document the two new auth settings

diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt
index 9a6466515f7afcd89dcaaab204d3ac66dc62f54e..7ffae6de30a6c0157f16e9e80c9581aee6a676b4 100644 (file)
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -1158,6 +1158,7 @@ openssl
 opensuse
 openwall
 Opmeer
+OPNUM
 optcode
 Opteron
 optmem

diff --git a/docs/settings.rst b/docs/settings.rst
index 693ee3061c9c7bb63c6a55bdef4072c988f133b6..a5930e7eaf5ab873187e212f7bbc0c3812740735 100644 (file)
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -1253,6 +1253,31 @@ prevent-self-notification to "no".
 
 Turn on operating as a primary. See :ref:`primary-operation`.
 
+.. _setting-proxy-protocol-from
+
+``proxy-protocol-from``
+-----------------------
+.. versionadded:: 4.6.0
+
+-  IP addresses or netmasks, separated by commas
+-  Default: empty
+
+Ranges that are required to send a Proxy Protocol version 2 header in front of UDP and TCP queries, to pass the original source and destination addresses and ports to the Authoritative.
+Queries that are not prefixed with such a header will not be accepted from clients in these ranges. Queries prefixed by headers from clients that are not listed in these ranges will be dropped.
+
+Note that once a Proxy Protocol header has been received, the source address from the proxy header instead of the address of the proxy will be checked against primary addresses sending NOTIFYs, and the ACLs for any client requesting AXFRs.
+
+.. _setting-proxy-protocol-maximum-size:
+
+``proxy-protocol-maximum-size``
+-------------------------------
+.. versionadded:: 4.6.0
+
+-  Integer
+-  Default: 512
+
+The maximum size, in bytes, of a Proxy Protocol payload (header, addresses and ports, and TLV values). Queries with a larger payload will be dropped.
+
 .. _setting-query-cache-ttl:
 
 ``query-cache-ttl``