From: Ondřej Surý Date: Mon, 28 Oct 2019 20:04:38 +0000 (-0500) Subject: Disable NSEC Aggressive Cache (synth-from-dnssec) by default X-Git-Tag: v9.15.6~49^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a20c42dca68737ca341bd24fff403cf5c7940aa1;p=thirdparty%2Fbind9.git Disable NSEC Aggressive Cache (synth-from-dnssec) by default It was found that NSEC Aggressive Caching has a significant performance impact on BIND 9 when used as recursor. This commit disables the synth-from-dnssec configuration option by default to provide immediate remedy for people running BIND 9.12+. The NSEC Aggressive Cache will be enabled again after a proper fix will be prepared. --- diff --git a/bin/named/config.c b/bin/named/config.c index 48c84b2d984..17141ea16a0 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -193,7 +193,7 @@ options {\n\ # sortlist \n\ stale-answer-enable false;\n\ stale-answer-ttl 1; /* 1 second */\n\ - synth-from-dnssec yes;\n\ + synth-from-dnssec no;\n\ # topology \n\ transfer-format many-answers;\n\ v6-bias 50;\n\ diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index f1722e104cf..048a4153394 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -6768,7 +6768,9 @@ options { Synthesize answers from cached NSEC, NSEC3 and other RRsets that have been proved to be correct - using DNSSEC. The default is yes. + using DNSSEC. The default is no, + but it will become yes again + in the future releases. Note:
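Review bot: the default flip at `synth-from-dnssec no;` in the bin/named/config.c hunk changes resolver behaviour for every configuration that does not set the option, yet the visible diff touches only config.c and the ARM and carries no CHANGES or release-note entry and no test pinning the new built-in default. Suggest adding both in this series, so that operators upgrading learn that synthesis from cached NSEC/NSEC3 is off unless they set `synth-from-dnssec yes;` explicitly, and so that the planned re-enable later shows up as a deliberate test change rather than a silent one.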
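Review bot: the added ARM wording in the doc/arm/Bv9ARM-book.xml hunk, "but it will become yes again in the future releases", promises a future default without giving a reason or a release, and "in the future releases" should read "in a future release". Suggest stating in the manual why the default is no (the commit message cites a significant performance impact when BIND 9 is used as a recursor) and that the option can still be enabled explicitly, so a reader of the ARM alone can decide whether to set it.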