From: Otto Moerbeek Date: Tue, 5 Nov 2019 13:02:44 +0000 (+0100) Subject: Updated docs for nothing-below-nxdomain X-Git-Tag: dnsdist-1.4.0~17^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e28746dbc11b386d31b4bb6c6123bb351ebb3cf;p=thirdparty%2Fpdns.git Updated docs for nothing-below-nxdomain --- diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst index ba7770d4bc..a7f84a2812 100644 --- a/pdns/recursordist/docs/settings.rst +++ b/pdns/recursordist/docs/settings.rst @@ -1138,14 +1138,30 @@ Number of milliseconds to wait for a remote authoritative server to respond. -------------------------- .. versionadded:: 4.3.0 -- Boolean -- Default: true +- One of ``no``, ``dnssec``, ``yes``, String +- Default: ``dnssec`` -Enables :rfc:`8020` handling of cached NXDOMAIN responses. +The type of :rfc:`8020` handling of cached NXDOMAIN responses. This RFC specifies that NXDOMAIN means that the DNS tree under the denied name MUST be empty. When an NXDOMAIN exists in the cache for a shorter name than the qname, no lookup is done and an NXDOMAIN is sent to the client. -For instance, when ``foo.example.net`` is negatively cached, any query matching ``*.foo.example.net`` will be answered with NXDOMAIN directly without consulting authoritative servers. +For instance, when ``foo.example.net`` is negatively cached, any query +matching ``*.foo.example.net`` will be answered with NXDOMAIN directly +without consulting authoritative servers. + +no +~~ +No :rfc:`8020` processing is done. + +dnssec +~~~~~~ +:rfc:`8020` processing is only done for NXDOMAIN records that are +DNSSEC validated. + +yes +~~~ +:rfc:`8020` procssing is done for any non-Bogus NXDOMAIN record +available in the cache. .. _setting-nsec3-max-iterations:
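Review bot: In the added ``yes`` section, "procssing" should be "processing" (":rfc:`8020` procssing is done for any non-Bogus NXDOMAIN record"). The type line moves from "Boolean" with default "true" to a string taking ``no``, ``dnssec`` or ``yes``, but the new text does not say whether a boolean value in an existing configuration is still accepted or how it maps onto the three values. One sentence on that would help operators who already set this option. The ``dnssec`` entry would also be clearer if it stated what the mode does when the recursor is not performing DNSSEC validation, because the default is now ``dnssec`` and the description only covers NXDOMAIN records "that are DNSSEC validated".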