Document the behavior of the max-signature-cache-entries setting.

Update documentation with a few things I learned during a debugging
session with great help on IRC.

If you use NSEC narrow mode and handle queries that generates a lot of
signatures, e.g. because of random subdomain queries this can cause
the cache to grow very large.

Also document the surprising cache eviction policy of dropping all
cache entries when the maximum cache size is hit.

diff --git a/docs/settings.rst b/docs/settings.rst
index 682238d7c857af555c421dc4fb32b19662f91b7a..6db6c37500689272f7b382e209eb46e06378c7fb 100644 (file)
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -1007,7 +1007,9 @@ situation hopeless and respawn.
 -  Integer
 -  Default: 2^31-1 (on most systems), 2^63-1 (on ILP64 systems)
 
-Maximum number of signatures cache entries
+Maximum number of DNSSEC signature cache entries. This cache is
+automatically reset once per week or when the cache is full. If you
+use NSEC narrow mode, this cache can grow large.
 
 .. _setting-max-tcp-connection-duration: