doc nicer.

git-svn-id: file:///svn/unbound/trunk@1004 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,6 @@
+29 February 2008: Wouter
+	- documentation update.
+
 28 February 2008: Wouter
 	- fixed memory leaks in libunbound (during cancellation and wait).
 	- libunbound returns the answer packet in full.

doc/README

@@ -4,7 +4,7 @@ http://unbound.net
 
 This software is under BSD license, see LICENSE for details.
 
-* Download the latest version of this software from 
+* Download the latest release version of this software from 
   	http://unbound.net 
   or get a beta version from the svn repository at 
   	http://unbound.net/svn/
@@ -15,10 +15,6 @@ This software is under BSD license, see LICENSE for details.
   * libevent	http://www.monkey.org/~provos/libevent/		(BSD license)
     (optional) can use builtin alternative instead.
 
-* Create build environment 
-  * run libtoolize -c if config.sub is missing, or run glibtoolize.
-  * autoreconf (autoheader && autoconf), if ./configure is missing.
-
 * Make and install: ./configure; make; make install
   * Use GNU make; default on linux, often called 'gmake' on BSD and Solaris.
   * --with-ldns=/path/to/ldns
@@ -74,6 +70,7 @@ o If you are not receiving the correct source IP address on replies (e.g.
 
 Acknowledgements
 ----------------
+o Unbound was written in portable C by Wouter Wijngaards (NLnet Labs).
 o Thanks to David Blacka and Matt Larson (Verisign) for the unbound-java
   prototype. Design and code from that prototype has been used to create
   this program. Such as the iterator state machine and the cache design.

doc/README.svn

@@ -1,8 +1,8 @@
 README.svn
 
 For a svn checkout
-* Create build environment - see README.
+* configure script, aclocal.m4, as well as yacc/lex output files are
-  * possibly copy aclocal.m4 from your autoconf/libtool setup.
+  committed to the repository.
 
 * Note changes in the Changelog.
 * Every check-in a postcommit hook is run

doc/TODO

@@ -1,43 +1,32 @@
 TODO items.
 o understand synthesized DNAMEs, so those TTL=0 packets are cached properly.
-o understand NSEC/NSEC3, aggressive negative caching, so that updates to
+o NSEC/NSEC3 aggressive negative caching, so that updates to NSEC/NSEC3 
-  NSEC/NSEC3 will result in proper negative responses.
+  will result in proper negative responses.
 o get serverselection algorithm out of local optimum.
   make subtargets to get rtt info for a couple of targets, like fetch-policy.
   or send out multiple queries to multiple servers.
-o configuration option where port 53 is used for send and receive, no other
+o (option) where port 53 is used for send and receive, no other ports are used.
-  ports are used.
 o (option) to not send replies to clients after a timeout of (say 5 secs) has
   passed, but keep task active for later retries by client.
-o private TTL feature
+o (option) private TTL feature (always report TTL x in answers).
-o pretend-dnssec-unaware, and pretend-edns-unaware modes for debug/workshops.
+o (option) pretend-dnssec-unaware, and pretend-edns-unaware modes for workshops.
 o delegpt use rbtree for ns-list, to avoid slowdown for very large NS sets.
-o reprime and refresh oft used data before timeout.
+o (option) reprime and refresh oft used data before timeout.
-o retain prime results in a overlaid roothints file.
+o (option) retain prime results in a overlaid roothints file.
-o store primed key data in a overlaid keyhints file (sort of like drafttimers).
+o (option) store primed key data in a overlaid keyhints file (sort of like drafttimers).
 o windows version, auto update feature, a query to check for the version.
-o autoreport of problems
 o command the server with TSIG inband. get-config, clearcache, 
 	get stats, get memstats, get ..., reload, clear one zone from cache
 o watch for spoof nearmisses. Keep counter of nearmisses and print that
   in the stats lines, operator can determine what level is a redalert.
-o improve compression of DNS packets by first putting uncompressible rrs, then
-  compress to their rdata. Messes up the ordering of RRs, so bad for interop.
 o NSID rfc 5001 support.
 o timers rfc 5011 support.
 o Treat YXDOMAIN from a DNAME properly, in iterator (not throwaway), validator.
-o grab ports nonconsequtive and change the set after a while (change within
-  a given range). Could be bad for OS if wrong port. unsure if it helps secure.
 o make timeout backoffs randomized (a couple percent random) to spread traffic.
 o inspect date on executable, then warn user in log if its more than 1 year.
-o proactively prime root, stubs and trust anchors, feature.
+o (option) proactively prime root, stubs and trust anchors, feature.
   early failure, faster on first query, but more traffic.
-o use privilege separation, to change privilege options during reload securely
-  not needed.
 o On Windows use CryptGenRandom() to get random seed for arc4random.
-o Think about intermediate firewalls dropping EDNS UDP & handling that.
-  detect nonEDNS middlebox by timeout on edns queries, and fallback to
-  nonEDNS when appropriate.
 o library add convenience functions for A, AAAA, PTR, getaddrinfo, libresolve.
 o library add function to get signature data (or whole reply message).
 o library add function to validate input from app that is signed.
@@ -49,4 +38,4 @@ o support multiple dns messages in a TCP query stream for the unbound server.
 o SIG(0) and TSIG.
 o support OPT record placement on recv anywhere in the additional section. 
 o add local-file: config with authority features.
-o option to make local-data answers be secure for libunbound (default=no)
+o (option) to make local-data answers be secure for libunbound (default=no)

doc/unbound-host.1

@@ -83,7 +83,8 @@ Uses the specified unbound.conf to prime
 .IR libunbound (3).
 .SH "EXAMPLES"
 .LP
-Some examples of use.
+Some examples of use. The keys shown below are fakes, thus a security failure
+is encountered.
 .P
 $ unbound\-host www.example.com
 .P

doc/unbound.conf.5

@@ -608,8 +608,9 @@ In the example config settings below memory usage is reduced. Some service
 levels are lower, notable very large data and a high TCP load are no longer
 supported. Very large data and high TCP loads are exceptional for the DNS.
 DNSSEC validation is enabled, just add trust anchors.
-If you do not have to worry about programs using more than 1 meg of memory,
+If you do not have to worry about programs using more than 3 Mb of memory,
-the below example is not for you. Use the defaults to receive full service.
+the below example is not for you. Use the defaults to receive full service,
+which on BSD-32bit tops out at 30-40 Mb after heavy usage. 
 .P
 .nf
 # example settings that reduce memory usage
@@ -619,19 +620,19 @@ server:
 	incoming\-num\-tcp: 1
 	outgoing\-range: 1	# uses less memory, but less port randomness.
 	msg\-buffer\-size: 8192   # note this limits service, 'no huge stuff'.
-	msg\-cache\-size: 102400  # 100 Kb.
+	msg\-cache\-size: 100k
 	msg\-cache\-slabs: 1
-	rrset\-cache\-size: 102400  # 100 Kb.
+	rrset\-cache\-size: 100k
 	rrset\-cache\-slabs: 1
 	infra\-cache\-numhosts: 200
-	infra\-cache\-numlame: 10
+	infra\-cache\-slabs: 1
-	key\-cache\-size: 102400  # 100 Kb.
+	infra\-cache\-lame\-size: 1k
+	key\-cache\-size: 100k
 	key\-cache\-slabs: 1
 	num\-queries\-per\-thread: 30
 	target\-fetch\-policy: "2 1 0 0 0 0"
 	harden\-large\-queries: "yes"
 	harden\-short\-bufsize: "yes"
-	do\-ip6: no	# save a bit of memory if not used.
 .fi
 .SH "FILES"
 .TP