1 .. Copyright (C) Internet Systems Consortium, Inc. ("ISC") 2 .. 3 .. SPDX-License-Identifier: MPL-2.0 4 .. 5 .. This Source Code Form is subject to the terms of the Mozilla Public 6 .. License, v. 2.0. If a copy of the MPL was not distributed with this 7 .. file, you can obtain one at https://mozilla.org/MPL/2.0/. 8 .. 9 .. See the COPYRIGHT file distributed with this work for additional 10 .. information regarding copyright ownership. 11 12 .. General: 13 14 General DNS Reference Information 15 ================================= 16 17 .. _rfcs: 18 19 Requests for Comment (RFCs) 20 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ 21 22 Specification documents for the Internet protocol suite, including the 23 DNS, are published as part of the `Request for Comments`_ (RFCs) series 24 of technical notes. The standards themselves are defined by the 25 `Internet Engineering Task Force`_ (IETF) and the `Internet Engineering 26 Steering Group`_ (IESG). RFCs can be viewed online at: 27 https://www.rfc-editor.org/. 28 29 While reading RFCs, please keep in mind that :rfc:`not all RFCs are 30 standards <1796>`, and also that the validity of documents does change 31 over time. Every RFC needs to be interpreted in the context of other 32 documents. 33 34 BIND 9 strives for strict compliance with IETF standards. To the best 35 of our knowledge, BIND 9 complies with the following RFCs, with 36 the caveats and exceptions listed in the numbered notes below. Many 37 of these RFCs were written by current or former ISC staff members. 38 The list is non-exhaustive. 39 40 .. _Internet Engineering Steering Group: https://www.ietf.org/about/groups/iesg/ 41 .. _Internet Engineering Task Force: https://www.ietf.org/about/ 42 .. _Request for Comments: https://www.ietf.org/process/rfcs/ 43 44 Some of these RFCs, though DNS-related, are not concerned with implementing 45 software. 46 47 Protocol Specifications 48 ----------------------- 49 50 :rfc:`1034` - P. Mockapetris. *Domain Names Concepts and Facilities.* November 51 1987. 52 53 :rfc:`1035` - P. Mockapetris. *Domain Names Implementation and Specification.* 54 November 1987. [#rfc1035_1]_ [#rfc1035_2]_ 55 56 :rfc:`1183` - C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris. *New DNS RR 57 Definitions.* October 1990. 58 59 :rfc:`1521` - N. Borenstein, N. Freed - *MIME (Multipurpose Internet Mail Extensions) 60 Part One: Mechanisms for Specifying and Describing the Format of Internet Message 61 Bodies.* September 1993. [#rfc1521]_ 62 63 :rfc:`1706` - B. Manning and R. Colella. *DNS NSAP Resource Records.* October 1994. 64 65 :rfc:`1712` - C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. *DNS Encoding of 66 Geographical Location.* November 1994. 67 68 :rfc:`1876` - C. Davis, P. Vixie, T. Goodwin, and I. Dickinson. *A Means for Expressing 69 Location Information in the Domain Name System.* January 1996. 70 71 :rfc:`1982` - R. Elz and R. Bush. *Serial Number Arithmetic.* August 1996. 72 73 :rfc:`1995` - M. Ohta. *Incremental Zone Transfer in DNS.* August 1996. 74 75 :rfc:`1996` - P. Vixie. *A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY).* 76 August 1996. 77 78 :rfc:`2136` - P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. *Dynamic Updates in the 79 Domain Name System (DNS UPDATE).* April 1997. 