diff --git a/doc/Changelog b/doc/Changelog index fda3185c8..a9d4b8efc 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -2,6 +2,7 @@ - added fedora init and specfile to contrib (by Paul Wouters). - added configure check for ldns 1.4.0 (using its compat funcs). - neater comments in worker.h. + - removed doc/plan and updated doc/TODO. 12 November 2008: Wouter - add unbound-control manpage to makedist replace list. diff --git a/doc/TODO b/doc/TODO index b2ceecbd1..ad103d59d 100644 --- a/doc/TODO +++ b/doc/TODO @@ -2,9 +2,6 @@ TODO items. These are interesting todo items. o understand synthesized DNAMEs, so those TTL=0 packets are cached properly. o NSEC/NSEC3 aggressive negative caching, so that updates to NSEC/NSEC3 will result in proper negative responses. -o get serverselection algorithm out of local optimum. - make subtargets to get rtt info for a couple of targets, like fetch-policy. - or send out multiple queries to multiple servers. o (option) where port 53 is used for send and receive, no other ports are used. o (option) to not send replies to clients after a timeout of (say 5 secs) has passed, but keep task active for later retries by client. @@ -17,8 +14,6 @@ o (option) store primed key data in a overlaid keyhints file (sort of like draft o windows version, auto update feature, a query to check for the version. o command the server with TSIG inband. get-config, clearcache, get stats, get memstats, get ..., reload, clear one zone from cache -o watch for spoof nearmisses. Keep counter of nearmisses and print that - in the stats lines, operator can determine what level is a redalert. o NSID rfc 5001 support. o timers rfc 5011 support. o Treat YXDOMAIN from a DNAME properly, in iterator (not throwaway), validator. 
@@ -26,7 +21,6 @@ o make timeout backoffs randomized (a couple percent random) to spread traffic. o inspect date on executable, then warn user in log if its more than 1 year. o (option) proactively prime root, stubs and trust anchors, feature. early failure, faster on first query, but more traffic. -o On Windows use CryptGenRandom() to get random seed for arc4random. o library add convenience functions for A, AAAA, PTR, getaddrinfo, libresolve. o library add function to validate input from app that is signed. o add dynamic-update requests (making a dynupd request) to libunbound api. 
@@ -38,36 +32,31 @@ o (option) to make chroot: copy all needed files into jail (or make jail) perhaps also print reminder to link /dev/random and sysloghack. o overhaul outside-network servicedquery to merge with udpwait and tcpwait, to make timers in servicedquery independent of udpwait queues. -o 0x20 fallback so it can be enabled without trouble. o check into rebinding ports for efficiency, configure time test. o EVP hardware crypto support. +o option to ignore all inception and expiration dates for rrsigs. +o option to use builtin ldns explicitly. Or stop shipping builtin tarball. +o cleaner code; return and func statements on newline. +o memcached module that sits before validator module; checks for memcached + data (on local lan), stores recursion lookup. Provides one cache for + multiple resolver machines, coherent reply content in anycast setup. -Features soon after 1.0. -o zone name appending for local-data. Perhaps read zonefiles. Perhaps it is - too much authority feature creep. +*** Features features, for later +* dTLS, TLS, look to need special port numbers, cert storage, recent libssl. +* aggressive negative caching for NSEC, NSEC3. +* multiple queries per question, server exploration, server selection. +* NSID support. +* support TSIG on queries, for validating resolver deployment. +* private TTL +* retry-mode, where a bogus result triggers a retry-mode query, where a list + of responses over a time interval is collected, and each is validated. + or try in TCP mode. Do not 'try all servers several times', since we must + not create packet storms with operator errors. +* draft-timers +* Windows port features o on windows version, implement that OS ancillary data capabilities for interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg. -o (option) for extended statistics. If enabled (not by default) collect print - rcode, uptime, spoofnearmisses, cache size, qtype, - bits(RD, CD, DO, EDNS-present, AD)query, (Secure, Bogus)reply. 
- perhaps also see which slow auth servers cause >1sec values. - stats-file possible with key: value or key=value lines in it. - stats on SIGUSR1. addup stats over threads. - -For 1.x; features that have been requested during the beta test. -o command channel for couple of tasks. Like rndc. unbound-control - o see delegation; what servers would be used to get data for a name. - o force stats display; easier than parsing logfiles. - stats display added over threads, displayed in rddtool easy format. - o flush names or domains (all under a name) from the cache. Include NSes. - And the A, AAAA for its NSes. - o add/del static preload data to change the domain redirections. - o and maybe also start, stop, reload. -o option to disable cache snooping from the clients (the nonRD queries), - with allow, refused, drop choices. -o EDNS fallback after timeout (firewall drops all edns traffic problem). -o IPv6 reverse, IP4 reverse local-data shorthand for PTR records (?). - cumbersome to reverse notate by hand for the operator. -o DLV -o look at dTLS, TLS ease of implementation. +o local-zone directive with authority service, full authority server + is a non-goal. +o configure option to force use of builtin ldns tarball. diff --git a/doc/plan b/doc/plan deleted file mode 100644 index 90f1599d5..000000000 --- a/doc/plan +++ /dev/null 
@@ -1,105 +0,0 @@ -Plan for Unbound 1.1. - -2 month project writeup. -- immediate attention: done -+ security issues: 1 week. -+ remote control: 2 week -- improvements: 1 week -- draft-mitigation: 2 week -total 6 of 8 weeks; 2 weeks for maintenance activities. - -*** Immediate attention -- DLV -- Plus aggressive negative caching for NSEC DLV repository. -- filter out overreaching NSEC records. -- dev/log(syslog) opened before chroot. -- Fixup rrset security updates overwriting 2181 trust status. - This makes validated to be insecure data just as worthless as - nonvalidated data, and 2181 rules prevent cache overwrites to them. -- use setresuid/setresgid, more secure. -- make realclean works better, by Robert Edmonds. -- nicer logfile message classification as notice, info, debug. -- bug #208: extra rc.d unbound flexibility for freebsd/nanobsd. -- bug #203: nicer do-auto log message when user sets incompatible options. -- bug #204: variable name ameliorated in log.c. -- bug #206: in iana_update, no egrep, but awk use. -- fixup update-anchor.sh to work both in BSD shell and bash. -(done) - -*** Security issues -+ current NS query retry is an option, default off, experimental on, - because of the added load to 3rd parties. -+ block nonRD queries, acl like. - what about our authority features, those are allowed. -+ DoS vector, flush more. - 50% of max is for run-to-completion - 50% rest is for lifo queue with 100-200 msec timeout. -+ records in the additional section should not be marked bogus - if they have no signer or a different signed. Validate if you can, - otherwise leave unchecked. -+ block DNS rebinding attacks, block all A records from 1918 IP blocks, -like dnswall does. Allow certain subdomains to do it, config options. - one option that controls on/off of all private space. - note in config/man that we may consider turning on by default. - -*** Remote control feature -+ remote control using a TCP unbound-control commandline app. -+ secure remote control w. 
TSIG. Or TLS. -+ Nicer statistics (over that unbound-control app for ease) - stats display added over threads, displayed in rddtool easy format. -+ option for extended statistics. If enabled (not by default) collect print - rcode, uptime, spoofnearmisses, cache size, qtype, - bits(RD, CD, DO, EDNS-present, AD)query, (Secure, Bogus)reply. - stats-file possible with key: value or key=value lines in it. - addup stats over threads. -not stats on SIGUSR1. perhaps also see which slow auth servers cause >1sec values. -+ remote control to add/remove localinfo, redirects. -+ remote control to load/store cache contents -+ remote control to start, stop, reload. -+ remote control to flush names or domains (all under a name) from the - cache. Include NSes. And the A, AAAA for its NSes. -+ remote control to see delegation; what servers would be used to get - data for a name. - -*** Improvements -+ fallback to noEDNS if all queries are dropped. -+ dnssec lameness fixen. Check to make sure. -+ negative caching to avoid DS queries, NSEC, NSEC3 (w params). -+ SHA256 supported fully. -+ Make stub to localhost on different port work. -+ IPv6 reverse, IP4 reverse local-data shorthand for PTR records (?). - cumbersome to reverse notate by hand for the operator. For local-data. - local-data-ptr: "1.2.3.4 mypc.example.com" -+ dns-0x20 fallback. - -*** from draft resolver-mitigation -+ option harden-referral-path -+ direct queries for NS records -+ careful caching, only NS query causes referral caching. -+ direct queries for A, AAAA in-bailiwick from a referral. -+ trouble counter, cache wipe threshold. - -+ off-path validation -+ root NS, root glue validation after prime -+ ignore bogus nameservers, pretend they always return a servfail. - - -*** Features features, for later -* dTLS, TLS, look to need special port numbers, cert storage, recent libssl. -* aggressive negative caching for NSEC, NSEC3. -* multiple queries per question, server exploration, server selection. -* NSID support. 
-* support TSIG on queries, for validating resolver deployment. -* private TTL -* retry-mode, where a bogus result triggers a retry-mode query, where a list - of responses over a time interval is collected, and each is validated. - or try in TCP mode. Do not 'try all servers several times', since we must - not create packet storms with operator errors. -* draft-timers -* Windows port features -o on windows version, implement that OS ancillary data capabilities for - interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg. -o local-zone directive with authority service, full authority server - is a non-goal. -o configure option to force use of builtin ldns tarball. -
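Review bot: In the first doc/TODO hunk (@@ -2,9 +2,6), dropping "o watch for spoof nearmisses. Keep counter of nearmisses and print that in the stats lines" removes the only tracked item for a spoof-attempt counter, and the later hunk also removes the extended-statistics item that would have printed "spoofnearmisses". That counter with an operator-chosen red-alert level is the detection hook for cache-poisoning attempts, so either record in the Changelog that it was implemented or carry it into the new "*** Features features, for later" list instead of dropping it silently. The removed "get serverselection algorithm out of local optimum" item is fine to drop here, since the later hunk keeps it as "* multiple queries per question, server exploration, server selection."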
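Review bot: In the second doc/TODO hunk (@@ -26,7 +21,6), "-o On Windows use CryptGenRandom() to get random seed for arc4random." is removed with no matching completed-work entry in the Changelog hunk. The arc4random seed is what the randomized source ports and query IDs depend on, so a weak seed on Windows weakens the spoofing resistance that the rest of the TODO is concerned with. If it has been implemented, say so in the Changelog; if it is deferred, keep it under the new "* Windows port features" heading that this change introduces.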
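Review bot: The third doc/TODO hunk (@@ -38,36 +32,31) adds two entries for the same item: "+o option to use builtin ldns explicitly. Or stop shipping builtin tarball." near the top and "+o configure option to force use of builtin ldns tarball." at the bottom; merge them into one. The two trailing "o" items (local-zone authority service, builtin ldns configure option) also end up indented under "* Windows port features" although neither is Windows-specific, and the moved block mixes "*" and "o" bullets with the file's existing "o" style. On the new memcached item ("checks for memcached data (on local lan), stores recursion lookup"), the entry should state whether records pulled from the shared memcached pass through the validator or are trusted as-is: a cache shared across resolver machines over the LAN is a new trust boundary, and if entries bypass validation, any host that can write to memcached can feed answers to every resolver in the anycast set.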
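Review bot: For the doc/plan deletion (@@ -1,105 +0,0), the only section marked "(done)" is "*** Immediate attention"; the "*** Security issues" items ("+ block nonRD queries", "+ DoS vector, flush more", "+ block DNS rebinding attacks, block all A records from 1918 IP blocks") and the "*** from draft resolver-mitigation" items carry no status, and none of them reappear in the updated doc/TODO. The Changelog line "removed doc/plan and updated doc/TODO" should state whether these were completed or dropped, otherwise the record of which hardening items were actually shipped disappears with the file. The last two sections of doc/plan ("*** Features features, for later" onward) are moved verbatim into doc/TODO, so those are accounted for.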