From: Wouter Wijngaards Date: Mon, 12 Mar 2018 08:21:44 +0000 (+0000) Subject: - Added documentation for aggressive-nsec: yes. X-Git-Tag: release-1.7.0rc3~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e6c2e37caf239851c8c4a12cc0e36e3af587725;p=thirdparty%2Funbound.git - Added documentation for aggressive-nsec: yes. git-svn-id: file:///svn/unbound/trunk@4575 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 7a02715dd..905442ebe 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +12 March 2018: Wouter + - Added documentation for aggressive-nsec: yes. + 9 March 2018: Wouter - Fix #3598: Fix swig build issue on rhel6 based system. configure --disable-swig-version-check stops the swig version check. diff --git a/doc/example.conf.in b/doc/example.conf.in index e764b50f1..dae86fb6f 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -380,6 +380,10 @@ server: # This option only has effect when qname-minimisation is enabled. # qname-minimisation-strict: no + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. + # aggressive-nsec: no + # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. # use-caps-for-id: no diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 90a9a9fa8..edde384ee 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -725,6 +725,12 @@ potentially broken nameservers. A lot of domains will not be resolvable when this option in enabled. Only use if you know what you are doing. This option only has effect when qname-minimisation is enabled. Default is off. .TP +.B aggressive\-nsec: \fI +Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN +and other denials, using information from previous NXDOMAINs answers. +Default is off. It helps to reduce the query rate towards targets that get +a very high nonexistant name lookup rate. +.TP .B private\-address: \fI Give IPv4 of IPv6 addresses or classless subnets. These are addresses on your private network, and are not allowed to be returned for