- Added documentation for aggressive-nsec: yes.

git-svn-id: file:///svn/unbound/trunk@4575 be551aaa-1e26-0410-a405-d3ace91eadb9
2024-09-21 14:47:09 +00:00 · 2018-03-12 08:21:44 +00:00 · 2018-03-12 08:21:44 +00:00 · 5e6c2e37ca
commit 5e6c2e37ca
parent b8c60d092f
3 changed files with 13 additions and 0 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,6 @@
+12 March 2018: Wouter
+	- Added documentation for aggressive-nsec: yes.
+
 9 March 2018: Wouter
 	- Fix #3598: Fix swig build issue on rhel6 based system.
 	  configure --disable-swig-version-check stops the swig version check.
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@ -380,6 +380,10 @@ server:
 	# This option only has effect when qname-minimisation is enabled.
 	# qname-minimisation-strict: no

+	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+	# and other denials, using information from previous NXDOMAINs answers.
+	# aggressive-nsec: no
+
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
 	# use-caps-for-id: no
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@ -725,6 +725,12 @@ potentially broken nameservers. A lot of domains will not be resolvable when
 this option in enabled. Only use if you know what you are doing.
 This option only has effect when qname-minimisation is enabled. Default is off.
 .TP
+.B aggressive\-nsec: \fI<yes or no>
+Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+and other denials, using information from previous NXDOMAINs answers.
+Default is off.  It helps to reduce the query rate towards targets that get
+a very high nonexistant name lookup rate.
+.TP
 .B private\-address: \fI<IP address or subnet>
 Give IPv4 of IPv6 addresses or classless subnets. These are addresses
 on your private network, and are not allowed to be returned for