.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

.. General:

General DNS Reference Information
=================================

.. _rfcs:

Requests for Comment (RFCs)
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Specification documents for the Internet protocol suite, including the
DNS, are published as part of the `Request for Comments`_ (RFCs) series
of technical notes. The standards themselves are defined by the
`Internet Engineering Task Force`_ (IETF) and the `Internet Engineering
Steering Group`_ (IESG). RFCs can be viewed online at:
https://www.rfc-editor.org/.

While reading RFCs, please keep in mind that :rfc:`not all RFCs are
standards <1796>`, and also that the validity of documents does change
over time. Every RFC needs to be interpreted in the context of other
documents.

BIND 9 strives for strict compliance with IETF standards. To the best
of our knowledge, BIND 9 complies with the following RFCs, with
the caveats and exceptions listed in the numbered notes below. Many
of these RFCs were written by current or former ISC staff members.
The list is non-exhaustive.

.. _Internet Engineering Steering Group: https://www.ietf.org/about/groups/iesg/
.. _Internet Engineering Task Force: https://www.ietf.org/about/
.. _Request for Comments: https://www.ietf.org/standards/rfcs/

Some of these RFCs, though DNS-related, are not concerned with implementing
software.

Protocol Specifications
-----------------------

:rfc:`1034` - P. Mockapetris. *Domain Names — Concepts and Facilities.* November
1987.

:rfc:`1035` - P. Mockapetris. *Domain Names — Implementation and Specification.*
November 1987. [#rfc1035_1]_ [#rfc1035_2]_

:rfc:`1183` - C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris. *New DNS RR
Definitions.* October 1990.

:rfc:`1521` - N. Borenstein, N. Freed - *MIME (Multipurpose Internet Mail Extensions)
Part One: Mechanisms for Specifying and Describing the Format of Internet Message
Bodies.* September 1993. [#rfc1521]_

:rfc:`1706` - B. Manning and R. Colella. *DNS NSAP Resource Records.* October 1994.

:rfc:`1712` - C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. *DNS Encoding of
Geographical Location.* November 1994.

:rfc:`1876` - C. Davis, P. Vixie, T. Goodwin, and I. Dickinson. *A Means for Expressing
Location Information in the Domain Name System.* January 1996.

:rfc:`1982` - R. Elz and R. Bush. *Serial Number Arithmetic.* August 1996.

:rfc:`1995` - M. Ohta. *Incremental Zone Transfer in DNS.* August 1996.

:rfc:`1996` - P. Vixie. *A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY).*
August 1996.

:rfc:`2136` - P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. *Dynamic Updates in the
Domain Name System (DNS UPDATE).* April 1997.

:rfc:`2163` - A. Allocchio. *Using the Internet DNS to Distribute MIXER
Conformant Global Address Mapping (MCGAM).* January 1998.

:rfc:`2181` - R. Elz and R. Bush. *Clarifications to the DNS Specification.* July 1997.

:rfc:`2230` - R. Atkinson. *Key Exchange Delegation Record for the DNS.* November
1997.

:rfc:`2308` - M. Andrews. *Negative Caching of DNS Queries (DNS NCACHE).* March 1998.

:rfc:`2539` - D. Eastlake, 3rd. *Storage of Diffie-Hellman Keys in the Domain Name
System (DNS).* March 1999.

:rfc:`2782` - A. Gulbrandsen, P. Vixie, and L. Esibov. *A DNS RR for Specifying the
Location of Services (DNS SRV).* February 2000.

:rfc:`2930` - D. Eastlake, 3rd. *Secret Key Establishment for DNS (TKEY RR).*
September 2000.

:rfc:`2931` - D. Eastlake, 3rd. *DNS Request and Transaction Signatures (SIG(0)s).*
September 2000. [#rfc2931]_

:rfc:`3007` - B. Wellington. *Secure Domain Name System (DNS) Dynamic Update.*
November 2000.

:rfc:`3110` - D. Eastlake, 3rd. *RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
System (DNS).* May 2001.

:rfc:`3123` - P. Koch. *A DNS RR Type for Lists of Address Prefixes (APL RR).* June
2001.

