From: Wouter Wijngaards Date: Wed, 2 Jan 2008 13:48:19 +0000 (+0000) Subject: refused stops retries. X-Git-Tag: release-0.9~113 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7cb0f27ccda517727fb27ddd17861ec69e4cd24;p=thirdparty%2Funbound.git refused stops retries. git-svn-id: file:///svn/unbound/trunk@823 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index d227a3fe0..8a2e490f1 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,8 @@ +2 January 2008: Wouter + - fixup typo in requirements. + - document that 'refused' is a better choice than 'drop' for + the access control list, as refused will stop retries. + 7 December 2007: Wouter - unbound-host has a -d option to show what happens. This can help with debugging (why do I get this answer). diff --git a/doc/unbound.conf.5 b/doc/unbound.conf.5 index badee38bd..daf0d2391 100644 --- a/doc/unbound.conf.5 +++ b/doc/unbound.conf.5 @@ -168,6 +168,9 @@ Deny stops queries from hosts from that netblock. Refuse stops queries too, but sends a DNS rcode REFUSED error message back. Allow gives access to clients from that netblock. By default only localhost is allowed, the rest is refused. +The default is refused, because that is protocol-friendly. The DNS protocol +is not designed to handle dropped packets due to policy, and dropping may +result in (possibly excessive) retried queries. .It \fBchroot:\fR If given a chroot is done to the given directory. The default is "/etc/unbound". If you give "" no chroot is performed.
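
Review bot: In the doc/Changelog hunk, the entry "fixup typo in requirements" has no matching change in the visible patch, which touches only doc/Changelog and doc/unbound.conf.5. Either include the requirements fix in this commit or move that line to the commit that carries it. The entry also says 'drop' where the unbound.conf.5 text names the action "Deny"; using the name from the manual page would make the entry easier to match to the option.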
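
Review bot: In the doc/unbound.conf.5 hunk (@@ -168,6 +168,9 @@), the added sentence "The default is refused, because that is protocol-friendly" repeats the context line just above it ("By default only localhost is allowed, the rest is refused") and switches from the action names used in that paragraph (Deny, Refuse) to "refused" and "dropping". Suggest folding the rationale into the existing default sentence and stating that "dropping" refers to the deny action. Because the context says refuse "sends a DNS rcode REFUSED error message back", it would also help to add one sentence on when deny is still the intended choice, since refuse produces a reply for every blocked query.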