general.rst revision 1.1.1.4 
1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
2..
3.. SPDX-License-Identifier: MPL-2.0
4..
5.. This Source Code Form is subject to the terms of the Mozilla Public
6.. License, v. 2.0.  If a copy of the MPL was not distributed with this
7.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
8..
9.. See the COPYRIGHT file distributed with this work for additional
10.. information regarding copyright ownership.
11
12.. General:
13
14General DNS Reference Information
15=================================
16
17.. _rfcs:
18
19Requests for Comment (RFCs)
20~~~~~~~~~~~~~~~~~~~~~~~~~~~
21
22Specification documents for the Internet protocol suite, including the
23DNS, are published as part of the `Request for Comments`_ (RFCs) series
24of technical notes. The standards themselves are defined by the
25`Internet Engineering Task Force`_ (IETF) and the `Internet Engineering
26Steering Group`_ (IESG). RFCs can be viewed online at:
27https://www.rfc-editor.org/.
28
29While reading RFCs, please keep in mind that :rfc:`not all RFCs are
30standards <1796>`, and also that the validity of documents does change
31over time. Every RFC needs to be interpreted in the context of other
32documents.
33
34BIND 9 strives for strict compliance with IETF standards. To the best
35of our knowledge, BIND 9 complies with the following RFCs, with
36the caveats and exceptions listed in the numbered notes below. Many
37of these RFCs were written by current or former ISC staff members.
38The list is non-exhaustive.
39
40.. _Internet Engineering Steering Group: https://www.ietf.org/about/groups/iesg/
41.. _Internet Engineering Task Force: https://www.ietf.org/about/
42.. _Request for Comments: https://www.ietf.org/standards/rfcs/
43
44Some of these RFCs, though DNS-related, are not concerned with implementing
45software.
46
47Protocol Specifications
48-----------------------
49
50:rfc:`1034` - P. Mockapetris. *Domain Names ��� Concepts and Facilities.* November
511987.
52
53:rfc:`1035` - P. Mockapetris. *Domain Names ��� Implementation and Specification.*
54November 1987. [#rfc1035_1]_ [#rfc1035_2]_
55
56:rfc:`1183` - C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris. *New DNS RR
57Definitions.* October 1990.
58
59:rfc:`1706` - B. Manning and R. Colella. *DNS NSAP Resource Records.* October 1994.
60
61:rfc:`1712` - C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. *DNS Encoding of
62Geographical Location.* November 1994.
63
64:rfc:`1876` - C. Davis, P. Vixie, T. Goodwin, and I. Dickinson. *A Means for Expressing
65Location Information in the Domain Name System.* January 1996.
66
67:rfc:`1982` - R. Elz and R. Bush. *Serial Number Arithmetic.* August 1996.
68
69:rfc:`1995` - M. Ohta. *Incremental Zone Transfer in DNS.* August 1996.
70
71:rfc:`1996` - P. Vixie. *A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY).*
72August 1996.
73
74:rfc:`2136` - P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. *Dynamic Updates in the
75Domain Name System (DNS UPDATE).* April 1997.
76
77:rfc:`2163` - A. Allocchio. *Using the Internet DNS to Distribute MIXER
78Conformant Global Address Mapping (MCGAM).* January 1998.
79
80:rfc:`2181` - R. Elz and R. Bush. *Clarifications to the DNS Specification.* July 1997.
81
82:rfc:`2230` - R. Atkinson. *Key Exchange Delegation Record for the DNS.* November
831997.
84
85:rfc:`2308` - M. Andrews. *Negative Caching of DNS Queries (DNS NCACHE).* March 1998.
86
87:rfc:`2539` - D. Eastlake, 3rd. *Storage of Diffie-Hellman Keys in the Domain Name
88System (DNS).* March 1999.
89
90:rfc:`2782` - A. Gulbrandsen, P. Vixie, and L. Esibov. *A DNS RR for Specifying the
91Location of Services (DNS SRV).* February 2000.
92
93:rfc:`2930` - D. Eastlake, 3rd. *Secret Key Establishment for DNS (TKEY RR).*
94September 2000.
95
96:rfc:`2931` - D. Eastlake, 3rd. *DNS Request and Transaction Signatures (SIG(0)s).*
97September 2000. [#rfc2931]_
98
99:rfc:`3007` - B. Wellington. *Secure Domain Name System (DNS) Dynamic Update.*
100November 2000.
101
102:rfc:`3110` - D. Eastlake, 3rd. *RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
103System (DNS).* May 2001.
104
105:rfc:`3123` - P. Koch. *A DNS RR Type for Lists of Address Prefixes (APL RR).* June
1062001.
107
108:rfc:`3225` - D. Conrad. *Indicating Resolver Support of DNSSEC.* December 2001.
109
110:rfc:`3226` - O. Gudmundsson. *DNSSEC and IPv6 A6 Aware Server/Resolver
111Message Size Requirements.* December 2001.
112
113:rfc:`3363` - R. Bush, A. Durand, B. Fink, O. Gudmundsson, and T. Hain.
114*Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name
115System (DNS).* August 2002. [#rfc3363]_
116
117:rfc:`3403` - M. Mealling.
118*Dynamic Delegation Discovery System (DDDS). Part Three: The Domain Name System
119(DNS) Database.*
120October 2002.
121
122:rfc:`3492` - A. Costello. *Punycode: A Bootstring Encoding of Unicode for
123Internationalized Domain Names in Applications (IDNA).* March 2003.
124
125:rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens.
126*Basic Socket Interface Extensions for IPv6.* March 2003.
127
128:rfc:`3496` - A. G. Malis and T. Hsiao. *Protocol Extension for Support of
129Asynchronous Transfer Mode (ATM) Service Class-aware Multiprotocol Label
130Switching (MPLS) Traffic Engineering.* March 2003.
131
132:rfc:`3596` - S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. *DNS Extensions to
133Support IP Version 6.* October 2003.
134
135:rfc:`3597` - A. Gustafsson. *Handling of Unknown DNS Resource Record (RR) Types.*
136September 2003.
137
138:rfc:`3645` - S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. *Generic
139Security Service Algorithm for Secret Key Transaction Authentication for
140DNS (GSS-TSIG).* October 2003.
141
142:rfc:`4025` - M. Richardson. *A Method for Storing IPsec Keying Material in
143DNS.* March 2005.
144
145:rfc:`4033` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *DNS Security
146Introduction and Requirements.* March 2005.
147
148:rfc:`4034` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *Resource Records for
149the DNS Security Extensions.* March 2005.
150
151:rfc:`4035` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *Protocol
152Modifications for the DNS Security Extensions.* March 2005.
153
154:rfc:`4255` - J. Schlyter and W. Griffin. *Using DNS to Securely Publish Secure
155Shell (SSH) Key Fingerprints.* January 2006.
156
157:rfc:`4343` - D. Eastlake, 3rd. *Domain Name System (DNS) Case Insensitivity
158Clarification.* January 2006.
159
160:rfc:`4398` - S. Josefsson. *Storing Certificates in the Domain Name System (DNS).* March 2006.
161
162:rfc:`4470` - S. Weiler and J. Ihren. *Minimally covering NSEC Records and
163DNSSEC On-line Signing.* April 2006. [#rfc4470]_
164
165:rfc:`4509` - W. Hardaker. *Use of SHA-256 in DNSSEC Delegation Signer
166(DS) Resource Records (RRs).* May 2006.
167
168:rfc:`4592` - E. Lewis. *The Role of Wildcards in the Domain Name System.* July 2006.
169
170:rfc:`4635` - D. Eastlake, 3rd. *HMAC SHA (Hashed Message Authentication
171Code, Secure Hash Algorithm) TSIG Algorithm Identifiers.* August 2006.
172
173:rfc:`4701` - M. Stapp, T. Lemon, and A. Gustafsson. *A DNS Resource Record
174(RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID
175RR).* October 2006.
176
177:rfc:`4955` - D. Blacka. *DNS Security (DNSSEC) Experiments.* July 2007. [#rfc4955]_
178
179:rfc:`5001` - R. Austein. *DNS Name Server Identifier (NSID) Option.* August 2007.
180
181:rfc:`5011` - M. StJohns. *Automated Updates of DNS Security (DNSSEC) Trust Anchors.*
182
183:rfc:`5155` - B. Laurie, G. Sisson, R. Arends, and D. Blacka. *DNS Security
184(DNSSEC) Hashed Authenticated Denial of Existence.* March 2008.
185
186:rfc:`5205` - P. Nikander and J. Laganier. *Host Identity Protocol (HIP)
187Domain Name System (DNS) Extension.* April 2008.
188
189:rfc:`5452` - A. Hubert and R. van Mook. *Measures for Making DNS More
190Resilient Against Forged Answers.* January 2009. [#rfc5452]_
191
192:rfc:`5702` - J. Jansen. *Use of SHA-2 Algorithms with RSA in DNSKEY and
193RRSIG Resource Records for DNSSEC.* October 2009.
194
195:rfc:`5891` - J. Klensin.
196*Internationalized Domain Names in Applications (IDNA): Protocol.*
197August 2010
198
199:rfc:`5936` - E. Lewis and A. Hoenes, Ed. *DNS Zone Transfer Protocol (AXFR).*
200June 2010.
201
202:rfc:`5952` - S. Kawamura and M. Kawashima. *A Recommendation for IPv6 Address
203Text Representation.* August 2010.
204
205:rfc:`6052` - C. Bao, C. Huitema, M. Bagnulo, M. Boucadair, and X. Li. *IPv6
206Addressing of IPv4/IPv6 Translators.* October 2010.
207
208:rfc:`6147` - M. Bagnulo, A. Sullivan, P. Matthews, and I. van Beijnum.
209*DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to
210IPv4 Servers.* April 2011. [#rfc6147]_
211
212:rfc:`6604` - D. Eastlake, 3rd. *xNAME RCODE and Status Bits Clarification.*
213April 2012.
214
215:rfc:`6605` - P. Hoffman and W. C. A. Wijngaards. *Elliptic Curve Digital
216Signature Algorithm (DSA) for DNSSEC.* April 2012. [#rfc6605]_
217
218:rfc:`6672` - S. Rose and W. Wijngaards. *DNAME Redirection in the DNS.*
219June 2012.
220
221:rfc:`6698` - P. Hoffman and J. Schlyter. *The DNS-Based Authentication of
222Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA.*
223August 2012.
224
225:rfc:`6725` - S. Rose. *DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry
226Updates.* August 2012. [#rfc6725]_
227
228:rfc:`6742` - RJ Atkinson, SN Bhatti, U. St. Andrews, and S. Rose. *DNS
229Resource Records for the Identifier-Locator Network Protocol (ILNP).*
230November 2012.
231
232:rfc:`6840` - S. Weiler, Ed., and D. Blacka, Ed. *Clarifications and
233Implementation Notes for DNS Security (DNSSEC).* February 2013. [#rfc6840]_
234
235:rfc:`6891` - J. Damas, M. Graff, and P. Vixie. *Extension Mechanisms for DNS
236(EDNS(0)).* April 2013.
237
238:rfc:`7043` - J. Abley. *Resource Records for EUI-48 and EUI-64 Addresses
239in the DNS.* October 2013.
240
241:rfc:`7208` - S. Kitterman.
242*Sender Policy Framework (SPF) for Authorizing Use of Domains in Email,
243Version 1.*
244April 2014.
245
246:rfc:`7314` - M. Andrews. *Extension Mechanisms for DNS (EDNS) EXPIRE Option.*
247July 2014.
248
249:rfc:`7344` - W. Kumari, O. Gudmundsson, and G. Barwood. *Automating DNSSEC
250Delegation Trust Maintenance.* September 2014. [#rfc7344]_
251
252:rfc:`7477` - W. Hardaker. *Child-to-Parent Synchronization in DNS.* March
2532015.
