refused stops retries.

git-svn-id: file:///svn/unbound/trunk@823 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index d227a3fe0ffdcb14338b61bebd30a03f08f154a0..8a2e490f16646c84355138ea6e5efd4aea3b3c76 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,8 @@
+2 January 2008: Wouter
+       - fixup typo in requirements.
+       - document that 'refused' is a better choice than 'drop' for 
+         the access control list, as refused will stop retries.
+
 7 December 2007: Wouter
        - unbound-host has a -d option to show what happens. This can help
          with debugging (why do I get this answer).

diff --git a/doc/unbound.conf.5 b/doc/unbound.conf.5
index badee38bd4c6d211c13e4c8c0eb5502e8585cfba..daf0d23913fcb64b9c9b712b79e95bcb6ec146e3 100644 (file)
--- a/doc/unbound.conf.5
+++ b/doc/unbound.conf.5
@@ -168,6 +168,9 @@ Deny stops queries from hosts from that netblock.
 Refuse stops queries too, but sends a DNS rcode REFUSED error message back.
 Allow gives access to clients from that netblock.
 By default only localhost is allowed, the rest is refused.
+The default is refused, because that is protocol-friendly. The DNS protocol
+is not designed to handle dropped packets due to policy, and dropping may 
+result in (possibly excessive) retried queries.
 .It \fBchroot:\fR <directory>
 If given a chroot is done to the given directory. The default is 
 "/etc/unbound". If you give "" no chroot is performed.