- Change aggressive-nsec default to yes.

doc/Changelog

@@ -2,6 +2,7 @@
 	- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
 	- Merge PR #616: Update ratelimit logic. It also introduces
 	  ratelimit-backoff and ip-ratelimit-backoff configuration options.
+	- Change aggressive-nsec default to yes.
 
 1 February 2022: George
 	- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA

doc/example.conf.in

@@ -442,7 +442,7 @@ server:
 
 	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
 	# and other denials, using information from previous NXDOMAINs answers.
-	# aggressive-nsec: no
+	# aggressive-nsec: yes
 
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.

doc/unbound.conf.5.in

@@ -973,7 +973,7 @@ This option only has effect when qname-minimisation is enabled. Default is no.
 .B aggressive\-nsec: \fI<yes or no>
 Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
 and other denials, using information from previous NXDOMAINs answers.
-Default is no.  It helps to reduce the query rate towards targets that get
+Default is yes.  It helps to reduce the query rate towards targets that get
 a very high nonexistent name lookup rate.
 .TP
 .B private\-address: \fI<IP address or subnet>

testdata/root_key_sentinel.rpl

@@ -175,11 +175,11 @@ REPLY QR RD RA AD DO NXDOMAIN
 SECTION QUESTION
 root-key-sentinel-not-ta-20326.	IN	A
 SECTION AUTHORITY
-.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2018042300 1800 900 604800 86400
-.			86400	IN	RRSIG	SOA 8 0 86400 20180506050000 20180423040000 39570 . LboVfcSRUSuBcZPpkkOO1N6KpGO6DBzOGL6UtSVUssycPzGIZctcIM0s Kb71iBf3rxFjNVlgCuNFb74WpCyRQ2coB2uUQXVA81A+P4Qb62/s3Nr2 pRGxayA1Y0Uq2M4CRkh3bjgn/cEcEFSWTl+xDVjZO8hX98JdQjYmrVui 4zEQhsMM03sqkmjkH88owibWK7HDl6O0n6Imer2hCsVTlFv7PSrBHlXP KntkIMDtbGHZW/BkKnA6P1jfAVfgXr70bRVaDRddLqJp3EX6EuR83osg 8q46170NgCMCKK3ePItJYF16SEADFKdOQs19CMTXAN7M1p4cnGk2yRG/ 68BmCg==
 .			86400	IN	NSEC	aaa. NS SOA RRSIG NSEC DNSKEY
 .			86400	IN	RRSIG	NSEC 8 0 86400 20180506050000 20180423040000 39570 . E1FeP4/GvcPksKXgas9pslduWU6+cqqSoJpgtCeymd6t7MORbnsQJdUo rjqbRtxvOOnv5g4uVZdv0krSc/eqw8HWEiCW0oZWYLcz+h8eI4htt4uv 8LciVgQn3Aspic2b8uWdPTJUPuc94esn5AJZDMK9VOTwZD2UVqbv/k9U 4LG0o56yRQshYTG2hiutFXLYmzFe2YmKct6G7W50O7s5hwxTqqRwv9av 1Q3UZUj/ZARNt9z53pygJsDPDX+L2q4lowtiHJCRPjijm8K3Bwb8uFsG 3YB20K9d3krack9c6gAMJzpgeuFQ/b2HxiZMJPvJ3tHqIhDn0U5qoZdT Xq0WTw==
 room.			86400	IN	NSEC	rs. NS DS RRSIG NSEC
 room.			86400	IN	RRSIG	NSEC 8 1 86400 20180506050000 20180423040000 39570 . Fmhf8s0yVixynVdO6VWLEctcvb7+3UK9gu+9BhUPBS0SNedhMwfyiYaR MzWU9P99gVYUT1G/vXRqbAabtD3Ccnt/ydUBguZq3pV5GL+7czeEbZ5z 8/LlS+wyw2OTe4DOKzBZ7oZAA/r/Tz2bhVA6kNyIKFXAmBXuh7I5Ty7H elbIWh7Lq7QjZwN9LL4M1kSNePH2cmS3Lu/scRf3m3fN/70sgoYzKNB7 +Hbi/YjXBbRIcj7tHA6iMoZLGPXRMJdb6NqJNIaDIDtOA95cFa4oRx2P usBW9lpXG0YY+KDm1J6UjxUP7TIn0yXt+c0vy2cz7zu++ZEkdU29WtBG dUQEaA==
+.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2018042300 1800 900 604800 86400
+.			86400	IN	RRSIG	SOA 8 0 86400 20180506050000 20180423040000 39570 . LboVfcSRUSuBcZPpkkOO1N6KpGO6DBzOGL6UtSVUssycPzGIZctcIM0s Kb71iBf3rxFjNVlgCuNFb74WpCyRQ2coB2uUQXVA81A+P4Qb62/s3Nr2 pRGxayA1Y0Uq2M4CRkh3bjgn/cEcEFSWTl+xDVjZO8hX98JdQjYmrVui 4zEQhsMM03sqkmjkH88owibWK7HDl6O0n6Imer2hCsVTlFv7PSrBHlXP KntkIMDtbGHZW/BkKnA6P1jfAVfgXr70bRVaDRddLqJp3EX6EuR83osg 8q46170NgCMCKK3ePItJYF16SEADFKdOQs19CMTXAN7M1p4cnGk2yRG/ 68BmCg==
 ENTRY_END
 SCENARIO_END

util/config_file.c

@@ -260,7 +260,7 @@ config_create(void)
 	cfg->val_log_level = 0;
 	cfg->val_log_squelch = 0;
 	cfg->val_permissive_mode = 0;
-	cfg->aggressive_nsec = 0;
+	cfg->aggressive_nsec = 1;
 	cfg->ignore_cd = 0;
 	cfg->serve_expired = 0;
 	cfg->serve_expired_ttl = 0;