mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00

Added nsdname-wait-recurse documentation to ARM

Diego Fronza
2020-03-11 16:58:36 -03:00
parent 2822b01636
commit 4e8f8da661


@@ -9843,18 +9843,36 @@ deny-answer-aliases { "example.net"; };
<listitem> <listitem>
<para> <para>
NSDNAME triggers match names of authoritative servers NSDNAME triggers match names of authoritative servers
for the query name, a parent of the query name, a CNAME for for the query name, a parent of the query name, a CNAME
query name, or a parent of a CNAME. for query name, or a parent of a CNAME. They are
They are encoded as subdomains of encoded as subdomains of <command>rpz-nsdname</command>
<command>rpz-nsdname</command> relativized relativized to the RPZ origin name. NSIP triggers match
to the RPZ origin name. IP addresses in A and AAAA RRsets for domains that can
NSIP triggers match IP addresses in A and be checked against NSDNAME policy records. The
AAAA RRsets for domains that can be checked against NSDNAME <command>nsdname-enable</command> phrase turns NSDNAME
policy records.
The <command>nsdname-enable</command> phrase turns NSDNAME
triggers off or on for a single policy zone or all triggers off or on for a single policy zone or all
zones. zones.
</para> </para>
<para>
If authoritative nameservers for the query name are not
yet known, <command>named</command> will recursively
look up the authoritative servers for the query name
before applying an RPZ-NSDNAME rule.
This can cause a processing delay. To speed up
processing at the cost of precision, the
<command>nsdname-wait-recurse</command> option
can be used: when set to <userinput>no</userinput>,
RPZ-NSDNAME rules will only be applied when authoritative
servers for the query name have already been looked up and
cached. If authoritative servers for the query name
are not in the cache, then the RPZ-NSDNAME rule will be
ignored, but the authoritative servers for the query name
will be looked up in the background, and the rule will be
applied to subsequent queries. The default is
<userinput>yes</userinput>, meaning RPZ-NSDNAME
rules should always be applied even if authoritative
servers for the query name need to be looked up first.
</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
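Review bot: the new paragraph never says whether nsdname-wait-recurse applies to a single policy zone or to all zones, while the paragraph just above states this for nsdname-enable ("for a single policy zone or all zones"); please state the scope in the same wording. The phrase "at the cost of precision" also understates what the following sentences describe: with no, the rule is ignored for any query whose authoritative servers are not yet cached, so that query is answered without the NSDNAME rule being applied. Saying that directly in the sentence that introduces the option would make the trade-off clear to operators who rely on NSDNAME rules for blocking. Two smaller points: the new text says "RPZ-NSDNAME rule" where the preceding paragraph says "NSDNAME triggers" and "NSDNAME policy records", so pick one term, and the reflowed first paragraph still reads "a CNAME for query name" (missing "the"), which could be fixed while the lines are being touched.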