TODO items. o #define BIT_... different on bigendian and smallendian systems so that the htons on flags is not needed to send a message from the cache. o speed up pkt domain name decompression loop detection using counter perhaps. o detect OS/400 pthreads implementation that allows upgrading to writelock on pthreads rwlocks and use it to examine-rd before storing-wr rrset cache. o understand synthesized DNAMEs, so those TTL=0 packets are cached properly. o understand NSEC/NSEC3, aggressive negative caching, so that updates to NSEC/NSEC3 will result in proper negative responses. o scrubber has slow pkt_subdomain and pkt_strict_subdomain functions. o get serverselection algorithm out of local optimum. make subtargets to get rtt info for a couple of targets, like fetch-policy. or send out multiple queries to multiple servers. o configuration option where port 53 is used for send and receive, no other ports are used. o (option) to not send replies to clients after a timeout of (say 5 secs) has passed, but keep task active for later retries by client. o private TTL feature o pretend-dnssec-unaware, and pretend-edns-unaware modes for debug/workshops. o delegpt use rbtree for ns-list, to avoid slowdown for very large NS sets. o reprime and refresh oft used data before timeout. o retain prime results in a overlaid roothints file. o store primed key data in a overlaid keyhints file (sort of like drafttimers). o windows version, auto update feature, a query to check for the version. o autoreport of problems o command the server with TSIG inband. get-config, clearcache, get stats, get memstats, get ..., reload, clear one zone from cache o watch for spoof nearmisses. Keep counter of nearmisses and print that in the stats lines, operator can determine what level is a redalert. o improve compression of DNS packets by first puttig uncompressible rrs, then compress to their rdata. o NSID rfc 5001 support. o timers rfc 5011 support. o Treat YXDOMAIN from a DNAME properly, in iterator (not throwaway), validator. o grab ports nonconsequtive and change the set after a while (change within a given range). Could be bad for OS if wrong port. unsure if it helps secure. o make timeout backoffs randomized (a couple percent random) to spread traffic. o inspect date on executable, then warn user in log if its more than 1 year. o proactively prime root, stubs and trust anchors, feature. early failure, faster on first query, but more traffic. o use privilege separation, to change privilege options during reload securely not needed. o On Windows use CryptGenRandom() to get random seed for arc4random. o Think about intermediate firewalls dropping EDNS UDP & handling that. detect nonEDNS middlebox by timeout on edns queries, and fallback to nonEDNS when appropriate. o library add convenience functions for A, AAAA, PTR, getaddrinfo, libresolve. o library add function to get signature data (or whole reply message). o library add function to validate input from app that is signed. o add dynamic-update requests (making a dynupd request) to libunbound api. o in an ipv6 connected only environment unbound cannot use outgoing IP6 to send to ip4to6 mapped hosts, need ip4to6map of NS and disable V6ONLY socket option. o support multiple dns messages in a TCP query stream for the unbound server. o SIG(0) and TSIG. o support OPT record placement on recv anywhere in the additional section. o add local-file: config with authority features. o option to make local-data answers be secure for libunbound (default=no)