+12 March 2018: Wouter
+ - Added documentation for aggressive-nsec: yes.
+
9 March 2018: Wouter
- Fix #3598: Fix swig build issue on rhel6 based system.
configure --disable-swig-version-check stops the swig version check.
# This option only has effect when qname-minimisation is enabled.
# qname-minimisation-strict: no
+ # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+ # and other denials, using information from previous NXDOMAINs answers.
+ # aggressive-nsec: no
+
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
# use-caps-for-id: no
this option in enabled. Only use if you know what you are doing.
This option only has effect when qname-minimisation is enabled. Default is off.
.TP
+.B aggressive\-nsec: \fI<yes or no>
+Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+and other denials, using information from previous NXDOMAINs answers.
+Default is off. It helps to reduce the query rate towards targets that get
+a very high nonexistant name lookup rate.
+.TP
.B private\-address: \fI<IP address or subnet>
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
on your private network, and are not allowed to be returned for
projects / thirdparty / unbound.git / commitdiff
