diff --git a/doc/arm/advanced.rst b/doc/arm/advanced.rst index bd913dd300..70799e0f54 100644 --- a/doc/arm/advanced.rst +++ b/doc/arm/advanced.rst @@ -117,7 +117,7 @@ Incremental Zone Transfers (IXFR) The incremental zone transfer (IXFR) protocol is a way for secondary servers to transfer only changed data, instead of having to transfer an entire -zone. The IXFR protocol is specified in :rfc:`1995`. See :ref:`proposed_standards`. +zone. The IXFR protocol is specified in :rfc:`1995`. When acting as a primary server, BIND 9 supports IXFR for those zones where the necessary change history information is available. These include primary @@ -812,9 +812,6 @@ understand the binary label format at all anymore, and return an error if one is given. In particular, an authoritative BIND 9 name server will not load a zone file containing binary labels. -For an overview of the format and structure of IPv6 addresses, see -:ref:`ipv6addresses`. - Address Lookups Using AAAA Records ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 16bdde269a..c1808886be 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -14,50 +14,6 @@ General DNS Reference Information ================================= -.. _ipv6addresses: - -IPv6 Addresses (AAAA) ---------------------- - -IPv6 addresses are 128-bit identifiers, for interfaces and sets of -interfaces, which were introduced in the DNS to facilitate scalable -Internet routing. There are three types of addresses: *Unicast*, an -identifier for a single interface; *Anycast*, an identifier for a set of -interfaces; and *Multicast*, an identifier for a set of interfaces. Here -we describe the global Unicast address scheme. For more information, see -:rfc:`3587`, "IPv6 Global Unicast Address Format." - -IPv6 unicast addresses consist of a *global routing prefix*, a *subnet -identifier*, and an *interface identifier*. - -The global routing prefix is provided by the upstream provider or ISP, -and roughly corresponds to the IPv4 *network* section of the address -range. The subnet identifier is for local subnetting, much like -subnetting an IPv4 /16 network into /24 subnets. The interface -identifier is the address of an individual interface on a given network; -in IPv6, addresses belong to interfaces rather than to machines. - -The subnetting capability of IPv6 is much more flexible than that of -IPv4; subnetting can be carried out on bit boundaries, in much the same -way as Classless InterDomain Routing (CIDR), and the DNS PTR -representation ("nibble" format) makes setting up reverse zones easier. - -The interface identifier must be unique on the local link, and is -usually generated automatically by the IPv6 implementation, although it -is usually possible to override the default setting if necessary. A -typical IPv6 address might look like: -``2001:db8:201:9:a00:20ff:fe81:2b32``. - -IPv6 address specifications often contain long strings of zeros, so the -architects have included a shorthand for specifying them. The double -colon (``::``) indicates the longest possible string of zeros that can -fit, and can be used only once in an address. - -.. _bibliography: - -Bibliography (and Suggested Reading) ------------------------------------- - .. _rfcs: Requests for Comment (RFCs) @@ -88,30 +44,25 @@ The list is non-exhaustive. Some of these RFCs, though DNS-related, are not concerned with implementing software. -Internet Standards ------------------- +Protocol Specifications +----------------------- :rfc:`1034` - P. Mockapetris. *Domain Names — Concepts and Facilities.* November 1987. :rfc:`1035` - P. Mockapetris. *Domain Names — Implementation and Specification.* -November 1987. [1] [2] +November 1987. [#rfc1035_1]_ [#rfc1035_2]_ -:rfc:`1123` - R. Braden. *Requirements for Internet Hosts - Application and -Support.* October 1989. +:rfc:`1183` - C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris. *New DNS RR +Definitions.* October 1990. -:rfc:`3596` - S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. *DNS Extensions to -Support IP Version 6.* October 2003. +:rfc:`1706` - B. Manning and R. Colella. *DNS NSAP Resource Records.