Rename option and adapt docs to reflect that.

This remains complicated to docuemnt.

diff --git a/pdns/recursordist/aggressive_nsec.cc b/pdns/recursordist/aggressive_nsec.cc
index 24f014edbb13549a201e79fd9cf2722d17724ba6..c82ff698da2d4a20c4f693f0064143dbf986bf5d 100644 (file)
--- a/pdns/recursordist/aggressive_nsec.cc
+++ b/pdns/recursordist/aggressive_nsec.cc
@@ -244,7 +244,7 @@ static bool commonPrefixIsLong(const string& one, const string& two, size_t boun
       }
       continue;
     }
-    // bytes differ, lets look at the bits
+    // bytes differ, let's look at the bits
     for (ssize_t j = CHAR_BIT - 1; j >= 0; j--) {
       const auto bit1 = byte1 & (1 << j);
       const auto bit2 = byte2 & (1 << j);

diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 16adaeda49a2ca95a1efaee71fcb62fc695a33d4..50ee0ff90b521a4e411368c914b6616fc0830659 100644 (file)
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -42,21 +42,24 @@ In this case the address ``128.66.1.2`` is excluded from the addresses allowed a
 The number of records to cache in the aggressive cache. If set to a value greater than 0, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in :rfc:`8198`.
 To use this, DNSSEC processing or validation must be enabled by setting `dnssec`_ to ``process``, ``log-fail`` or ``validate``.
 
-.. _setting-aggressive-cache-max-nsec3-zone-size:
+.. _setting-aggressive-cache-max-nsec3-hit-ratio:
 
-``aggressive-cache-max-nsec3-zone-size``
+``aggressive-cache-min-nsec3-hit-ratio``
 ----------------------------------------
 
 .. versionadded: 4.9.0
 
 - Integer
-- Default: 1000
+- Default: 2000
 
-The maximum (estimated) zone size (number of names) for which to put NSEC3 entries into the aggressive NSEC cache.
-For large zones the effectiveness of the NSEC3 cache is reduced since the names are replaced by hashes, which are random by nature.
-This setting avoids doing unneccesary work for such large zones.
+The limit for which to put NSEC3 records into the aggressive cache.
+A value of ``n`` means that an NSEC3 record is only put into the aggressive cache if the estimated probability of a random name hitting the NSEC3 record is higher than ``1/n``.
+A higher ``n`` will cause more records to be put into the aggressive cache, e.g. a value of 4000 will cause records to be put in the aggressive cache even if the estimated probability of hitting them is twice as low as would be the case for ``n=2000``.
 A value of 0 means no NSEC3 records will be put into the aggressive cache.
 
+For large zones the effectiveness of the NSEC3 cache is reduced since each NSEC3 record only covers a randomly distributed subset of all possible names.
+This setting avoids doing unneccessary work for such large zones.
+
 .. _setting-allow-from:
 
 ``allow-from``

diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc
index 211d7616397f60e9f43c1c65e23f7b1843b0bd3d..7a5beab8be526b35be0e4a295c6584083fe14947 100644 (file)
--- a/pdns/recursordist/rec-main.cc
+++ b/pdns/recursordist/rec-main.cc
@@ -1713,9 +1713,9 @@ static int serviceMain(int argc, char* argv[], Logr::log_t log)
     }
   }
 
-  AggressiveNSECCache::s_maxNSEC3CommonPrefix = static_cast<uint8_t>(std::round(std::log2(::arg().asNum("aggressive-cache-max-nsec3-zone-size"))));
-  SLOG(g_log << Logger::Debug << "NSEC3 aggressive cache tuning: aggressive-cache-max-nsec3-zone-size: " << ::arg().asNum("aggressive-cache-max-nsec3-zone-size") << " max common prefix bits: " << std::to_string(AggressiveNSECCache::s_maxNSEC3CommonPrefix) << endl,
-       log->info(Logr::Debug, "NSEC3 aggressive cache tuning", "aggressive-cache-max-nsec3-zone-size", Logging::Loggable(::arg().asNum("aggressive-cache-max-nsec3-zone-size")), "maxCommonPrefixBits", Logging::Loggable(AggressiveNSECCache::s_maxNSEC3CommonPrefix)));
+  AggressiveNSECCache::s_maxNSEC3CommonPrefix = static_cast<uint8_t>(std::round(std::log2(::arg().asNum("aggressive-cache-min-nsec3-hit-ratio"))));
+  SLOG(g_log << Logger::Debug << "NSEC3 aggressive cache tuning: aggressive-cache-min-nsec3-hit-ratio: " << ::arg().asNum("aggressive-cache-min-nsec3-hit-ratio") << " max common prefix bits: " << std::to_string(AggressiveNSECCache::s_maxNSEC3CommonPrefix) << endl,
+       log->info(Logr::Debug, "NSEC3 aggressive cache tuning", "aggressive-cache-min-nsec3-hit-ratio", Logging::Loggable(::arg().asNum("aggressive-cache-min-nsec3-hit-ratio")), "maxCommonPrefixBits", Logging::Loggable(AggressiveNSECCache::s_maxNSEC3CommonPrefix)));
 
   {
     SuffixMatchNode dontThrottleNames;
@@ -2832,7 +2832,7 @@ int main(int argc, char** argv)
     ::arg().setSwitch("extended-resolution-errors", "If set, send an EDNS Extended Error extension on resolution failures, like DNSSEC validation errors") = "no";
 
     ::arg().set("aggressive-nsec-cache-size", "The number of records to cache in the aggressive cache. If set to a value greater than 0, and DNSSEC processing or validation is enabled, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in rfc8198") = "100000";
-    ::arg().set("aggressive-cache-max-nsec3-zone-size", "The maximum estimated size of a zone to store NSEC3 records into the aggressive cache") = "2000";
+    ::arg().set("aggressive-cache-min-nsec3-hit-ratio", "The minimum expected hit ratio to store NSEC3 records into the aggressive cache") = "2000";
 
     ::arg().set("edns-padding-from", "List of netmasks (proxy IP in case of proxy-protocol presence, client IP otherwise) for which EDNS padding will be enabled in responses, provided that 'edns-padding-mode' applies") = "";
     ::arg().set("edns-padding-mode", "Whether to add EDNS padding to all responses ('always') or only to responses for queries containing the EDNS padding option ('padded-queries-only', the default). In both modes, padding will only be added to responses for queries coming from `edns-padding-from`_ sources") = "padded-queries-only";