Disable NSEC Aggressive Cache (synth-from-dnssec) by default

It was found that NSEC Aggressive Caching has a significant performance impact on BIND 9 when used as recursor. This commit disables the synth-from-dnssec configuration option by default to provide immediate remedy for people running BIND 9.12+. The NSEC Aggressive Cache will be enabled again after a proper fix will be prepared. (cherry picked from commit a20c42dca6)
2026-03-21 01:50:07 -04:00 · 2019-10-28 15:04:38 -05:00 · 2019-10-28 15:04:38 -05:00 · b97004be30
commit b97004be30
parent 4fb9ef674f
2 changed files with 4 additions and 2 deletions
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -197,7 +197,7 @@ options {\n\
 #	sortlist <none>\n\
 	stale-answer-enable false;\n\
 	stale-answer-ttl 1; /* 1 second */\n\
-	synth-from-dnssec yes;\n\
+	synth-from-dnssec no;\n\
 #	topology <none>\n\
 	transfer-format many-answers;\n\
 	v6-bias 50;\n\
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@ -6812,7 +6812,9 @@ options {
 		<para>
 		  Synthesize answers from cached NSEC, NSEC3 and
 		  other RRsets that have been proved to be correct
-		  using DNSSEC.  The default is <command>yes</command>.
+		  using DNSSEC.  The default is <command>no</command>,
+		  but it will become <command>yes</command> again
+		  in the future releases.
 		</para>
 		<para>
 		  Note: