diff --git a/validator/val_utils.c b/validator/val_utils.c

index e3677e1..e4eff1b 100644

--- a/validator/val_utils.c

+++ b/validator/val_utils.c

@@ -54,6 +54,7 @@

 #include "util/net_help.h"

 #include "util/module.h"

 #include "util/regional.h"

+#include "util/config_file.h"

 #include "sldns/wire2str.h"

 #include "sldns/parseutil.h"

@@ -914,7 +915,7 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index)

 }

 void

-val_check_nonsecure(struct val_env* ve, struct reply_info* rep) 

+val_check_nonsecure(struct module_env* env, struct reply_info* rep) 

 {

 	size_t i;

 	/* authority */

@@ -955,7 +956,7 @@ val_check_nonsecure(struct val_env* ve, struct reply_info* rep)

 		}

 	}

 	/* additional */

-	if(!ve->clean_additional)

+	if(!env->cfg->val_clean_additional)

 		return;

 	for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {

 		if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)

diff --git a/validator/val_utils.h b/validator/val_utils.h

index 051824a..649adc2 100644

--- a/validator/val_utils.h

+++ b/validator/val_utils.h

@@ -306,10 +306,10 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index);

  * So that unsigned data does not get let through to clients, when we have

  * found the data to be secure.

  *

- * @param ve: validator environment with cleaning options.

+ * @param env: environment with cleaning options.

  * @param rep: reply to dump all nonsecure stuff out of.

  */

-void val_check_nonsecure(struct val_env* ve, struct reply_info* rep);

+void val_check_nonsecure(struct module_env* env, struct reply_info* rep);

 /**

  * Mark all unchecked rrset entries not below a trust anchor as indeterminate.

diff --git a/validator/validator.c b/validator/validator.c

index e8b6317..5f4a1eb 100644

--- a/validator/validator.c

+++ b/validator/validator.c

@@ -113,8 +113,6 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,

 {

 	int c;

 	val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl;

-	val_env->clean_additional = cfg->val_clean_additional;

-	val_env->permissive_mode = cfg->val_permissive_mode;

 	if(!env->anchors)

 		env->anchors = anchors_create();

 	if(!env->anchors) {

@@ -171,7 +169,6 @@ val_init(struct module_env* env, int id)

 	}

 	env->modinfo[id] = (void*)val_env;

 	env->need_to_validate = 1;

-	val_env->permissive_mode = 0;

 	lock_basic_init(&val_env->bogus_lock);

 	lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus,

 		sizeof(val_env->num_rrset_bogus));

@@ -619,9 +616,11 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,

 		}

 	}

-	/* attempt to validate the ADDITIONAL section rrsets */

-	if(!ve->clean_additional)

+	/* If set, the validator should clean the additional section of

+	 * secure messages. */

+	if(!env->cfg->val_clean_additional)

 		return 1;

+	/* attempt to validate the ADDITIONAL section rrsets */

 	for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets; 

 		i<chase_reply->rrset_count; i++) {

 		s = chase_reply->rrsets[i];

@@ -2129,7 +2128,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,

 		 * a different signer name). And drop additional rrsets

 		 * that are not secure (if clean-additional option is set) */

 		/* this may cause the msg to be marked bogus */

-		val_check_nonsecure(ve, vq->orig_msg->rep);

+		val_check_nonsecure(qstate->env, vq->orig_msg->rep);

 		if(vq->orig_msg->rep->security == sec_status_secure) {

 			log_query_info(VERB_DETAIL, "validation success", 

 				&qstate->qinfo);

@@ -2170,8 +2169,14 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,

 				free(err);

 			}

 		}

+		/*

+		 * If set, the validator will not make messages bogus, instead

+		 * indeterminate is issued, so that no clients receive SERVFAIL.

+		 * This allows an operator to run validation 'shadow' without

+		 * hurting responses to clients.

+		 */

 		/* If we are in permissive mode, bogus gets indeterminate */

-		if(ve->permissive_mode)

+		if(qstate->env->cfg->val_permissive_mode)

 			vq->orig_msg->rep->security = sec_status_indeterminate;

 	}

diff --git a/validator/validator.h b/validator/validator.h

index 23d3072..9a59107 100644

--- a/validator/validator.h

+++ b/validator/validator.h

@@ -93,19 +93,6 @@ struct val_env {

 	 * seconds. */

 	uint32_t bogus_ttl;

-	/** If set, the validator should clean the additional section of

-	 * secure messages.

-	 */

-	int clean_additional;

-

-	/**

-	 * If set, the validator will not make messages bogus, instead

-	 * indeterminate is issued, so that no clients receive SERVFAIL.

-	 * This allows an operator to run validation 'shadow' without

-	 * hurting responses to clients.

-	 */

-	int permissive_mode;

-

 	/**

 	 * Number of entries in the NSEC3 maximum iteration count table.

 	 * Keep this table short, and sorted by size