BIND 10 Y4 Recursive Resolver Work ---- BIND 10 has a resolver that does basic DNS recursive resolution, with caching. However, it has a number of missing features, most notably support for DNSSEC validation. These features are necessary in a modern resolver. In addition to missing features, BIND 10 aspires to make DNS resolution more manageable by adding features to figure out what a server is doing during the resolution process. It also intends to create a comprehensive testing tool to thoroughly verify the resolution process of BIND 10 as well other resolvers. [ I have flagged items which are lower-priority with a star, *. These are included for completeness, and because other people may consider these very important indeed. ] 1. Comprehensive functional test suite ---- The intention is to create a system to test recursive resolution completely, with all of the many permutations of delegation, lameness, IPv4/IPv6, firewalls, EDNS0 support, expired signatures, and so on. A test system simulating any environment and running a DNS resolver in specific scenarios will be created. Some ideas are outlined here: http://bind10.isc.org/wiki/TestingRecursion The intention is for this to be generally usable with any DNS resolver, and for the suite to be released separately from BIND 10. Work about developing a functional test suite 1.1 Design test framework [3d] 1.2 Define test language [3d] 1.3 Implement test framework [10d] 1.4 Define initial set of specific tests [5d] 1.5 Add support for BIND 10 testing [3d] 1.6 Add support for BIND 9 testing [3d] 2. Securing the non-DNSSEC resolution process ---- BIND 10 needs to fully implement the recommendations of RFC 5452, to protect against Kaminsky-style attacks. Work about securing the non-DNSSEC resolution process 2.1 Query port randomization [10d] 2.2 Define ports to avoid [5d] 2.3 Pre-defined list of ports [2d] 2.4 Query port bootstrapping issue [3d] 2.5 Accept only in-domain records [3d] 2.6 Source IP randomization [5d] (*) 3. Other stuff ---- We have some other odds & ends to complete, such as root priming equivalent to that described in draft-ietf-dnsop-resolver-priming. We should also add a way to handle ICMP port unreachable messages (typically by using connected UDP sockets, but there are other possible techniques). Additional resolution work 3.1 Root priming [5d] 3.2 ICMP port unreachable collecting [3d] (*) 3.3 Set up & maintain recursive performance tests [10d] 4. Server capability tracking ---- BIND 10 should track the capabilities of each server and cache this information for a period of time. This includes things like lameness, EDNS0 support, and so on. Work on server capability tracking 4.1 Document & define server capability methods in BIND 9 [2d] 4.2 Document & define server capability requirements [3d] 4.3 Implement server capability database [5d] 4.4 Modify resolver to use server capability database [5d] 5. Trust anchor management ---- We need ways to manage trust anchors, including RFC 5011 support. Work on trust anchor management 5.1 Support manual trust anchor configuration [3d] 5.2 RFC 5011 support [15d] 6. EDNS0 enhancements ---- BIND 9 has reasonable EDNS0 support, but it is ad-hoc and needs to redesigned from first principles. In order to insure that we do more good than bad, we nee to simulate a wide range of scenarios. Because of this, the work should occur after the functional test suite is usable. [ Note... some internal discussion about this is covered in Michael's wiki page here: https://etherpad.isc.org/p/mgraff-edns-retry ] Work on EDNS0 enhancements 6.1 Develop improved EDNS0 algorithms [10d] (*) 6.2 Implement improved EDNS0 algorithms [10d] (*) 7. Query tracing ---- Given the large number of queries that may be involved in getting the answers for any one user query, plus the interaction with the cache, plus the way queries are handled concurrently - sometimes also consolidated - it is very difficult to debug server operations. We want the ability to see what the resolver is doing for any specific query. Work on query tracing 7.1 Design and document administrator interface [4d] 7.2 Modify BIND 10 to support query tracing [8d] 8. Cache-specific improvements ---- Ultimately we want BIND 10 to treat the cache as an object - something that can be created, stored, loaded, moved, changed. As an intermediate step, providing more cache control is necessary. Cache-specific work 8.1 Ability to insert, remove, or modify cache entries [3d] 8.2 Ability to load and save cache [10d] (*) 8.3 Ability to migrate cache between machines [15d] (*) 9. DNSSEC validation ---- The DNSSEC validation as described in RFC 4033/4034/4035 needs to be implemented. RFC 5155 (NSEC3) also needs to be supported. DNSSEC validation work 9.1 Signature verification [5d] 9.2 Modify cache to track RR security status, expire properly [10d] 9.3 CD/AD bit handling [3d] 9.4 checking RRSIG RR validity [10d] 9.5 DNSKEY fetching [5d] 9.6 NSEC handling [5d] 9.7 NSEC3 handling [10d]