* October 1994. -:rfc:`5011` - M. StJohns. *Automated Updates of DNS Security (DNSSEC) Trust Anchors.* +:rfc:`1712` - C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. *DNS Encoding of +Geographical Location.* November 1994. -:rfc:`6891` - J. Damas, M. Graff, and P. Vixie. *Extension Mechanisms for DNS -(EDNS(0)).* April 2013. - -.. _proposed_standards: - -Proposed Standards ------------------- +:rfc:`1876` - C. Davis, P. Vixie, T. Goodwin, and I. Dickinson. *A Means for Expressing +Location Information in the Domain Name System.* January 1996. :rfc:`1982` - R. Elz and R. Bush. *Serial Number Arithmetic.* August 1996. @@ -128,6 +79,9 @@ Conformant Global Address Mapping (MCGAM).* January 1998. :rfc:`2181` - R. Elz and R. Bush. *Clarifications to the DNS Specification.* July 1997. +:rfc:`2230` - R. Atkinson. *Key Exchange Delegation Record for the DNS.* November +1997. + :rfc:`2308` - M. Andrews. *Negative Caching of DNS Queries (DNS NCACHE).* March 1998. :rfc:`2539` - D. Eastlake, 3rd. *Storage of Diffie-Hellman Keys in the Domain Name @@ -136,14 +90,11 @@ System (DNS).* March 1999. :rfc:`2782` - A. Gulbrandsen, P. Vixie, and L. Esibov. *A DNS RR for Specifying the Location of Services (DNS SRV).* February 2000. -:rfc:`2845` - P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. *Secret Key -Transaction Authentication for DNS (TSIG).* May 2000. - :rfc:`2930` - D. Eastlake, 3rd. *Secret Key Establishment for DNS (TKEY RR).* September 2000. :rfc:`2931` - D. Eastlake, 3rd. *DNS Request and Transaction Signatures (SIG(0)s).* -September 2000. [3] +September 2000. [#rfc2931]_ :rfc:`3007` - B. Wellington. *Secure Domain Name System (DNS) Dynamic Update.* November 2000. @@ -151,14 +102,36 @@ November 2000. :rfc:`3110` - D. Eastlake, 3rd. *RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS).* May 2001. +:rfc:`3123` - P. Koch. *A DNS RR Type for Lists of Address Prefixes (APL RR).* June +2001. + :rfc:`3225` - D. Conrad. *Indicating Resolver Support of DNSSEC.* December 2001. :rfc:`3226` - O. Gudmundsson. *DNSSEC and IPv6 A6 Aware Server/Resolver Message Size Requirements.* December 2001. +:rfc:`3363` - R. Bush, A. Durand, B. Fink, O. Gudmundsson, and T. Hain. +*Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name +System (DNS).* August 2002. [#rfc3363]_ + +:rfc:`3403` - M. Mealling. +*Dynamic Delegation Discovery System (DDDS). Part Three: The Domain Name System +(DNS) Database.* +October 2002. + :rfc:`3492` - A. Costello. *Punycode: A Bootstring Encoding of Unicode for Internationalized Domain Names in Applications (IDNA).* March 2003. +:rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens. +*Basic Socket Interface Extensions for IPv6.* March 2003. + +:rfc:`3496` - A. G. Malis and T. Hsiao. *Protocol Extension for Support of +Asynchronous Transfer Mode (ATM) Service Class-aware Multiprotocol Label +Switching (MPLS) Traffic Engineering.* March 2003. + +:rfc:`3596` - S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. *DNS Extensions to +Support IP Version 6.* October 2003. + :rfc:`3597` - A. Gustafsson. *Handling of Unknown DNS Resource Record (RR) Types.* September 2003. @@ -187,7 +160,7 @@ Clarification.* January 2006. :rfc:`4398` - S. Josefsson. *Storing Certificates in the Domain Name System (DNS).* March 2006. :rfc:`4470` - S. Weiler and J. Ihren. *Minimally covering NSEC Records and -DNSSEC On-line Signing.* April 2006. [5] +DNSSEC On-line Signing.* April 2006. [#rfc4470]_ :rfc:`4509` - W. Hardaker. *Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs).* May 2006. @@ -201,19 +174,28 @@ Code, Secure Hash Algorithm) TSIG Algorithm Identifiers.* August 2006. (RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR).* October 2006. -:rfc:`4955` - D. Blacka. *DNS Security (DNSSEC) Experiments.* July 2007. [6] +:rfc:`4955` - D. Blacka. *DNS Security (DNSSEC) Experiments.* July 2007. [#rfc4955]_ :rfc:`5001` - R. Austein. *DNS Name Server Identifier (NSID) Option.* August 2007. +:rfc:`5011` - M. StJohns. *Automated Updates of DNS Security (DNSSEC) Trust Anchors.