diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 6fc046e950..e291dc88d0 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -9843,18 +9843,36 @@ deny-answer-aliases { "example.net"; }; NSDNAME triggers match names of authoritative servers
- for the query name, a parent of the query name, a CNAME for
- query name, or a parent of a CNAME.
- They are encoded as subdomains of
- rpz-nsdname relativized
- to the RPZ origin name.
- NSIP triggers match IP addresses in A and
- AAAA RRsets for domains that can be checked against NSDNAME
- policy records.
- The nsdname-enable phrase turns NSDNAME
+ for the query name, a parent of the query name, a CNAME
+ for query name, or a parent of a CNAME. They are
+ encoded as subdomains of rpz-nsdname
+ relativized to the RPZ origin name. NSIP triggers match
+ IP addresses in A and AAAA RRsets for domains that can
+ be checked against NSDNAME policy records. The
+ nsdname-enable phrase turns NSDNAME
 triggers off or on for a single policy zone or all zones.
+
+ If authoritative nameservers for the query name are not
+ yet known, named will recursively
+ look up the authoritative servers for the query name
+ before applying an RPZ-NSDNAME rule.
+ This can cause a processing delay. To speed up
+ processing at the cost of precision, the
+ nsdname-wait-recurse option
+ can be used: when set to no,
+ RPZ-NSDNAME rules will only be applied when authoritative
+ servers for the query name have already been looked up and
+ cached. If authoritative servers for the query name
+ are not in the cache, then the RPZ-NSDNAME rule will be
+ ignored, but the authoritative servers for the query name
+ will be looked up in the background, and the rule will be
+ applied to subsequent queries. The default is
+ yes, meaning RPZ-NSDNAME
+ rules should always be applied even if authoritative
+ servers for the query name need to be looked up first.