rec: Document the aggressive NSEC caching setting

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 17755c5bd68a413a0fc39d06a12e3b7f14f303ef..125cfebc7a82c9e9a61d5d9fa330b95beb00fa31 100644 (file)
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -5516,7 +5516,7 @@ int main(int argc, char **argv)
 
     ::arg().setSwitch("extended-resolution-errors", "If set, send an EDNS Extended Error extension on resolution failures, like DNSSEC validation errors")="no";
 
-    ::arg().setSwitch("aggressive-nsec", "If set, and DNSSEC validation is enabled, the recursor will look at cached NSEC and NSEC3 records to generate negative answers, as defined in rfc8198")="no";
+    ::arg().setSwitch("aggressive-nsec", "If set, and DNSSEC validation is enabled, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in rfc8198")="no";
 
     ::arg().setCmd("help","Provide a helpful message");
     ::arg().setCmd("version","Print version string");

diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 10b268917731e23931fa7220793a1e46ab740231..39dfc9abe29880a5482bcc7a35c69e075c5ad8d8 100644 (file)
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -20,6 +20,19 @@ variable to act as base setting. This is mostly useful for
   forward-zones = foo.example.com=192.168.100.1;
   forward-zones += bar.example.com=[1234::abcde]:5353;
 
+
+.. _setting-aggressive-nsec:
+
+``aggressive-nsec``
+-------------------
+.. versionadded:: 4.5.0
+
+-  Boolean
+-  Default: no
+
+If set, and DNSSEC validation is enabled, the recursor cache NSEC and NSEC3 records to generate negative answers, and use cached wildcards to synthesize positive answsers, as defined in :rfc:`8198`.
+This setting requires DNSSEC validation to be enabled via the `dnssec_` setting.
+
 .. _setting-allow-from:
 
 ``allow-from``