xref: /freebsd/contrib/unbound/doc/FEATURES (revision 640235e2c2ba32947f7c59d168437ffa1280f1e6)
1Unbound Features
2
3(C) Copyright 2008, Wouter Wijngaards, NLnet Labs.
4
5
6This document describes the features and RFCs that unbound
7adheres to, and which ones are decided to be out of scope.
8
9
10Big Features
11------------
12Recursive service.
13Caching service.
14Forwarding and stub zones.
15Very limited authoritative service.
16DNSSEC Validation options.
17EDNS0, NSEC3, IPv6, DNAME, Unknown-RR-types.
18RSASHA256, GOST, ECDSA, SHA384 DNSSEC algorithms.
19
20Details
21-------
22Processing support
23RFC 1034-1035: as a recursive, caching server. Not authoritative.
24  including CNAMEs, referrals, wildcards, classes, ...
25  AAAA type, and IP6 dual stack support.
26  type ANY queries are supported, class ANY queries are supported.
27RFC 1123, 6.1 Requirements for DNS of internet hosts.
28RFC 4033-4035: as a validating caching server (unbound daemon).
29  as a validating stub (libunbound).
30RFC 1918.
31RFC 1995, 1996, 2136: not authoritative, so no AXFR, IXFR, NOTIFY or
32  dynamic update services are appropriate.
33RFC 2181: completely, including the trust model, keeping rrsets together.
34RFC 2308: TTL directive, and the rest of the RFC too.
35RFC 2671: EDNS0 support, default advertisement 4Kb size.
36RFC 2672: DNAME support.
37RFC 3597: Unknown RR type support.
38RFC 4343: case insensitive handling of domain names.
39RFC 4509: SHA256 DS hash.
40RFC 4592: wildcards.
41RFC 4697: No DNS Resolution Misbehavior.
42RFC 5011: update of trust anchors with timers.
43RFC 5155: NSEC3, NSEC3PARAM types
44RFC 5358: reflectors-are-evil: access control list for recursive
45  service. In fact for all DNS service so cache snooping is halted.
46RFC 5452: forgery resilience. all recommendations followed.
47RFC 5702: RSASHA256 signature algorithm.
48RFC 5933: GOST signature algorithm.
49RFC 6303: default local zones.
50  It is possible to block zones or return an address for localhost.
51  This is a very limited authoritative service. Defaults as in draft.
52RFC 6604: xNAME RCODE and status bits.
53RFC 6605: ECDSA signature algorithm, SHA384 DS hash.
54
55chroot and drop-root-privileges support, default enabled in config file.
56
57AD bit in query can be used to request AD bit in response (w/o using DO bit).
58CD bit in query can be used to request bogus data.
59UDP and TCP service is provided downstream.
60UDP and TCP are used to request from upstream servers.
61SSL wrapped TCP service can be used upstream and provided downstream.
62Multiple queries can be made over a TCP stream.
63
64No TSIG support at this time.
65No SIG0 support at this time.
66No dTLS support at this time.
67This is not a DNS statistics package, but some operationally useful
68values are provided via unbound-control stats.
69TXT RRs from the Chaos class (id.server, hostname.bind, ...) are supported.
70
71draft-0x20: implemented, use caps-for-id option to enable use.
72  Also implements bitwise echo of the query to support downstream 0x20.
73draft-ietf-dnsop-resolver-priming(-00): can prime and can fallback to
74  a safety belt list.
75draft-ietf-dnsop-dnssec-trust-anchor(-01): DS records can be configured
76  as trust anchors. Also DNSKEYs are allowed, by the way.
77draft-ietf-dnsext-dnssec-bis-updates: supported.
78
79Record type syntax support, extensive, from lib ldns.
80For these types only syntax and parsing support is needed.
81RFC 1034-1035: basic RR types.
82RFC 1183: RP, AFSDB, X25, ISDN, RT
83RFC 1706: NSAP
84RFC 2535: KEY, SIG, NXT: treated as unknown data, syntax is parsed (obsolete).
852163: PX
86AAAA type
871876: LOC type
882782: SRV type
892915: NAPTR type.
902230: KX type.
912538: CERT type.
922672: DNAME type.
93OPT type
943123: APL
953596: AAAA
96SSHFP type
974025: IPSECKEY
984033-4035: DS, RRSIG, NSEC, DNSKEY
994701: DHCID
1005155: NSEC3, NSEC3PARAM
1014408: SPF
1026944: DNSKEY algorithm status
103
104