diff --git a/doc/Changelog b/doc/Changelog
index 7a02715dd..905442ebe 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+12 March 2018: Wouter
+ - Added documentation for aggressive-nsec: yes.
+
 9 March 2018: Wouter - Fix #3598: Fix swig build issue on rhel6 based system. configure --disable-swig-version-check stops the swig version check.
diff --git a/doc/example.conf.in b/doc/example.conf.in
index e764b50f1..dae86fb6f 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -380,6 +380,10 @@ server: # This option only has effect when qname-minimisation is enabled. # qname-minimisation-strict: no
+ # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+ # and other denials, using information from previous NXDOMAINs answers.
+ # aggressive-nsec: no
+
 # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. # use-caps-for-id: no
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 90a9a9fa8..edde384ee 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -725,6 +725,12 @@ potentially broken nameservers. A lot of domains will not be resolvable when this option in enabled. Only use if you know what you are doing. This option only has effect when qname-minimisation is enabled. Default is off. .TP
+.B aggressive\-nsec: \fI
+Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+and other denials, using information from previous NXDOMAINs answers.
+Default is off. It helps to reduce the query rate towards targets that get
+a very high nonexistant name lookup rate.
+.TP
 .B private\-address: \fI Give IPv4 of IPv6 addresses or classless subnets. These are addresses on your private network, and are not allowed to be returned for