[apple/network_cmds.git] / unbound / doc / FEATURES

Unbound Features

(C) Copyright 2008, Wouter Wijngaards, NLnet Labs.


This document describes the features and RFCs that unbound 
adheres to, and which ones are decided to be out of scope.


Big Features
------------
Recursive service.
Caching service.
Forwarding and stub zones.
Very limited authoritative service.
DNSSEC Validation options.
EDNS0, NSEC3, IPv6, DNAME, Unknown-RR-types.
RSASHA256, GOST, ECDSA, SHA384 DNSSEC algorithms.

Details
-------
Processing support
RFC 1034-1035: as a recursive, caching server. Not authoritative.
  including CNAMEs, referrals, wildcards, classes, ...
  AAAA type, and IP6 dual stack support.
  type ANY queries are supported, class ANY queries are supported.
RFC 1123, 6.1 Requirements for DNS of internet hosts.
RFC 4033-4035: as a validating caching server (unbound daemon). 
  as a validating stub (libunbound).
RFC 1918.
RFC 1995, 1996, 2136: not authoritative, so no AXFR, IXFR, NOTIFY or
  dynamic update services are appropriate.
RFC 2181: completely, including the trust model, keeping rrsets together.
RFC 2308: TTL directive, and the rest of the RFC too.
RFC 2671: EDNS0 support, default advertisement 4Kb size. 
RFC 2672: DNAME support.
RFC 3597: Unknown RR type support.
RFC 4343: case insensitive handling of domain names.
RFC 4509: SHA256 DS hash.
RFC 4592: wildcards.
RFC 4697: No DNS Resolution Misbehavior.
RFC 5011: update of trust anchors with timers.
RFC 5155: NSEC3, NSEC3PARAM types
RFC 5358: reflectors-are-evil: access control list for recursive
  service. In fact for all DNS service so cache snooping is halted.
RFC 5452: forgery resilience. all recommendations followed.
RFC 5702: RSASHA256 signature algorithm. 
RFC 5933: GOST signature algorithm.
RFC 6303: default local zones.
  It is possible to block zones or return an address for localhost.
  This is a very limited authoritative service. Defaults as in draft.
RFC 6604: xNAME RCODE and status bits.
RFC 6605: ECDSA signature algorithm, SHA384 DS hash.

chroot and drop-root-privileges support, default enabled in config file.

AD bit in query can be used to request AD bit in response (w/o using DO bit).
CD bit in query can be used to request bogus data.
UDP and TCP service is provided downstream.
UDP and TCP are used to request from upstream servers.
SSL wrapped TCP service can be used upstream and provided downstream.
Multiple queries can be made over a TCP stream.

No TSIG support at this time.
No SIG0 support at this time.
No dTLS support at this time.
This is not a DNS statistics package, but some operationally useful
values are provided via unbound-control stats.
TXT RRs from the Chaos class (id.server, hostname.bind, ...) are supported.

draft-0x20: implemented, use caps-for-id option to enable use.
  Also implements bitwise echo of the query to support downstream 0x20.
draft-ietf-dnsop-resolver-priming(-00): can prime and can fallback to 
  a safety belt list.
draft-ietf-dnsop-dnssec-trust-anchor(-01): DS records can be configured 
  as trust anchors. Also DNSKEYs are allowed, by the way.
draft-ietf-dnsext-dnssec-bis-updates: supported.

