Unbound Features

(C) Copyright 2008, Wouter Wijngaards, NLnet Labs.


This document describes the features and RFCs that unbound
adheres to, and which ones are decided to be out of scope.


Big Features
------------
Recursive service.
Caching service.
Forwarding and stub zones.
No authoritative service.
DNSSEC Validation options.
EDNS0, NSEC3, Unknown-RR-types.


Details
-------
Processing support
RFC 1034-1035: as a recursive, caching server. Not authoritative.
	including CNAMEs, referrals, wildcards, classes, ...
RFC 4033-4035: as a validating caching server (unbound daemon).
	as a validating stub (libunbound).
RFC 1918.
RFC 2181: completely, including the trust model, keeping rrsets together.
RFC 2672: DNAME support.
RFC 3597: Unknown RR type support.
RFC 2671: EDNS0 support, default advertisement 4Kb size.
RFC 5155: NSEC3, NSEC3PARAM types
AAAA type, and IP6 dual stack support.
type ANY queries are supported.
RFC 2308: TTL directive, and the rest of the RFC too.
RFC 4592: wildcards.

RFC 1995, 1996, 2136: not authoritative, so no AXFR, IXFR, NOTIFY or
	dynamic update services are appropriate.

chroot and drop-root-privileges support, default enabled in config file.

AD bit in query can be used to request AD bit in response (w/o using DO bit).
CD bit in query can be used to request bogus data.
UDP and TCP service is provided downstream.
UDP and TCP are used to request from upstream servers.
Multiple queries can be made over a TCP stream.

No TSIG support at this time.
No SIG0 support at this time.
No dTLS support at this time.
This is not a DNS statistics package, but some operationally useful
values are provided.
TXT RRs from the Chaos class (id.server, hostname.bind, ...) supported.

draft-forgery-resilience: all recommendations followed.
draft-0x20: experimental implementation (incomplete).
	implements bitwise echo of the query to support downstream 0x20.
draft-ietf-dnsop-default-local-zones is fully supported (-04).
	It is possible to block zones or return an address for localhost.
	This is a very limited authoritative service. Defaults as in draft.
draft-ietf-dnsop-resolver-priming(-00): can prime and can fallback to
	a safety belt list.
draft-ietf-dnsop-dnssec-trust-anchor(-01): DS records can be configured
	as trust anchors. Also DNSKEYs are allowed, by the way.
draft-ietf-dnsop-reflectors-are-evil: access control list for recursive
	service. In fact for all DNS service so cache snooping is halted.

Record type syntax support, extensive, from lib ldns.
For these types only syntax and parsing support is needed.
RFC 1034-1035: basic RR types.
RFC 1183: RP, AFSDB, X25, ISDN, RT
RFC 1706: NSAP
RFC 2535: KEY, SIG, NXT: treated as unknown data, syntax is parsed (obsolete).
2163: PX
AAAA type
1876: LOC type
2782: SRV type
2915: NAPTR type.
2230: KX type.
2538: CERT type.
2672: DNAME type.
OPT type
3123: APL
SSHFP type
4025: IPSECKEY
4033-4035: DS, RRSIG, NSEC, DNSKEY
4701: DHCID
5155: NSEC3, NSEC3PARAM
4408: SPF
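
Added example (not part of the original document and not unbound code): the check that the bitwise echo listed under draft-0x20 makes possible for a downstream client, which randomizes the case of the query name and accepts a reply only if the question section comes back identical. All function names are hypothetical and the messages are constructed samples.

```python
import random
import struct

def encode_qname(name):
    """Dotted name -> uncompressed wire-format labels, case preserved."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    if any(not 0 < len(l) <= 63 for l in labels):
        raise ValueError("bad label length")
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def randomize_0x20(name, rng):
    """Set or clear the 0x20 (case) bit of every ASCII letter at random."""
    return "".join(c.upper() if rng.getrandbits(1) else c.lower() for c in name)

def build_query(txid, name, qtype=1):
    """12-byte header (RD set, QDCOUNT=1) plus one question in class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def question_bytes(msg):
    """Raw question section: qname, qtype, qclass."""
    pos = 12
    while pos < len(msg) and msg[pos] != 0:
        if msg[pos] & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1 + msg[pos]
    end = pos + 5  # root label + qtype + qclass
    if end > len(msg):
        raise ValueError("truncated question")
    return msg[12:end]

def echo_response(query):
    """Constructed reply from a server that echoes the question bit for bit."""
    flags = struct.unpack("!H", query[2:4])[0] | 0x8080  # QR and RA set
    return query[:2] + struct.pack("!H", flags) + query[4:]

def accept_response(query, response):
    """Accept only if ID matches, QR is set and the question is identical."""
    try:
        return (len(response) >= 12 and response[:2] == query[:2]
                and bool(response[2] & 0x80)
                and question_bytes(response) == question_bytes(query))
    except ValueError:
        return False

if __name__ == "__main__":
    rng = random.Random(2008)  # fixed seed so the run is repeatable
    query = build_query(0x1A2B, randomize_0x20("www.example.com", rng))
    good = echo_response(query)
    forged = echo_response(build_query(0x1A2B, "www.example.com"))
    print(accept_response(query, good), accept_response(query, forged))
```

The comparison is on raw bytes, so a reply whose name differs only in letter case is rejected along with one that has the wrong ID or a truncated question.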