--------------------------
.. versionadded:: 4.3.0
-- Boolean
-- Default: true
+- One of ``no``, ``dnssec``, ``yes``, String
+- Default: ``dnssec``
-Enables :rfc:`8020` handling of cached NXDOMAIN responses.
+The type of :rfc:`8020` handling of cached NXDOMAIN responses.
This RFC specifies that NXDOMAIN means that the DNS tree under the denied name MUST be empty.
When an NXDOMAIN exists in the cache for a shorter name than the qname, no lookup is done and an NXDOMAIN is sent to the client.
-For instance, when ``foo.example.net`` is negatively cached, any query matching ``*.foo.example.net`` will be answered with NXDOMAIN directly without consulting authoritative servers.
+For instance, when ``foo.example.net`` is negatively cached, any query
+matching ``*.foo.example.net`` will be answered with NXDOMAIN directly
+without consulting authoritative servers.
+
+no
+~~
+No :rfc:`8020` processing is done.
+
+dnssec
+~~~~~~
+:rfc:`8020` processing is only done for NXDOMAIN records that are
+DNSSEC validated.
+
+yes
+~~~
+:rfc:`8020` procssing is done for any non-Bogus NXDOMAIN record
+available in the cache.
.. _setting-nsec3-max-iterations:
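Review bot: The type and default change at the top of the hunk (Boolean/true to String/``dnssec``) is not recorded for upgraders: the entry still carries only ``.. versionadded:: 4.3.0``, so please add a ``.. versionchanged::`` line for the release that introduces the string values, and state whether the old boolean values are still accepted and what they map to. In the ``yes`` section, "procssing" should be "processing". The ``yes`` text should also say outright that "non-Bogus" includes NXDOMAIN records that were never DNSSEC validated, so one unvalidated negative entry for a shorter name suppresses lookups for every name below it; comparing it with the ``dnssec`` wording implies this, but a reader choosing between the two values needs it spelled out to understand why ``dnssec`` is the default.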