update

doc/misc/rfc-compliance

@@ -28,11 +28,7 @@ or Best Current Practice (BCP) documents.  The list is non exhaustive.
   RFC2230
   RFC2308
   RFC2536
-  RFC2538
   RFC2539
-  RFC2671
-  RFC2672
-  RFC2673
   RFC2782
   RFC2915
   RFC2930
@@ -55,11 +51,47 @@ or Best Current Practice (BCP) documents.  The list is non exhaustive.
   RFC4074
   RFC4255
   RFC4294 - Section 5.1 [8]
+  RFC4343
+  RFC4398
+  RFC4408
+  RFC4431
+  RFC4470 [9]
+  RFC4509
+  RFC4635
+  RFC4701
+  RFC4892
+  RFC4955 [10]
+  RFC5001
+  RFC5011
+  RFC5155
+  RFC5205
+  RFC5452 [11]
+  RFC5702
+  RFC5933 [12]
+  RFC5936
+  RFC5952
+  RFC5966
+  RFC6052
+  RFC6147 [13]
+  RFC6303
+  RFC6605 [14]
+  RFC6672
+  RFC6698
+  RFC6742
+  RFC6840 [15]
+  RFC6844
+  RFC6891
+  RFC7314
+  RFC7314
 
 The following DNS related RFC have been obsoleted
 
   RFC2535 (Obsoleted by 4034, 4035) [3] [4]
   RFC2537 (Obsoleted by 3110)
+  RFC2538 (Obsoleted by 4398)
+  RFC2671 (Obsoleted by 6891)
+  RFC2672 (Obsoleted by 6672)
+  RFC2673 (Obsoleted by 6891)
   RFC3008 (Obsoleted by 4034, 4035)
   RFC3152 (Obsoleted by 3596)
   RFC3445 (Obsoleted by 4034, 4035)
@@ -72,17 +104,18 @@ The following DNS related RFC have been obsoleted
 [1] Queries to zones that have failed to load return SERVFAIL rather
 than a non-authoritative response.  This is considered a feature.
 
-[2] CLASS ANY queries are not supported.  This is considered a feature.
+[2] CLASS ANY queries are not supported.  This is considered a
+feature.
 
 [3] Wildcard records are not supported in DNSSEC secure zones.
 
-[4] Servers authoritative for secure zones being resolved by BIND 9
+[4] Servers authoritative for secure zones being resolved by BIND
-must support EDNS0 (RFC2671), and must return all relevant SIGs and
+9 must support EDNS0 (RFC2671), and must return all relevant SIGs
-NXTs in responses rather than relying on the resolving server to
+and NXTs in responses rather than relying on the resolving server
-perform separate queries for missing SIGs and NXTs.
+to perform separate queries for missing SIGs and NXTs.
 
-[5] When receiving a query signed with a SIG(0), the server will only
+[5] When receiving a query signed with a SIG(0), the server will
-be able to verify the signature if it has the key in its local
+only be able to verify the signature if it has the key in its local
 authoritative data; it will not do recursion or validation to
 retrieve unknown keys.
 
@@ -93,3 +126,29 @@ host and nslookup at compile time.  ACE labels are supported
 everywhere with or without --with-idn.
 
 [8] Section 5.1 - DNAME records are fully supported.
+
+[9] Minimally Covering NSEC Record are accepted but not generated.
+
+[10] Will interoperate with correctly designed experiments.
+
+[11] Named only uses ports to extend the id space, address are not
+used.
+
+[12] Conditional on the OpenSSL library being linked against
+supporting GOST.
+
+[13] Section 5.5 does not match reality.  Named uses the presence
+of DO=1 to detect if validation may be occuring.  CD has no bearing
+on whether validation is occuring or not.
+
+[14] Conditional on the OpenSSL library being linked against
+supporting ECDSA.
+
+[15] Section 5.9 - Always set CD=1 on queries.  This is *not* done as
+it prevents DNSSEC working correctly through another recursive server.
+
+When talking to a recurive server the best algorithm to do is send
+CD=0 and then send CD=1 iff SERVFAIL is returned in case the recurive
+server has a bad clock and/or bad trust anchor.  Alternatively one
+can send CD=1 then CD=0 on validation failure in case the recursive
+server is under attack or there is stale / bogus authoritative data.