general.rst revision 1.1.1.4
1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") 2.. 3.. SPDX-License-Identifier: MPL-2.0 4.. 5.. This Source Code Form is subject to the terms of the Mozilla Public 6.. License, v. 2.0. If a copy of the MPL was not distributed with this 7.. file, you can obtain one at https://mozilla.org/MPL/2.0/. 8.. 9.. See the COPYRIGHT file distributed with this work for additional 10.. information regarding copyright ownership. 11 12.. General: 13 14General DNS Reference Information 15================================= 16 17.. _rfcs: 18 19Requests for Comment (RFCs) 20~~~~~~~~~~~~~~~~~~~~~~~~~~~ 21 22Specification documents for the Internet protocol suite, including the 23DNS, are published as part of the `Request for Comments`_ (RFCs) series 24of technical notes. The standards themselves are defined by the 25`Internet Engineering Task Force`_ (IETF) and the `Internet Engineering 26Steering Group`_ (IESG). RFCs can be viewed online at: 27https://www.rfc-editor.org/. 28 29While reading RFCs, please keep in mind that :rfc:`not all RFCs are 30standards <1796>`, and also that the validity of documents does change 31over time. Every RFC needs to be interpreted in the context of other 32documents. 33 34BIND 9 strives for strict compliance with IETF standards. To the best 35of our knowledge, BIND 9 complies with the following RFCs, with 36the caveats and exceptions listed in the numbered notes below. Many 37of these RFCs were written by current or former ISC staff members. 38The list is non-exhaustive. 39 40.. _Internet Engineering Steering Group: https://www.ietf.org/about/groups/iesg/ 41.. _Internet Engineering Task Force: https://www.ietf.org/about/ 42.. _Request for Comments: https://www.ietf.org/standards/rfcs/ 43 44Some of these RFCs, though DNS-related, are not concerned with implementing 45software. 46 47Protocol Specifications 48----------------------- 49 50:rfc:`1034` - P. Mockapetris. *Domain Names ��� Concepts and Facilities.* November 511987. 52 53:rfc:`1035` - P. Mockapetris. *Domain Names ��� Implementation and Specification.* 54November 1987. [#rfc1035_1]_ [#rfc1035_2]_ 55 56:rfc:`1183` - C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris. *New DNS RR 57Definitions.* October 1990. 58 59:rfc:`1706` - B. Manning and R. Colella. *DNS NSAP Resource Records.* October 1994. 60 61:rfc:`1712` - C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. *DNS Encoding of 62Geographical Location.* November 1994. 63 64:rfc:`1876` - C. Davis, P. Vixie, T. Goodwin, and I. Dickinson. *A Means for Expressing 65Location Information in the Domain Name System.* January 1996. 66 67:rfc:`1982` - R. Elz and R. Bush. *Serial Number Arithmetic.* August 1996. 68 69:rfc:`1995` - M. Ohta. *Incremental Zone Transfer in DNS.* August 1996. 70 71:rfc:`1996` - P. Vixie. *A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY).* 72August 1996. 73 74:rfc:`2136` - P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. *Dynamic Updates in the 75Domain Name System (DNS UPDATE).* April 1997. 76 77:rfc:`2163` - A. Allocchio. *Using the Internet DNS to Distribute MIXER 78Conformant Global Address Mapping (MCGAM).* January 1998. 79 80:rfc:`2181` - R. Elz and R. Bush. *Clarifications to the DNS Specification.* July 1997. 81 82:rfc:`2230` - R. Atkinson. *Key Exchange Delegation Record for the DNS.* November 831997. 84 85:rfc:`2308` - M. Andrews. *Negative Caching of DNS Queries (DNS NCACHE).* March 1998. 86 87:rfc:`2539` - D. Eastlake, 3rd. *Storage of Diffie-Hellman Keys in the Domain Name 88System (DNS).* March 1999. 89 90:rfc:`2782` - A. Gulbrandsen, P. Vixie, and L. Esibov. *A DNS RR for Specifying the 91Location of Services (DNS SRV).* February 2000. 92 93:rfc:`2930` - D. Eastlake, 3rd. *Secret Key Establishment for DNS (TKEY RR).* 94September 2000. 95 96:rfc:`2931` - D. Eastlake, 3rd. *DNS Request and Transaction Signatures (SIG(0)s).* 97September 2000. [#rfc2931]_ 98 99:rfc:`3007` - B. Wellington. *Secure Domain Name System (DNS) Dynamic Update.* 100November 2000. 101 102:rfc:`3110` - D. Eastlake, 3rd. *RSA/SHA-1 SIGs and RSA KEYs in the Domain Name 103System (DNS).* May 2001. 104 105:rfc:`3123` - P. Koch. *A DNS RR Type for Lists of Address Prefixes (APL RR).* June 1062001. 107 108:rfc:`3225` - D. Conrad. *Indicating Resolver Support of DNSSEC.* December 2001. 109 110:rfc:`3226` - O. Gudmundsson. *DNSSEC and IPv6 A6 Aware Server/Resolver 111Message Size Requirements.* December 2001. 112 113:rfc:`3363` - R. Bush, A. Durand, B. Fink, O. Gudmundsson, and T. Hain. 114*Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name 115System (DNS).* August 2002. [#rfc3363]_ 116 117:rfc:`3403` - M. Mealling. 118*Dynamic Delegation Discovery System (DDDS). Part Three: The Domain Name System 119(DNS) Database.* 120October 2002. 121 122:rfc:`3492` - A. Costello. *Punycode: A Bootstring Encoding of Unicode for 123Internationalized Domain Names in Applications (IDNA).* March 2003. 124 125:rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens. 126*Basic Socket Interface Extensions for IPv6.* March 2003. 127 128:rfc:`3496` - A. G. Malis and T. Hsiao. *Protocol Extension for Support of 129Asynchronous Transfer Mode (ATM) Service Class-aware Multiprotocol Label 130Switching (MPLS) Traffic Engineering.* March 2003. 131 132:rfc:`3596` - S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. *DNS Extensions to 133Support IP Version 6.* October 2003. 134 135:rfc:`3597` - A. Gustafsson. *Handling of Unknown DNS Resource Record (RR) Types.* 136September 2003. 137 138:rfc:`3645` - S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. *Generic 139Security Service Algorithm for Secret Key Transaction Authentication for 140DNS (GSS-TSIG).* October 2003. 141 142:rfc:`4025` - M. Richardson. *A Method for Storing IPsec Keying Material in 143DNS.* March 2005. 144 145:rfc:`4033` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *DNS Security 146Introduction and Requirements.* March 2005. 147 148:rfc:`4034` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *Resource Records for 149the DNS Security Extensions.* March 2005. 150 151:rfc:`4035` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *Protocol 152Modifications for the DNS Security Extensions.* March 2005. 153 154:rfc:`4255` - J. Schlyter and W. Griffin. *Using DNS to Securely Publish Secure 155Shell (SSH) Key Fingerprints.* January 2006. 156 157:rfc:`4343` - D. Eastlake, 3rd. *Domain Name System (DNS) Case Insensitivity 158Clarification.* January 2006. 159 160:rfc:`4398` - S. Josefsson. *Storing Certificates in the Domain Name System (DNS).* March 2006. 161 162:rfc:`4470` - S. Weiler and J. Ihren. *Minimally covering NSEC Records and 163DNSSEC On-line Signing.* April 2006. [#rfc4470]_ 164 165:rfc:`4509` - W. Hardaker. *Use of SHA-256 in DNSSEC Delegation Signer 166(DS) Resource Records (RRs).* May 2006. 167 168:rfc:`4592` - E. Lewis. *The Role of Wildcards in the Domain Name System.* July 2006. 169 170:rfc:`4635` - D. Eastlake, 3rd. *HMAC SHA (Hashed Message Authentication 171Code, Secure Hash Algorithm) TSIG Algorithm Identifiers.