doc updates

git-svn-id: file:///svn/unbound/trunk@1304 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,6 @@
+15 October 2008: Wouter
+	- better documentation for 0x20; remove fallback TODO, it is done.
+
 14 October 2008: Wouter
 	- fwd_three.tpkg test was flaky.  If the three requests hit the
 	  wrong threads by chance (or bad OS) then the test would fail.

doc/example.conf.in

@@ -238,16 +238,12 @@ server:
 
         # Harden the referral path by performing additional queries for
 	# infrastructure data.  Validates the replies (if possible).
-	# Default off, because it burdens the authority servers, and it is
-	# not RFC standard, and could be slower.  Experimental option.
+	# Default off, because the lookups burden the server.  Experimental 
+	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
 	# harden-referral-path: no
 
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
-	# Disabled by default, because some caching forwarders may not
-	# support this (if you have forward-zones). Most authority servers do.
 	# This feature is an experimental implementation of draft dns-0x20.
-	# It is known that some authority servers do not support 0x20, and
-	# resolution will fail for them. A solution is on the TODO list.
 	# use-caps-for-id: no
 	
 	# Enforce privacy of these addresses. Strips them away from answers. 

doc/plan

@@ -70,15 +70,14 @@ not	stats on SIGUSR1. perhaps also see which slow auth servers cause >1sec value
 + IPv6 reverse, IP4 reverse local-data shorthand for PTR records (?).
   cumbersome to reverse notate by hand for the operator. For local-data.
   local-data-ptr: "1.2.3.4 mypc.example.com"
-+ dns-0x20 fallback TODO item. Consider.
++ dns-0x20 fallback.
 
 *** from draft resolver-mitigation
-* Should be an option?   (Not right now)
-* direct queries for NS records
++ option harden-referral-path
++ direct queries for NS records
 * careful caching, only NS query causes referral caching.
 * direct queries for A, AAAA in-bailiwick from a referral.
 * trouble counter, cache wipe threshold.
-* 0x20 default with fallback?
 
 * off-path validation? 
 * root NS, root glue validation after prime

doc/unbound.conf.5.in

@@ -420,9 +420,7 @@ extra query load that is generated.  Experimental option.
 Use 0x20-encoded random bits in the query to foil spoof attempts.
 This perturbs the lowercase and uppercase of query names sent to 
 authority servers and checks if the reply still has the correct casing. 
-Disabled by default, because some caching forwarders may not
-support this. It is known that some authority servers do not support 0x20, 
-and resolution will fail for them. A solution is on the TODO list.
+Disabled by default. 
 This feature is an experimental implementation of draft dns\-0x20.
 .TP
 .B private\-address: \fI<IP address or subnet>