Plan for Unbound 1.1.
2 month project writeup.
- immediate attention: done
- security issues: 1 week.
- remote control: 2 weeks
- improvements: 1 week
- draft-mitigation: 2 weeks
total 6 of 8 weeks; 2 weeks for maintenance activities.

*** Immediate attention
- DLV
- Plus aggressive negative caching for NSEC in the DLV repository.
- filter out overreaching NSEC records.
- /dev/log (syslog) opened before chroot.
- Fixup rrset security updates overwriting RFC 2181 trust status.
  This makes data that validated as insecure just as worthless as
  non-validated data, and the 2181 ranking rules prevent cache
  overwrites of it.
- use setresuid/setresgid, more secure.
- make realclean works better, by Robert Edmonds.
- nicer logfile message classification as notice, info, debug.
- bug #208: extra rc.d unbound flexibility for freebsd/nanobsd.
- bug #203: nicer do-auto log message when user sets incompatible options.
- bug #204: variable name ameliorated in log.c.
- bug #206: in iana_update, no egrep, but awk use.
- fixup update-anchor.sh to work both in BSD shell and bash.
(done)

*** Security issues
+ current NS query retry is an option, default off, experimental on,
  because of the added load to 3rd parties.
+ block non-RD queries, ACL-like. What about our authority features?
  Those are allowed.
+ DoS vector, flush more. 50% of max is for run-to-completion; the other
  50% is for a LIFO queue with a 100-200 msec timeout.
+ records in the additional section should not be marked bogus if they
  have no signer or a different signer. Validate if you can, otherwise
  leave unchecked.
+ block DNS rebinding attacks: block all A records with RFC 1918
  addresses, like dnswall does. Allow certain subdomains to do it via
  config options; one option that controls on/off of all private space.
  Note in config/man that we may consider turning it on by default.

*** Remote control feature
* remote control using a TCP unbound-control commandline app.
* secure remote control w. TSIG. Or TLS.
* Nicer statistics (over that unbound-control app for ease).
  stats display added over threads, displayed in rrdtool-easy format.
* option for extended statistics. If enabled (not by default) collect and
  print rcode, uptime, spoof near-misses, cache size, qtype,
  bits (RD, CD, DO, EDNS-present, AD) per query, (Secure, Bogus) per reply.
  Perhaps also see which slow auth servers cause >1sec values.
  stats-file possible with key: value or key=value lines in it.
  stats on SIGUSR1. Add up stats over threads.
* remote control to add/remove localinfo, redirects.
* remote control to load/store cache contents.
* remote control to start, stop, reload.
* remote control to flush names or domains (all under a name) from the
  cache. Include NSes. And the A, AAAA for its NSes.
* remote control to see delegation; what servers would be used to get
  data for a name.

*** Improvements
* fallback to noEDNS if all queries are dropped.
* dnssec lameness fixes. Check to make sure.
* negative caching to avoid DS queries, NSEC, NSEC3 (with params).
* SHA256 supported fully.
* Make stub to localhost on different port work.
* IPv6 reverse, IPv4 reverse local-data shorthand for PTR records (?).
  Cumbersome to reverse-notate by hand for the operator. For local-data:
  local-reverse-data: "1.2.3.4 mypc.example.com"
* dns-0x20 fallback TODO item. Consider.

*** from draft resolver-mitigation
* Should be an option? (Not right now)
* direct queries for NS records
* careful caching, only NS query causes referral caching.
* direct queries for A, AAAA in-bailiwick from a referral.
* trouble counter, cache wipe threshold.
* 0x20 default with fallback?
* off-path validation?
* root NS, root glue validation after prime
* ignore bogus nameservers, pretend they always return a servfail.

*** Features for later
* dTLS, TLS, look to need special port numbers, cert storage, recent libssl.
* aggressive negative caching for NSEC, NSEC3.
* multiple queries per question, server exploration, server selection.
* NSID support.
* support TSIG on queries, for validating resolver deployment.
* private TTL
* retry-mode, where a bogus result triggers a retry-mode query, where a
  list of responses over a time interval is collected, and each is
  validated. Or try in TCP mode. Do not 'try all servers several times',
  since we must not create packet storms with operator errors.
* draft-timers
* Windows port features
  o on the windows version, implement that OS's ancillary data
    capabilities for interface-automatic. IPPKTINFO, IP6PKTINFO for
    WSARecvMsg, WSASendMsg.
  o local-zone directive with authority service, a full authority server
    is a non-goal.
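
Two of the items above, the DNS rebinding filter under Security issues and the local-reverse-data shorthand under Improvements, worked through as an added Python example. This is illustrative code written for this writeup, not Unbound's implementation (the options that later shipped for the rebinding filter are private-address: and private-domain:). The (owner, type, rdata) record tuple, the ranges added beyond the RFC 1918 blocks the plan names, and the rendered local-data line format are assumptions.

```python
"""Added example for the Unbound 1.1 plan above; not Unbound's own code.

filter_private_answers(): the DNS-rebinding defence from "Security
issues": drop A/AAAA records whose address is in private space unless
the owner name is at or below an operator-allowed domain.  The plan
says "1918 IP blocks"; the loopback, link-local and IPv6 ULA ranges
added here are an assumption.

reverse_name()/local_reverse_data(): the "local-reverse-data" shorthand
from "Improvements": derive the in-addr.arpa / ip6.arpa owner name so
the operator does not reverse-notate addresses by hand.  The expanded
local-data line format is an assumption about how it would be rendered.
"""
import ipaddress
from typing import Iterable, List, Tuple

# A resource record as (owner, type, rdata) text; a stand-in for the
# resolver's rrset structures, constructed for this example.
RR = Tuple[str, str, str]

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # assumed extras (v4)
    "fc00::/7", "fe80::/10", "::1/128",                # assumed extras (v6)
)]


def _norm(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # An IPv4 address is never 'in' an IPv6 network and vice versa.
    return any(ip in net for net in PRIVATE_NETS)


def name_allowed(owner: str, allowed_domains: Iterable[str]) -> bool:
    """True if owner equals, or is a subdomain of, an allowed domain.

    The match is on label boundaries: 'notcorp.example' must not be
    accepted just because it ends with the string 'corp.example'.
    """
    o = _norm(owner)
    for d in allowed_domains:
        d = _norm(d)
        if o == d or o.endswith("." + d):
            return True
    return False


def filter_private_answers(rrs: Iterable[RR],
                           allowed_domains: Iterable[str] = ()
                           ) -> Tuple[List[RR], List[RR]]:
    """Split records into (kept, dropped).

    Only address records are examined; other types (MX, NS, TXT, ...)
    pass through untouched because they carry no rebinding target.
    """
    allowed = list(allowed_domains)
    kept: List[RR] = []
    dropped: List[RR] = []
    for rr in rrs:
        owner, rtype, rdata = rr
        if (rtype in ("A", "AAAA") and is_private(rdata)
                and not name_allowed(owner, allowed)):
            dropped.append(rr)
        else:
            kept.append(rr)
    return kept, dropped


def reverse_name(addr: str) -> str:
    """Owner name for the PTR record of addr, with trailing dot."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    # IPv6: 32 zero-padded hex nibbles, one label each, reversed.
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def local_reverse_data(addr: str, hostname: str) -> str:
    """Expand 'local-reverse-data: "ADDR NAME"' into a local-data PTR line."""
    fqdn = hostname if hostname.endswith(".") else hostname + "."
    return 'local-data: "%s IN PTR %s"' % (reverse_name(addr), fqdn)


# Constructed answer section mixing public, private and allowed names.
SAMPLE_ANSWER: List[RR] = [
    ("www.example.com.", "A", "192.0.2.10"),        # public: kept
    ("evil.attacker.test.", "A", "192.168.1.1"),    # rebinding: dropped
    ("evil.attacker.test.", "AAAA", "fd00::1"),     # ULA: dropped
    ("intranet.corp.example.", "A", "10.0.0.5"),    # allowed domain: kept
    ("deep.sub.corp.example.", "A", "10.0.0.6"),    # its subdomain: kept
    ("notcorp.example.", "A", "10.0.0.7"),          # suffix trick: dropped
    ("evil.attacker.test.", "MX", "10 mail.attacker.test."),  # not an address: kept
]

if __name__ == "__main__":
    kept, dropped = filter_private_answers(SAMPLE_ANSWER, ["corp.example"])
    for rr in dropped:
        print("dropped:", rr)
    print(local_reverse_data("1.2.3.4", "mypc.example.com"))
    print(local_reverse_data("2001:db8::1", "mypc.example.com"))
```

The allow-list check compares on label boundaries on purpose: a plain suffix match would let an attacker register notcorp.example and have its RFC 1918 answers pass as if they were under the operator's corp.example. The reverse-name helper pads IPv6 addresses to all 32 nibbles before reversing, which is exactly the step that is tedious and error-prone to do by hand.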