* August 2006. 172 173:rfc:`4701` - M. Stapp, T. Lemon, and A. Gustafsson. *A DNS Resource Record 174(RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID 175RR).* October 2006. 176 177:rfc:`4955` - D. Blacka. *DNS Security (DNSSEC) Experiments.* July 2007. [#rfc4955]_ 178 179:rfc:`5001` - R. Austein. *DNS Name Server Identifier (NSID) Option.* August 2007. 180 181:rfc:`5011` - M. StJohns. *Automated Updates of DNS Security (DNSSEC) Trust Anchors.* 182 183:rfc:`5155` - B. Laurie, G. Sisson, R. Arends, and D. Blacka. *DNS Security 184(DNSSEC) Hashed Authenticated Denial of Existence.* March 2008. 185 186:rfc:`5205` - P. Nikander and J. Laganier. *Host Identity Protocol (HIP) 187Domain Name System (DNS) Extension.* April 2008. 188 189:rfc:`5452` - A. Hubert and R. van Mook. *Measures for Making DNS More 190Resilient Against Forged Answers.* January 2009. [#rfc5452]_ 191 192:rfc:`5702` - J. Jansen. *Use of SHA-2 Algorithms with RSA in DNSKEY and 193RRSIG Resource Records for DNSSEC.* October 2009. 194 195:rfc:`5891` - J. Klensin. 196*Internationalized Domain Names in Applications (IDNA): Protocol.* 197August 2010 198 199:rfc:`5936` - E. Lewis and A. Hoenes, Ed. *DNS Zone Transfer Protocol (AXFR).* 200June 2010. 201 202:rfc:`5952` - S. Kawamura and M. Kawashima. *A Recommendation for IPv6 Address 203Text Representation.* August 2010. 204 205:rfc:`6052` - C. Bao, C. Huitema, M. Bagnulo, M. Boucadair, and X. Li. *IPv6 206Addressing of IPv4/IPv6 Translators.* October 2010. 207 208:rfc:`6147` - M. Bagnulo, A. Sullivan, P. Matthews, and I. van Beijnum. 209*DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to 210IPv4 Servers.* April 2011. [#rfc6147]_ 211 212:rfc:`6604` - D. Eastlake, 3rd. *xNAME RCODE and Status Bits Clarification.* 213April 2012. 214 215:rfc:`6605` - P. Hoffman and W. C. A. Wijngaards. *Elliptic Curve Digital 216Signature Algorithm (DSA) for DNSSEC.* April 2012. [#rfc6605]_ 217 218:rfc:`6672` - S. Rose and W. Wijngaards. *DNAME Redirection in the DNS.* 219June 2012. 220 221:rfc:`6698` - P. Hoffman and J. Schlyter. *The DNS-Based Authentication of 222Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA.* 223August 2012. 224 225:rfc:`6725` - S. Rose. *DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry 226Updates.* August 2012. [#rfc6725]_ 227 228:rfc:`6742` - RJ Atkinson, SN Bhatti, U. St. Andrews, and S. Rose. *DNS 229Resource Records for the Identifier-Locator Network Protocol (ILNP).* 230November 2012. 231 232:rfc:`6840` - S. Weiler, Ed., and D. Blacka, Ed. *Clarifications and 233Implementation Notes for DNS Security (DNSSEC).* February 2013. [#rfc6840]_ 234 235:rfc:`6891` - J. Damas, M. Graff, and P. Vixie. *Extension Mechanisms for DNS 236(EDNS(0)).* April 2013. 237 238:rfc:`7043` - J. Abley. *Resource Records for EUI-48 and EUI-64 Addresses 239in the DNS.* October 2013. 240 241:rfc:`7208` - S. Kitterman. 242*Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, 243Version 1.* 244April 2014. 245 246:rfc:`7314` - M. Andrews. *Extension Mechanisms for DNS (EDNS) EXPIRE Option.* 247July 2014. 248 249:rfc:`7344` - W. Kumari, O. Gudmundsson, and G. Barwood. *Automating DNSSEC 250Delegation Trust Maintenance.* September 2014. [#rfc7344]_ 251 252:rfc:`7477` - W. Hardaker. *Child-to-Parent Synchronization in DNS.* March 2532015. 254 255:rfc:`7553` - P. Faltstrom and O. Kolkman. *The Uniform Resource Identifier 256(URI) DNS Resource Record.* June 2015. 257 258:rfc:`7583` - S. Morris, J. Ihren, J. Dickinson, and W. Mekking. *DNSSEC Key 259Rollover Timing Considerations.