a1c71a3
diff --git a/validator/val_utils.c b/validator/val_utils.c
a1c71a3
index e3677e1..e4eff1b 100644
a1c71a3
--- a/validator/val_utils.c
a1c71a3
+++ b/validator/val_utils.c
a1c71a3
@@ -54,6 +54,7 @@
a1c71a3
 #include "util/net_help.h"
a1c71a3
 #include "util/module.h"
a1c71a3
 #include "util/regional.h"
a1c71a3
+#include "util/config_file.h"
a1c71a3
 #include "sldns/wire2str.h"
a1c71a3
 #include "sldns/parseutil.h"
a1c71a3
 
a1c71a3
@@ -914,7 +915,7 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index)
a1c71a3
 }
a1c71a3
 
a1c71a3
 void
a1c71a3
-val_check_nonsecure(struct val_env* ve, struct reply_info* rep) 
a1c71a3
+val_check_nonsecure(struct module_env* env, struct reply_info* rep) 
a1c71a3
 {
a1c71a3
 	size_t i;
a1c71a3
 	/* authority */
a1c71a3
@@ -955,7 +956,7 @@ val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
a1c71a3
 		}
a1c71a3
 	}
a1c71a3
 	/* additional */
a1c71a3
-	if(!ve->clean_additional)
a1c71a3
+	if(!env->cfg->val_clean_additional)
a1c71a3
 		return;
a1c71a3
 	for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
a1c71a3
 		if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
a1c71a3
diff --git a/validator/val_utils.h b/validator/val_utils.h
a1c71a3
index 051824a..649adc2 100644
a1c71a3
--- a/validator/val_utils.h
a1c71a3
+++ b/validator/val_utils.h
a1c71a3
@@ -306,10 +306,10 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index);
a1c71a3
  * So that unsigned data does not get let through to clients, when we have
a1c71a3
  * found the data to be secure.
a1c71a3
  *
a1c71a3
- * @param ve: validator environment with cleaning options.
a1c71a3
+ * @param env: environment with cleaning options.
a1c71a3
  * @param rep: reply to dump all nonsecure stuff out of.
a1c71a3
  */
a1c71a3
-void val_check_nonsecure(struct val_env* ve, struct reply_info* rep);
a1c71a3
+void val_check_nonsecure(struct module_env* env, struct reply_info* rep);
a1c71a3
 
a1c71a3
 /**
a1c71a3
  * Mark all unchecked rrset entries not below a trust anchor as indeterminate.
a1c71a3
diff --git a/validator/validator.c b/validator/validator.c
a1c71a3
index e8b6317..5f4a1eb 100644
a1c71a3
--- a/validator/validator.c
a1c71a3
+++ b/validator/validator.c
a1c71a3
@@ -113,8 +113,6 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
a1c71a3
 {
a1c71a3
 	int c;
a1c71a3
 	val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl;
a1c71a3
-	val_env->clean_additional = cfg->val_clean_additional;
a1c71a3
-	val_env->permissive_mode = cfg->val_permissive_mode;
a1c71a3
 	if(!env->anchors)
a1c71a3
 		env->anchors = anchors_create();
a1c71a3
 	if(!env->anchors) {
a1c71a3
@@ -171,7 +169,6 @@ val_init(struct module_env* env, int id)
a1c71a3
 	}
a1c71a3
 	env->modinfo[id] = (void*)val_env;
a1c71a3
 	env->need_to_validate = 1;
a1c71a3
-	val_env->permissive_mode = 0;
a1c71a3
 	lock_basic_init(&val_env->bogus_lock);
a1c71a3
 	lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus,
a1c71a3
 		sizeof(val_env->num_rrset_bogus));
a1c71a3
@@ -619,9 +616,11 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,
a1c71a3
 		}
a1c71a3
 	}
a1c71a3
 
a1c71a3
-	/* attempt to validate the ADDITIONAL section rrsets */
a1c71a3
-	if(!ve->clean_additional)
a1c71a3
+	/* If set, the validator should clean the additional section of
a1c71a3
+	 * secure messages. */
a1c71a3
+	if(!env->cfg->val_clean_additional)
a1c71a3
 		return 1;
a1c71a3
+	/* attempt to validate the ADDITIONAL section rrsets */
a1c71a3
 	for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets; 
a1c71a3
 		i<chase_reply->rrset_count; i++) {
a1c71a3
 		s = chase_reply->rrsets[i];
a1c71a3
@@ -2129,7 +2128,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
a1c71a3
 		 * a different signer name). And drop additional rrsets
a1c71a3
 		 * that are not secure (if clean-additional option is set) */
a1c71a3
 		/* this may cause the msg to be marked bogus */
a1c71a3
-		val_check_nonsecure(ve, vq->orig_msg->rep);
a1c71a3
+		val_check_nonsecure(qstate->env, vq->orig_msg->rep);
a1c71a3
 		if(vq->orig_msg->rep->security == sec_status_secure) {
a1c71a3
 			log_query_info(VERB_DETAIL, "validation success", 
a1c71a3
 				&qstate->qinfo);
a1c71a3
@@ -2170,8 +2169,14 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
a1c71a3
 				free(err);
a1c71a3
 			}
a1c71a3
 		}
a1c71a3
+		/*
a1c71a3
+		 * If set, the validator will not make messages bogus, instead
a1c71a3
+		 * indeterminate is issued, so that no clients receive SERVFAIL.
a1c71a3
+		 * This allows an operator to run validation 'shadow' without
a1c71a3
+		 * hurting responses to clients.
a1c71a3
+		 */
a1c71a3
 		/* If we are in permissive mode, bogus gets indeterminate */
a1c71a3
-		if(ve->permissive_mode)
a1c71a3
+		if(qstate->env->cfg->val_permissive_mode)
a1c71a3
 			vq->orig_msg->rep->security = sec_status_indeterminate;
a1c71a3
 	}
a1c71a3
 
a1c71a3
diff --git a/validator/validator.h b/validator/validator.h
a1c71a3
index 23d3072..9a59107 100644
a1c71a3
--- a/validator/validator.h
a1c71a3
+++ b/validator/validator.h
a1c71a3
@@ -93,19 +93,6 @@ struct val_env {
a1c71a3
 	 * seconds. */
a1c71a3
 	uint32_t bogus_ttl;
a1c71a3
 
a1c71a3
-	/** If set, the validator should clean the additional section of
a1c71a3
-	 * secure messages.
a1c71a3
-	 */
a1c71a3
-	int clean_additional;
a1c71a3
-
a1c71a3
-	/**
a1c71a3
-	 * If set, the validator will not make messages bogus, instead
a1c71a3
-	 * indeterminate is issued, so that no clients receive SERVFAIL.
a1c71a3
-	 * This allows an operator to run validation 'shadow' without
a1c71a3
-	 * hurting responses to clients.
a1c71a3
-	 */
a1c71a3
-	int permissive_mode;
a1c71a3
-
a1c71a3
 	/**
a1c71a3
 	 * Number of entries in the NSEC3 maximum iteration count table.
a1c71a3
 	 * Keep this table short, and sorted by size