Commit 7cb14b61 authored by Tinderbox User's avatar Tinderbox User
Browse files

regen master

parent c85b467d
......@@ -4992,6 +4992,12 @@ options {
DNSSEC validation must be enabled for this
option to be effective.
</p>
<p>
This initial implementation only covers synthesis
of answers from NSEC records. Synthesis from NSEC3
is planned for the future. This will also be
controlled by <span class="command"><strong>synth-from-dnssec</strong></span>.
</p>
</li></ul></div>
<p>
</p>
......
......@@ -214,13 +214,17 @@
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> can now synthesize NXDOMAIN responses
from cached DNSSEC-verified records returned in negative or
wildcard responses. This will reduce query loads on
authoritative servers for signed domains: if existing cached
records can be used by the resolver to determine that a name does
not exist in the authorittive domain, then no query needs to
be sent.
<span class="command"><strong>named</strong></span> can now synthesize negative responses
(NXDOMAIN, NODATA, or wildcard answers) from cached DNSSEC-verified
records that were returned in negative or wildcard responses from
authoritative servers.
</p>
<p>
This will reduce query loads on authoritative servers for signed
domains: when existing cached records can be used by the resolver
to determine that a name does not exist in the authorittive domain,
no query needs to be sent. Reducing the number of iterative queries
should also improve resolver performance.
</p>
<p>
This behavior is controlled by the new
......@@ -228,6 +232,11 @@
<span class="command"><strong>synth-from-dnssec</strong></span>. It is enabled by
default.
</p>
<p>
Note: this currently only works for zones signed using NSEC.
Support for zones signed using NSEC3 (without opt-out) is
planned for the future.
</p>
<p>
Thanks to APNIC for sponsoring this work.
</p>
......
......@@ -175,13 +175,17 @@
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> can now synthesize NXDOMAIN responses
from cached DNSSEC-verified records returned in negative or
wildcard responses. This will reduce query loads on
authoritative servers for signed domains: if existing cached
records can be used by the resolver to determine that a name does
not exist in the authorittive domain, then no query needs to
be sent.
<span class="command"><strong>named</strong></span> can now synthesize negative responses
(NXDOMAIN, NODATA, or wildcard answers) from cached DNSSEC-verified
records that were returned in negative or wildcard responses from
authoritative servers.
</p>
<p>
This will reduce query loads on authoritative servers for signed
domains: when existing cached records can be used by the resolver
to determine that a name does not exist in the authorittive domain,
no query needs to be sent. Reducing the number of iterative queries
should also improve resolver performance.
</p>
<p>
This behavior is controlled by the new
......@@ -189,6 +193,11 @@
<span class="command"><strong>synth-from-dnssec</strong></span>. It is enabled by
default.
</p>
<p>
Note: this currently only works for zones signed using NSEC.
Support for zones signed using NSEC3 (without opt-out) is
planned for the future.
</p>
<p>
Thanks to APNIC for sponsoring this work.
</p>
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment