regen master

doc/arm/Bv9ARM.ch06.html

@@ -4992,6 +4992,12 @@ options {
                         DNSSEC validation must be enabled for this
                         option to be effective.
                       </p>
+                      <p>
+                        This initial implementation only covers synthesis
+                        of answers from NSEC records.  Synthesis from NSEC3
+                        is planned for the future.  This will also be
+                        controlled by <span class="command"><strong>synth-from-dnssec</strong></span>.
+                      </p>
                     </li></ul></div>
 <p>
                 </p>

doc/arm/Bv9ARM.ch09.html

@@ -214,13 +214,17 @@
       </li>
 <li class="listitem">
 	<p>
-	  <span class="command"><strong>named</strong></span> can now synthesize NXDOMAIN responses
-	  from cached DNSSEC-verified records returned in negative or
-	  wildcard responses.  This will reduce query loads on
-	  authoritative servers for signed domains: if existing cached
-	  records can be used by the resolver to determine that a name does
-	  not exist in the authorittive domain, then no query needs to
-	  be sent.
+	  <span class="command"><strong>named</strong></span> can now synthesize negative responses
+	  (NXDOMAIN, NODATA, or wildcard answers) from cached DNSSEC-verified
+	  records that were returned in negative or wildcard responses from
+	  authoritative servers.
+	</p>
+	<p>
+	  This will reduce query loads on authoritative servers for signed
+	  domains: when existing cached records can be used by the resolver
+	  to determine that a name does not exist in the authorittive domain,
+	  no query needs to be sent. Reducing the number of iterative queries
+	  should also improve resolver performance.
 	</p>
 	<p>
 	  This behavior is controlled by the new
@@ -228,6 +232,11 @@
 	  <span class="command"><strong>synth-from-dnssec</strong></span>.  It is enabled by
 	  default.
 	</p>
+	<p>
+	  Note: this currently only works for zones signed using NSEC.
+	  Support for zones signed using NSEC3 (without opt-out) is
+	  planned for the future.
+	</p>
 	<p>
 	  Thanks to APNIC for sponsoring this work.
 	</p>

doc/arm/notes.html

@@ -175,13 +175,17 @@
       </li>
 <li class="listitem">
 	<p>
-	  <span class="command"><strong>named</strong></span> can now synthesize NXDOMAIN responses
-	  from cached DNSSEC-verified records returned in negative or
-	  wildcard responses.  This will reduce query loads on
-	  authoritative servers for signed domains: if existing cached
-	  records can be used by the resolver to determine that a name does
-	  not exist in the authorittive domain, then no query needs to
-	  be sent.
+	  <span class="command"><strong>named</strong></span> can now synthesize negative responses
+	  (NXDOMAIN, NODATA, or wildcard answers) from cached DNSSEC-verified
+	  records that were returned in negative or wildcard responses from
+	  authoritative servers.
+	</p>
+	<p>
+	  This will reduce query loads on authoritative servers for signed
+	  domains: when existing cached records can be used by the resolver
+	  to determine that a name does not exist in the authorittive domain,
+	  no query needs to be sent. Reducing the number of iterative queries
+	  should also improve resolver performance.
 	</p>
 	<p>
 	  This behavior is controlled by the new
@@ -189,6 +193,11 @@
 	  <span class="command"><strong>synth-from-dnssec</strong></span>.  It is enabled by
 	  default.
 	</p>
+	<p>
+	  Note: this currently only works for zones signed using NSEC.
+	  Support for zones signed using NSEC3 (without opt-out) is
+	  planned for the future.
+	</p>
 	<p>
 	  Thanks to APNIC for sponsoring this work.
 	</p>