[apple/network_cmds.git] / unbound / doc / TODO

TODO items. These are interesting todo items.
o understand synthesized DNAMEs, so those TTL=0 packets are cached properly.
o NSEC/NSEC3 aggressive negative caching, so that updates to NSEC/NSEC3 
  will result in proper negative responses.
o (option) where port 53 is used for send and receive, no other ports are used.
o (option) to not send replies to clients after a timeout of (say 5 secs) has
  passed, but keep task active for later retries by client.
o (option) private TTL feature (always report TTL x in answers).
o (option) pretend-dnssec-unaware, and pretend-edns-unaware modes for workshops.
o delegpt use rbtree for ns-list, to avoid slowdown for very large NS sets.
o (option) reprime and refresh oft used data before timeout.
o (option) retain prime results in a overlaid roothints file.
o (option) store primed key data in a overlaid keyhints file (sort of like drafttimers).
o windows version, auto update feature, a query to check for the version.
o command the server with TSIG inband. get-config, clearcache, 
	get stats, get memstats, get ..., reload, clear one zone from cache
o NSID rfc 5001 support.
o timers rfc 5011 support.
o Treat YXDOMAIN from a DNAME properly, in iterator (not throwaway), validator.
o make timeout backoffs randomized (a couple percent random) to spread traffic.
o inspect date on executable, then warn user in log if its more than 1 year.
o (option) proactively prime root, stubs and trust anchors, feature.
  early failure, faster on first query, but more traffic.
o library add convenience functions for A, AAAA, PTR, getaddrinfo, libresolve.
o library add function to validate input from app that is signed.
o add dynamic-update requests (making a dynupd request) to libunbound api.
o SIG(0) and TSIG.
o support OPT record placement on recv anywhere in the additional section. 
o add local-file: config with authority features.
o (option) to make local-data answers be secure for libunbound (default=no)
o (option) to make chroot: copy all needed files into jail (or make jail)
	perhaps also print reminder to link /dev/random and sysloghack.
o overhaul outside-network servicedquery to merge with udpwait and tcpwait,
  to make timers in servicedquery independent of udpwait queues.
o check into rebinding ports for efficiency, configure time test.
o EVP hardware crypto support.
o option to ignore all inception and expiration dates for rrsigs.
o cleaner code; return and func statements on newline.
o memcached module that sits before validator module; checks for memcached
  data (on local lan), stores recursion lookup.  Provides one cache for multiple resolver machines, coherent reply content in anycast setup.
o no openssl_add_all_algorithms, but only the ones necessary, less space.
o listen to NOTIFY messages for zones and flush the cache for that zone
  if received.  Useful when also having a stub to that auth server.
  Needs proper protection, TSIG, in place.
o winevent - do not go more than 64 fds (by polling with select one by
  one), win95/98 have 100fd limit in the kernel, so this ruins w9x portability.

*** Features features, for later
* dTLS, TLS, look to need special port numbers, cert storage, recent libssl.
* aggressive negative caching for NSEC, NSEC3.
* multiple queries per question, server exploration, server selection.
* support TSIG on queries, for validating resolver deployment.
* retry-mode, where a bogus result triggers a retry-mode query, where a list
  of responses over a time interval is collected, and each is validated.
  or try in TCP mode. Do not 'try all servers several times', since we must
  not create packet storms with operator errors.
o on windows version, implement that OS ancillary data capabilities for
  interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg.
o local-zone directive with authority service, full authority server 
  is a non-goal.
o infra and lame cache: easier size config (in Mb), show usage in graphs.
- store time of dump in cachedumps, so that on a load the ttls can be
  compared to the absolute time, and now-expired items can be dealt with.

later
- selective verbosity; ubcontrol trace example.com
- cache fork-dump, pre-load
- for fwds, send queries to N servers in fwd-list, use first reply.
  document high scalable, high available unbound setup onepager.
- prefetch DNSKEY when DS in delegation seen (nonCD, underTA).
- use libevent if available on system by default(?), default outgoing 256to1024

