diff --git a/doc/Changelog b/doc/Changelog index c5658988f..ea5f8314d 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -2,6 +2,7 @@ - Merge PR #532 from Shchelk: Fix: buffer overflow bug. - Merge PR #616: Update ratelimit logic. It also introduces ratelimit-backoff and ip-ratelimit-backoff configuration options. + - Change aggressive-nsec default to yes. 1 February 2022: George - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA diff --git a/doc/example.conf.in b/doc/example.conf.in index 64f4cd988..76ac604f9 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -442,7 +442,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. - # aggressive-nsec: no + # aggressive-nsec: yes # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index bb556300b..756c02855 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -973,7 +973,7 @@ This option only has effect when qname-minimisation is enabled. Default is no. .B aggressive\-nsec: \fI Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other denials, using information from previous NXDOMAINs answers. -Default is no. It helps to reduce the query rate towards targets that get +Default is yes. It helps to reduce the query rate towards targets that get a very high nonexistent name lookup rate. .TP .B private\-address: \fI diff --git a/testdata/root_key_sentinel.rpl b/testdata/root_key_sentinel.rpl index 1b66c5aac..2310953ad 100644 --- a/testdata/root_key_sentinel.rpl +++ b/testdata/root_key_sentinel.rpl 
@@ -175,11 +175,11 @@ REPLY QR RD RA AD DO NXDOMAIN SECTION QUESTION root-key-sentinel-not-ta-20326. IN A SECTION AUTHORITY -. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018042300 1800 900 604800 86400 -. 86400 IN RRSIG SOA 8 0 86400 20180506050000 20180423040000 39570 . LboVfcSRUSuBcZPpkkOO1N6KpGO6DBzOGL6UtSVUssycPzGIZctcIM0s Kb71iBf3rxFjNVlgCuNFb74WpCyRQ2coB2uUQXVA81A+P4Qb62/s3Nr2 pRGxayA1Y0Uq2M4CRkh3bjgn/cEcEFSWTl+xDVjZO8hX98JdQjYmrVui 4zEQhsMM03sqkmjkH88owibWK7HDl6O0n6Imer2hCsVTlFv7PSrBHlXP KntkIMDtbGHZW/BkKnA6P1jfAVfgXr70bRVaDRddLqJp3EX6EuR83osg 8q46170NgCMCKK3ePItJYF16SEADFKdOQs19CMTXAN7M1p4cnGk2yRG/ 68BmCg== . 86400 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY . 86400 IN RRSIG NSEC 8 0 86400 20180506050000 20180423040000 39570 . E1FeP4/GvcPksKXgas9pslduWU6+cqqSoJpgtCeymd6t7MORbnsQJdUo rjqbRtxvOOnv5g4uVZdv0krSc/eqw8HWEiCW0oZWYLcz+h8eI4htt4uv 8LciVgQn3Aspic2b8uWdPTJUPuc94esn5AJZDMK9VOTwZD2UVqbv/k9U 4LG0o56yRQshYTG2hiutFXLYmzFe2YmKct6G7W50O7s5hwxTqqRwv9av 1Q3UZUj/ZARNt9z53pygJsDPDX+L2q4lowtiHJCRPjijm8K3Bwb8uFsG 3YB20K9d3krack9c6gAMJzpgeuFQ/b2HxiZMJPvJ3tHqIhDn0U5qoZdT Xq0WTw== room. 86400 IN NSEC rs. NS DS RRSIG NSEC room. 86400 IN RRSIG NSEC 8 1 86400 20180506050000 20180423040000 39570 . Fmhf8s0yVixynVdO6VWLEctcvb7+3UK9gu+9BhUPBS0SNedhMwfyiYaR MzWU9P99gVYUT1G/vXRqbAabtD3Ccnt/ydUBguZq3pV5GL+7czeEbZ5z 8/LlS+wyw2OTe4DOKzBZ7oZAA/r/Tz2bhVA6kNyIKFXAmBXuh7I5Ty7H elbIWh7Lq7QjZwN9LL4M1kSNePH2cmS3Lu/scRf3m3fN/70sgoYzKNB7 +Hbi/YjXBbRIcj7tHA6iMoZLGPXRMJdb6NqJNIaDIDtOA95cFa4oRx2P usBW9lpXG0YY+KDm1J6UjxUP7TIn0yXt+c0vy2cz7zu++ZEkdU29WtBG dUQEaA== +. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018042300 1800 900 604800 86400 +. 86400 IN RRSIG SOA 8 0 86400 20180506050000 20180423040000 39570 . 
LboVfcSRUSuBcZPpkkOO1N6KpGO6DBzOGL6UtSVUssycPzGIZctcIM0s Kb71iBf3rxFjNVlgCuNFb74WpCyRQ2coB2uUQXVA81A+P4Qb62/s3Nr2 pRGxayA1Y0Uq2M4CRkh3bjgn/cEcEFSWTl+xDVjZO8hX98JdQjYmrVui 4zEQhsMM03sqkmjkH88owibWK7HDl6O0n6Imer2hCsVTlFv7PSrBHlXP KntkIMDtbGHZW/BkKnA6P1jfAVfgXr70bRVaDRddLqJp3EX6EuR83osg 8q46170NgCMCKK3ePItJYF16SEADFKdOQs19CMTXAN7M1p4cnGk2yRG/ 68BmCg==
 ENTRY_END
 SCENARIO_END
diff --git a/util/config_file.c b/util/config_file.c
index 6fa1d114f..969d664b4 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -260,7 +260,7 @@ config_create(void)
 cfg->val_log_level = 0;
 cfg->val_log_squelch = 0;
 cfg->val_permissive_mode = 0;
- cfg->aggressive_nsec = 0;
+ cfg->aggressive_nsec = 1;
 cfg->ignore_cd = 0;
 cfg->serve_expired = 0;
 cfg->serve_expired_ttl = 0;
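Review bot: The flipped default at `cfg->aggressive_nsec = 1;` in config_create carries no comment, and it silently changes behaviour for every configuration that never set the option: per the option's own description, denials (NXDOMAIN and others) are then synthesized from previously cached NSEC records rather than fetched upstream. I would add a comment on that line, `/* default on: synthesize denials from cached NSEC records (RFC 8198) */`, so a reader of the defaults sees that this one is deliberate and that `aggressive-nsec: no` is now the explicit opt-out. The only test change visible in this commit is the record reordering in testdata/root_key_sentinel.rpl, so a test that pins the explicit `no` path may be worth adding if none exists elsewhere. config_create's body starts and ends outside the hunk.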