:rfc:`3225` - D. Conrad. *Indicating Resolver Support of DNSSEC.* December 2001.

:rfc:`3226` - O. Gudmundsson. *DNSSEC and IPv6 A6 Aware Server/Resolver
Message Size Requirements.* December 2001.

:rfc:`3363` - R. Bush, A. Durand, B. Fink, O. Gudmundsson, and T. Hain.
*Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name
System (DNS).* August 2002. [#rfc3363]_

:rfc:`3403` - M. Mealling.
*Dynamic Delegation Discovery System (DDDS). Part Three: The Domain Name System
(DNS) Database.*
October 2002.

:rfc:`3492` - A. Costello. *Punycode: A Bootstring Encoding of Unicode for
Internationalized Domain Names in Applications (IDNA).* March 2003. [#idna]_

:rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens.
*Basic Socket Interface Extensions for IPv6.* March 2003.

:rfc:`3496` - A. G. Malis and T. Hsiao. *Protocol Extension for Support of
Asynchronous Transfer Mode (ATM) Service Class-aware Multiprotocol Label
Switching (MPLS) Traffic Engineering.* March 2003.

:rfc:`3596` - S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. *DNS Extensions to
Support IP Version 6.* October 2003.

:rfc:`3597` - A. Gustafsson. *Handling of Unknown DNS Resource Record (RR) Types.*
September 2003.

:rfc:`3645` - S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. *Generic
Security Service Algorithm for Secret Key Transaction Authentication for
DNS (GSS-TSIG).* October 2003.

:rfc:`4025` - M. Richardson. *A Method for Storing IPsec Keying Material in
DNS.* March 2005.

:rfc:`4033` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *DNS Security
Introduction and Requirements.* March 2005.

:rfc:`4034` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *Resource Records for
the DNS Security Extensions.* March 2005.

:rfc:`4035` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *Protocol
Modifications for the DNS Security Extensions.* March 2005.

:rfc:`4255` - J. Schlyter and W. Griffin. *Using DNS to Securely Publish Secure
Shell (SSH) Key Fingerprints.* January 2006.

:rfc:`4343` - D. Eastlake, 3rd. *Domain Name System (DNS) Case Insensitivity
Clarification.* January 2006.

:rfc:`4398` - S. Josefsson. *Storing Certificates in the Domain Name System (DNS).* March 2006.

:rfc:`4470` - S. Weiler and J. Ihren. *Minimally covering NSEC Records and
DNSSEC On-line Signing.* April 2006. [#rfc4470]_

:rfc:`4509` - W. Hardaker. *Use of SHA-256 in DNSSEC Delegation Signer
(DS) Resource Records (RRs).* May 2006.

:rfc:`4592` - E. Lewis. *The Role of Wildcards in the Domain Name System.* July 2006.

:rfc:`4635` - D. Eastlake, 3rd. *HMAC SHA (Hashed Message Authentication
Code, Secure Hash Algorithm) TSIG Algorithm Identifiers.* August 2006.

:rfc:`4701` - M. Stapp, T. Lemon, and A. Gustafsson. *A DNS Resource Record
(RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID
RR).* October 2006.

:rfc:`4955` - D. Blacka. *DNS Security (DNSSEC) Experiments.* July 2007. [#rfc4955]_

:rfc:`5001` - R. Austein. *DNS Name Server Identifier (NSID) Option.* August 2007.

:rfc:`5011` - M. StJohns. *Automated Updates of DNS Security (DNSSEC) Trust Anchors.*

:rfc:`5155` - B. Laurie, G. Sisson, R. Arends, and D. Blacka. *DNS Security
(DNSSEC) Hashed Authenticated Denial of Existence.* March 2008.

:rfc:`5205` - P. Nikander and J. Laganier. *Host Identity Protocol (HIP)
Domain Name System (DNS) Extension.* April 2008.

:rfc:`5452` - A. Hubert and R. van Mook. *Measures for Making DNS More
Resilient Against Forged Answers.* January 2009. [#rfc5452]_

:rfc:`5702` - J. Jansen. *Use of SHA-2 Algorithms with RSA in DNSKEY and
RRSIG Resource Records for DNSSEC.* October 2009.

