upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
unbound/doc/plan
Wouter Wijngaards 05cd134de9 Do not mark additional section items bogus. 
git-svn-id: file:///svn/unbound/trunk@1222 be551aaa-1e26-0410-a405-d3ace91eadb9
2008-09-02 14:35:13 +00:00

104 lines
4.5 KiB
Text
Raw Blame History

Plan for Unbound 1.1.
2 month project writeup.
- immediate attention: done
- security issues: 1 week.
- remote control: 2 week
- improvements: 1 week
- draft-mitigation: 2 week
total 6 of 8 weeks; 2 weeks for maintenance activities.
*** Immediate attention
- DLV
- Plus aggressive negative caching for NSEC DLV repository.
- filter out overreaching NSEC records.
- dev/log(syslog) opened before chroot.
- Fixup rrset security updates overwriting 2181 trust status.
This makes validated to be insecure data just as worthless as
nonvalidated data, and 2181 rules prevent cache overwrites to them.
- use setresuid/setresgid, more secure.
- make realclean works better, by Robert Edmonds.
- nicer logfile message classification as notice, info, debug.
- bug #208: extra rc.d unbound flexibility for freebsd/nanobsd.
- bug #203: nicer do-auto log message when user sets incompatible options.
- bug #204: variable name ameliorated in log.c.
- bug #206: in iana_update, no egrep, but awk use.
- fixup update-anchor.sh to work both in BSD shell and bash.
(done)
*** Security issues
+ current NS query retry is an option, default off, experimental on,
because of the added load to 3rd parties.
+ block nonRD queries, acl like.
what about our authority features, those are allowed.
+ DoS vector, flush more.
50% of max is for run-to-completion
50% rest is for lifo queue with 100-200 msec timeout.
+ records in the additional section should not be marked bogus
if they have no signer or a different signed. Validate if you can,
otherwise leave unchecked.
* block DNS rebinding attacks, block all A records from 1918 IP blocks,
like dnswall does. Allow certain subdomains to do it, config options.
one option that controls on/off of all private space.
note in config/man that we may consider turning on by default.
*** Remote control feature
* remote control using a TCP unbound-control commandline app.
* secure remote control w. TSIG. Or TLS.
* Nicer statistics (over that unbound-control app for ease)
stats display added over threads, displayed in rddtool easy format.
* option for extended statistics. If enabled (not by default) collect print
rcode, uptime, spoofnearmisses, cache size, qtype,
bits(RD, CD, DO, EDNS-present, AD)query, (Secure, Bogus)reply.
perhaps also see which slow auth servers cause >1sec values.
stats-file possible with key: value or key=value lines in it.
stats on SIGUSR1. addup stats over threads.
* remote control to add/remove localinfo, redirects.
* remote control to load/store cache contents
* remote control to start, stop, reload.
* remote control to flush names or domains (all under a name) from the
cache. Include NSes. And the A, AAAA for its NSes.
* remote control to see delegation; what servers would be used to get
data for a name.
*** Improvements
* fallback to noEDNS if all queries are dropped.
* dnssec lameness fixen. Check to make sure.
* negative caching to avoid DS queries, NSEC, NSEC3 (w params).
* SHA256 supported fully.
* Make stub to localhost on different port work.
* IPv6 reverse, IP4 reverse local-data shorthand for PTR records (?).
cumbersome to reverse notate by hand for the operator. For local-data.
local-reverse-data: "1.2.3.4 mypc.example.com"
*** from draft resolver-mitigation
* Should be an option? (Not right now)
* direct queries for NS records
* careful caching, only NS query causes referral caching.
* direct queries for A, AAAA in-bailiwick from a referral.
* trouble counter, cache wipe threshold.
* 0x20 default with fallback?
* off-path validation?
* root NS, root glue validation after prime
* ignore bogus nameservers, pretend they always return a servfail.
*** Features features, for later
* dTLS, TLS, look to need special port numbers, cert storage, recent libssl.
* aggressive negative caching for NSEC, NSEC3.
* multiple queries per question, server exploration, server selection.
* NSID support.
* support TSIG on queries, for validating resolver deployment.
* private TTL
* retry-mode, where a bogus result triggers a retry-mode query, where a list
of responses over a time interval is collected, and each is validated.
or try in TCP mode. Do not 'try all servers several times', since we must
not create packet storms with operator errors.
* draft-timers
* Windows port features
o on windows version, implement that OS ancillary data capabilities for
interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg.
o local-zone directive with authority service, full authority server
is a non-goal.
Reference in a new issue View git blame Copy permalink