* + :rfc:`5155` - B. Laurie, G. Sisson, R. Arends, and D. Blacka. *DNS Security (DNSSEC) Hashed Authenticated Denial of Existence.* March 2008. +:rfc:`5205` - P. Nikander and J. Laganier. *Host Identity Protocol (HIP) +Domain Name System (DNS) Extension.* April 2008. + :rfc:`5452` - A. Hubert and R. van Mook. *Measures for Making DNS More -Resilient Against Forged Answers.* January 2009. [7] +Resilient Against Forged Answers.* January 2009. [#rfc5452]_ :rfc:`5702` - J. Jansen. *Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC.* October 2009. +:rfc:`5891` - J. Klensin. +*Internationalized Domain Names in Applications (IDNA): Protocol.* +August 2010 + :rfc:`5936` - E. Lewis and A. Hoenes, Ed. *DNS Zone Transfer Protocol (AXFR).* June 2010. @@ -225,13 +207,13 @@ Addressing of IPv4/IPv6 Translators.* October 2010. :rfc:`6147` - M. Bagnulo, A. Sullivan, P. Matthews, and I. van Beijnum. *DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to -IPv4 Servers.* April 2011. [8] +IPv4 Servers.* April 2011. [#rfc6147]_ :rfc:`6604` - D. Eastlake, 3rd. *xNAME RCODE and Status Bits Clarification.* April 2012. :rfc:`6605` - P. Hoffman and W. C. A. Wijngaards. *Elliptic Curve Digital -Signature Algorithm (DSA) for DNSSEC.* April 2012. [9] +Signature Algorithm (DSA) for DNSSEC.* April 2012. [#rfc6605]_ :rfc:`6672` - S. Rose and W. Wijngaards. *DNAME Redirection in the DNS.* June 2012. @@ -241,88 +223,37 @@ Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA.* August 2012. :rfc:`6725` - S. Rose. *DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry -Updates.* August 2012. [10] +Updates.* August 2012. [#rfc6725]_ + +:rfc:`6742` - RJ Atkinson, SN Bhatti, U. St. Andrews, and S. Rose. *DNS +Resource Records for the Identifier-Locator Network Protocol (ILNP).* +November 2012. :rfc:`6840` - S. Weiler, Ed., and D. Blacka, Ed. *Clarifications and -Implementation Notes for DNS Security (DNSSEC).* February 2013. [11] +Implementation Notes for DNS Security (DNSSEC).* February 2013. [#rfc6840]_ -:rfc:`7050` - T. Savolainen, J. Korhonen, and D. Wing. *Discovery of the IPv6 -Prefix Used for IPv6 Address Synthesis.* November 2013. [21] - -:rfc:`7344` - W. Kumari, O. Gudmundsson, and G. Barwood. *Automating DNSSEC -Delegation Trust Maintenance.* September 2014. [12] - -:rfc:`7477` - W. Hardaker. *Child-to-Parent Synchronization in DNS.* March -2015. - -:rfc:`7766` - J. Dickinson, S. Dickinson, R. Bellis, A. Mankin, and D. -Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016. - -:rfc:`7828` - P. Wouters, J. Abley, S. Dickinson, and R. Bellis. -*The edns-tcp-keepalive EDNS0 Option.* April 2016. - -:rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [13] - -:rfc:`8078` - O. Gudmundsson and P. Wouters. *Managing DS Records from the -Parent via CDS/CDNSKEY.* March 2017. [22] - -:rfc:`8080` - O. Sury and R. Edmonds. *Edwards-Curve Digital Security Algorithm -(EdDSA) for DNSSEC.* February 2017. - -:rfc:`8880` - S. Cheshire and D. Schinazi. *Special Use Domain Name -'ipv4only.arpa'.* August 2020. - -:rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements -and Usage Guidance for DNSSEC.* June 2019. - -:rfc:`8749` - W. Mekking and D. Mahoney. *Moving DNSSEC Lookaside Validation -(DLV) to Historic Status.* March 2020. - -Informational RFCs ------------------- - -:rfc:`1535` - E. Gavron. *A Security Problem and Proposed Correction With Widely -Deployed DNS Software.* October 1993. - -:rfc:`1536` - A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. *Common DNS -Implementation Errors and Suggested Fixes.* October 1993. - -:rfc:`1706` - B. Manning and R. Colella. *DNS NSAP Resource Records.* October 1994. - -:rfc:`1912` - D. Barr. *Common DNS Operational and Configuration Errors.* February -1996. - -:rfc:`2230` - R. Atkinson. *Key Exchange Delegation Record for the DNS.* November -1997. - -:rfc:`3363` - R. Bush, A. Durand, B. Fink, O. Gudmundsson, and T. Hain. -*Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name -System (DNS).* August 2002. [14] - -:rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens. -*Basic Socket Interface Extensions for IPv6.