* October 2015. 260 261:rfc:`7766` - J. Dickinson, S. Dickinson, R. Bellis, A. Mankin, and D. 262Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016. 263 264:rfc:`7828` - P. Wouters, J. Abley, S. Dickinson, and R. Bellis. 265*The edns-tcp-keepalive EDNS0 Option.* April 2016. 266 267:rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [#rfc7830]_ 268 269:rfc:`7929` - P. Wouters. *DNS-Based Authentication of Named Entities (DANE) 270Bindings for OpenPGP.* August 2016. 271 272:rfc:`8078` - O. Gudmundsson and P. Wouters. *Managing DS Records from the 273Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_ 274 275:rfc:`8080` - O. Sury and R. Edmonds. *Edwards-Curve Digital Security Algorithm 276(EdDSA) for DNSSEC.* February 2017. 277 278:rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements 279and Usage Guidance for DNSSEC.* June 2019. 280 281:rfc:`8659` - P. Hallam-Baker, R. Stradling, and J. Hoffman-Andrews. 282*DNS Certification Authority Authorization (CAA) Resource Record.* 283November 2019. 284 285:rfc:`8945` - F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson, 286and B. Wellington. 287*Secret Key Transaction Authentication for DNS (TSIG).* 288November 2020. 289 290Best Current Practice RFCs 291-------------------------- 292 293:rfc:`2219` - M. Hamilton and R. Wright. *Use of DNS Aliases for Network Services.* 294October 1997. 295 296:rfc:`2317` - H. Eidnes, G. de Groot, and P. Vixie. *Classless IN-ADDR.ARPA Delegation.* 297March 1998. 298 299:rfc:`2606` - D. Eastlake, 3rd and A. Panitz. *Reserved Top Level DNS Names.* June 3001999. [#rfc2606]_ 301 302:rfc:`3901` - A. Durand and J. Ihren. *DNS IPv6 Transport Operational Guidelines.* 303September 2004. 304 305:rfc:`5625` - R. Bellis. *DNS Proxy Implementation Guidelines.* August 2009. 306 307:rfc:`6303` - M. Andrews. *Locally Served DNS Zones.* July 2011. 308 309:rfc:`7793` - M. Andrews. *Adding 100.64.0.0/10 Prefixes to the IPv4 310Locally-Served DNS Zones Registry.* May 2016. 311 312:rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS 313Servers: Failure to Communicate.* September 2020. 314 315For Your Information 316-------------------- 317 318:rfc:`1101` - P. Mockapetris. *DNS Encoding of Network Names and Other Types.* 319April 1989. 320 321:rfc:`1123` - R. Braden. *Requirements for Internet Hosts - Application and 322Support.* October 1989. 323 324:rfc:`1535` - E. Gavron. *A Security Problem and Proposed Correction With Widely 325Deployed DNS Software.* October 1993. 326 327:rfc:`1536` - A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. *Common DNS 328Implementation Errors and Suggested Fixes.* October 1993. 329 330:rfc:`1912` - D. Barr. *Common DNS Operational and Configuration Errors.* February 3311996. 332 333:rfc:`2874` - M. Crawford and C. Huitema. *DNS Extensions to Support IPv6 Address 334Aggregation and Renumbering.* July 2000. [#rfc2874]_ 335 336:rfc:`3833` - D. Atkins and R. Austein. *Threat Analysis of the Domain Name System 337(DNS).* August 2004. 338 339:rfc:`4074` - Y. Morishita and T. Jinmei. *Common Misbehavior Against DNS Queries for 340IPv6 Addresses.* June 2005. 341 342:rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation 343(DLV) DNS Resource Record.* February 2006. [#rfc4431]_ 344 345:rfc:`4892` - S. Woolf and D. Conrad. *Requirements for a Mechanism 346Identifying a Name Server Instance.* June 2007. 347 348:rfc:`6781` - O. Kolkman, W. Mekking, and R. Gieben. *DNSSEC Operational 349Practices, Version 2.