80 81 :rfc:`2163` - A. Allocchio. *Using the Internet DNS to Distribute MIXER 82 Conformant Global Address Mapping (MCGAM).* January 1998. 83 84 :rfc:`2181` - R. Elz and R. Bush. *Clarifications to the DNS Specification.* July 1997. 85 86 :rfc:`2230` - R. Atkinson. *Key Exchange Delegation Record for the DNS.* November 87 1997. 88 89 :rfc:`2308` - M. Andrews. *Negative Caching of DNS Queries (DNS NCACHE).* March 1998. 90 91 :rfc:`2539` - D. Eastlake, 3rd. *Storage of Diffie-Hellman Keys in the Domain Name 92 System (DNS).* March 1999. 93 94 :rfc:`2782` - A. Gulbrandsen, P. Vixie, and L. Esibov. *A DNS RR for Specifying the 95 Location of Services (DNS SRV).* February 2000. 96 97 :rfc:`2930` - D. Eastlake, 3rd. *Secret Key Establishment for DNS (TKEY RR).* 98 September 2000. 99 100 :rfc:`2931` - D. Eastlake, 3rd. *DNS Request and Transaction Signatures (SIG(0)s).* 101 September 2000. [#rfc2931]_ 102 103 :rfc:`3007` - B. Wellington. *Secure Domain Name System (DNS) Dynamic Update.* 104 November 2000. 105 106 :rfc:`3110` - D. Eastlake, 3rd. *RSA/SHA-1 SIGs and RSA KEYs in the Domain Name 107 System (DNS).* May 2001. 108 109 :rfc:`3123` - P. Koch. *A DNS RR Type for Lists of Address Prefixes (APL RR).* June 110 2001. 111 112 :rfc:`3225` - D. Conrad. *Indicating Resolver Support of DNSSEC.* December 2001. 113 114 :rfc:`3226` - O. Gudmundsson. *DNSSEC and IPv6 A6 Aware Server/Resolver 115 Message Size Requirements.* December 2001. 116 117 :rfc:`3363` - R. Bush, A. Durand, B. Fink, O. Gudmundsson, and T. Hain. 118 *Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name 119 System (DNS).* August 2002. [#rfc3363]_ 120 121 :rfc:`3403` - M. Mealling. 122 *Dynamic Delegation Discovery System (DDDS). Part Three: The Domain Name System 123 (DNS) Database.* 124 October 2002. 125 126 :rfc:`3492` - A. Costello. *Punycode: A Bootstring Encoding of Unicode for 127 Internationalized Domain Names in Applications (IDNA).* March 2003. [#idna]_ 128 129 :rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens. 130 *Basic Socket Interface Extensions for IPv6.* March 2003. 131 132 :rfc:`3496` - A. G. Malis and T. Hsiao. *Protocol Extension for Support of 133 Asynchronous Transfer Mode (ATM) Service Class-aware Multiprotocol Label 134 Switching (MPLS) Traffic Engineering.* March 2003. 135 136 :rfc:`3596` - S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. *DNS Extensions to 137 Support IP Version 6.* October 2003. 138 139 :rfc:`3597` - A. Gustafsson. *Handling of Unknown DNS Resource Record (RR) Types.* 140 September 2003. 141 142 :rfc:`3645` - S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. *Generic 143 Security Service Algorithm for Secret Key Transaction Authentication for 144 DNS (GSS-TSIG).* October 2003. 145 146 :rfc:`4025` - M. Richardson. *A Method for Storing IPsec Keying Material in 147 DNS.* March 2005. 148 149 :rfc:`4033` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *DNS Security 150 Introduction and Requirements.* March 2005. 151 152 :rfc:`4034` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *Resource Records for 153 the DNS Security Extensions.* March 2005. 154 155 :rfc:`4035` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *Protocol 156 Modifications for the DNS Security Extensions.* March 2005. 157 158 :rfc:`4255` - J. Schlyter and W. Griffin. *Using DNS to Securely Publish Secure 159 Shell (SSH) Key Fingerprints.* January 2006. 160 161 :rfc:`4343` - D. Eastlake, 3rd. *Domain Name System (DNS) Case Insensitivity 162 Clarification.* January 2006. 163 164 :rfc:`4398` - S. Josefsson. *Storing Certificates in the Domain Name System (DNS).* March 2006. 165 166 :rfc:`4470` - S. Weiler and J. Ihren. *Minimally covering NSEC Records and 167 DNSSEC On-line Signing.* April 2006. [#rfc4470]_ 168 169 :rfc:`4509` - W. Hardaker. *Use of SHA-256 in DNSSEC Delegation Signer 170 (DS) Resource Records (RRs).* May 2006. 171 172 :rfc:`4592` - E. Lewis. *The Role of Wildcards in the Domain Name System.* July 2006. 173 174 :rfc:`4635` - D. Eastlake, 3rd. *HMAC SHA (Hashed Message Authentication 175 Code, Secure Hash Algorithm) TSIG Algorithm Identifiers.* August 2006. 176 177 :rfc:`4701` - M. Stapp, T. Lemon, and A. Gustafsson. *A DNS Resource Record 178 (RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID 179 RR).* October 2006. 180 181 :rfc:`4955` - D. Blacka. *DNS Security (DNSSEC) Experiments.* July 2007. [#rfc4955]_ 182 183 :rfc:`5001` - R. Austein. *DNS Name Server Identifier (NSID) Option.* August 2007. 184 185 :rfc:`5011` - M. StJohns. *Automated Updates of DNS Security (DNSSEC) Trust Anchors.* 186 187 :rfc:`5155` - B. Laurie, G. Sisson, R. Arends, and D. Blacka. *DNS Security 188 (DNSSEC) Hashed Authenticated Denial of Existence.* March 2008. 189 190 :rfc:`5205` - P. Nikander and J. Laganier. *Host Identity Protocol (HIP) 191 Domain Name System (DNS) Extension.* April 2008. 192 193 :rfc:`5452` - A. Hubert and R. van Mook. *Measures for Making DNS More 194 Resilient Against Forged Answers.* January 2009. [#rfc5452]_ 195 196 :rfc:`5702` - J. Jansen. *Use of SHA-2 Algorithms with RSA in DNSKEY and 197 RRSIG Resource Records for DNSSEC.* October 2009. 198 199 :rfc:`5891` - J. Klensin. 200 *Internationalized Domain Names in Applications (IDNA): Protocol.* 201 August 2010 [#idna]_ 202 203 :rfc:`5936` - E. Lewis and A. Hoenes, Ed. *DNS Zone Transfer Protocol (AXFR).* 204 June 2010. 205 206 :rfc:`5952` - S. Kawamura and M. Kawashima. *A Recommendation for IPv6 Address 207 Text Representation.* August 2010. 208 209 :rfc:`6052` - C. Bao, C. Huitema, M. Bagnulo, M. Boucadair, and X. Li. *IPv6 210 Addressing of IPv4/IPv6 Translators.* October 2010. 211 212 :rfc:`6147` - M. Bagnulo, A. Sullivan, P. Matthews, and I. van Beijnum. 213 *DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to 214 IPv4 Servers.* April 2011. [#rfc6147]_ 215 216 :rfc:`6604` - D. Eastlake, 3rd. *xNAME RCODE and Status Bits Clarification.* 217 April 2012. 218 219 :rfc:`6605` - P. Hoffman and W. C. A. Wijngaards. *Elliptic Curve Digital 220 Signature Algorithm (DSA) for DNSSEC.* April 2012. [#rfc6605]_ 221 222 :rfc:`6672` - S. Rose and W. Wijngaards. *DNAME Redirection in the DNS.* 223 June 2012. 224 225 :rfc:`6698` - P. Hoffman and J. Schlyter. *The DNS-Based Authentication of 226 Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA.* 227 August 2012. 228 229 :rfc:`6725` - S. Rose. *DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry 230 Updates.* August 2012. [#rfc6725]_ 231 232 :rfc:`6742` - RJ Atkinson, SN Bhatti, U. St. Andrews, and S. Rose. *DNS 233 Resource Records for the Identifier-Locator Network Protocol (ILNP).* 234 November 2012. 