* March 2003. - -:rfc:`3496` - A. G. Malis and T. Hsiao. *Protocol Extension for Support of -Asynchronous Transfer Mode (ATM) Service Class-aware Multiprotocol Label -Switching (MPLS) Traffic Engineering.* March 2003. - -:rfc:`3833` - D. Atkins and R. Austein. *Threat Analysis of the Domain Name System -(DNS).* August 2004. - -:rfc:`4074` - Y. Morishita and T. Jinmei. *Common Misbehavior Against DNS Queries for -IPv6 Addresses.* June 2005. - -:rfc:`4892` - S. Woolf and D. Conrad. *Requirements for a Mechanism -Identifying a Name Server Instance.* June 2007. - -:rfc:`6781` - O. Kolkman, W. Mekking, and R. Gieben. *DNSSEC Operational -Practices, Version 2.* December 2012. +:rfc:`6891` - J. Damas, M. Graff, and P. Vixie. *Extension Mechanisms for DNS +(EDNS(0)).* April 2013. :rfc:`7043` - J. Abley. *Resource Records for EUI-48 and EUI-64 Addresses in the DNS.* October 2013. -:rfc:`7129` - R. Gieben and W. Mekking. *Authenticated Denial of Existence -in the DNS.* February 2014. +:rfc:`7050` - T. Savolainen, J. Korhonen, and D. Wing. *Discovery of the IPv6 +Prefix Used for IPv6 Address Synthesis.* November 2013. [#rfc7050]_ + +:rfc:`7208` - S. Kitterman. +*Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, +Version 1.* +April 2014. + +:rfc:`7314` - M. Andrews. *Extension Mechanisms for DNS (EDNS) EXPIRE Option.* +July 2014. + +:rfc:`7344` - W. Kumari, O. Gudmundsson, and G. Barwood. *Automating DNSSEC +Delegation Trust Maintenance.* September 2014. [#rfc7344]_ + +:rfc:`7477` - W. Hardaker. *Child-to-Parent Synchronization in DNS.* March +2015. :rfc:`7553` - P. Faltstrom and O. Kolkman. *The Uniform Resource Identifier (URI) DNS Resource Record.* June 2015. @@ -330,34 +261,48 @@ in the DNS.* February 2014. :rfc:`7583` - S. Morris, J. Ihren, J. Dickinson, and W. Mekking. *DNSSEC Key Rollover Timing Considerations.* October 2015. -Experimental RFCs ------------------ +:rfc:`7766` - J. Dickinson, S. Dickinson, R. Bellis, A. Mankin, and D. +Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016. -:rfc:`1183` - C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris. *New DNS RR -Definitions.* October 1990. +:rfc:`7828` - P. Wouters, J. Abley, S. Dickinson, and R. Bellis. +*The edns-tcp-keepalive EDNS0 Option.* April 2016. -:rfc:`1712` - C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. *DNS Encoding of -Geographical Location.* November 1994. +:rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [#rfc7830]_ -:rfc:`1876` - C. Davis, P. Vixie, T. Goodwin, and I. Dickinson. *A Means for Expressing -Location Information in the Domain Name System.* January 1996. - -:rfc:`3123` - P. Koch. *A DNS RR Type for Lists of Address Prefixes (APL RR).* June -2001. - -:rfc:`5205` - P. Nikander and J. Laganier. *Host Identity Protocol (HIP) -Domain Name System (DNS) Extension.* April 2008. - -:rfc:`6742` - RJ Atkinson, SN Bhatti, U. St. Andrews, and S. Rose. *DNS -Resource Records for the Identifier-Locator Network Protocol (ILNP).* -November 2012. - -:rfc:`7314` - M. Andrews. *Extension Mechanisms for DNS (EDNS) EXPIRE Option.* -July 2014. +:rfc:`7858` - Z. Hu, L. Zhu, J. Heidemann, A. Mankin, D. Wessels, +and P. Hoffman. *Specification for DNS over Transport Layer Security (TLS).* +May 2016. [#noencryptedfwd]_ :rfc:`7929` - P. Wouters. *DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP.* August 2016. +:rfc:`8078` - O. Gudmundsson and P. Wouters. *Managing DS Records from the +Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_ + +:rfc:`8080` - O. Sury and R. Edmonds. *Edwards-Curve Digital Security Algorithm +(EdDSA) for DNSSEC.* February 2017. + +:rfc:`8484` - P. Hoffman and P. McManus. *DNS Queries over HTTPS (DoH).* +October 2018. [#noencryptedfwd]_ + +:rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements +and Usage Guidance for DNSSEC.* June 2019. + +:rfc:`8659` - P. Hallam-Baker, R. Stradling, and J. Hoffman-Andrews. +*DNS Certification Authority Authorization (CAA) Resource Record.* +November 2019. + +:rfc:`8880` - S. Cheshire and D. Schinazi. *Special Use Domain Name +'ipv4only.arpa'.* August 2020. + +:rfc:`8945` - F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson, +and B. Wellington. +*Secret Key Transaction Authentication for DNS (TSIG).* +November 2020. + +:rfc:`9103` - W. Toorop, S. Dickinson, S. Sahib, P. Aras, and A. Mankin. +*DNS Zone Transfer over TLS.* August 2021. [#rfc9103]_ + Best Current Practice RFCs -------------------------- @@ -368,7 +313,7 @@ October 1997. March 1998. :rfc:`2606` - D. Eastlake, 3rd and A. Panitz. *Reserved Top Level DNS Names.* June -1999. [15] +1999. [#rfc2606]_ :rfc:`3901` - A. Durand and J. Ihren. *DNS IPv6 Transport Operational Guidelines.* September 2004. @@ -383,167 +328,119 @@ Locally-Served DNS Zones Registry.* May 2016. :rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS Servers: Failure to Communicate.* September 2020. -Historic RFCs -------------- - -:rfc:`2874` - M. Crawford and C. Huitema. *DNS Extensions to Support IPv6 Address -Aggregation and Renumbering.* July 2000. [4] - -:rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation -(DLV) DNS Resource Record.* February 2006. - -RFCs of Type "Unknown" ----------------------- +For Your Information +-------------------- :rfc:`1101` - P. Mockapetris. *DNS Encoding of Network Names and Other Types.* April 1989. -Obsoleted and Unimplemented Experimental RFCs ---------------------------------------------- +:rfc:`1123` - R. Braden. *Requirements for Internet Hosts - Application and +Support.* October 1989. -:rfc:`1521` - N. Borenstein and N. Freed. *MIME (Multipurpose Internet Mail -Extensions) Part One: Mechanisms for Specifying and Describing the Format of -Internet Message Bodies.* September 1993 [16] +:rfc:`1535` - E. Gavron. *A Security Problem and Proposed Correction With Widely +Deployed DNS Software.* October 1993. -:rfc:`1750` - D. Eastlake, 3rd, S. Crocker, and J. Schiller. *Randomness -Recommendations for Security.* December 1994. +:rfc:`1536` - A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. *Common DNS +Implementation Errors and Suggested Fixes.* October 1993. -:rfc:`2535` - D. Eastlake, 3rd. *Domain Name System Security Extensions.* -March 1999. [17] [18] +:rfc:`1912` - D. Barr. *Common DNS Operational and Configuration Errors.* February +1996. -:rfc:`2537` - D. Eastlake, 3rd. *RSA/MD5 KEYs and SIGs in the Domain Name System -(DNS).* March 1999. +:rfc:`2874` - M. Crawford and C. Huitema. *DNS Extensions to Support IPv6 Address +Aggregation and Renumbering.* July 2000. [#rfc2874]_ -:rfc:`2538` - D. Eastlake, 3rd and O. Gudmundsson. *Storing Certificates in the Domain -Name System (DNS).* March 1999. +:rfc:`3833` - D. Atkins and R. Austein. *Threat Analysis of the Domain Name System +(DNS).* August 2004. -:rfc:`2671` - P. Vixie. *Extension Mechanisms for DNS (EDNS0).* August 1999. +:rfc:`4074` - Y. Morishita and T. Jinmei. *Common Misbehavior Against DNS Queries for +IPv6 Addresses.* June 2005. -:rfc:`2672` - M. Crawford. *Non-Terminal DNS Name Redirection.* August 1999. +:rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation +(DLV) DNS Resource Record.* February 2006. [#rfc4431]_ -:rfc:`2673` - M. Crawford. *Binary Labels in the Domain Name System.* August 1999. +:rfc:`4892` - S. Woolf and D. Conrad. *Requirements for a Mechanism +Identifying a Name Server Instance.* June 2007. -:rfc:`2915` - M. Mealling and R. Daniel. *The Naming Authority Pointer (NAPTR) DNS -Resource Record.* September 2000. +:rfc:`6781` - O. Kolkman, W. Mekking, and R. Gieben. *DNSSEC Operational +Practices, Version 2.* December 2012. -:rfc:`3008` - B. Wellington. *Domain Name System Security (DNSSEC) Signing -Authority.* November 2000. +:rfc:`7129` - R. Gieben and W. Mekking. *Authenticated Denial of Existence +in the DNS.* February 2014. -:rfc:`3152` - R. Bush. *Delegation of IP6.ARPA.* August 2001. - -:rfc:`3445` - D. Massey and S. Rose. *Limiting the Scope of the KEY Resource Record -(RR).* December 2002. - -:rfc:`3490` - P. Faltstrom, P. Hoffman, and A. Costello. *Internationalizing Domain Names -in Applications (IDNA).* March 2003. [19] - -:rfc:`3491` - P. Hoffman and M. Blanchet. *Nameprep: A Stringprep Profile for -Internationalized Domain Names (IDN).* March 2003. [19] - -:rfc:`3655` - B. Wellington and O. Gudmundsson. *Redefinition of DNS Authenticated -Data (AD) Bit.* November 2003. - -:rfc:`3658` - O. Gudmundsson. *Delegation Signer (DS) Resource Record (RR).* -December 2003. - -:rfc:`3755` - S. Weiler. *Legacy Resolver Compatibility for Delegation Signer -(DS).* May 2004. - -:rfc:`3757` - O. Kolkman, J. Schlyter, and E. Lewis. *Domain Name System KEY (DNSKEY) -Resource Record (RR) Secure Entry Point (SEP) Flag.* May 2004. - -:rfc:`3845` - J. Schlyter. *DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format.* -August 2004. - -:rfc:`4294` - J. Loughney, Ed. *IPv6 Node Requirements.* [20] - -:rfc:`4408` - M. Wong and W. Schlitt. *Sender Policy Framework (SPF) for -Authorizing Use of Domains in E-Mail, Version 1.* April 2006. - -:rfc:`5966` - R. Bellis. *DNS Transport Over TCP - Implementation -Requirements.* August 2010. - -:rfc:`6844` - P. Hallam-Baker and R. Stradling. *DNS Certification Authority -Authorization (CAA) Resource Record.* January 2013. - -:rfc:`6944` - S. Rose. *Applicability Statement: DNS Security (DNSSEC) DNSKEY -Algorithm Implementation Status.* April 2013. - -RFCs No Longer Supported in BIND 9 ----------------------------------- - -:rfc:`2536` - D. Eastlake, 3rd. *DSA KEYs and SIGs in the Domain Name System -(DNS).* March 1999. +:rfc:`8749` - W. Mekking and D. Mahoney. *Moving DNSSEC Lookaside Validation +(DLV) to Historic Status.* March 2020. Notes ~~~~~ -[1] Queries to zones that have failed to load return SERVFAIL rather -than a non-authoritative response. This is considered a feature. +.. [#rfc1035_1] Queries to zones that have failed to load return SERVFAIL rather + than a non-authoritative response. This is considered a feature. -[2] CLASS ANY queries are not supported. This is considered a -feature. +.. [#rfc1035_2] CLASS ANY queries are not supported. This is considered a + feature. -[3] When receiving a query signed with a SIG(0), the server is -only able to verify the signature if it has the key in its local -authoritative data; it cannot do recursion or validation to -retrieve unknown keys. +.. [#rfc2931] When receiving a query signed with a SIG(0), the server is + only able to verify the signature if it has the key in its local + authoritative data; it cannot do recursion or validation to + retrieve unknown keys. -[4] Compliance is with loading and serving of A6 records only. A6 records were moved -to the experimental category by :rfc:`3363`. +.. [#rfc2874] Compliance is with loading and serving of A6 records only. + A6 records were moved to the experimental category by :rfc:`3363`. -[5] Minimally Covering NSEC records are accepted but not generated. +.. [#rfc4431] Compliance is with loading and serving of DLV records only. + DLV records were moved to the historic category by :rfc:`8749`. -[6] BIND 9 interoperates with correctly designed experiments. +.. [#rfc4470] Minimally Covering NSEC records are accepted but not generated. -[7] ``named`` only uses ports to extend the ID space; addresses are not -used. +.. [#rfc4955] BIND 9 interoperates with correctly designed experiments. -[8] Section 5.5 does not match reality. ``named`` uses the presence -of DO=1 to detect if validation may be occurring. CD has no bearing -on whether validation occurs. +.. [#rfc5452] ``named`` only uses ports to extend the ID space; addresses are not + used. -[9] Compliance is conditional on the OpenSSL library being linked against -a supporting ECDSA. +.. [#rfc6147] Section 5.5 does not match reality. ``named`` uses the presence + of DO=1 to detect if validation may be occurring. CD has no bearing + on whether validation occurs. -[10] RSAMD5 support has been removed. See :rfc:`6944`. +.. [#rfc6605] Compliance is conditional on the OpenSSL library being linked against + a supporting ECDSA. -[11] Section 5.9 - Always set CD=1 on queries. This is *not* done, as -it prevents DNSSEC from working correctly through another recursive server. +.. [#rfc6725] RSAMD5 support has been removed. See :rfc:`8624`. -When talking to a recursive server, the best algorithm is to send -CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive -server has a bad clock and/or bad trust anchor. Alternatively, one -can send CD=1 then CD=0 on validation failure, in case the recursive -server is under attack or there is stale/bogus authoritative data. +.. [#rfc6840] Section 5.9 - Always set CD=1 on queries. This is *not* done, as + it prevents DNSSEC from working correctly through another recursive server. -[12] Updating of parent zones is not yet implemented. + When talking to a recursive server, the best algorithm is to send + CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive + server has a bad clock and/or bad trust anchor. Alternatively, one + can send CD=1 then CD=0 on validation failure, in case the recursive + server is under attack or there is stale/bogus authoritative data. -[13] ``named`` does not currently encrypt DNS requests, so the PAD option -is accepted but not returned in responses. +.. [#rfc7344] Updating of parent zones is not yet implemented. -[14] Section 4 is ignored. +.. [#rfc7830] ``named`` does not currently encrypt DNS requests, so the PAD option + is accepted but not returned in responses. -[15] This does not apply to DNS server implementations. +.. [#rfc3363] Section 4 is ignored. -[16] Only the Base 64 encoding specification is supported. +.. [#rfc2606] This does not apply to DNS server implementations. -[17] Wildcard records are not supported in DNSSEC secure zones. +.. [#rfc1521] Only the Base 64 encoding specification is supported. -[18] Servers authoritative for secure zones being resolved by BIND -9 must support EDNS0 (:rfc:`2671`), and must return all relevant SIGs -and NXTs in responses, rather than relying on the resolving server -to perform separate queries for missing SIGs and NXTs. +.. [#idna] BIND 9 requires ``--with-libidn2`` to enable entry of IDN labels within + dig, host, and nslookup at compile time. ACE labels are supported + everywhere with or without ``--with-libidn2``. -[19] BIND 9 requires ``--with-libidn2`` to enable entry of IDN labels within -dig, host, and nslookup at compile time. ACE labels are supported -everywhere with or without ``--with-libidn2``. +.. [#rfc4294] Section 5.1 - DNAME records are fully supported. -[20] Section 5.1 - DNAME records are fully supported. +.. [#rfc7050] RFC 7050 is updated by RFC 8880. -[21] RFC 7050 is updated by RFC 8880. +.. [#noencryptedfwd] Forwarding DNS queries over encrypted transports is not + supported yet. -[22] Updating of parent zones is not yet implemented. +.. [#rfc8078] Updating of parent zones is not yet implemented. + +.. [#rfc9103] Strict TLS and Mutual TLS authentication mechanisms are + not supported yet. .. _internet_drafts: @@ -557,11 +454,3 @@ archival, and they should not be quoted or cited in any formal documents unless accompanied by the disclaimer that they are "works in progress." IDs have a lifespan of six months, after which they are deleted unless updated by their authors. - -.. _more_about_bind: - -Other Documents About BIND -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Paul Albitz and Cricket Liu. *DNS and BIND.* Copyright 1998 Sebastopol, CA: O'Reilly and -Associates. diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance deleted file mode 100644 index 9e40d30ad4..0000000000 --- a/doc/misc/rfc-compliance +++ /dev/null @@ -1,196 +0,0 @@ -Copyright (C) Internet Systems Consortium, Inc. ("ISC") - -SPDX-License-Identifier: MPL-2.0 - -This Source Code Form is subject to the terms of the Mozilla Public -License, v. 2.0. If a copy of the MPL was not distributed with this -file, you can obtain one at https://mozilla.org/MPL/2.0/. - -See the COPYRIGHT file distributed with this work for additional -information regarding copyright ownership. - -BIND 9 is striving for strict compliance with IETF standards. We -believe this release of BIND 9 complies with the following RFCs, with -the caveats and exceptions listed in the numbered notes below. Note -that a number of these RFCs do not have the status of Internet -standards but are proposed or draft standards, experimental RFCs, -or Best Current Practice (BCP) documents. The list is non