From: W.C.A. Wijngaards Date: Wed, 27 May 2026 11:24:44 +0000 (+0200) Subject: - Fix manual to document ratelimit, that it is for target X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=963cd68535cdfb9ae136ef7607ecac211e24f756;p=thirdparty%2Funbound.git - Fix manual to document ratelimit, that it is for target nameservers for a domain, and keeps queries limited. Thanks to Qifan Zhang, Palo Alto Networks, for the report. --- diff --git a/doc/Changelog b/doc/Changelog index 11ee7a0b5..440076929 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -16,6 +16,9 @@ - Fix to decrement the per-netblock tcp connection limits, so it keeps usable. Thanks to Qifan Zhang, Palo Alto Networks, for the report. + - Fix manual to document ratelimit, that it is for target + nameservers for a domain, and keeps queries limited. Thanks + to Qifan Zhang, Palo Alto Networks, for the report. 26 May 2026: Wouter - Fix for mesh new client and mesh new callback to rollback the diff --git a/doc/unbound.conf.rst b/doc/unbound.conf.rst index 29ecb233e..13990fe61 100644 --- a/doc/unbound.conf.rst +++ b/doc/unbound.conf.rst 
@@ -3078,6 +3078,18 @@ These options are part of the ``server:`` section. overloaded with random names, and keeps unbound from sending traffic to the nameservers for those zones. + It is intended to count the number of queries towards the nameservers + for the zone, and keep those queries limited. + When there is a delegation that needs a lot of lookups, those are + charged in the counters for the destination, the target name, of + the NS records. + Since that is where the nameserver lookup queries are sent to. + That keeps the target, the victim domain, from having many queries. + With the :ref:`ratelimit-factor`, some + genuine queries that are also made to the target zone, can filter + through, and then end up in cache, where the genuine answers have + a chance to collect, keeping up service to some extent. + .. note:: Configured forwarders are excluded from ratelimiting. Default: 0
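Review bot: In the added ratelimit paragraph of doc/unbound.conf.rst, "Since that is where the nameserver lookup queries are sent to." is a sentence fragment, and "target" is used in two senses ("the destination, the target name, of the NS records" and "the target, the victim domain"), so a reader cannot tell at a glance which zone's counter is charged. Suggest joining the fragment to the preceding sentence, for example "... charged in the counters for the destination, the target name of the NS records, since that is where the nameserver lookup queries are sent", and saying once, explicitly, that the counter charged belongs to the zone of the NS target names rather than to the zone holding the delegation, if that is the intent. The comma in "made to the target zone, can filter through" separates subject from verb and can be dropped.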