235 236 :rfc:`6840` - S. Weiler, Ed., and D. Blacka, Ed. *Clarifications and 237 Implementation Notes for DNS Security (DNSSEC).* February 2013. [#rfc6840]_ 238 239 :rfc:`6891` - J. Damas, M. Graff, and P. Vixie. *Extension Mechanisms for DNS 240 (EDNS(0)).* April 2013. 241 242 :rfc:`7043` - J. Abley. *Resource Records for EUI-48 and EUI-64 Addresses 243 in the DNS.* October 2013. 244 245 :rfc:`7050` - T. Savolainen, J. Korhonen, and D. Wing. *Discovery of the IPv6 246 Prefix Used for IPv6 Address Synthesis.* November 2013. [#rfc7050]_ 247 248 :rfc:`7208` - S. Kitterman. 249 *Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, 250 Version 1.* 251 April 2014. 252 253 :rfc:`7314` - M. Andrews. *Extension Mechanisms for DNS (EDNS) EXPIRE Option.* 254 July 2014. 255 256 :rfc:`7344` - W. Kumari, O. Gudmundsson, and G. Barwood. *Automating DNSSEC 257 Delegation Trust Maintenance.* September 2014. [#rfc7344]_ 258 259 :rfc:`7477` - W. Hardaker. *Child-to-Parent Synchronization in DNS.* March 260 2015. 261 262 :rfc:`7553` - P. Faltstrom and O. Kolkman. *The Uniform Resource Identifier 263 (URI) DNS Resource Record.* June 2015. 264 265 :rfc:`7583` - S. Morris, J. Ihren, J. Dickinson, and W. Mekking. *DNSSEC Key 266 Rollover Timing Considerations.* October 2015. 267 268 :rfc:`7766` - J. Dickinson, S. Dickinson, R. Bellis, A. Mankin, and D. 269 Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016. 270 271 :rfc:`7828` - P. Wouters, J. Abley, S. Dickinson, and R. Bellis. 272 *The edns-tcp-keepalive EDNS0 Option.* April 2016. 273 274 :rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [#rfc7830]_ 275 276 :rfc:`7858` - Z. Hu, L. Zhu, J. Heidemann, A. Mankin, D. Wessels, 277 and P. Hoffman. *Specification for DNS over Transport Layer Security (TLS).* 278 May 2016. [#noencryptedfwd]_ 279 280 :rfc:`7929` - P. Wouters. *DNS-Based Authentication of Named Entities (DANE) 281 Bindings for OpenPGP.* August 2016. 282 283 :rfc:`8078` - O. Gudmundsson and P. Wouters. *Managing DS Records from the 284 Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_ 285 286 :rfc:`8080` - O. Sury and R. Edmonds. *Edwards-Curve Digital Security Algorithm 287 (EdDSA) for DNSSEC.* February 2017. 288 289 :rfc:`8484` - P. Hoffman and P. McManus. *DNS Queries over HTTPS (DoH).* 290 October 2018. [#noencryptedfwd]_ 291 292 :rfc:`8509` - G. Huston, J. Damas, W. Kumari. *A Root Key Trust Anchor Sentinel 293 for DNSSEC.* December 2018. 294 295 :rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements 296 and Usage Guidance for DNSSEC.* June 2019. 297 298 :rfc:`8659` - P. Hallam-Baker, R. Stradling, and J. Hoffman-Andrews. 299 *DNS Certification Authority Authorization (CAA) Resource Record.* 300 November 2019. 301 302 :rfc:`8880` - S. Cheshire and D. Schinazi. *Special Use Domain Name 303 'ipv4only.arpa'.* August 2020. 304 305 :rfc:`8945` - F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson, 306 and B. Wellington. 307 *Secret Key Transaction Authentication for DNS (TSIG).* 308 November 2020. 309 310 :rfc:`9103` - W. Toorop, S. Dickinson, S. Sahib, P. Aras, and A. Mankin. 311 *DNS Zone Transfer over TLS.* August 2021. [#rfc9103]_ 312 313 :rfc:`9432` - P. van Dijk, L. Peltan, O. Sury, W. Toorop, C.R. Monshouwer, 314 P. Thomassen, A. Sargsyan. *DNS Catalog Zones.* July 2023. 