* December 2012. 350 351:rfc:`7129` - R. Gieben and W. Mekking. *Authenticated Denial of Existence 352in the DNS.* February 2014. 353 354:rfc:`8749` - W. Mekking and D. Mahoney. *Moving DNSSEC Lookaside Validation 355(DLV) to Historic Status.* March 2020. 356 357Notes 358~~~~~ 359 360.. [#rfc1035_1] Queries to zones that have failed to load return SERVFAIL rather 361 than a non-authoritative response. This is considered a feature. 362 363.. [#rfc1035_2] CLASS ANY queries are not supported. This is considered a 364 feature. 365 366.. [#rfc2931] When receiving a query signed with a SIG(0), the server is 367 only able to verify the signature if it has the key in its local 368 authoritative data; it cannot do recursion or validation to 369 retrieve unknown keys. 370 371.. [#rfc2874] Compliance is with loading and serving of A6 records only. 372 A6 records were moved to the experimental category by :rfc:`3363`. 373 374.. [#rfc4431] Compliance is with loading and serving of DLV records only. 375 DLV records were moved to the historic category by :rfc:`8749`. 376 377.. [#rfc4470] Minimally Covering NSEC records are accepted but not generated. 378 379.. [#rfc4955] BIND 9 interoperates with correctly designed experiments. 380 381.. [#rfc5452] ``named`` only uses ports to extend the ID space; addresses are not 382 used. 383 384.. [#rfc6147] Section 5.5 does not match reality. ``named`` uses the presence 385 of DO=1 to detect if validation may be occurring. CD has no bearing 386 on whether validation occurs. 387 388.. [#rfc6605] Compliance is conditional on the OpenSSL library being linked against 389 a supporting ECDSA. 390 391.. [#rfc6725] RSAMD5 support has been removed. See :rfc:`8624`. 392 393.. [#rfc6840] Section 5.9 - Always set CD=1 on queries. This is *not* done, as 394 it prevents DNSSEC from working correctly through another recursive server. 395 396 When talking to a recursive server, the best algorithm is to send 397 CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive 398 server has a bad clock and/or bad trust anchor. Alternatively, one 399 can send CD=1 then CD=0 on validation failure, in case the recursive 400 server is under attack or there is stale/bogus authoritative data. 401 402.. [#rfc7344] Updating of parent zones is not yet implemented. 403 404.. [#rfc7830] ``named`` does not currently encrypt DNS requests, so the PAD option 405 is accepted but not returned in responses. 406 407.. [#rfc3363] Section 4 is ignored. 408 409.. [#rfc2606] This does not apply to DNS server implementations. 410 411.. [#rfc1521] Only the Base 64 encoding specification is supported. 412 413.. [#idna] BIND 9 requires ``--with-libidn2`` to enable entry of IDN labels within 414 dig, host, and nslookup at compile time. ACE labels are supported 415 everywhere with or without ``--with-libidn2``. 416 417.. [#rfc4294] Section 5.1 - DNAME records are fully supported. 418 419.. [#rfc8078] Updating of parent zones is not yet implemented. 420 421.. _internet_drafts: 422 423Internet Drafts 424~~~~~~~~~~~~~~~ 425 426Internet Drafts (IDs) are rough-draft working documents of the Internet 427Engineering Task Force (IETF). They are, in essence, RFCs in the preliminary 428stages of development. Implementors are cautioned not to regard IDs as 429archival, and they should not be quoted or cited in any formal documents 430unless accompanied by the disclaimer that they are "works in progress." 431IDs have a lifespan of six months, after which they are deleted unless 432updated by their authors. 433