From f713984886eef3a05f8810b8f4b6a91cf8c78827 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Fri, 21 Jan 2022 17:15:32 +0100 Subject: [PATCH 01/15] Use Sphinx footnotes for DNS Reference Information It limits risk of errors while doing updates, which are next in the pipeline. --- doc/arm/general.rst | 130 ++++++++++++++++++++++---------------------- 1 file changed, 65 insertions(+), 65 deletions(-) diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 16bdde269a..710ba1be95 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -95,7 +95,7 @@ Internet Standards 1987. :rfc:`1035` - P. Mockapetris. *Domain Names — Implementation and Specification.* -November 1987. [1] [2] +November 1987. [#rfc1035_1]_ [#rfc1035_2]_ :rfc:`1123` - R. Braden. *Requirements for Internet Hosts - Application and Support.* October 1989. @@ -143,7 +143,7 @@ Transaction Authentication for DNS (TSIG).* May 2000. September 2000. :rfc:`2931` - D. Eastlake, 3rd. *DNS Request and Transaction Signatures (SIG(0)s).* -September 2000. [3] +September 2000. [#rfc2931]_ :rfc:`3007` - B. Wellington. *Secure Domain Name System (DNS) Dynamic Update.* November 2000. @@ -187,7 +187,7 @@ Clarification.* January 2006. :rfc:`4398` - S. Josefsson. *Storing Certificates in the Domain Name System (DNS).* March 2006. :rfc:`4470` - S. Weiler and J. Ihren. *Minimally covering NSEC Records and -DNSSEC On-line Signing.* April 2006. [5] +DNSSEC On-line Signing.* April 2006. [#rfc4470]_ :rfc:`4509` - W. Hardaker. *Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs).* May 2006. 
@@ -201,7 +201,7 @@ Code, Secure Hash Algorithm) TSIG Algorithm Identifiers.* August 2006. (RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR).* October 2006. -:rfc:`4955` - D. Blacka. *DNS Security (DNSSEC) Experiments.* July 2007. [6] +:rfc:`4955` - D. Blacka. *DNS Security (DNSSEC) Experiments.* July 2007. [#rfc4955]_ :rfc:`5001` - R. Austein. *DNS Name Server Identifier (NSID) Option.* August 2007. @@ -209,7 +209,7 @@ RR).* October 2006. (DNSSEC) Hashed Authenticated Denial of Existence.* March 2008. :rfc:`5452` - A. Hubert and R. van Mook. *Measures for Making DNS More -Resilient Against Forged Answers.* January 2009. [7] +Resilient Against Forged Answers.* January 2009. [#rfc5452]_ :rfc:`5702` - J. Jansen. *Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC.* October 2009. @@ -225,13 +225,13 @@ Addressing of IPv4/IPv6 Translators.* October 2010. :rfc:`6147` - M. Bagnulo, A. Sullivan, P. Matthews, and I. van Beijnum. *DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to -IPv4 Servers.* April 2011. [8] +IPv4 Servers.* April 2011. [#rfc6147]_ :rfc:`6604` - D. Eastlake, 3rd. *xNAME RCODE and Status Bits Clarification.* April 2012. :rfc:`6605` - P. Hoffman and W. C. A. Wijngaards. *Elliptic Curve Digital -Signature Algorithm (DSA) for DNSSEC.* April 2012. [9] +Signature Algorithm (DSA) for DNSSEC.* April 2012. [#rfc6605]_ :rfc:`6672` - S. Rose and W. Wijngaards. *DNAME Redirection in the DNS.* June 2012. 
@@ -241,16 +241,16 @@ Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA.* August 2012. :rfc:`6725` - S. Rose. *DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry -Updates.* August 2012. [10] +Updates.* August 2012. [#rfc6725]_ :rfc:`6840` - S. Weiler, Ed., and D. Blacka, Ed. *Clarifications and -Implementation Notes for DNS Security (DNSSEC).* February 2013. [11] +Implementation Notes for DNS Security (DNSSEC).* February 2013. [#rfc6840]_ :rfc:`7050` - T. Savolainen, J. Korhonen, and D. Wing. *Discovery of the IPv6 -Prefix Used for IPv6 Address Synthesis.* November 2013. [21] +Prefix Used for IPv6 Address Synthesis.* November 2013. [#rfc7050]_ :rfc:`7344` - W. Kumari, O. Gudmundsson, and G. Barwood. *Automating DNSSEC -Delegation Trust Maintenance.* September 2014. [12] +Delegation Trust Maintenance.* September 2014. [#rfc7344]_ :rfc:`7477` - W. Hardaker. *Child-to-Parent Synchronization in DNS.* March 2015. @@ -261,10 +261,10 @@ Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016. :rfc:`7828` - P. Wouters, J. Abley, S. Dickinson, and R. Bellis. *The edns-tcp-keepalive EDNS0 Option.* April 2016. -:rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [13] +:rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [#rfc7830]_ :rfc:`8078` - O. Gudmundsson and P. Wouters. *Managing DS Records from the -Parent via CDS/CDNSKEY.* March 2017. [22] +Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_ :rfc:`8080` - O. Sury and R. Edmonds. *Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC.* February 2017. 
@@ -297,7 +297,7 @@ Implementation Errors and Suggested Fixes.* October 1993. :rfc:`3363` - R. Bush, A. Durand, B. Fink, O. