.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

.. General:

General DNS Reference Information
=================================

.. _rfcs:

Requests for Comment (RFCs)
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Specification documents for the Internet protocol suite, including the
DNS, are published as part of the `Request for Comments`_ (RFCs) series
of technical notes. The standards themselves are defined by the
`Internet Engineering Task Force`_ (IETF) and the `Internet Engineering
Steering Group`_ (IESG). RFCs can be viewed online at:
https://www.rfc-editor.org/.

While reading RFCs, please keep in mind that :rfc:`not all RFCs are
standards <1796>`, and also that the validity of documents does change
over time. Every RFC needs to be interpreted in the context of other
documents.

BIND 9 strives for strict compliance with IETF standards. To the best
of our knowledge, BIND 9 complies with the following RFCs, with
the caveats and exceptions listed in the numbered notes below. Many
of these RFCs were written by current or former ISC staff members.
The list is non-exhaustive.

.. _Internet Engineering Steering Group: https://www.ietf.org/about/groups/iesg/
.. _Internet Engineering Task Force: https://www.ietf.org/about/
.. _Request for Comments: https://www.ietf.org/standards/rfcs/

Some of these RFCs, though DNS-related, are not concerned with implementing
software.

Protocol Specifications
-----------------------

:rfc:`1034` - P. Mockapetris. *Domain Names - Concepts and Facilities.* November
1987.

:rfc:`1035` - P. Mockapetris. *Domain Names - Implementation and Specification.*
November 1987. [#rfc1035_1]_ [#rfc1035_2]_

:rfc:`1183` - C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris. *New DNS RR
Definitions.* October 1990.

:rfc:`1706` - B. Manning and R. Colella. *DNS NSAP Resource Records.* October 1994.

:rfc:`1712` - C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. *DNS Encoding of
Geographical Location.* November 1994.

:rfc:`1876` - C. Davis, P. Vixie, T. Goodwin, and I. Dickinson. *A Means for Expressing
Location Information in the Domain Name System.* January 1996.

:rfc:`1982` - R. Elz and R. Bush. *Serial Number Arithmetic.* August 1996.

:rfc:`1995` - M. Ohta. *Incremental Zone Transfer in DNS.* August 1996.

:rfc:`1996` - P. Vixie. *A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY).*
August 1996.

:rfc:`2136` - P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. *Dynamic Updates in the
Domain Name System (DNS UPDATE).* April 1997.

:rfc:`2163` - A. Allocchio. *Using the Internet DNS to Distribute MIXER
Conformant Global Address Mapping (MCGAM).* January 1998.

:rfc:`2181` - R. Elz and R. Bush. *Clarifications to the DNS Specification.* July 1997.

:rfc:`2230` - R. Atkinson. *Key Exchange Delegation Record for the DNS.* November
1997.

:rfc:`2308` - M. Andrews. *Negative Caching of DNS Queries (DNS NCACHE).* March 1998.

:rfc:`2539` - D. Eastlake, 3rd. *Storage of Diffie-Hellman Keys in the Domain Name
System (DNS).* March 1999.

:rfc:`2782` - A. Gulbrandsen, P. Vixie, and L. Esibov. *A DNS RR for Specifying the
Location of Services (DNS SRV).* February 2000.

:rfc:`2930` - D. Eastlake, 3rd. *Secret Key Establishment for DNS (TKEY RR).*
September 2000.

:rfc:`2931` - D. Eastlake, 3rd. *DNS Request and Transaction Signatures (SIG(0)s).*
September 2000. [#rfc2931]_

:rfc:`3007` - B. Wellington.
*Secure Domain Name System (DNS) Dynamic Update.*
November 2000.

:rfc:`3110` - D. Eastlake, 3rd. *RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
System (DNS).* May 2001.

:rfc:`3123` - P. Koch. *A DNS RR Type for Lists of Address Prefixes (APL RR).* June
2001.

:rfc:`3225` - D. Conrad. *Indicating Resolver Support of DNSSEC.* December 2001.

:rfc:`3226` - O. Gudmundsson. *DNSSEC and IPv6 A6 Aware Server/Resolver
Message Size Requirements.* December 2001.

:rfc:`3363` - R. Bush, A. Durand, B. Fink, O. Gudmundsson, and T. Hain.
*Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name
System (DNS).* August 2002. [#rfc3363]_

:rfc:`3403` - M. Mealling.
*Dynamic Delegation Discovery System (DDDS). Part Three: The Domain Name System
(DNS) Database.*
October 2002.

:rfc:`3492` - A. Costello. *Punycode: A Bootstring Encoding of Unicode for
Internationalized Domain Names in Applications (IDNA).* March 2003.

:rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens.
*Basic Socket Interface Extensions for IPv6.* March 2003.

:rfc:`3496` - A. G. Malis and T. Hsiao. *Protocol Extension for Support of
Asynchronous Transfer Mode (ATM) Service Class-aware Multiprotocol Label
Switching (MPLS) Traffic Engineering.* March 2003.

:rfc:`3596` - S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. *DNS Extensions to
Support IP Version 6.* October 2003.

:rfc:`3597` - A. Gustafsson. *Handling of Unknown DNS Resource Record (RR) Types.*
September 2003.

:rfc:`3645` - S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. *Generic
Security Service Algorithm for Secret Key Transaction Authentication for
DNS (GSS-TSIG).* October 2003.

:rfc:`4025` - M. Richardson. *A Method for Storing IPsec Keying Material in
DNS.* March 2005.

:rfc:`4033` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose.
*DNS Security
Introduction and Requirements.* March 2005.

:rfc:`4034` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *Resource Records for
the DNS Security Extensions.* March 2005.

:rfc:`4035` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *Protocol
Modifications for the DNS Security Extensions.* March 2005.

:rfc:`4255` - J. Schlyter and W. Griffin. *Using DNS to Securely Publish Secure
Shell (SSH) Key Fingerprints.* January 2006.

:rfc:`4343` - D. Eastlake, 3rd. *Domain Name System (DNS) Case Insensitivity
Clarification.* January 2006.

:rfc:`4398` - S. Josefsson. *Storing Certificates in the Domain Name System (DNS).* March 2006.

:rfc:`4470` - S. Weiler and J. Ihren. *Minimally covering NSEC Records and
DNSSEC On-line Signing.* April 2006. [#rfc4470]_

:rfc:`4509` - W. Hardaker. *Use of SHA-256 in DNSSEC Delegation Signer
(DS) Resource Records (RRs).* May 2006.

:rfc:`4592` - E. Lewis. *The Role of Wildcards in the Domain Name System.* July 2006.

:rfc:`4635` - D. Eastlake, 3rd. *HMAC SHA (Hashed Message Authentication
Code, Secure Hash Algorithm) TSIG Algorithm Identifiers.* August 2006.

:rfc:`4701` - M. Stapp, T. Lemon, and A. Gustafsson. *A DNS Resource Record
(RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID
RR).* October 2006.

:rfc:`4955` - D. Blacka. *DNS Security (DNSSEC) Experiments.* July 2007. [#rfc4955]_

:rfc:`5001` - R. Austein. *DNS Name Server Identifier (NSID) Option.* August 2007.

:rfc:`5011` - M. StJohns. *Automated Updates of DNS Security (DNSSEC) Trust Anchors.*

:rfc:`5155` - B. Laurie, G. Sisson, R. Arends, and D. Blacka. *DNS Security
(DNSSEC) Hashed Authenticated Denial of Existence.* March 2008.

:rfc:`5205` - P. Nikander and J. Laganier. *Host Identity Protocol (HIP)
Domain Name System (DNS) Extension.* April 2008.

