
-for your local domains, and list only it.
-It is needed when the resolver does not return an AD bit
-for its local domains.
-The first SOA or NS record appearing in the results is compared
-against the option value.
-
+If this option is set then lookup results marked with the AA bit
+(Authoritative Answer) are trusted the same way as if they were
+DNSSEC-verified. The authority section's name of the answer must
+match with this expanded domain list.
+
+Use this option only if you talk directly to a resolver that is
+authoritative for some zones and does not set the AD (Authentic Data)
+bit in the answer. Some DNS servers may have an configuration option to
+mark the answers from their own zones as verified (they set the AD bit).
+Others do not have this option. It is considered as poor practice using
+a resolver that is an authoritative server for some zones.
+
+Use this option only if you really have to (e.g. if you want
+to use DANE for remote delivery to a server that is listed in the DNS
+zones that your resolver is authoritative for).
+
+If the DNS answer packet has the AA bit set and contains resource record
+in the answer section, the name of the first NS record appearing in the
+authority section is compared against the list. If the answer packet is
+authoritative but the answer section is empty, the name of the first SOA
+record in the authoritative section is used instead.
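Review bot: The added "Use this option only if you talk directly to a resolver..." paragraph drops the removed text's "and list only it", so nothing in the new wording tells the administrator to keep the domain list restricted. Since a match makes an AA answer trusted "the same way as if they were DNSSEC-verified", I would restore a sentence saying the list should name only the zones the local resolver is authoritative for. In the last paragraph, the same part of the packet is called "authority section" for the NS case and "authoritative section" for the SOA case; use "authority section" in both. Wording nits: "an configuration option" should be "a configuration option", "contains resource record" should be "contains resource records", "must match with this expanded domain list" reads better as "must match this expanded domain list", and "It is considered as poor practice using a resolver" reads better as "Using a resolver that is an authoritative server for some zones is considered poor practice".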