[1] BIND-like query logging to see who's looking up what and when
[2] more logging about stuff like SERVFAIL and REFUSED responses
[3] a Makefile that works without gnumake
Commit	Line	Data
89c4ed63 A	1	TODO items. These are interesting todo items.
	2	o understand synthesized DNAMEs, so those TTL=0 packets are cached properly.
	3	o NSEC/NSEC3 aggressive negative caching, so that updates to NSEC/NSEC3
	4	will result in proper negative responses.
	5	o (option) where port 53 is used for send and receive, no other ports are used.
	6	o (option) to not send replies to clients after a timeout of (say 5 secs) has
	7	passed, but keep task active for later retries by client.
	8	o (option) private TTL feature (always report TTL x in answers).
	9	o (option) pretend-dnssec-unaware, and pretend-edns-unaware modes for workshops.
	10	o delegpt use rbtree for ns-list, to avoid slowdown for very large NS sets.
	11	o (option) reprime and refresh oft used data before timeout.
	12	o (option) retain prime results in a overlaid roothints file.
	13	o (option) store primed key data in a overlaid keyhints file (sort of like drafttimers).
	14	o windows version, auto update feature, a query to check for the version.
	15	o command the server with TSIG inband. get-config, clearcache,
	16	get stats, get memstats, get ..., reload, clear one zone from cache
	17	o NSID rfc 5001 support.
	18	o timers rfc 5011 support.
	19	o Treat YXDOMAIN from a DNAME properly, in iterator (not throwaway), validator.
	20	o make timeout backoffs randomized (a couple percent random) to spread traffic.
	21	o inspect date on executable, then warn user in log if its more than 1 year.
	22	o (option) proactively prime root, stubs and trust anchors, feature.
	23	early failure, faster on first query, but more traffic.
	24	o library add convenience functions for A, AAAA, PTR, getaddrinfo, libresolve.
	25	o library add function to validate input from app that is signed.
	26	o add dynamic-update requests (making a dynupd request) to libunbound api.
	27	o SIG(0) and TSIG.
	28	o support OPT record placement on recv anywhere in the additional section.
	29	o add local-file: config with authority features.
	30	o (option) to make local-data answers be secure for libunbound (default=no)
	31	o (option) to make chroot: copy all needed files into jail (or make jail)
	32	perhaps also print reminder to link /dev/random and sysloghack.
	33	o overhaul outside-network servicedquery to merge with udpwait and tcpwait,
	34	to make timers in servicedquery independent of udpwait queues.
	35	o check into rebinding ports for efficiency, configure time test.
	36	o EVP hardware crypto support.
	37	o option to ignore all inception and expiration dates for rrsigs.
	38	o cleaner code; return and func statements on newline.
	39	o memcached module that sits before validator module; checks for memcached
	40	data (on local lan), stores recursion lookup. Provides one cache for multiple resolver machines, coherent reply content in anycast setup.
	41	o no openssl_add_all_algorithms, but only the ones necessary, less space.
	42	o listen to NOTIFY messages for zones and flush the cache for that zone
	43	if received. Useful when also having a stub to that auth server.
	44	Needs proper protection, TSIG, in place.
	45	o winevent - do not go more than 64 fds (by polling with select one by
	46	one), win95/98 have 100fd limit in the kernel, so this ruins w9x portability.
	47
	48	*** Features features, for later
	49	* dTLS, TLS, look to need special port numbers, cert storage, recent libssl.
	50	* aggressive negative caching for NSEC, NSEC3.
	51	* multiple queries per question, server exploration, server selection.
	52	* support TSIG on queries, for validating resolver deployment.
	53	* retry-mode, where a bogus result triggers a retry-mode query, where a list
	54	of responses over a time interval is collected, and each is validated.
	55	or try in TCP mode. Do not 'try all servers several times', since we must
	56	not create packet storms with operator errors.
	57	o on windows version, implement that OS ancillary data capabilities for
	58	interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg.
	59	o local-zone directive with authority service, full authority server
	60	is a non-goal.
	61	o infra and lame cache: easier size config (in Mb), show usage in graphs.
	62	- store time of dump in cachedumps, so that on a load the ttls can be
	63	compared to the absolute time, and now-expired items can be dealt with.
	64
65	later
66	- selective verbosity; ubcontrol trace example.com
67	- cache fork-dump, pre-load
68	- for fwds, send queries to N servers in fwd-list, use first reply.
69	document high scalable, high available unbound setup onepager.
70	- prefetch DNSKEY when DS in delegation seen (nonCD, underTA).
71	- use libevent if available on system by default(?), default outgoing 256to1024
72
73	[1] BIND-like query logging to see who's looking up what and when
74	[2] more logging about stuff like SERVFAIL and REFUSED responses
75	[3] a Makefile that works without gnumake
76