Unbound Features

(C) Copyright 2008, Wouter Wijngaards, NLnet Labs.


This document describes the features and RFCs that unbound
adheres to, and which ones are decided to be out of scope.


Big Features
------------
Recursive service.
Caching service.
Forwarding and stub zones.
Very limited authoritative service.
DNSSEC Validation options.
EDNS0, NSEC3, IPv6, DNAME, Unknown-RR-types.
RSASHA256, GOST, ECDSA, SHA384 DNSSEC algorithms.

Details
-------
Processing support
RFC 1034-1035: as a recursive, caching server. Not authoritative.
    including CNAMEs, referrals, wildcards, classes, ...
    AAAA type, and IP6 dual stack support.
    type ANY queries are supported, class ANY queries are supported.
RFC 1123, 6.1 Requirements for DNS of internet hosts.
RFC 4033-4035: as a validating caching server (unbound daemon).
    as a validating stub (libunbound).
RFC 1918.
RFC 1995, 1996, 2136: not authoritative, so no AXFR, IXFR, NOTIFY or
    dynamic update services are appropriate.
RFC 2181: completely, including the trust model, keeping rrsets together.
RFC 2308: TTL directive, and the rest of the RFC too.
RFC 2671: EDNS0 support, default advertisement 4Kb size.
RFC 2672: DNAME support.
RFC 3597: Unknown RR type support.
RFC 4343: case insensitive handling of domain names.
RFC 4509: SHA256 DS hash.
RFC 4592: wildcards.
RFC 4697: No DNS Resolution Misbehavior.
RFC 5001: DNS Name Server Identifier (NSID) Option
RFC 5011: update of trust anchors with timers.
RFC 5155: NSEC3, NSEC3PARAM types
RFC 5358: reflectors-are-evil: access control list for recursive
    service. In fact for all DNS service so cache snooping is halted.
RFC 5452: forgery resilience. all recommendations followed.
RFC 5702: RSASHA256 signature algorithm.
RFC 5933: GOST signature algorithm.
RFC 6303: default local zones.
    It is possible to block zones or return an address for localhost.
    This is a very limited authoritative service. Defaults as in draft.
RFC 6604: xNAME RCODE and status bits.
RFC 6605: ECDSA signature algorithm, SHA384 DS hash.

chroot and drop-root-privileges support, default enabled in config file.

AD bit in query can be used to request AD bit in response (w/o using DO bit).
CD bit in query can be used to request bogus data.
UDP and TCP service is provided downstream.
UDP and TCP are used to request from upstream servers.
SSL wrapped TCP service can be used upstream and provided downstream.
Multiple queries can be made over a TCP stream.

No TSIG support at this time.
No SIG0 support at this time.
No dTLS support at this time.
This is not a DNS statistics package, but some operationally useful
values are provided via unbound-control stats.
TXT RRs from the Chaos class (id.server, hostname.bind, ...) are supported.

draft-0x20: implemented, use caps-for-id option to enable use.
    Also implements bitwise echo of the query to support downstream 0x20.
draft-ietf-dnsop-resolver-priming(-00): can prime and can fall back to
    a safety belt list.
draft-ietf-dnsop-dnssec-trust-anchor(-01): DS records can be configured
    as trust anchors. Also DNSKEYs are allowed, by the way.
draft-ietf-dnsext-dnssec-bis-updates: supported.

Record type syntax support, extensive, from lib ldns.
For these types only syntax and parsing support is needed.
RFC 1034-1035: basic RR types.
RFC 1183: RP, AFSDB, X25, ISDN, RT
RFC 1706: NSAP
RFC 2535: KEY, SIG, NXT: treated as unknown data, syntax is parsed (obsolete).
RFC 2163: PX
AAAA type
RFC 1876: LOC type
RFC 2782: SRV type
RFC 2915: NAPTR type.
RFC 2230: KX type.
RFC 2538: CERT type.
RFC 2672: DNAME type.
OPT type
RFC 3123: APL
RFC 3596: AAAA
SSHFP type
RFC 4025: IPSECKEY
RFC 4033-4035: DS, RRSIG, NSEC, DNSKEY
RFC 4701: DHCID
RFC 5155: NSEC3, NSEC3PARAM
RFC 4408: SPF
RFC 6944: DNSKEY algorithm status
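
The draft-0x20 entry above relies on the queried server echoing the query name bit for bit. As an added illustration (not Unbound's own code), the following C shows the resolver side: randomize the case of the name sent, then accept a reply only if the echoed name is bitwise identical. The function names, the enum and the fixed sample bits are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum reply_check { REPLY_OK, REPLY_CASE_MISMATCH, REPLY_WRONG_NAME };

/* Set the case of each letter in qname from successive bits of rnd,
 * least significant bit first (1 = upper, 0 = lower). Other characters
 * carry no bit. Returns the number of bits used. In real use rnd comes
 * from a CSPRNG and is at least as long as the name has letters. */
size_t encode_0x20(char *qname, const unsigned char *rnd, size_t rnd_len)
{
    size_t bit = 0;
    for (char *p = qname; *p && bit / 8 < rnd_len; p++) {
        if (!isalpha((unsigned char)*p))
            continue;
        int up = (rnd[bit / 8] >> (bit % 8)) & 1;
        *p = (char)(up ? toupper((unsigned char)*p)
                       : tolower((unsigned char)*p));
        bit++;
    }
    return bit;
}

/* Compare the question name echoed in a reply with the name sent. */
enum reply_check check_echo(const char *sent, const char *echoed)
{
    if (strcmp(sent, echoed) == 0)
        return REPLY_OK;            /* bitwise identical echo */
    if (strlen(sent) != strlen(echoed))
        return REPLY_WRONG_NAME;
    for (size_t i = 0; sent[i]; i++)
        if (tolower((unsigned char)sent[i]) !=
            tolower((unsigned char)echoed[i]))
            return REPLY_WRONG_NAME;
    return REPLY_CASE_MISMATCH;     /* same name per RFC 4343, case not echoed */
}

int main(void)
{
    char q[] = "www.example.com";               /* constructed sample name */
    const unsigned char rnd[] = { 0xA5, 0x3C }; /* fixed bits for the demo */
    encode_0x20(q, rnd, sizeof rnd);
    printf("%s %d %d\n", q, check_echo(q, q),
           check_echo(q, "www.example.com"));
    return 0;
}
```

A REPLY_CASE_MISMATCH result means the name matches only under the case-insensitive rules of RFC 4343, so the reply does not carry the random bits an off-path forger would have had to guess.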