Disable NSEC Aggressive Cache (synth-from-dnssec) by default

It was found that NSEC Aggressive Caching has a significant performance impact
on BIND 9 when used as recursor.  This commit disables the synth-from-dnssec
configuration option by default to provide immediate remedy for people running
BIND 9.12+.  The NSEC Aggressive Cache will be enabled again after a proper fix
will be prepared.

diff --git a/bin/named/config.c b/bin/named/config.c
index 48c84b2d98497a91b929a4140c2f1a7dbcbf05f6..17141ea16a0a4a3ece2207876abe36dca45e66de 100644 (file)
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -193,7 +193,7 @@ options {\n\
 #      sortlist <none>\n\
        stale-answer-enable false;\n\
        stale-answer-ttl 1; /* 1 second */\n\
-       synth-from-dnssec yes;\n\
+       synth-from-dnssec no;\n\
 #      topology <none>\n\
        transfer-format many-answers;\n\
        v6-bias 50;\n\

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index f1722e104cfb9953eb9e41bd2b17a969cbd9e4ff..048a415339410168ff22a35e5c1255469e42f78b 100644 (file)
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -6768,7 +6768,9 @@ options {
                <para>
                  Synthesize answers from cached NSEC, NSEC3 and
                  other RRsets that have been proved to be correct
-                 using DNSSEC.  The default is <command>yes</command>.
+                 using DNSSEC.  The default is <command>no</command>,
+                 but it will become <command>yes</command> again
+                 in the future releases.
                </para>
                <para>
                  Note: