diff --git a/doc/Changelog b/doc/Changelog index 60ea99829..4ef7bf16d 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +15 October 2008: Wouter + - better documentation for 0x20; remove fallback TODO, it is done. + 14 October 2008: Wouter - fwd_three.tpkg test was flaky. If the three requests hit the wrong threads by chance (or bad OS) then the test would fail. diff --git a/doc/example.conf.in b/doc/example.conf.in index 96fffacdf..ebe78a313 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -238,16 +238,12 @@ server: # Harden the referral path by performing additional queries for # infrastructure data. Validates the replies (if possible). - # Default off, because it burdens the authority servers, and it is - # not RFC standard, and could be slower. Experimental option. + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. # harden-referral-path: no # Use 0x20-encoded random bits in the query to foil spoof attempts. - # Disabled by default, because some caching forwarders may not - # support this (if you have forward-zones). Most authority servers do. # This feature is an experimental implementation of draft dns-0x20. - # It is known that some authority servers do not support 0x20, and - # resolution will fail for them. A solution is on the TODO list. # use-caps-for-id: no # Enforce privacy of these addresses. Strips them away from answers. diff --git a/doc/plan b/doc/plan index 38723dc3f..e7f12b928 100644 --- a/doc/plan +++ b/doc/plan 
@@ -70,15 +70,14 @@ not stats on SIGUSR1. perhaps also see which slow auth servers cause >1sec value + IPv6 reverse, IP4 reverse local-data shorthand for PTR records (?). cumbersome to reverse notate by hand for the operator. For local-data. local-data-ptr: "1.2.3.4 mypc.example.com" -+ dns-0x20 fallback TODO item. Consider. ++ dns-0x20 fallback. *** from draft resolver-mitigation -* Should be an option? (Not right now) -* direct queries for NS records - * careful caching, only NS query causes referral caching. ++ option harden-referral-path ++ direct queries for NS records +* careful caching, only NS query causes referral caching. * direct queries for A, AAAA in-bailiwick from a referral. * trouble counter, cache wipe threshold. -* 0x20 default with fallback? * off-path validation? * root NS, root glue validation after prime diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index ef5a037a4..389f0f13b 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -420,9 +420,7 @@ extra query load that is generated. Experimental option. Use 0x20-encoded random bits in the query to foil spoof attempts. This perturbs the lowercase and uppercase of query names sent to authority servers and checks if the reply still has the correct casing. -Disabled by default, because some caching forwarders may not -support this. It is known that some authority servers do not support 0x20, -and resolution will fail for them. A solution is on the TODO list. +Disabled by default. This feature is an experimental implementation of draft dns\-0x20. .TP .B private\-address: \fI
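Review bot: in the doc/example.conf.in hunk, the rewritten harden-referral-path comment says "the lookups burden the server" without saying which server; the removed line named the authority servers, so keep that: "Default off, because the lookups burden the authority servers." The use-caps-for-id comment also loses its only statement of what happens with servers that do not support 0x20; since the Changelog entry says the fallback is done, a one-line note that unbound falls back for such servers would tell operators why the forwarder and authority-server caveats were dropped rather than leaving them to wonder whether the problem still exists.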
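Review bot: in the doc/plan hunk, the open question "* 0x20 default with fallback?" is deleted outright while use-caps-for-id stays off by default in both doc/example.conf.in and doc/unbound.conf.5.in; if the decision is to keep the feature opt-in now that the fallback exists, say so (for example as a "+" done item or in the Changelog entry) instead of dropping the question, so the reasoning is not lost. The promotion of "careful caching, only NS query causes referral caching" from a sub-item of the NS-query line to a top-level "*" item is fine given that file's "+" done / "*" open convention, but it reads as a still-open item under an option that is now marked done, so a short qualifier on what remains to do would help.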
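Review bot: in the doc/unbound.conf.5.in hunk, "Disabled by default." now gives the reader no reason and no hint of the fallback behaviour; the removed lines at least explained that some servers do not support 0x20, so replace them with a sentence that states the fallback is in place rather than deleting the explanation entirely. Also, the example.conf.in hunk in this same patch now cites draft-wijngaards-dnsext-resolver-side-mitigation for harden-referral-path, but the man page text for that option (the "extra query load that is generated. Experimental option." context just above this hunk) is left without the draft reference; the two documents should name the same draft.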