315 316 :rfc:`9460` - B. Schwartz, M. Bishop and E. Nygren, *Service Binding and 317 Parameter Specification via the DNS (SVCB and HTTPS Resource Records).* 318 November 2023. [#rfc9460]_ 319 320 Best Current Practice RFCs 321 -------------------------- 322 323 :rfc:`2219` - M. Hamilton and R. Wright. *Use of DNS Aliases for Network Services.* 324 October 1997. 325 326 :rfc:`2317` - H. Eidnes, G. de Groot, and P. Vixie. *Classless IN-ADDR.ARPA Delegation.* 327 March 1998. 328 329 :rfc:`2606` - D. Eastlake, 3rd and A. Panitz. *Reserved Top Level DNS Names.* June 330 1999. [#rfc2606]_ 331 332 :rfc:`3901` - A. Durand and J. Ihren. *DNS IPv6 Transport Operational Guidelines.* 333 September 2004. 334 335 :rfc:`5625` - R. Bellis. *DNS Proxy Implementation Guidelines.* August 2009. 336 337 :rfc:`6303` - M. Andrews. *Locally Served DNS Zones.* July 2011. 338 339 :rfc:`7793` - M. Andrews. *Adding 100.64.0.0/10 Prefixes to the IPv4 340 Locally-Served DNS Zones Registry.* May 2016. 341 342 :rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS 343 Servers: Failure to Communicate.* September 2020. 344 345 :rfc:`9276` - W. Hardaker and V. Dukhovni. *Guidance for NSEC3 Parameter Settings.* August 2022. 346 347 For Your Information 348 -------------------- 349 350 :rfc:`1101` - P. Mockapetris. *DNS Encoding of Network Names and Other Types.* 351 April 1989. 352 353 :rfc:`1123` - R. Braden. *Requirements for Internet Hosts - Application and 354 Support.* October 1989. 355 356 :rfc:`1535` - E. Gavron. *A Security Problem and Proposed Correction With Widely 357 Deployed DNS Software.* October 1993. 358 359 :rfc:`1536` - A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. *Common DNS 360 Implementation Errors and Suggested Fixes.* October 1993. 361 362 :rfc:`1912` - D. Barr. *Common DNS Operational and Configuration Errors.* February 363 1996. 364 365 :rfc:`2874` - M. Crawford and C. Huitema. *DNS Extensions to Support IPv6 Address 366 Aggregation and Renumbering.* July 2000. [#rfc2874]_ 367 368 :rfc:`3833` - D. Atkins and R. Austein. *Threat Analysis of the Domain Name System 369 (DNS).* August 2004. 370 371 :rfc:`4074` - Y. Morishita and T. Jinmei. *Common Misbehavior Against DNS Queries for 372 IPv6 Addresses.* June 2005. 373 374 :rfc:`4294` - J. Loughney, Ed. - *IPv6 Node Requirements.* April 2006. [#rfc4294]_ 375 376 :rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation 377 (DLV) DNS Resource Record.* February 2006. [#rfc4431]_ 378 379 :rfc:`4892` - S. Woolf and D. Conrad. *Requirements for a Mechanism 380 Identifying a Name Server Instance.* June 2007. 381 382 :rfc:`6781` - O. Kolkman, W. Mekking, and R. Gieben. *DNSSEC Operational 383 Practices, Version 2.* December 2012. 384 385 :rfc:`7129` - R. Gieben and W. Mekking. *Authenticated Denial of Existence 386 in the DNS.* February 2014. 387 388 :rfc:`8749` - W. Mekking and D. Mahoney. *Moving DNSSEC Lookaside Validation 389 (DLV) to Historic Status.* March 2020. 390 391 Notes 392 ~~~~~ 393 394 .. [#rfc1035_1] Queries to zones that have failed to load return SERVFAIL rather 395 than a non-authoritative response. This is considered a feature. 396 397 .. [#rfc1035_2] CLASS ANY queries are not supported. This is considered a 398 feature. 