djb: 

end-to-end nym-based security -- done

try to get the root authorities to set up a secure, usable NS-list system
have dnscache-conf keep track of copies of dnsroots.global
incorporate automatic NS-list upgrades	-- open

consider dead-server table in dnscache or in kernel -- tbd (partially implemented now in v34). 
	feh: could use hostname in ./root/#servers similar to tinydns 
			 but each lookup requires a stat of name ... ugh.
		could use cdb instead; kept in memory upon start.
		could use an alarm signal to re-read while running.

feh:

IPv6 lookups -- done
maybe reverse IPv6 lookups; what a mess -- done
DNS over IPv6 -- done

- tinydns:
	tinydns with CurveDNS -- done
	DNSSEC for tinydns (Peter Conrad ?) -- tbd

- dnscache:
	DNSSEC verification for dnscache -- tbd
	TLS support for dnscache (for client access only [TCP/UDP ?]) -- tbd

- dns* resolvers:
	Add EDNS0 capability -- partially done

- multicast support for all servers