Record type syntax support, extensive, from lib ldns.
For these types only syntax and parsing support is needed.
RFC 1034-1035: basic RR types.
RFC 1183: RP, AFSDB, X25, ISDN, RT
RFC 1706: NSAP
RFC 2535: KEY, SIG, NXT: treated as unknown data, syntax is parsed (obsolete).
2163: PX
AAAA type
1876: LOC type
2782: SRV type
2915: NAPTR type.
2230: KX type.
2538: CERT type.
2672: DNAME type.
OPT type
3123: APL
3596: AAAA
SSHFP type
4025: IPSECKEY
4033-4035: DS, RRSIG, NSEC, DNSKEY
4701: DHCID
5155: NSEC3, NSEC3PARAM
4408: SPF
6944: DNSKEY algorithm status
Commit	Line	Data
89c4ed63 A	1	Unbound Features
	2
	3	(C) Copyright 2008, Wouter Wijngaards, NLnet Labs.
	4
	5
	6	This document describes the features and RFCs that unbound
	7	adheres to, and which ones are decided to be out of scope.
	8
	9
	10	Big Features
	11	------------
	12	Recursive service.
	13	Caching service.
	14	Forwarding and stub zones.
	15	Very limited authoritative service.
	16	DNSSEC Validation options.
	17	EDNS0, NSEC3, IPv6, DNAME, Unknown-RR-types.
	18	RSASHA256, GOST, ECDSA, SHA384 DNSSEC algorithms.
	19
	20	Details
	21	-------
	22	Processing support
	23	RFC 1034-1035: as a recursive, caching server. Not authoritative.
	24	including CNAMEs, referrals, wildcards, classes, ...
	25	AAAA type, and IP6 dual stack support.
	26	type ANY queries are supported, class ANY queries are supported.
	27	RFC 1123, 6.1 Requirements for DNS of internet hosts.
	28	RFC 4033-4035: as a validating caching server (unbound daemon).
	29	as a validating stub (libunbound).
	30	RFC 1918.
	31	RFC 1995, 1996, 2136: not authoritative, so no AXFR, IXFR, NOTIFY or
	32	dynamic update services are appropriate.
	33	RFC 2181: completely, including the trust model, keeping rrsets together.
	34	RFC 2308: TTL directive, and the rest of the RFC too.
	35	RFC 2671: EDNS0 support, default advertisement 4Kb size.
	36	RFC 2672: DNAME support.
	37	RFC 3597: Unknown RR type support.
	38	RFC 4343: case insensitive handling of domain names.
	39	RFC 4509: SHA256 DS hash.
	40	RFC 4592: wildcards.
	41	RFC 4697: No DNS Resolution Misbehavior.
	42	RFC 5011: update of trust anchors with timers.
	43	RFC 5155: NSEC3, NSEC3PARAM types
	44	RFC 5358: reflectors-are-evil: access control list for recursive
	45	service. In fact for all DNS service so cache snooping is halted.
	46	RFC 5452: forgery resilience. all recommendations followed.
	47	RFC 5702: RSASHA256 signature algorithm.
	48	RFC 5933: GOST signature algorithm.
	49	RFC 6303: default local zones.
	50	It is possible to block zones or return an address for localhost.
	51	This is a very limited authoritative service. Defaults as in draft.
	52	RFC 6604: xNAME RCODE and status bits.
	53	RFC 6605: ECDSA signature algorithm, SHA384 DS hash.
	54
	55	chroot and drop-root-privileges support, default enabled in config file.
	56
	57	AD bit in query can be used to request AD bit in response (w/o using DO bit).
	58	CD bit in query can be used to request bogus data.
	59	UDP and TCP service is provided downstream.
	60	UDP and TCP are used to request from upstream servers.
	61	SSL wrapped TCP service can be used upstream and provided downstream.
	62	Multiple queries can be made over a TCP stream.
	63
	64	No TSIG support at this time.
65	No SIG0 support at this time.
66	No dTLS support at this time.
67	This is not a DNS statistics package, but some operationally useful
68	values are provided via unbound-control stats.
69	TXT RRs from the Chaos class (id.server, hostname.bind, ...) are supported.
70
71	draft-0x20: implemented, use caps-for-id option to enable use.
72	Also implements bitwise echo of the query to support downstream 0x20.
73	draft-ietf-dnsop-resolver-priming(-00): can prime and can fallback to
74	a safety belt list.
75	draft-ietf-dnsop-dnssec-trust-anchor(-01): DS records can be configured
76	as trust anchors. Also DNSKEYs are allowed, by the way.
77	draft-ietf-dnsext-dnssec-bis-updates: supported.
78
79	Record type syntax support, extensive, from lib ldns.
80	For these types only syntax and parsing support is needed.
81	RFC 1034-1035: basic RR types.
82	RFC 1183: RP, AFSDB, X25, ISDN, RT
83	RFC 1706: NSAP
84	RFC 2535: KEY, SIG, NXT: treated as unknown data, syntax is parsed (obsolete).
85	2163: PX
86	AAAA type
87	1876: LOC type
88	2782: SRV type
89	2915: NAPTR type.
90	2230: KX type.
91	2538: CERT type.
92	2672: DNAME type.
93	OPT type
94	3123: APL
95	3596: AAAA
96	SSHFP type
97	4025: IPSECKEY
98	4033-4035: DS, RRSIG, NSEC, DNSKEY
99	4701: DHCID
100	5155: NSEC3, NSEC3PARAM
101	4408: SPF
102	6944: DNSKEY algorithm status
103