From a20c42dca68737ca341bd24fff403cf5c7940aa1 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Mon, 28 Oct 2019 15:04:38 -0500 Subject: [PATCH] Disable NSEC Aggressive Cache (synth-from-dnssec) by default It was found that NSEC Aggressive Caching has a significant performance impact on BIND 9 when used as recursor. This commit disables the synth-from-dnssec configuration option by default to provide immediate remedy for people running BIND 9.12+. The NSEC Aggressive Cache will be enabled again after a proper fix will be prepared. --- bin/named/config.c | 2 +- doc/arm/Bv9ARM-book.xml | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/bin/named/config.c b/bin/named/config.c index 48c84b2d984..17141ea16a0 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -193,7 +193,7 @@ options {\n\ # sortlist \n\ stale-answer-enable false;\n\ stale-answer-ttl 1; /* 1 second */\n\ - synth-from-dnssec yes;\n\ + synth-from-dnssec no;\n\ # topology \n\ transfer-format many-answers;\n\ v6-bias 50;\n\ diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index f1722e104cf..048a4153394 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -6768,7 +6768,9 @@ options { Synthesize answers from cached NSEC, NSEC3 and other RRsets that have been proved to be correct - using DNSSEC. The default is yes. + using DNSSEC. The default is no, + but it will become yes again + in the future releases. Note: -- 2.47.3
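Review bot: In the bin/named/config.c hunk, the built-in default flips from `synth-from-dnssec yes;` to `synth-from-dnssec no;`, but the diffstat lists only config.c and Bv9ARM-book.xml, so the behaviour change ships without a release-note entry. Resolvers that never set the option will silently stop synthesizing negative answers from cached NSEC records after upgrading. Please add a release note stating the new default and that operators who want the previous behaviour must now set `synth-from-dnssec yes;` explicitly. It is also worth confirming that no existing test relies on the old implicit default.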
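Review bot: In the doc/arm/Bv9ARM-book.xml hunk, the added text "but it will become yes again in the future releases" documents an intention rather than current behaviour and gives the reader no reason for the change. Suggest stating why the default is no (the commit message cites a significant performance impact when BIND 9 is used as a recursor) and that the option can still be enabled explicitly. If the forward-looking sentence stays, "in a future release" reads better than "in the future releases".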