resolved: update RFCs list and TODO list

2 files changed, 14 insertions, 17 deletions

diff --git a/src/resolve/RFCs b/src/resolve/RFCs
index 33f4dd9cb6..22004a00cd 100644
--- a/src/resolve/RFCs
+++ b/src/resolve/RFCs
@@ -13,14 +13,14 @@ Y https://tools.ietf.org/html/rfc1123 → Requirements for Internet Hosts -- App
 Y https://tools.ietf.org/html/rfc1536 → Common DNS Implementation Errors and Suggested Fixes
 Y https://tools.ietf.org/html/rfc1876 → A Means for Expressing Location Information in the Domain Name System
 Y https://tools.ietf.org/html/rfc2181 → Clarifications to the DNS Specification
-  https://tools.ietf.org/html/rfc2308 → Negative Caching of DNS Queries (DNS NCACHE)
+Y https://tools.ietf.org/html/rfc2308 → Negative Caching of DNS Queries (DNS NCACHE)
 Y https://tools.ietf.org/html/rfc2782 → A DNS RR for specifying the location of services (DNS SRV)
 D https://tools.ietf.org/html/rfc3492 → Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)
 Y https://tools.ietf.org/html/rfc3596 → DNS Extensions to Support IP Version 6
 Y https://tools.ietf.org/html/rfc3597 → Handling of Unknown DNS Resource Record (RR) Types
-  https://tools.ietf.org/html/rfc4033 → DNS Security Introduction and Requirements
-  https://tools.ietf.org/html/rfc4034 → Resource Records for the DNS Security Extensions
-  https://tools.ietf.org/html/rfc4035 → Protocol Modifications for the DNS Security Extensions
+Y https://tools.ietf.org/html/rfc4033 → DNS Security Introduction and Requirements
+Y https://tools.ietf.org/html/rfc4034 → Resource Records for the DNS Security Extensions
+Y https://tools.ietf.org/html/rfc4035 → Protocol Modifications for the DNS Security Extensions
 ! https://tools.ietf.org/html/rfc4183 → A Suggested Scheme for DNS Resolution of Networks and Gateways
 Y https://tools.ietf.org/html/rfc4255 → Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
 Y https://tools.ietf.org/html/rfc4343 → Domain Name System (DNS) Case Insensitivity Clarification
@@ -31,26 +31,26 @@ Y https://tools.ietf.org/html/rfc4509 → Use of SHA-256 in DNSSEC Delegation Si
 ~ https://tools.ietf.org/html/rfc4697 → Observed DNS Resolution Misbehavior
 Y https://tools.ietf.org/html/rfc4795 → Link-Local Multicast Name Resolution (LLMNR)
 Y https://tools.ietf.org/html/rfc5011 → Automated Updates of DNS Security (DNSSEC) Trust Anchors
-  https://tools.ietf.org/html/rfc5155 → DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
+Y https://tools.ietf.org/html/rfc5155 → DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
 Y https://tools.ietf.org/html/rfc5452 → Measures for Making DNS More Resilient against Forged Answers
 Y https://tools.ietf.org/html/rfc5702 → Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
 Y https://tools.ietf.org/html/rfc5890 → Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework
 Y https://tools.ietf.org/html/rfc5891 → Internationalized Domain Names in Applications (IDNA): Protocol
 Y https://tools.ietf.org/html/rfc5966 → DNS Transport over TCP - Implementation Requirements
 Y https://tools.ietf.org/html/rfc6303 → Locally Served DNS Zones
-  https://tools.ietf.org/html/rfc6604 → xNAME RCODE and Status Bits Clarification
+Y https://tools.ietf.org/html/rfc6604 → xNAME RCODE and Status Bits Clarification
 Y https://tools.ietf.org/html/rfc6605 → Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC
   https://tools.ietf.org/html/rfc6672 → DNAME Redirection in the DNS
 ! https://tools.ietf.org/html/rfc6731 → Improved Recursive DNS Server Selection for Multi-Interfaced Nodes
 Y https://tools.ietf.org/html/rfc6761 → Special-Use Domain Names
   https://tools.ietf.org/html/rfc6762 → Multicast DNS
   https://tools.ietf.org/html/rfc6763 → DNS-Based Service Discovery
-  https://tools.ietf.org/html/rfc6781 → DNSSEC Operational Practices, Version 2
-  https://tools.ietf.org/html/rfc6840 → Clarifications and Implementation Notes for DNS Security (DNSSEC)
+~ https://tools.ietf.org/html/rfc6781 → DNSSEC Operational Practices, Version 2
+Y https://tools.ietf.org/html/rfc6840 → Clarifications and Implementation Notes for DNS Security (DNSSEC)
 Y https://tools.ietf.org/html/rfc6891 → Extension Mechanisms for DNS (EDNS(0))
 Y https://tools.ietf.org/html/rfc6944 → Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status
 Y https://tools.ietf.org/html/rfc6975 → Signaling Cryptographic Algorithm Understanding in DNS Security Extensions (DNSSEC)
-  https://tools.ietf.org/html/rfc7129 → Authenticated Denial of Existence in the DNS
+Y https://tools.ietf.org/html/rfc7129 → Authenticated Denial of Existence in the DNS
 Y https://tools.ietf.org/html/rfc7646 → Definition and Use of DNSSEC Negative Trust Anchors
 ~ https://tools.ietf.org/html/rfc7719 → DNS Terminology
 
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 2ac085dfd3..43fb365d68 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -35,17 +35,14 @@
  *
  * TODO:
  *
- *   - wildcard zones compatibility (NSEC/NSEC3 wildcard check is missing)
- *   - multi-label zone compatibility
- *   - cname/dname compatibility
- *   - nxdomain on qname
  *   - bus calls to override DNSEC setting per interface
  *   - log all DNSSEC downgrades
+ *   - log all RRs that failed validation
  *   - enable by default
- *
- *   - RFC 4035, Section 5.3.4 (When receiving a positive wildcard reply, use NSEC to ensure it actually really applies)
- *   - RFC 6840, Section 4.1 (ensure we don't get fed a glue NSEC from the parent zone)
- *   - RFC 6840, Section 4.3 (check for CNAME on NSEC too)
+ *   - Allow clients to request DNSSEC even if DNSSEC is off
+ *   - find public DNAME test domain
+ *   - make sure when getting an NXDOMAIN response through CNAME, we still process the first CNAMEs in the packet
+ *   - flush cache when DNSSEC setting changes
  * */
 
 #define VERIFY_RRS_MAX 256