exhaustive. - - RFC1034 - RFC1035 [1] [2] - RFC1101 - RFC1123 - RFC1183 - RFC1521 [16] - RFC1535 - RFC1536 - RFC1706 - RFC1712 - RFC1750 - RFC1876 - RFC1982 - RFC1995 - RFC1996 - RFC2136 - RFC2163 - RFC2181 - RFC2230 - RFC2308 - RFC2539 - RFC2606 [17] - RFC2782 - RFC2845 - RFC2874 [18] - RFC2915 - RFC2930 - RFC2931 [5] - RFC3007 - RFC3110 - RFC3123 - RFC3225 - RFC3226 - RFC3363 [6] - RFC3490 [7] - RFC3491 (Obsoleted by 5890, 5891) [7] - RFC3493 - RFC3496 - RFC3597 - RFC3645 - RFC4025 - RFC4033 - RFC4034 - RFC4035 - RFC4074 - RFC4255 - RFC4294 - Section 5.1 [8] - RFC4343 - RFC4398 - RFC4408 - RFC4431 - RFC4470 [9] - RFC4509 - RFC4592 - RFC4635 - RFC4701 - RFC4892 - RFC4955 [10] - RFC5001 - RFC5011 - RFC5155 - RFC5205 - RFC5452 [11] - RFC5702 - RFC5936 - RFC5952 - RFC5966 - RFC6052 - RFC6147 [12] - RFC6303 - RFC6604 - RFC6605 [13] - RFC6672 - RFC6698 - RFC6742 - RFC6725 [19] - RFC6840 [14] - RFC6844 - RFC6891 - RFC6944 - RFC7043 - RFC7050 [21] - RFC7314 - RFC7344 [20] - RFC7477 - RFC7553 - RFC7793 - RFC7830 [15] - RFC7929 - RFC8078 [20] - RFC8080 - RFC8880 - -No longer supported - - RFC2536 - -The following DNS related RFC have been obsoleted - - RFC2535 (Obsoleted by 4034, 4035) [3] [4] - RFC2537 (Obsoleted by 3110) [19] - RFC2538 (Obsoleted by 4398) - RFC2671 (Obsoleted by 6891) - RFC2672 (Obsoleted by 6672) - RFC2673 (Obsoleted by 6891) - RFC3008 (Obsoleted by 4034, 4035) - RFC3152 (Obsoleted by 3596) - RFC3445 (Obsoleted by 4034, 4035) - RFC3655 (Obsoleted by 4034, 4035) - RFC3658 (Obsoleted by 4034, 4035) - RFC3755 (Obsoleted by 4034, 4035) - RFC3757 (Obsoleted by 4034, 4035) - RFC3845 (Obsoleted by 4034, 4035) - -[1] Queries to zones that have failed to load return SERVFAIL rather -than a non-authoritative response. This is considered a feature. - -[2] CLASS ANY queries are not supported. This is considered a -feature. - -[3] Wildcard records are not supported in DNSSEC secure zones. - -[4] Servers authoritative for secure zones being resolved by BIND -9 must support EDNS0 (RFC2671), and must return all relevant SIGs -and NXTs in responses rather than relying on the resolving server -to perform separate queries for missing SIGs and NXTs. - -[5] When receiving a query signed with a SIG(0), the server will -only be able to verify the signature if it has the key in its local -authoritative data; it will not do recursion or validation to -retrieve unknown keys. - -[6] Section 4 is ignored. - -[7] Requires --with-libidn2 to enable entry of IDN labels within dig, -host and nslookup at compile time. ACE labels are supported -everywhere with or without --with-libidn2. - -[8] Section 5.1 - DNAME records are fully supported. - -[9] Minimally Covering NSEC Record are accepted but not generated. - -[10] Will interoperate with correctly designed experiments. - -[11] Named only uses ports to extend the id space, address are not -used. - -[12] Section 5.5 does not match reality. Named uses the presence -of DO=1 to detect if validation may be occurring. CD has no bearing -on whether validation is occurring or not. - -[13] Conditional on the OpenSSL library being linked against -supporting ECDSA. - -[14] Section 5.9 - Always set CD=1 on queries. This is *not* done as -it prevents DNSSEC working correctly through another recursive server. - -When talking to a recurive server the best algorithm to do is send -CD=0 and then send CD=1 iff SERVFAIL is returned in case the recurive -server has a bad clock and/or bad trust anchor. Alternatively one -can send CD=1 then CD=0 on validation failure in case the recursive -server is under attack or there is stale / bogus authoritative data. - -[15] Named doesn't currently encrypt DNS requests so the PAD option -is accepted but not returned in responses. - -[16] Only the Base 64 encoding specification. - -[17] Not applicable to DNS server implementations. - -[18] Loading and serving of A6 records only. A6 records were moved -to the experimental category by RFC3363. - -[19] RSAMD5 support has been removed. See RFC 6944. - -[20] Updating of parent zones is not yet implemented. - -[21] RFC 7050 is updated by RFC 8880