From: Remi Gacogne Date: Tue, 5 Jan 2021 14:49:52 +0000 (+0100) Subject: rec: Document the aggressive NSEC caching setting X-Git-Tag: dnsdist-1.6.0-alpha2~12^2~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b1ca71cecd756db99d64af22c3b893c98846322;p=thirdparty%2Fpdns.git rec: Document the aggressive NSEC caching setting --- diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index 17755c5bd6..125cfebc7a 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -5516,7 +5516,7 @@ int main(int argc, char **argv) ::arg().setSwitch("extended-resolution-errors", "If set, send an EDNS Extended Error extension on resolution failures, like DNSSEC validation errors")="no"; - ::arg().setSwitch("aggressive-nsec", "If set, and DNSSEC validation is enabled, the recursor will look at cached NSEC and NSEC3 records to generate negative answers, as defined in rfc8198")="no"; + ::arg().setSwitch("aggressive-nsec", "If set, and DNSSEC validation is enabled, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in rfc8198")="no"; ::arg().setCmd("help","Provide a helpful message"); ::arg().setCmd("version","Print version string"); diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst index 10b2689177..39dfc9abe2 100644 --- a/pdns/recursordist/docs/settings.rst +++ b/pdns/recursordist/docs/settings.rst 
@@ -20,6 +20,19 @@ variable to act as base setting. This is mostly useful for forward-zones = foo.example.com=192.168.100.1; forward-zones += bar.example.com=[1234::abcde]:5353; + +.. _setting-aggressive-nsec: + +``aggressive-nsec`` +------------------- +.. versionadded:: 4.5.0 + +- Boolean +- Default: no + +If set, and DNSSEC validation is enabled, the recursor cache NSEC and NSEC3 records to generate negative answers, and use cached wildcards to synthesize positive answsers, as defined in :rfc:`8198`. +This setting requires DNSSEC validation to be enabled via the `dnssec_` setting. + .. _setting-allow-from: ``allow-from``
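Review bot: the reworded help text on the `aggressive-nsec` `setSwitch` line in pdns/pdns_recursor.cc mentions only negative answers, while the settings.rst entry added in the same commit also documents using cached wildcards to synthesize positive answers. Consider making the two descriptions agree, for example by adding the wildcard clause to the help string, and writing the reference as "RFC 8198" instead of "rfc8198" so it matches the `:rfc:` form used in the documentation.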
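Review bot: the description paragraph of the new ``aggressive-nsec`` entry in pdns/recursordist/docs/settings.rst has two wording errors: "the recursor cache NSEC" is missing "will" (the help string in pdns_recursor.cc reads "the recursor will cache"), and "answsers" should be "answers". In the last added line, the `dnssec_` reference depends on a target named `dnssec`, whereas the labels visible in this hunk follow the `_setting-<name>` pattern (`_setting-aggressive-nsec`, `_setting-allow-from`); please check that the link resolves in the built docs, or switch to a `:ref:` pointing at the matching `setting-` label.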