FEATURES revision 238106
Unbound Features

(C) Copyright 2008, Wouter Wijngaards, NLnet Labs.


This document describes the features and RFCs that unbound
adheres to, and which ones are decided to be out of scope.


Big Features
------------
Recursive service.
Caching service.
Forwarding and stub zones.
Very limited authoritative service.
DNSSEC Validation options.
EDNS0, NSEC3, IPv6, DNAME, Unknown-RR-types.
RSASHA256, GOST, ECDSA, SHA384 DNSSEC algorithms.

Details
-------
Processing support
RFC 1034-1035: as a recursive, caching server. Not authoritative.
  including CNAMEs, referrals, wildcards, classes, ...
  AAAA type, and IP6 dual stack support.
  type ANY queries are supported, class ANY queries are supported.
RFC 4033-4035: as a validating caching server (unbound daemon).
  as a validating stub (libunbound).
RFC 1918.
RFC 1995, 1996, 2136: not authoritative, so no AXFR, IXFR, NOTIFY or
  dynamic update services are appropriate.
RFC 2181: completely, including the trust model, keeping rrsets together.
RFC 2308: TTL directive, and the rest of the RFC too.
RFC 2671: EDNS0 support, default advertisement 4Kb size.
RFC 2672: DNAME support.
RFC 3597: Unknown RR type support.
RFC 4343: case insensitive handling of domain names.
RFC 4509: SHA256 DS hash.
RFC 4592: wildcards.
RFC 4697: No DNS Resolution Misbehavior.
RFC 5011: update of trust anchors with timers.
RFC 5155: NSEC3, NSEC3PARAM types
RFC 5358: reflectors-are-evil: access control list for recursive
  service. In fact for all DNS service so cache snooping is halted.
RFC 5452: forgery resilience. all recommendations followed.
RFC 5702: RSASHA256 signature algorithm.
RFC 5933: GOST signature algorithm.
RFC 6303: default local zones.
  It is possible to block zones or return an address for localhost.
  This is a very limited authoritative service. Defaults as in draft.
RFC 6604: xNAME RCODE and status bits.
RFC 6605: ECDSA signature algorithm, SHA384 DS hash.

chroot and drop-root-privileges support, default enabled in config file.

AD bit in query can be used to request AD bit in response (w/o using DO bit).
CD bit in query can be used to request bogus data.
UDP and TCP service is provided downstream.
UDP and TCP are used to request from upstream servers.
SSL wrapped TCP service can be used upstream and provided downstream.
Multiple queries can be made over a TCP stream.

No TSIG support at this time.
No SIG0 support at this time.
No dTLS support at this time.
This is not a DNS statistics package, but some operationally useful
values are provided via unbound-control stats.
TXT RRs from the Chaos class (id.server, hostname.bind, ...) are supported.

draft-0x20: implemented, use caps-for-id option to enable use.
  Also implements bitwise echo of the query to support downstream 0x20.
draft-ietf-dnsop-resolver-priming(-00): can prime and can fallback to
  a safety belt list.
draft-ietf-dnsop-dnssec-trust-anchor(-01): DS records can be configured
  as trust anchors. Also DNSKEYs are allowed, by the way.
draft-ietf-dnsext-dnssec-bis-updates: supported.

Record type syntax support, extensive, from lib ldns.
For these types only syntax and parsing support is needed.
RFC 1034-1035: basic RR types.
RFC 1183: RP, AFSDB, X25, ISDN, RT
RFC 1706: NSAP
RFC 2535: KEY, SIG, NXT: treated as unknown data, syntax is parsed (obsolete).
2163: PX
AAAA type
1876: LOC type
2782: SRV type
2915: NAPTR type.
2230: KX type.
2538: CERT type.
2672: DNAME type.
OPT type
3123: APL
SSHFP type
4025: IPSECKEY
4033-4035: DS, RRSIG, NSEC, DNSKEY
4701: DHCID
5155: NSEC3, NSEC3PARAM
4408: SPF