Unbound Features

(C) Copyright 2008, Wouter Wijngaards, NLnet Labs.


This document describes the features and RFCs that unbound
adheres to, and which ones are decided to be out of scope.


Big Features
------------
Recursive service.
Caching service.
Forwarding and stub zones.
Very limited authoritative service.
DNSSEC Validation options.
EDNS0, NSEC3, IPv6, DNAME, Unknown-RR-types.
RSASHA256, GOST, ECDSA, SHA384 DNSSEC algorithms.

Details
-------
Processing support
RFC 1034-1035: as a recursive, caching server. Not authoritative.
	including CNAMEs, referrals, wildcards, classes, ...
	AAAA type, and IP6 dual stack support.
	type ANY queries are supported, class ANY queries are supported.
RFC 1123, 6.1 Requirements for DNS of internet hosts.
RFC 4033-4035: as a validating caching server (unbound daemon).
	as a validating stub (libunbound).
RFC 1918.
RFC 1995, 1996, 2136: not authoritative, so no AXFR, IXFR, NOTIFY or
	dynamic update services are appropriate.
RFC 2181: completely, including the trust model, keeping rrsets together.
RFC 2308: TTL directive, and the rest of the RFC too.
RFC 2671: EDNS0 support, default advertisement 4Kb size.
RFC 2672: DNAME support.
RFC 3597: Unknown RR type support.
RFC 4343: case insensitive handling of domain names.
RFC 4509: SHA256 DS hash.
RFC 4592: wildcards.
RFC 4697: No DNS Resolution Misbehavior.
RFC 5011: update of trust anchors with timers.
RFC 5155: NSEC3, NSEC3PARAM types
RFC 5358: reflectors-are-evil: access control list for recursive
	service. In fact for all DNS service so cache snooping is halted.
RFC 5452: forgery resilience. all recommendations followed.
RFC 5702: RSASHA256 signature algorithm.
RFC 5933: GOST signature algorithm.
RFC 6303: default local zones.
	It is possible to block zones or return an address for localhost.
	This is a very limited authoritative service. Defaults as in draft.
RFC 6604: xNAME RCODE and status bits.
RFC 6605: ECDSA signature algorithm, SHA384 DS hash.

chroot and drop-root-privileges support, default enabled in config file.

AD bit in query can be used to request AD bit in response (w/o using DO bit).
CD bit in query can be used to request bogus data.
UDP and TCP service is provided downstream.
UDP and TCP are used to request from upstream servers.
SSL wrapped TCP service can be used upstream and provided downstream.
Multiple queries can be made over a TCP stream.

No TSIG support at this time.
No SIG0 support at this time.
No dTLS support at this time.
This is not a DNS statistics package, but some operationally useful
values are provided via unbound-control stats.
TXT RRs from the Chaos class (id.server, hostname.bind, ...) are supported.

draft-0x20: implemented, use caps-for-id option to enable use.
	Also implements bitwise echo of the query to support downstream 0x20.
draft-ietf-dnsop-resolver-priming(-00): can prime and can fallback to
	a safety belt list.
draft-ietf-dnsop-dnssec-trust-anchor(-01): DS records can be configured
	as trust anchors. Also DNSKEYs are allowed, by the way.
draft-ietf-dnsext-dnssec-bis-updates: supported.

Record type syntax support, extensive, from lib ldns.
For these types only syntax and parsing support is needed.
RFC 1034-1035: basic RR types.
RFC 1183: RP, AFSDB, X25, ISDN, RT
RFC 1706: NSAP
RFC 2535: KEY, SIG, NXT: treated as unknown data, syntax is parsed (obsolete).
2163: PX
AAAA type
1876: LOC type
2782: SRV type
2915: NAPTR type.
2230: KX type.
2538: CERT type.
2672: DNAME type.
OPT type
3123: APL
3596: AAAA
SSHFP type
4025: IPSECKEY
4033-4035: DS, RRSIG, NSEC, DNSKEY
4701: DHCID
5155: NSEC3, NSEC3PARAM
4408: SPF
6944: DNSKEY algorithm status
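
For the draft-0x20 entry above: an added example, not code from Unbound, of the case randomisation a resolver applies to an outgoing query name and the exact-match check it runs on the name echoed back in the reply. The names caps_encode and caps_check are hypothetical, and names are handled in presentation form rather than DNS wire format for brevity.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum caps_result { CAPS_OK, CAPS_CASE_MISMATCH, CAPS_NAME_MISMATCH };

/* 0x20-encode qname in place: each ASCII letter takes its case from the next
 * bit of `bits` (1 = upper, 0 = lower); digits, dots and hyphens use no bit.
 * Returns the number of bits consumed, i.e. the entropy added to the query. */
size_t caps_encode(char *qname, const uint8_t *bits, size_t nbits)
{
    size_t used = 0;
    for (char *p = qname; *p && used < nbits; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalpha(c))
            continue;
        *p = (char)(((bits[used / 8] >> (used % 8)) & 1) ? toupper(c) : tolower(c));
        used++;
    }
    return used;
}

/* Compare the name we sent with the name echoed in the reply's question
 * section. Only a byte-exact echo is accepted; a name that matches except
 * for case is reported separately so it can be logged or retried. */
enum caps_result caps_check(const char *sent, const char *echoed)
{
    size_t i;
    if (strcmp(sent, echoed) == 0)
        return CAPS_OK;
    if (strlen(sent) != strlen(echoed))
        return CAPS_NAME_MISMATCH;
    for (i = 0; sent[i]; i++)
        if (tolower((unsigned char)sent[i]) != tolower((unsigned char)echoed[i]))
            return CAPS_NAME_MISMATCH;
    return CAPS_CASE_MISMATCH;
}

int main(void)
{
    char q[] = "www.example.com";            /* constructed sample name */
    const uint8_t bits[2] = { 0xA5, 0x0F };  /* fixed bits; use a CSPRNG in practice */
    size_t n = caps_encode(q, bits, 16);
    printf("%s (%zu bits) exact=%d lowercased=%d\n", q, n,
           caps_check(q, q), caps_check(q, "www.example.com"));
    return 0;
}
```

A reply that fails the exact-match check cannot be told apart from a forged one, which is why a server that supports downstream 0x20 has to echo the query name bit for bit.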