:rfc:`5452` - A. Hubert and R.
van Mook. *Measures for Making DNS More
Resilient Against Forged Answers.* January 2009. [#rfc5452]_

:rfc:`5702` - J. Jansen. *Use of SHA-2 Algorithms with RSA in DNSKEY and
RRSIG Resource Records for DNSSEC.* October 2009.

:rfc:`5891` - J. Klensin.
*Internationalized Domain Names in Applications (IDNA): Protocol.*
August 2010.

:rfc:`5936` - E. Lewis and A. Hoenes, Ed. *DNS Zone Transfer Protocol (AXFR).*
June 2010.

:rfc:`5952` - S. Kawamura and M. Kawashima. *A Recommendation for IPv6 Address
Text Representation.* August 2010.

:rfc:`6052` - C. Bao, C. Huitema, M. Bagnulo, M. Boucadair, and X. Li. *IPv6
Addressing of IPv4/IPv6 Translators.* October 2010.

:rfc:`6147` - M. Bagnulo, A. Sullivan, P. Matthews, and I. van Beijnum.
*DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to
IPv4 Servers.* April 2011. [#rfc6147]_

:rfc:`6604` - D. Eastlake, 3rd. *xNAME RCODE and Status Bits Clarification.*
April 2012.

:rfc:`6605` - P. Hoffman and W. C. A. Wijngaards. *Elliptic Curve Digital
Signature Algorithm (DSA) for DNSSEC.* April 2012. [#rfc6605]_

:rfc:`6672` - S. Rose and W. Wijngaards. *DNAME Redirection in the DNS.*
June 2012.

:rfc:`6698` - P. Hoffman and J. Schlyter. *The DNS-Based Authentication of
Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA.*
August 2012.

:rfc:`6725` - S. Rose. *DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry
Updates.* August 2012. [#rfc6725]_

:rfc:`6742` - RJ Atkinson, SN Bhatti, U. St. Andrews, and S. Rose. *DNS
Resource Records for the Identifier-Locator Network Protocol (ILNP).*
November 2012.

:rfc:`6840` - S. Weiler, Ed., and D. Blacka, Ed. *Clarifications and
Implementation Notes for DNS Security (DNSSEC).* February 2013. [#rfc6840]_

:rfc:`6891` - J. Damas, M. Graff, and P. Vixie. *Extension Mechanisms for DNS
(EDNS(0)).* April 2013.

:rfc:`7043` - J. Abley. *Resource Records for EUI-48 and EUI-64 Addresses
in the DNS.* October 2013.

:rfc:`7050` - T. Savolainen, J. Korhonen, and D. Wing. *Discovery of the IPv6
Prefix Used for IPv6 Address Synthesis.* November 2013. [#rfc7050]_

:rfc:`7208` - S. Kitterman.
*Sender Policy Framework (SPF) for Authorizing Use of Domains in Email,
Version 1.*
April 2014.

:rfc:`7314` - M. Andrews. *Extension Mechanisms for DNS (EDNS) EXPIRE Option.*
July 2014.

:rfc:`7344` - W. Kumari, O. Gudmundsson, and G. Barwood. *Automating DNSSEC
Delegation Trust Maintenance.* September 2014. [#rfc7344]_

:rfc:`7477` - W. Hardaker. *Child-to-Parent Synchronization in DNS.* March
2015.

:rfc:`7553` - P. Faltstrom and O. Kolkman. *The Uniform Resource Identifier
(URI) DNS Resource Record.* June 2015.

:rfc:`7583` - S. Morris, J. Ihren, J. Dickinson, and W. Mekking. *DNSSEC Key
Rollover Timing Considerations.* October 2015.

:rfc:`7766` - J. Dickinson, S. Dickinson, R. Bellis, A. Mankin, and D.
Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016.

:rfc:`7828` - P. Wouters, J. Abley, S. Dickinson, and R. Bellis.
*The edns-tcp-keepalive EDNS0 Option.* April 2016.

:rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [#rfc7830]_

:rfc:`7858` - Z. Hu, L. Zhu, J. Heidemann, A. Mankin, D. Wessels,
and P. Hoffman. *Specification for DNS over Transport Layer Security (TLS).*
May 2016. [#noencryptedfwd]_

:rfc:`7929` - P. Wouters. *DNS-Based Authentication of Named Entities (DANE)
Bindings for OpenPGP.* August 2016.

:rfc:`8078` - O. Gudmundsson and P. Wouters. *Managing DS Records from the
Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_

:rfc:`8080` - O. Sury and R. Edmonds. *Edwards-Curve Digital Security Algorithm
(EdDSA) for DNSSEC.* February 2017.

:rfc:`8484` - P. Hoffman and P. McManus.
*DNS Queries over HTTPS (DoH).*
October 2018. [#noencryptedfwd]_

:rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements
and Usage Guidance for DNSSEC.* June 2019.

:rfc:`8659` - P. Hallam-Baker, R. Stradling, and J. Hoffman-Andrews.
*DNS Certification Authority Authorization (CAA) Resource Record.*
November 2019.

:rfc:`8880` - S. Cheshire and D. Schinazi. *Special Use Domain Name
'ipv4only.arpa'.* August 2020.

:rfc:`8945` - F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson,
and B. Wellington.
*Secret Key Transaction Authentication for DNS (TSIG).*
November 2020.

:rfc:`9103` - W. Toorop, S. Dickinson, S. Sahib, P. Aras, and A. Mankin.
*DNS Zone Transfer over TLS.* August 2021. [#rfc9103]_

Best Current Practice RFCs
--------------------------

:rfc:`2219` - M. Hamilton and R. Wright. *Use of DNS Aliases for Network Services.*
October 1997.

:rfc:`2317` - H. Eidnes, G. de Groot, and P. Vixie. *Classless IN-ADDR.ARPA Delegation.*
March 1998.

:rfc:`2606` - D. Eastlake, 3rd and A. Panitz. *Reserved Top Level DNS Names.* June
1999. [#rfc2606]_

:rfc:`3901` - A. Durand and J. Ihren. *DNS IPv6 Transport Operational Guidelines.*
September 2004.

:rfc:`5625` - R. Bellis. *DNS Proxy Implementation Guidelines.* August 2009.

:rfc:`6303` - M. Andrews. *Locally Served DNS Zones.* July 2011.

:rfc:`7793` - M. Andrews. *Adding 100.64.0.0/10 Prefixes to the IPv4
Locally-Served DNS Zones Registry.* May 2016.

:rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS
Servers: Failure to Communicate.* September 2020.

For Your Information
--------------------

:rfc:`1101` - P. Mockapetris. *DNS Encoding of Network Names and Other Types.*
April 1989.

:rfc:`1123` - R. Braden. *Requirements for Internet Hosts - Application and
Support.* October 1989.

:rfc:`1535` - E. Gavron. *A Security Problem and Proposed Correction With Widely
Deployed DNS Software.* October 1993.

:rfc:`1536` - A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. *Common DNS
Implementation Errors and Suggested Fixes.* October 1993.

:rfc:`1912` - D. Barr. *Common DNS Operational and Configuration Errors.* February
1996.

:rfc:`2874` - M. Crawford and C. Huitema. *DNS Extensions to Support IPv6 Address
Aggregation and Renumbering.* July 2000. [#rfc2874]_

:rfc:`3833` - D. Atkins and R. Austein. *Threat Analysis of the Domain Name System
(DNS).* August 2004.

:rfc:`4074` - Y. Morishita and T. Jinmei. *Common Misbehavior Against DNS Queries for
IPv6 Addresses.* June 2005.

:rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation
(DLV) DNS Resource Record.* February 2006. [#rfc4431]_

:rfc:`4892` - S. Woolf and D. Conrad. *Requirements for a Mechanism
Identifying a Name Server Instance.* June 2007.

