From: Wouter Wijngaards Date: Mon, 21 Nov 2016 09:53:43 +0000 (+0000) Subject: - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing X-Git-Tag: release-1.6.0rc1~30 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3132937112c7da66f2b51e41a64a397538c24abd;p=thirdparty%2Funbound.git - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing Underneath" for the harden-below-nxdomain option. git-svn-id: file:///svn/unbound/trunk@3927 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index d7053db1e..71838be34 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +21 November 2016: Wouter + - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing + Underneath" for the harden-below-nxdomain option. + 10 November 2016: Ralph - Fix #1155: test status code of unbound-control in 04-checkconf, not the status code from the tee command. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 40e6235e2..4355d3c43 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -624,7 +624,8 @@ unsigned to badly signed often. If turned off you run the risk of a downgrade attack that disables security for a zone. Default is on. .TP .B harden\-below\-nxdomain: \fI -From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name +From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"), +returns nxdomain to queries for a name below another name that is already known to be nxdomain. DNSSEC mandates noerror for empty nonterminals, hence this is possible. Very old software might return nxdomain for empty nonterminals (that usually happen for reverse 
@@ -632,7 +633,6 @@ IP address lookups), and thus may be incompatible with this. To try to avoid this only DNSSEC-secure nxdomains are used, because the old software does not have DNSSEC. Default is off. The nxdomain must be secure, this means nsec3 with optout is insufficient. -Currently, draft\-ietf\-dnsop\-nxdomain\-cut promotes this technique. .TP .B harden\-referral\-path: \fI Harden the referral path by performing additional queries for
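Review bot: In the doc/unbound.conf.5.in hunk at @@ -624,7 +624,8, the new opening "From RFC 8020 (...)" makes the whole paragraph read as RFC behaviour, yet the unchanged text that follows restricts the option to DNSSEC-secure nxdomains and rules out nsec3 with optout. Suggest separating the two in the wording, for example "Implements RFC 8020 ..., using only DNSSEC-secure nxdomains", so an operator does not assume an unsigned NXDOMAIN will trigger it. As a style point, "(with title "...")" could be shortened to the RFC number followed by the quoted title.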
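Review bot: The removal at @@ -632,7 +633,6 of "Currently, draft\-ietf\-dnsop\-nxdomain\-cut promotes this technique.", combined with the replaced draft\-vixie\-dnsext\-resimprove reference in the previous hunk, leaves the man page with neither draft name, and the Changelog entry mentions only the added RFC reference. Someone arriving from older documentation or a search for either draft name will find nothing linking it to this option. Suggest either keeping a short historical mention of the drafts next to the RFC reference or stating in the Changelog entry that the draft references were dropped.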