--- /dev/null
+.. SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _config-cache-prefill:
+
+Cache prefilling
+================
+
+This provides ability to periodically prefill the DNS cache by importing root zone data obtained over HTTPS.
+
+Intended users of this module are big resolver operators which will benefit from decreased latencies and smaller amount of traffic towards DNS root servers.
+
+
+.. option:: cache/prefill: <list>
+ .. option:: origin: <zone name>
+
+ Name of the zone, only root zone import is supported at the moment.
+
+ .. option:: url: <url string>
+
+ URL of a file in :rfc:`1035` zone file format.
+
+ .. option:: refresh-interval: <time ms|s|m|h|d>
+ :default: 1d
+
+ Time between zone data refresh attempts.
+
+ .. option:: ca-file: <path>
+
+ Path to CA certificate bundle used to authenticate the HTTPS connection (optional, system-wide store will be used if not specified)
+
+.. code-block:: yaml
+
+ cache:
+ prefill:
+ - origin: "."
+ url: https://www.internic.net/domain/root.zone
+ refresh-interval: 12h
+ ca-file: /etc/pki/tls/certs/ca-bundle.crt
+
+This configuration downloads the zone file from URL `https://www.internic.net/domain/root.zone` and imports it into the cache every day. The HTTPS connection is authenticated using a CA certificate from file `/etc/pki/tls/certs/ca-bundle.crt` and signed zone content is validated using DNSSEC.
+
+The root zone to be imported must be signed using DNSSEC and the resolver must have a valid DNSSEC configuration.
+
+
+Dependencies
+------------
+
+Prefilling depends on the lua-http_ library.
+
+.. _lua-http: https://luarocks.org/modules/daurnimator/http