:rfc:`5891` - J. Klensin.
*Internationalized Domain Names in Applications (IDNA): Protocol.*
August 2010. [#idna]_

:rfc:`5936` - E. Lewis and A. Hoenes, Ed. *DNS Zone Transfer Protocol (AXFR).*
June 2010.

:rfc:`5952` - S. Kawamura and M. Kawashima. *A Recommendation for IPv6 Address
Text Representation.* August 2010.

:rfc:`6052` - C. Bao, C. Huitema, M. Bagnulo, M. Boucadair, and X. Li. *IPv6
Addressing of IPv4/IPv6 Translators.* October 2010.

:rfc:`6147` - M. Bagnulo, A. Sullivan, P. Matthews, and I. van Beijnum.
*DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to
IPv4 Servers.* April 2011. [#rfc6147]_

:rfc:`6604` - D. Eastlake, 3rd. *xNAME RCODE and Status Bits Clarification.*
April 2012.

:rfc:`6605` - P. Hoffman and W. C. A. Wijngaards. *Elliptic Curve Digital
Signature Algorithm (DSA) for DNSSEC.* April 2012. [#rfc6605]_

:rfc:`6672` - S. Rose and W. Wijngaards. *DNAME Redirection in the DNS.*
June 2012.

:rfc:`6698` - P. Hoffman and J. Schlyter. *The DNS-Based Authentication of
Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA.*
August 2012.

:rfc:`6725` - S. Rose. *DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry
Updates.* August 2012. [#rfc6725]_

:rfc:`6742` - RJ Atkinson, SN Bhatti, U. St. Andrews, and S. Rose. *DNS
Resource Records for the Identifier-Locator Network Protocol (ILNP).*
November 2012.

:rfc:`6840` - S. Weiler, Ed., and D. Blacka, Ed. *Clarifications and
Implementation Notes for DNS Security (DNSSEC).* February 2013. [#rfc6840]_

:rfc:`6891` - J. Damas, M. Graff, and P. Vixie. *Extension Mechanisms for DNS
(EDNS(0)).* April 2013.

:rfc:`7043` - J. Abley. *Resource Records for EUI-48 and EUI-64 Addresses
in the DNS.* October 2013.

:rfc:`7050` - T. Savolainen, J. Korhonen, and D. Wing. *Discovery of the IPv6
Prefix Used for IPv6 Address Synthesis.* November 2013. [#rfc7050]_

:rfc:`7208` - S. Kitterman.
*Sender Policy Framework (SPF) for Authorizing Use of Domains in Email,
Version 1.*
April 2014.

:rfc:`7314` - M. Andrews. *Extension Mechanisms for DNS (EDNS) EXPIRE Option.*
July 2014.

:rfc:`7344` - W. Kumari, O. Gudmundsson, and G. Barwood. *Automating DNSSEC
Delegation Trust Maintenance.* September 2014. [#rfc7344]_

:rfc:`7477` - W. Hardaker. *Child-to-Parent Synchronization in DNS.* March
2015.

:rfc:`7553` - P. Faltstrom and O. Kolkman. *The Uniform Resource Identifier
(URI) DNS Resource Record.* June 2015.

:rfc:`7583` - S. Morris, J. Ihren, J. Dickinson, and W. Mekking. *DNSSEC Key
Rollover Timing Considerations.* October 2015.

:rfc:`7766` - J. Dickinson, S. Dickinson, R. Bellis, A. Mankin, and D.
Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016.

:rfc:`7828` - P. Wouters, J. Abley, S. Dickinson, and R. Bellis.
*The edns-tcp-keepalive EDNS0 Option.* April 2016.

:rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [#rfc7830]_

:rfc:`7858` - Z. Hu, L. Zhu, J. Heidemann, A. Mankin, D. Wessels,
and P. Hoffman. *Specification for DNS over Transport Layer Security (TLS).*
May 2016. [#noencryptedfwd]_

:rfc:`7929` - P. Wouters. *DNS-Based Authentication of Named Entities (DANE)
Bindings for OpenPGP.* August 2016.