254
255:rfc:`7553` - P. Faltstrom and O. Kolkman. *The Uniform Resource Identifier
256(URI) DNS Resource Record.* June 2015.
257
258:rfc:`7583` - S. Morris, J. Ihren, J. Dickinson, and W. Mekking. *DNSSEC Key
259Rollover Timing Considerations.* October 2015.
260
261:rfc:`7766` - J. Dickinson, S. Dickinson, R. Bellis, A. Mankin, and D.
262Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016.
263
264:rfc:`7828` - P. Wouters, J. Abley, S. Dickinson, and R. Bellis.
265*The edns-tcp-keepalive EDNS0 Option.* April 2016.
266
267:rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [#rfc7830]_
268
269:rfc:`7929` - P. Wouters. *DNS-Based Authentication of Named Entities (DANE)
270Bindings for OpenPGP.* August 2016.
271
272:rfc:`8078` - O. Gudmundsson and P. Wouters. *Managing DS Records from the
273Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_
274
275:rfc:`8080` - O. Sury and R. Edmonds. *Edwards-Curve Digital Security Algorithm
276(EdDSA) for DNSSEC.* February 2017.
277
278:rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements
279and Usage Guidance for DNSSEC.* June 2019.
280
281:rfc:`8659` - P. Hallam-Baker, R. Stradling, and J. Hoffman-Andrews.
282*DNS Certification Authority Authorization (CAA) Resource Record.*
283November 2019.
284
285:rfc:`8945` - F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson,
286and B. Wellington.
287*Secret Key Transaction Authentication for DNS (TSIG).*
288November 2020.
289
290Best Current Practice RFCs
291--------------------------
292
293:rfc:`2219` - M. Hamilton and R. Wright. *Use of DNS Aliases for Network Services.*
294October 1997.
295
296:rfc:`2317` - H. Eidnes, G. de Groot, and P. Vixie. *Classless IN-ADDR.ARPA Delegation.*
297March 1998.
298
299:rfc:`2606` - D. Eastlake, 3rd and A. Panitz. *Reserved Top Level DNS Names.* June
3001999. [#rfc2606]_
301
302:rfc:`3901` - A. Durand and J. Ihren. *DNS IPv6 Transport Operational Guidelines.*
303September 2004.
304
305:rfc:`5625` - R. Bellis. *DNS Proxy Implementation Guidelines.* August 2009.
306
307:rfc:`6303` - M. Andrews. *Locally Served DNS Zones.* July 2011.
308
309:rfc:`7793` - M. Andrews. *Adding 100.64.0.0/10 Prefixes to the IPv4
310Locally-Served DNS Zones Registry.* May 2016.
311
312:rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS
313Servers: Failure to Communicate.* September 2020.
314
315For Your Information
316--------------------
317
318:rfc:`1101` - P. Mockapetris. *DNS Encoding of Network Names and Other Types.*
319April 1989.
320
321:rfc:`1123` - R. Braden. *Requirements for Internet Hosts - Application and
322Support.* October 1989.
323
324:rfc:`1535` - E. Gavron. *A Security Problem and Proposed Correction With Widely
325Deployed DNS Software.* October 1993.
326
327:rfc:`1536` - A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. *Common DNS
328Implementation Errors and Suggested Fixes.* October 1993.
329
330:rfc:`1912` - D. Barr. *Common DNS Operational and Configuration Errors.* February
3311996.
332
333:rfc:`2874` - M. Crawford and C. Huitema. *DNS Extensions to Support IPv6 Address
334Aggregation and Renumbering.* July 2000. [#rfc2874]_
335
336:rfc:`3833` - D. Atkins and R. Austein. *Threat Analysis of the Domain Name System
337(DNS).* August 2004.
338
339:rfc:`4074` - Y. Morishita and T. Jinmei. *Common Misbehavior Against DNS Queries for
340IPv6 Addresses.* June 2005.
