wireguard: update TODO list for WireGuard devices

(cherry picked from commit 3990c92fbf)

src/devices/nm-device-wireguard.c

@@ -37,9 +37,6 @@ _LOG_DECLARE_SELF(NMDeviceWireGuard);
 
 /*****************************************************************************/
 
-/* TODO: ensure externally-managed works. Both after start of NM and
- *   when adding a wg link with NM running. */
-
 /* TODO: activate profile with peer preshared-key-flags=2. On first activation, the secret is
  *   requested (good). Enter it and connect. Reactivate the profile, now there is no password
  *   prompt, as the secret is cached (good??). */
@@ -47,7 +44,15 @@ _LOG_DECLARE_SELF(NMDeviceWireGuard);
 /* TODO: unlike for other VPNs, we don't inject a direct route to the peers. That means,
  *   you might get a routing sceneraio where the peer (VPN server) is reachable via the VPN.
  *   How we handle adding routes to external gateway for other peers, has severe issues
-*    as well. I think the only solution is https://www.wireguard.com/netns/#improving-the-classic-solutions */
+ *   as well. We may use policy-routing like wg-quick does. See also disussions at
+ *   https://www.wireguard.com/netns/#improving-the-classic-solutions */
+
+/* TODO: honor the TTL of DNS to determine when to retry resolving endpoints. */
+
+/* TODO: when we get multiple IP addresses when resolving a peer endpoint. We currently
+ *   just take the first from GAI. We should only accept AAAA/IPv6 if we also have a suitable
+ *   IPv6 address. The problem is, that we have to recheck that when IP addressing on other
+ *   interfaces changes. This makes it almost too cumbersome to implement. */
 
 /*****************************************************************************/