:rfc:`8078` - O. Gudmundsson and P. Wouters. *Managing DS Records from the
Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_

:rfc:`8080` - O. Sury and R. Edmonds. *Edwards-Curve Digital Security Algorithm
(EdDSA) for DNSSEC.* February 2017.

:rfc:`8484` - P. Hoffman and P. McManus. *DNS Queries over HTTPS (DoH).*
October 2018. [#noencryptedfwd]_

:rfc:`8509` - G. Huston, J. Damas, W. Kumari. *A Root Key Trust Anchor Sentinel
for DNSSEC.* December 2018.

:rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements
and Usage Guidance for DNSSEC.* June 2019.

:rfc:`8659` - P. Hallam-Baker, R. Stradling, and J. Hoffman-Andrews.
*DNS Certification Authority Authorization (CAA) Resource Record.*
November 2019.

:rfc:`8880` - S. Cheshire and D. Schinazi. *Special Use Domain Name
'ipv4only.arpa'.* August 2020.

:rfc:`8945` - F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson,
and B. Wellington.
*Secret Key Transaction Authentication for DNS (TSIG).*
November 2020.

:rfc:`9103` - W. Toorop, S. Dickinson, S. Sahib, P. Aras, and A. Mankin.
*DNS Zone Transfer over TLS.* August 2021. [#rfc9103]_

:rfc:`9432` - P. van Dijk, L. Peltan, O. Sury, W. Toorop, C.R. Monshouwer,
P. Thomassen, A. Sargsyan. *DNS Catalog Zones.* July 2023.

:rfc:`9460` - B. Schwartz, M. Bishop and E. Nygren. *Service Binding and
Parameter Specification via the DNS (SVCB and HTTPS Resource Records).*
November 2023. [#rfc9460]_

Best Current Practice RFCs
--------------------------

:rfc:`2219` - M. Hamilton and R. Wright. *Use of DNS Aliases for Network Services.*
October 1997.

:rfc:`2317` - H. Eidnes, G. de Groot, and P. Vixie. *Classless IN-ADDR.ARPA Delegation.*
March 1998.

:rfc:`2606` - D. Eastlake, 3rd and A. Panitz. *Reserved Top Level DNS Names.* June
1999. [#rfc2606]_

:rfc:`3901` - A. Durand and J. Ihren. *DNS IPv6 Transport Operational Guidelines.*
September 2004.

:rfc:`5625` - R. Bellis. *DNS Proxy Implementation Guidelines.* August 2009.

:rfc:`6303` - M. Andrews. *Locally Served DNS Zones.* July 2011.

:rfc:`7793` - M. Andrews. *Adding 100.64.0.0/10 Prefixes to the IPv4
Locally-Served DNS Zones Registry.* May 2016.

:rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS
Servers: Failure to Communicate.* September 2020.

:rfc:`9276` - W. Hardaker and V. Dukhovni. *Guidance for NSEC3 Parameter Settings.* August 2022.

For Your Information
--------------------

:rfc:`1101` - P. Mockapetris. *DNS Encoding of Network Names and Other Types.*
April 1989.

:rfc:`1123` - R. Braden. *Requirements for Internet Hosts - Application and
Support.* October 1989.

:rfc:`1535` - E. Gavron. *A Security Problem and Proposed Correction With Widely
Deployed DNS Software.* October 1993.

:rfc:`1536` - A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. *Common DNS
Implementation Errors and Suggested Fixes.* October 1993.

:rfc:`1912` - D. Barr. *Common DNS Operational and Configuration Errors.* February
1996.

:rfc:`2874` - M. Crawford and C. Huitema. *DNS Extensions to Support IPv6 Address
Aggregation and Renumbering.* July 2000. [#rfc2874]_

:rfc:`3833` - D. Atkins and R. Austein. *Threat Analysis of the Domain Name System
(DNS).* August 2004.

:rfc:`4074` - Y. Morishita and T. Jinmei. *Common Misbehavior Against DNS Queries for
IPv6 Addresses.* June 2005.