:rfc:`6781` - O. Kolkman, W. Mekking, and R. Gieben. *DNSSEC Operational
Practices, Version 2.* December 2012.

:rfc:`7129` - R. Gieben and W. Mekking. *Authenticated Denial of Existence
in the DNS.* February 2014.

:rfc:`8749` - W. Mekking and D. Mahoney. *Moving DNSSEC Lookaside Validation
(DLV) to Historic Status.* March 2020.

Notes
~~~~~

.. [#rfc1035_1] Queries to zones that have failed to load return SERVFAIL rather
   than a non-authoritative response. This is considered a feature.

.. [#rfc1035_2] CLASS ANY queries are not supported. This is considered a
   feature.

.. [#rfc2931] When receiving a query signed with a SIG(0), the server is
   only able to verify the signature if it has the key in its local
   authoritative data; it cannot do recursion or validation to
   retrieve unknown keys.

.. [#rfc2874] Compliance is with loading and serving of A6 records only.
   A6 records were moved to the experimental category by :rfc:`3363`.

.. [#rfc4431] Compliance is with loading and serving of DLV records only.
   DLV records were moved to the historic category by :rfc:`8749`.

.. [#rfc4470] Minimally Covering NSEC records are accepted but not generated.

.. [#rfc4955] BIND 9 interoperates with correctly designed experiments.

.. [#rfc5452] :iscman:`named` only uses ports to extend the ID space; addresses are not
   used.

.. [#rfc6147] Section 5.5 does not match reality. :iscman:`named` uses the presence
   of DO=1 to detect if validation may be occurring. CD has no bearing
   on whether validation occurs.

.. [#rfc6605] Compliance is conditional on the OpenSSL library that BIND 9 is
   linked against supporting ECDSA.

.. [#rfc6725] RSAMD5 support has been removed. See :rfc:`8624`.

.. [#rfc6840] Section 5.9 - Always set CD=1 on queries. This is *not* done, as
   it prevents DNSSEC from working correctly through another recursive server.

   When talking to a recursive server, the best algorithm is to send
   CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive
   server has a bad clock and/or bad trust anchor. Alternatively, one
   can send CD=1 then CD=0 on validation failure, in case the recursive
   server is under attack or there is stale/bogus authoritative data.

.. [#rfc7344] Updating of parent zones is not yet implemented.

.. [#rfc7830] :iscman:`named` does not currently encrypt DNS requests, so the PAD option
   is accepted but not returned in responses.

.. [#rfc3363] Section 4 is ignored.

.. [#rfc2606] This does not apply to DNS server implementations.

.. [#rfc1521] Only the Base 64 encoding specification is supported.

.. [#idna] BIND 9 requires ``--with-libidn2`` to enable entry of IDN labels within
   dig, host, and nslookup at compile time.
   ACE labels are supported
   everywhere with or without ``--with-libidn2``.

.. [#rfc4294] Section 5.1 - DNAME records are fully supported.

.. [#rfc7050] RFC 7050 is updated by RFC 8880.

.. [#noencryptedfwd] Forwarding DNS queries over encrypted transports is not
   supported yet.

.. [#rfc8078] Updating of parent zones is not yet implemented.

.. [#rfc9103] Strict TLS and Mutual TLS authentication mechanisms are
   not supported yet.

.. _internet_drafts:

Internet Drafts
~~~~~~~~~~~~~~~

Internet Drafts (IDs) are rough-draft working documents of the Internet
Engineering Task Force (IETF). They are, in essence, RFCs in the preliminary
stages of development. Implementors are cautioned not to regard IDs as
archival, and they should not be quoted or cited in any formal documents
unless accompanied by the disclaimer that they are "works in progress."
IDs have a lifespan of six months, after which they are deleted unless
updated by their authors.