From: Matt Nordhoff Date: Mon, 8 Mar 2021 13:45:17 +0000 (+0000) Subject: docs: Explain what DNSSEC settings aggressive NSEC requires X-Git-Tag: rec-4.5.0-beta1~38^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F10153%2Fhead;p=thirdparty%2Fpdns.git docs: Explain what DNSSEC settings aggressive NSEC requires --- diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index b9e79acb5b..663ad025c6 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -5528,7 +5528,7 @@ int main(int argc, char **argv) ::arg().setSwitch("extended-resolution-errors", "If set, send an EDNS Extended Error extension on resolution failures, like DNSSEC validation errors")="no"; - ::arg().setSwitch("aggressive-nsec-cache-size", "The number of records to cache in the aggressive cache. If set to a value greater than 0, and DNSSEC validation is enabled, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in rfc8198")="100000"; + ::arg().setSwitch("aggressive-nsec-cache-size", "The number of records to cache in the aggressive cache. If set to a value greater than 0, and DNSSEC processing or validation is enabled, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in rfc8198")="100000"; ::arg().setCmd("help","Provide a helpful message"); ::arg().setCmd("version","Print version string"); diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst index 078a616bf6..cb6f863496 100644 --- a/pdns/recursordist/docs/settings.rst +++ b/pdns/recursordist/docs/settings.rst 
@@ -30,8 +30,8 @@ variable to act as base setting. This is mostly useful for - Integer - Default: 100000 -The number of records to cache in the aggressive cache. If set to a value greater than 0, and DNSSEC validation is enabled, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in :rfc:`8198`. -This setting requires DNSSEC validation to be enabled via the `dnssec`_ setting. +The number of records to cache in the aggressive cache. If set to a value greater than 0, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in :rfc:`8198`. +To use this, DNSSEC processing or validation must be enabled by setting `dnssec`_ to ``process``, ``log-fail`` or ``validate``. .. _setting-allow-from:
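Review bot: In the pdns/pdns_recursor.cc hunk, the new help string for aggressive-nsec-cache-size says "DNSSEC processing or validation is enabled" without naming the setting or the values that turn it on, while the settings.rst text in the same patch spells them out. Suggest wording the help string the same way, for example "and dnssec is set to process, log-fail or validate", so the --help output and the documentation state one requirement. Separately, the option is registered with setSwitch like the yes/no extended-resolution-errors line above it, although settings.rst lists it as an Integer with default 100000; worth confirming that registration is intended.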
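Review bot: In the pdns/recursordist/docs/settings.rst hunk, the rewritten first sentence drops the DNSSEC condition, so read on its own it says any value greater than 0 makes the recursor cache NSEC and NSEC3 records; the requirement only appears in the sentence after it, and the text no longer matches the help string in pdns_recursor.cc, which keeps the condition inline. Suggest either keeping the condition in the first sentence or adding a sentence on what happens when `dnssec`_ is set to any other value (for instance that the cache size is then ignored, if that is the behaviour), so an operator who sets a cache size without ``process``, ``log-fail`` or ``validate`` knows what to expect.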