- Fix to decrement the per-netblock tcp connection limits, so
it keeps usable. Thanks to Qifan Zhang, Palo Alto Networks,
for the report.
+ - Fix manual to document ratelimit, that it is for target
+ nameservers for a domain, and keeps queries limited. Thanks
+ to Qifan Zhang, Palo Alto Networks, for the report.
26 May 2026: Wouter
- Fix for mesh new client and mesh new callback to rollback the
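Review bot: The added changelog entry ("Fix manual to document ratelimit, that it is for target nameservers for a domain, and keeps queries limited") is hard to parse and does not say which manual page it touches. Suggest naming the page and stating the point directly, for example "Fix unbound.conf manual to document that ratelimit counts queries towards the target nameservers for a domain, and keeps those queries limited." It would also help to make clear that this is a documentation-only change, since the entry directly above it, credited to the same reporter, is a behaviour fix.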
overloaded with random names, and keeps unbound from sending traffic to the
nameservers for those zones.
+ It is intended to count the number of queries towards the nameservers
+ for the zone, and keep those queries limited.
+ When there is a delegation that needs a lot of lookups, those are
+ charged in the counters for the destination, the target name, of
+ the NS records.
+ Since that is where the nameserver lookup queries are sent to.
+ That keeps the target, the victim domain, from having many queries.
+ With the :ref:`ratelimit-factor<unbound.conf.ratelimit-factor>`, some
+ genuine queries that are also made to the target zone, can filter
+ through, and then end up in cache, where the genuine answers have
+ a chance to collect, keeping up service to some extent.
+
.. note:: Configured forwarders are excluded from ratelimiting.
Default: 0
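Review bot: In the added paragraph, "charged in the counters for the destination, the target name, of the NS records" does not make clear which zone's counter is incremented when a delegation needs many lookups. Please state outright whether the queries are counted against the zone that holds the NS target names rather than the zone that published the delegation, since an operator reading ratelimit logs needs to know which name will show up as limited. "Since that is where the nameserver lookup queries are sent to." is a sentence fragment and should be joined to the sentence before it. "the target, the victim domain" introduces "victim" without the text having described the situation it refers to; a short clause saying that a delegation with many NS targets can direct lookup traffic at a third-party domain would make the term understandable.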