[master] add nsip-wait-recurse release note

370c6e0a · Evan Hunt · 5ac42705 · 370c6e0a · 370c6e0a
Commit 370c6e0a authored May 05, 2016 by Evan Hunt
--- a/CHANGES
+++ b/CHANGES
@@ -12,7 +12,7 @@

 4356.	[func]		Add the ability to specify whether to wait for
 			nameserver addresses to be looked up or not to
-			rpz with a new modifying directive 'nsip-wait-recurse'.
+			RPZ with a new modifying directive 'nsip-wait-recurse'.
 			[RT #35009]

 4355.	[func]		"pkcs11-list" now displays the extractability

--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -649,6 +649,20 @@
 	  on Linux is now supported.
 	</para>
      </listitem>
+      <listitem>
+	<para>
+	  A new <option>nsip-wait-recurse</option> directive has been
+	  added to RPZ, specifying whether to look up unknown name server
+	  IP addresses and wait for a response before applying RPZ-NSIP rules.
+	  The default is <userinput>yes</userinput>. If set to
+	  <userinput>no</userinput>, <command>named</command> will only
+	  apply RPZ-NSIP rules to servers whose addresses are already cached.
+	  The addresses will be looked up in the background so the rule can
+	  be applied on subsequent queries. This improves performance when
+	  the cache is cold, at the cost of temporary imprecision in applying
+	  policy directives. [RT #35009]
+	</para>
+      </listitem>
      <listitem>
 	<para>
 	  Within the <option>response-policy</option> option, it is now