From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Thu, 30 Nov 2017 08:34:20 +0000 (+0000)
Subject: - Fix #3299 - forward CNAME daisy chain is not working
X-Git-Tag: release-1.7.0rc1~149
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aeeb123b1e46a05662917458a896e0f27fcf06bc;p=thirdparty%2Funbound.git

- Fix #3299 - forward CNAME daisy chain is not working


git-svn-id: file:///svn/unbound/trunk@4409 be551aaa-1e26-0410-a405-d3ace91eadb9
---

diff --git a/doc/Changelog b/doc/Changelog
index e93336117..66b79bbb2 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+30 November 2017: Wouter 
+	- Fix #3299 - forward CNAME daisy chain is not working
+
 14 November 2017: Wouter 
 	- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
 	  set for stub zone.  It no longer searches for DNSSEC information.
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 4088c77e5..b7890a211 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1394,6 +1394,9 @@ forward the queries to. The servers listed as \fBforward\-host:\fR and
 those servers are not authority servers, but are (just like unbound is)
 recursive servers too; unbound does not perform recursion itself for the
 forward zone, it lets the remote server do it.  Class IN is assumed.
+CNAMEs are chased by unbound itself, asking the remote server for every
+name in the indirection chain, to protect the local cache from illegal
+indirect referenced items.
 A forward\-zone entry with name "." and a forward\-addr target will
 forward all queries to that other server (unless it can answer from
 the cache).