This software is under BSD license, see LICENSE for details.
-* Download the latest version of this software from
+* Download the latest release version of this software from
http://unbound.net
or get a beta version from the svn repository at
http://unbound.net/svn/
* libevent http://www.monkey.org/~provos/libevent/ (BSD license)
(optional) can use builtin alternative instead.
-* Create build environment
- * run libtoolize -c if config.sub is missing, or run glibtoolize.
- * autoreconf (autoheader && autoconf), if ./configure is missing.
-
* Make and install: ./configure; make; make install
* Use GNU make; default on linux, often called 'gmake' on BSD and Solaris.
* --with-ldns=/path/to/ldns
Acknowledgements
----------------
+o Unbound was written in portable C by Wouter Wijngaards (NLnet Labs).
o Thanks to David Blacka and Matt Larson (Verisign) for the unbound-java
prototype. Design and code from that prototype has been used to create
this program. Such as the iterator state machine and the cache design.
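Review bot: Dropping the "Create build environment" steps (libtoolize/autoreconf) leaves the svn checkout path at "or get a beta version from the svn repository" with no way to produce a missing ./configure, since "Make and install: ./configure; make; make install" assumes the script exists. Either keep a one-line pointer for svn users (e.g. "run autoreconf if ./configure is missing") or state that the svn tree now ships a generated configure. Minor: the "--with-ldns=/path/to/ldns" bullet stands alone with no explanation of when it is needed; a short clause such as "if ldns is not in the default search path" would help.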
TODO items.
o understand synthesized DNAMEs, so those TTL=0 packets are cached properly.
-o understand NSEC/NSEC3, aggressive negative caching, so that updates to
- NSEC/NSEC3 will result in proper negative responses.
+o NSEC/NSEC3 aggressive negative caching, so that updates to NSEC/NSEC3
+ will result in proper negative responses.
o get serverselection algorithm out of local optimum.
make subtargets to get rtt info for a couple of targets, like fetch-policy.
or send out multiple queries to multiple servers.
-o configuration option where port 53 is used for send and receive, no other
- ports are used.
+o (option) where port 53 is used for send and receive, no other ports are used.
o (option) to not send replies to clients after a timeout of (say 5 secs) has
passed, but keep task active for later retries by client.
-o private TTL feature
-o pretend-dnssec-unaware, and pretend-edns-unaware modes for debug/workshops.
+o (option) private TTL feature (always report TTL x in answers).
+o (option) pretend-dnssec-unaware, and pretend-edns-unaware modes for workshops.
o delegpt use rbtree for ns-list, to avoid slowdown for very large NS sets.
-o reprime and refresh oft used data before timeout.
-o retain prime results in a overlaid roothints file.
-o store primed key data in a overlaid keyhints file (sort of like drafttimers).
+o (option) reprime and refresh oft used data before timeout.
+o (option) retain prime results in a overlaid roothints file.
+o (option) store primed key data in a overlaid keyhints file (sort of like drafttimers).
o windows version, auto update feature, a query to check for the version.
-o autoreport of problems
o command the server with TSIG inband. get-config, clearcache,
get stats, get memstats, get ..., reload, clear one zone from cache
o watch for spoof nearmisses. Keep counter of nearmisses and print that
in the stats lines, operator can determine what level is a redalert.
-o improve compression of DNS packets by first putting uncompressible rrs, then
- compress to their rdata. Messes up the ordering of RRs, so bad for interop.
o NSID rfc 5001 support.
o timers rfc 5011 support.
o Treat YXDOMAIN from a DNAME properly, in iterator (not throwaway), validator.
-o grab ports nonconsequtive and change the set after a while (change within
- a given range). Could be bad for OS if wrong port. unsure if it helps secure.
o make timeout backoffs randomized (a couple percent random) to spread traffic.
o inspect date on executable, then warn user in log if its more than 1 year.
-o proactively prime root, stubs and trust anchors, feature.
+o (option) proactively prime root, stubs and trust anchors, feature.
early failure, faster on first query, but more traffic.
-o use privilege separation, to change privilege options during reload securely
- not needed.
o On Windows use CryptGenRandom() to get random seed for arc4random.
-o Think about intermediate firewalls dropping EDNS UDP & handling that.
- detect nonEDNS middlebox by timeout on edns queries, and fallback to
- nonEDNS when appropriate.
o library add convenience functions for A, AAAA, PTR, getaddrinfo, libresolve.
o library add function to get signature data (or whole reply message).
o library add function to validate input from app that is signed.
o SIG(0) and TSIG.
o support OPT record placement on recv anywhere in the additional section.
o add local-file: config with authority features.
-o option to make local-data answers be secure for libunbound (default=no)
+o (option) to make local-data answers be secure for libunbound (default=no)
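Review bot: Several items are removed without recording why, and two of them are security-relevant: the non-consecutive port selection idea ("grab ports nonconsequtive ... unsure if it helps secure") and the EDNS middlebox fallback ("detect nonEDNS middlebox by timeout on edns queries, and fallback to nonEDNS"). The privilege-separation item at least says "not needed"; the others should carry a word on whether they were implemented, rejected, or tracked elsewhere, so the TODO remains an honest list of open hardening work. Style: the new "(option)" prefix collides with the existing "option to" wording in "+o (option) to make local-data answers be secure for libunbound" and "o (option) to not send replies"; write these as "(option) make local-data answers ..." / "(option) do not send replies ..." to match "+o (option) private TTL feature".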
levels are lower, notable very large data and a high TCP load are no longer
supported. Very large data and high TCP loads are exceptional for the DNS.
DNSSEC validation is enabled, just add trust anchors.
-If you do not have to worry about programs using more than 1 meg of memory,
-the below example is not for you. Use the defaults to receive full service.
+If you do not have to worry about programs using more than 3 Mb of memory,
+the below example is not for you. Use the defaults to receive full service,
+which on BSD-32bit tops out at 30-40 Mb after heavy usage.
.P
.nf
# example settings that reduce memory usage
incoming\-num\-tcp: 1
outgoing\-range: 1 # uses less memory, but less port randomness.
msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
- msg\-cache\-size: 102400 # 100 Kb.
+ msg\-cache\-size: 100k
msg\-cache\-slabs: 1
- rrset\-cache\-size: 102400 # 100 Kb.
+ rrset\-cache\-size: 100k
rrset\-cache\-slabs: 1
infra\-cache\-numhosts: 200
- infra\-cache\-numlame: 10
- key\-cache\-size: 102400 # 100 Kb.
+ infra\-cache\-slabs: 1
+ infra\-cache\-lame\-size: 1k
+ key\-cache\-size: 100k
key\-cache\-slabs: 1
num\-queries\-per\-thread: 30
target\-fetch\-policy: "2 1 0 0 0 0"
harden\-large\-queries: "yes"
harden\-short\-bufsize: "yes"
- do\-ip6: no # save a bit of memory if not used.
.fi
.SH "FILES"
.TP
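Review bot: The new memory figures use "Mb" ("more than 3 Mb of memory", "tops out at 30-40 Mb"), which reads as megabits; the man page is describing RAM, so use "MB" or "megabytes". The replacement of "infra-cache-numlame: 10" by "infra-cache-slabs: 1" and "infra-cache-lame-size: 1k" needs the matching option descriptions elsewhere in this man page updated in the same change, otherwise the example references options the page does not document. The "102400 # 100 Kb." to "100k" rewrite drops the explanatory comments, which is fine only if the size-suffix syntax is described in the options section; consider keeping one "# 100 Kb" comment on the first occurrence. Removing "do-ip6: no # save a bit of memory if not used." from an example whose purpose is reducing memory usage deserves a note on why it no longer applies.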