unbound/doc/plan

Plan for Unbound 1.1.

2 month project writeup.
- immediate attention: done
- security issues:      1 week.
- remote control:	2 week
- improvements:		1 week
- draft-mitigation:	2 week
total 6 of 8 weeks; 2 weeks for maintenance activities.

*** Immediate attention
- DLV
- Plus aggressive negative caching for NSEC DLV repository.
- filter out overreaching NSEC records.
- dev/log(syslog) opened before chroot.
- Fixup rrset security updates overwriting 2181 trust status.
  This makes validated to be insecure data just as worthless as
  nonvalidated data, and 2181 rules prevent cache overwrites to them.
- use setresuid/setresgid, more secure.
- make realclean works better, by Robert Edmonds.
- nicer logfile message classification as notice, info, debug.
- bug #208: extra rc.d unbound flexibility for freebsd/nanobsd.
- bug #203: nicer do-auto log message when user sets incompatible options.
- bug #204: variable name ameliorated in log.c.
- bug #206: in iana_update, no egrep, but awk use.
- fixup update-anchor.sh to work both in BSD shell and bash.
(done)

*** Security issues
+ current NS query retry is an option, default off, experimental on,
  because of the added load to 3rd parties.
+ block nonRD queries, acl like.
	what about our authority features, those are allowed.
+ DoS vector, flush more.
	50% of max is for run-to-completion
	50% rest is for lifo queue with 100-200 msec timeout.
+ records in the additional section should not be marked bogus
  if they have no signer or a different signed. Validate if you can,
  otherwise leave unchecked.
* block DNS rebinding attacks, block all A records from 1918 IP blocks,
like dnswall does.  Allow certain subdomains to do it, config options.
	one option that controls on/off of all private space.
	note in config/man that we may consider turning on by default.

*** Remote control feature
* remote control using a TCP unbound-control commandline app.  
* secure remote control w. TSIG.  Or TLS.
* Nicer statistics (over that unbound-control app for ease)
    stats display added over threads, displayed in rddtool easy format.
* option for extended statistics. If enabled (not by default) collect print
        rcode, uptime, spoofnearmisses, cache size, qtype,
	bits(RD, CD, DO, EDNS-present, AD)query, (Secure, Bogus)reply.
	perhaps also see which slow auth servers cause >1sec values.
	stats-file possible with key: value or key=value lines in it.
	stats on SIGUSR1. addup stats over threads.
* remote control to add/remove localinfo, redirects.
* remote control to load/store cache contents
* remote control to start, stop, reload.
* remote control to flush names or domains (all under a name) from the 
   cache. Include NSes. And the A, AAAA for its NSes.
* remote control to see delegation; what servers would be used to get 
  data for a name.

*** Improvements
* fallback to noEDNS if all queries are dropped.
* dnssec lameness fixen. Check to make sure.
* negative caching to avoid DS queries, NSEC, NSEC3 (w params).
* SHA256 supported fully.
* Make stub to localhost on different port work.
* IPv6 reverse, IP4 reverse local-data shorthand for PTR records (?).
  cumbersome to reverse notate by hand for the operator. For local-data.
  local-reverse-data: "1.2.3.4 mypc.example.com"

*** from draft resolver-mitigation
* Should be an option?   (Not right now)
* direct queries for NS records
	* careful caching, only NS query causes referral caching.
* direct queries for A, AAAA in-bailiwick from a referral.
* trouble counter, cache wipe threshold.
* 0x20 default with fallback?

* off-path validation? 
* root NS, root glue validation after prime
* ignore bogus nameservers, pretend they always return a servfail.


*** Features features, for later
* dTLS, TLS, look to need special port numbers, cert storage, recent libssl.
* aggressive negative caching for NSEC, NSEC3.
* multiple queries per question, server exploration, server selection.
* NSID support.
* support TSIG on queries, for validating resolver deployment.
* private TTL
* retry-mode, where a bogus result triggers a retry-mode query, where a list
  of responses over a time interval is collected, and each is validated.
  or try in TCP mode. Do not 'try all servers several times', since we must
  not create packet storms with operator errors.
* draft-timers
* Windows port features
o on windows version, implement that OS ancillary data capabilities for
  interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg.
o local-zone directive with authority service, full authority server 
  is a non-goal.