399 400 .. [#rfc2931] When receiving a query signed with a SIG(0), the server is 401 only able to verify the signature if it has the key in its local 402 authoritative data; it cannot do recursion or validation to 403 retrieve unknown keys. 404 405 .. [#rfc2874] Compliance is with loading and serving of A6 records only. 406 A6 records were moved to the experimental category by :rfc:`3363`. 407 408 .. [#rfc4431] Compliance is with loading and serving of DLV records only. 409 DLV records were moved to the historic category by :rfc:`8749`. 410 411 .. [#rfc4470] Minimally Covering NSEC records are accepted but not generated. 412 413 .. [#rfc4955] BIND 9 interoperates with correctly designed experiments. 414 415 .. [#rfc5452] :iscman:`named` only uses ports to extend the ID space; addresses are not 416 used. 417 418 .. [#rfc6147] Section 5.5 does not match reality. :iscman:`named` uses the presence 419 of DO=1 to detect if validation may be occurring. CD has no bearing 420 on whether validation occurs. 421 422 .. [#rfc6605] Compliance is conditional on the OpenSSL library being linked against 423 a supporting ECDSA. 424 425 .. [#rfc6725] RSAMD5 support has been removed. See :rfc:`8624`. 426 427 .. [#rfc6840] Section 5.9 - Always set CD=1 on queries. This is *not* done, as 428 it prevents DNSSEC from working correctly through another recursive server. 429 430 When talking to a recursive server, the best algorithm is to send 431 CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive 432 server has a bad clock and/or bad trust anchor. Alternatively, one 433 can send CD=1 then CD=0 on validation failure, in case the recursive 434 server is under attack or there is stale/bogus authoritative data. 435 436 .. [#rfc7344] Updating of parent zones is not yet implemented. 437 438 .. [#rfc7830] :iscman:`named` does not currently encrypt DNS requests, so the PAD option 439 is accepted but not returned in responses. 440 441 .. [#rfc3363] Section 4 is ignored. 442 443 .. [#rfc2606] This does not apply to DNS server implementations. 444 445 .. [#rfc1521] Only the Base 64 encoding specification is supported. 446 447 .. [#idna] BIND 9 requires ``--with-libidn2`` to enable entry of IDN labels within 448 dig, host, and nslookup at compile time. ACE labels are supported 449 everywhere with or without ``--with-libidn2``. 450 451 .. [#rfc4294] Section 5.1 - DNAME records are fully supported. 452 453 .. [#rfc7050] :rfc:`7050` is updated by :rfc:`8880`. 454 455 .. [#noencryptedfwd] Forwarding DNS queries over encrypted transports is not 456 supported yet. 457 458 .. [#rfc8078] Updating of parent zones is not yet implemented. 459 460 .. [#rfc9103] Strict TLS and Mutual TLS authentication mechanisms are 461 not supported yet. 462 463 .. [#rfc9460] Additional section processing is not supported for HTTPS and 464 SVCB records. 465 466 .. _internet_drafts: 467 468 Internet Drafts 469 ~~~~~~~~~~~~~~~ 470 471 Internet Drafts (IDs) are rough-draft working documents of the Internet 472 Engineering Task Force (IETF). They are, in essence, RFCs in the preliminary 473 stages of development. Implementors are cautioned not to regard IDs as 474 archival, and they should not be quoted or cited in any formal documents 475 unless accompanied by the disclaimer that they are "works in progress." 476 IDs have a lifespan of six months, after which they are deleted unless 477 updated by their authors. 478
Indexes created Tue Mar 03 05:31:39 UTC 2026