341
342:rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation
343(DLV) DNS Resource Record.* February 2006. [#rfc4431]_
344
345:rfc:`4892` - S. Woolf and D. Conrad. *Requirements for a Mechanism
346Identifying a Name Server Instance.* June 2007.
347
348:rfc:`6781` - O. Kolkman, W. Mekking, and R. Gieben. *DNSSEC Operational
349Practices, Version 2.* December 2012.
350
351:rfc:`7129` - R. Gieben and W. Mekking. *Authenticated Denial of Existence
352in the DNS.* February 2014.
353
354:rfc:`8749` - W. Mekking and D. Mahoney. *Moving DNSSEC Lookaside Validation
355(DLV) to Historic Status.* March 2020.
356
357Notes
358~~~~~
359
360.. [#rfc1035_1] Queries to zones that have failed to load return SERVFAIL rather
361   than a non-authoritative response. This is considered a feature.
362
363.. [#rfc1035_2] CLASS ANY queries are not supported. This is considered a
364   feature.
365
366.. [#rfc2931] When receiving a query signed with a SIG(0), the server is
367   only able to verify the signature if it has the key in its local
368   authoritative data; it cannot do recursion or validation to
369   retrieve unknown keys.
370
371.. [#rfc2874] Compliance is with loading and serving of A6 records only.
372   A6 records were moved to the experimental category by :rfc:`3363`.
373
374.. [#rfc4431] Compliance is with loading and serving of DLV records only.
375   DLV records were moved to the historic category by :rfc:`8749`.
376
377.. [#rfc4470] Minimally Covering NSEC records are accepted but not generated.
378
379.. [#rfc4955] BIND 9 interoperates with correctly designed experiments.
380
381.. [#rfc5452] ``named`` only uses ports to extend the ID space; addresses are not
382   used.
383
384.. [#rfc6147] Section 5.5 does not match reality. ``named`` uses the presence
385   of DO=1 to detect if validation may be occurring. CD has no bearing
386   on whether validation occurs.
387
388.. [#rfc6605] Compliance is conditional on the OpenSSL library being linked against
389   a supporting ECDSA.
390
391.. [#rfc6725] RSAMD5 support has been removed. See :rfc:`8624`.
392
393.. [#rfc6840] Section 5.9 - Always set CD=1 on queries. This is *not* done, as
394   it prevents DNSSEC from working correctly through another recursive server.
395
396   When talking to a recursive server, the best algorithm is to send
397   CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive
398   server has a bad clock and/or bad trust anchor. Alternatively, one
399   can send CD=1 then CD=0 on validation failure, in case the recursive
400   server is under attack or there is stale/bogus authoritative data.
401
402.. [#rfc7344] Updating of parent zones is not yet implemented.
403
404.. [#rfc7830] ``named`` does not currently encrypt DNS requests, so the PAD option
405   is accepted but not returned in responses.
406
407.. [#rfc3363] Section 4 is ignored.
408
409.. [#rfc2606] This does not apply to DNS server implementations.
410
411.. [#rfc1521] Only the Base 64 encoding specification is supported.
412
413.. [#idna] BIND 9 requires ``--with-libidn2`` to enable entry of IDN labels within
414   dig, host, and nslookup at compile time.  ACE labels are supported
415   everywhere with or without ``--with-libidn2``.
416
417.. [#rfc4294] Section 5.1 - DNAME records are fully supported.
418
419.. [#rfc8078] Updating of parent zones is not yet implemented.
420
421.. _internet_drafts:
422
423Internet Drafts
424~~~~~~~~~~~~~~~
425
426Internet Drafts (IDs) are rough-draft working documents of the Internet
427Engineering Task Force (IETF). They are, in essence, RFCs in the preliminary
428stages of development. Implementors are cautioned not to regard IDs as
429archival, and they should not be quoted or cited in any formal documents
430unless accompanied by the disclaimer that they are "works in progress."
431IDs have a lifespan of six months, after which they are deleted unless
432updated by their authors.
433