:rfc:`4294` - J. Loughney, Ed. - *IPv6 Node Requirements.* April 2006. [#rfc4294]_

:rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation
(DLV) DNS Resource Record.* February 2006. [#rfc4431]_

:rfc:`4892` - S. Woolf and D. Conrad. *Requirements for a Mechanism
Identifying a Name Server Instance.* June 2007.

:rfc:`6781` - O. Kolkman, W. Mekking, and R. Gieben. *DNSSEC Operational
Practices, Version 2.* December 2012.

:rfc:`7129` - R. Gieben and W. Mekking. *Authenticated Denial of Existence
in the DNS.* February 2014.

:rfc:`8749` - W. Mekking and D. Mahoney. *Moving DNSSEC Lookaside Validation
(DLV) to Historic Status.* March 2020.

Notes
~~~~~

.. [#rfc1035_1] Queries to zones that have failed to load return SERVFAIL rather
   than a non-authoritative response. This is considered a feature.

.. [#rfc1035_2] CLASS ANY queries are not supported. This is considered a
   feature.

.. [#rfc2931] When receiving a query signed with a SIG(0), the server is
   only able to verify the signature if it has the key in its local
   authoritative data; it cannot do recursion or validation to
   retrieve unknown keys.

.. [#rfc2874] Compliance is with loading and serving of A6 records only.
   A6 records were moved to the experimental category by :rfc:`3363`.

.. [#rfc4431] Compliance is with loading and serving of DLV records only.
   DLV records were moved to the historic category by :rfc:`8749`.

.. [#rfc4470] Minimally Covering NSEC records are accepted but not generated.

.. [#rfc4955] BIND 9 interoperates with correctly designed experiments.

.. [#rfc5452] :iscman:`named` only uses ports to extend the ID space; addresses are not
   used.

.. [#rfc6147] Section 5.5 does not match reality. :iscman:`named` uses the presence
   of DO=1 to detect if validation may be occurring. CD has no bearing
   on whether validation occurs.

.. [#rfc6605] Compliance is conditional on BIND 9 being linked against an
   OpenSSL library that supports ECDSA.

.. [#rfc6725] RSAMD5 support has been removed. See :rfc:`8624`.

.. [#rfc6840] Section 5.9 - Always set CD=1 on queries. This is *not* done, as
   it prevents DNSSEC from working correctly through another recursive server.

   When talking to a recursive server, the best algorithm is to send
   CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive
   server has a bad clock and/or bad trust anchor. Alternatively, one
   can send CD=1 then CD=0 on validation failure, in case the recursive
   server is under attack or there is stale/bogus authoritative data.

.. [#rfc7344] Updating of parent zones is not yet implemented.

.. [#rfc7830] :iscman:`named` does not currently encrypt DNS requests, so the PAD option
   is accepted but not returned in responses.

.. [#rfc3363] Section 4 is ignored.

.. [#rfc2606] This does not apply to DNS server implementations.

.. [#rfc1521] Only the Base 64 encoding specification is supported.

.. [#idna] BIND 9 requires ``--with-libidn2`` to enable entry of IDN labels within
   dig, host, and nslookup at compile time.  ACE labels are supported
   everywhere with or without ``--with-libidn2``.

.. [#rfc4294] Section 5.1 - DNAME records are fully supported.

.. [#rfc7050] :rfc:`7050` is updated by :rfc:`8880`.

.. [#noencryptedfwd] Forwarding DNS queries over encrypted transports is not
   supported yet.

.. [#rfc8078] Updating of parent zones is not yet implemented.

.. [#rfc9103] Strict TLS and Mutual TLS authentication mechanisms are
   not supported yet.

.. [#rfc9460] Additional section processing is not supported for HTTPS and
   SVCB records.

.. _internet_drafts:

Internet Drafts
~~~~~~~~~~~~~~~

Internet Drafts (IDs) are rough-draft working documents of the Internet
Engineering Task Force (IETF). They are, in essence, RFCs in the preliminary
stages of development. Implementors are cautioned not to regard IDs as
archival, and they should not be quoted or cited in any formal documents
unless accompanied by the disclaimer that they are "works in progress."
IDs have a lifespan of six months, after which they are deleted unless
updated by their authors.
478