This repository has been archived by the owner on Jul 28, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathTODO
136 lines (117 loc) · 6.24 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
The TODO's here are for delphinusdnsd which is the successor of wildcarddnsd.
Please see https://delphinusdns.org for updates/news.
For 1.9.0 release
- change the zebra striped shared memory to a finer grained linked list which
will mmap the shared memory 200x or however many slots there is. This
simplifies and is more secure, but there is coding overhead. Every year
delphinusdnsd gets a little better.
- TKEY (RFC 2930) support
- clean up the Open Source portion immensely making it easier for porting to
the Windows Operating System
- start the EDWIN project (Windows Operating System port)
- switch to cmake (for windows even too)
For 1.8.0 release
- Shape up the NSEC code as it seems NSEC is having a renaissance, at least
to have replicant compatibility for NSEC [DONE]
- filter input to dddctl query for escape codes. [DONE]
- make delphinusdnsd not restart the entire daemon upon axfr, just merge or
internally build a new database and switch them. [DONE]
- partially rewrite AXFR code.
- fix the TXT RR problem (DNSSEC) [DONE]
- make a forked tcp accept process for TCP engine which should allow us
to drop the "inet" pledge from this. The descriptor is passed
from a "stdio inet sendfd" listener process to these. This should make
better security preventing someone to overflow something to write a socket
outwards. [DONE]
- much like on the TCP engine make an AXFR accept process allowing us to
drop the "inet" pledge. [DONE]
- give the raxfr (replicant engine) a forked helper that opens sockets for it
and once open passes them back to replicant engine. This allows us to drop
the "inet" pledge.
- refactor the TLS code
- implement algorithm 15 (Ed25519) [DONE]
- implement algorithm 16 (Ed448) this is dependant on support by LibreSSL
- fix negative lookup of riscv64.delphinusdns.org replies SERVFAIL see:
https://dnsviz.net/d/riscv64.delphinusdns.org/dnssec/ (jul 26, 2023)
yet nonexist.delphinusdns.org (see same dnsviz) works. [DONE]
- add OPENPGPKEY RR (RFC 7929 (experimental))
- add SMIMEA RR (RFC 8162 - (experimental based on TLSA RR))
- add CERT RR (RFC 4398 (standard)) [DONE]
For 1.7.0 release
- EUI48 and EUI64 support (RFC 7043) [DONE]
- HTTPS/SVCB support (RFC 9460, based off draft) [DONE]
- Add cookies to the forward mode, so that we can get rid of x20 entirely.
For 1.6.0 release
- filter input to dddctl query for escape codes.
- Shape up the NSEC code as it seems NSEC is having a renaissance, at least
to have replicant compatibility for NSEC
- display statistics via the UNIX socket, now possible with the cortex process.
- DNS Update (RFC 2136 and 3007) must be Secure with TSIG, and do DNSSEC signing
- add DNS64 (RFC 6147) capability to forwarding mode
- add DNS over TLS (RFC 7858) capability to forwarding mode
- fudgesize in forwarding mode for setting higher FUDGE value [DONE]
- ntphack in main daemon for allowing *.ntp.org through [DONE]
- rdomains throughout the daemon (forwarding and especially main daemon) [DONE]
- setproctitle setting of an identifier for identifying a delphinusdnsd when
many are in the system, also dddctl should be modified to set up killing such
an ident (ie. /var/run/delphinusdnsd-${ID}.sock) [DONE]
- fix CNAME answers [DONE]
- fix/add wildcard support including AXFR [DONE]
- HTTPS/SVCB, CDS/CDNSKEY and LOC RR support [DONE CDS/CDNSKEY/LOC]
- change the repo to github fully instead of mirror'ing it [DONE]
- add Ricardo Santos to have access to the tree [DONE]
For 1.5.0 release
- make sure an RRset has the same TTL, we don't need TTL in a single RR because
the set requires per RFC 2181 section 5.2 to be the same in the RRset. [DONE]
- CAA RR support [DONE]
- a github mirrored copy [DONE]
- an OpenBSD port/package starting with 1.4.1 release
- fix the DNSSEC and delphinusdnsd(?) code so that an algorithm rollover works
[POSSIBLY DONE]
- filter input to dddctl query for escape codes.
- inside axfrloop the axfr child is chrooted, which gives it GMT timezone, this
could have effects on sending notifies, noticed at 00:47 in a +1 timezone,
add the timeinfo as a variable before chroot'ing. [DONE axfr.c 1.41]
- Shape up the NSEC code as it seems NSEC is having a renaissance, at least
to have replicant compatibility for NSEC
- get rid of zincludes and incorporate them into mzone blocks (for masters)
- display statistics via the UNIX socket, now possible with the cortex process.
- get started with DNS Update (RFC 2136 and 3007) must be Secure with TSIG
- simple DNS forwarding (with TSIG) is kinda what I want too [DONE]
For 1.4.0 release
- a github mirrored copy
- fix the DNSSEC code so that a KSK key rollover is allowed [DONE]
- TSIG support would still be nice [DONE]
- CAA RR support
- More ciphers for signing (GOST, ECDSA, Elliptic Curves) [ECDSA DONE]
- Replicant AXFR mode (with TSIG) [DONE]
- Redo TCP support [DONE]
For 1.3.0 release
- fix the DNSSEC code so that a key rollover is allowed [PARTIALLY DONE]
- sign zones immediately at startup which doesn't require a zonesigner
this would be coupled with a dynamic dns system which automatically adds/up-
dates new NSEC3 and RRSIG's for new records.
- TSIG support would still be nice
For 1.2.0 release
- sign zones immediately at startup which doesn't require a zonesigner
this would be coupled with a dynamic dns system which automatically adds/up-
dates new NSEC3 and RRSIG's for new records.
- TSIG support would still be nice
- allow AXFR to bind to port 53 and pass it from main engine to axfr engine
via descriptor passing [DONE]
- CNAME's with DNSSEC are broken, due to a missing RRSIG, recursive servers
return SERVFAIL [DONE]
For 1.1.0 release
- either a zonesigner (instead of relying on BIND's) or [DONE]
- signing zones immediately at startup which doesn't require a zonesigner
- TSIG support would still be nice
- allow AXFR to bind to port 53 and pass it from main engine to axfr engine
via descriptor passing
For 1.0.0 release
- TSIG (RFC 2845) support
- partition the struct domain, so that we have selective sizes based on
what records exist. This is a lot of work but will make records under 44KB
again. [DONE]
- DNSSEC (RFC 4034 / DNSKEY RR, DS RR, RRSIG RR, NSEC RR) [DONE]
- Notify needs to be rewritten for allowing notifies to different replicants.
- A zone signer possibly written in ruby. [PARTIALLY DONE]