- Fix #3299 - forward CNAME daisy chain is not working

git-svn-id: file:///svn/unbound/trunk@4409 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index e93336117fc1bcc2fd1088b264a54815921ed9a5..66b79bbb2b73002ad9a2f872cca5b8b4a7dffa7d 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+30 November 2017: Wouter 
+       - Fix #3299 - forward CNAME daisy chain is not working
+
 14 November 2017: Wouter 
        - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
          set for stub zone.  It no longer searches for DNSSEC information.

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 4088c77e547399b1dc4aaa4896e0ceb38dac5308..b7890a211e848f0250f329df813711e6c76b78cc 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1394,6 +1394,9 @@ forward the queries to. The servers listed as \fBforward\-host:\fR and
 those servers are not authority servers, but are (just like unbound is)
 recursive servers too; unbound does not perform recursion itself for the
 forward zone, it lets the remote server do it.  Class IN is assumed.
+CNAMEs are chased by unbound itself, asking the remote server for every
+name in the indirection chain, to protect the local cache from illegal
+indirect referenced items.
 A forward\-zone entry with name "." and a forward\-addr target will
 forward all queries to that other server (unless it can answer from
 the cache).