Disable NSEC Aggressive Cache (synth-from-dnssec) by default

It was found that NSEC Aggressive Caching has a significant performance impact
on BIND 9 when used as recursor.  This commit disables the synth-from-dnssec
configuration option by default to provide immediate remedy for people running
BIND 9.12+.  The NSEC Aggressive Cache will be enabled again after a proper fix
will be prepared.

(cherry picked from commit a20c42dca68737ca341bd24fff403cf5c7940aa1)

diff --git a/bin/named/config.c b/bin/named/config.c
index 706d4181d883be79e6f7b3b6c1d1837b15993f7a..55b1e2dded2d39d931316cf86f691f76eec782f8 100644 (file)
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -197,7 +197,7 @@ options {\n\
 #      sortlist <none>\n\
        stale-answer-enable false;\n\
        stale-answer-ttl 1; /* 1 second */\n\
-       synth-from-dnssec yes;\n\
+       synth-from-dnssec no;\n\
 #      topology <none>\n\
        transfer-format many-answers;\n\
        v6-bias 50;\n\

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 1009d2035418614331738b83ccd1b489eabc1f93..46b96ad4b73546d95fabe760da459e7b2f331b79 100644 (file)
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -6812,7 +6812,9 @@ options {
                <para>
                  Synthesize answers from cached NSEC, NSEC3 and
                  other RRsets that have been proved to be correct
-                 using DNSSEC.  The default is <command>yes</command>.
+                 using DNSSEC.  The default is <command>no</command>,
+                 but it will become <command>yes</command> again
+                 in the future releases.
                </para>
                <para>
                  Note: