- Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing

  Underneath" for the harden-below-nxdomain option.

git-svn-id: file:///svn/unbound/trunk@3927 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index d7053db1e455fb0ce5d945cfe2f20bc6215d35ca..71838be3493ae25b2698fe9ad7e7ba87e128b8f2 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+21 November 2016: Wouter
+       - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
+         Underneath" for the harden-below-nxdomain option.
+
 10 November 2016: Ralph
        - Fix #1155: test status code of unbound-control in 04-checkconf,
          not the status code from the tee command.

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 40e6235e28b0b6b49b65981fa5a4690574aa06dd..4355d3c43d951e0de4540d708961c03fcd11d02c 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -624,7 +624,8 @@ unsigned to badly signed often. If turned off you run the risk of a
 downgrade attack that disables security for a zone. Default is on.
 .TP
 .B harden\-below\-nxdomain: \fI<yes or no>
-From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name
+From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"),
+returns nxdomain to queries for a name
 below another name that is already known to be nxdomain.  DNSSEC mandates
 noerror for empty nonterminals, hence this is possible.  Very old software
 might return nxdomain for empty nonterminals (that usually happen for reverse
@@ -632,7 +633,6 @@ IP address lookups), and thus may be incompatible with this.  To try to avoid
 this only DNSSEC-secure nxdomains are used, because the old software does not
 have DNSSEC.  Default is off.
 The nxdomain must be secure, this means nsec3 with optout is insufficient.
-Currently, draft\-ietf\-dnsop\-nxdomain\-cut promotes this technique.
 .TP
 .B harden\-referral\-path: \fI<yes or no>
 Harden the referral path by performing additional queries for