From 2600d92e597307d7de1c87d7caa6d85e29712e28 Mon Sep 17 00:00:00 2001
From: Matt Nordhoff
Date: Mon, 8 Mar 2021 13:45:17 +0000
Subject: [PATCH] docs: Explain what DNSSEC settings aggressive NSEC requires
---
 pdns/pdns_recursor.cc | 2 +-
 pdns/recursordist/docs/settings.rst | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index b9e79acb5b..663ad025c6 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -5528,7 +5528,7 @@ int main(int argc, char **argv)
 ::arg().setSwitch("extended-resolution-errors", "If set, send an EDNS Extended Error extension on resolution failures, like DNSSEC validation errors")="no";
- ::arg().setSwitch("aggressive-nsec-cache-size", "The number of records to cache in the aggressive cache. If set to a value greater than 0, and DNSSEC validation is enabled, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in rfc8198")="100000";
+ ::arg().setSwitch("aggressive-nsec-cache-size", "The number of records to cache in the aggressive cache. If set to a value greater than 0, and DNSSEC processing or validation is enabled, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in rfc8198")="100000";
 ::arg().setCmd("help","Provide a helpful message");
 ::arg().setCmd("version","Print version string");
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 078a616bf6..cb6f863496 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
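Review bot: In the pdns/pdns_recursor.cc hunk, the rewritten `aggressive-nsec-cache-size` line still registers the option with `::arg().setSwitch(...)`, although its value is a record count (default `"100000"`, and settings.rst in this same patch lists it as Integer). `setSwitch` is the call used for the yes/no `extended-resolution-errors` option just above it, so the setting is presumably typed and shown in `--help` as a boolean switch. Since the line is being touched anyway, consider `::arg().set("aggressive-nsec-cache-size", ...)="100000";` with the same help text. The help string also says only "DNSSEC processing or validation" where settings.rst now names `process`, `log-fail` and `validate`. Naming those values here too, and stating whether under `process` only validated NSEC/NSEC3 records are used to synthesize negative answers as RFC 8198 expects, would stop operators from assuming unvalidated denial records are cached. The body of main() continues outside the hunk.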
@@ -30,8 +30,8 @@ variable to act as base setting. This is mostly useful for
 - Integer
 - Default: 100000
-The number of records to cache in the aggressive cache. If set to a value greater than 0, and DNSSEC validation is enabled, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in :rfc:`8198`.
-This setting requires DNSSEC validation to be enabled via the `dnssec`_ setting.
+The number of records to cache in the aggressive cache. If set to a value greater than 0, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in :rfc:`8198`.
+To use this, DNSSEC processing or validation must be enabled by setting `dnssec`_ to ``process``, ``log-fail`` or ``validate``.
 .. _setting-allow-from:
-- 
2.47.2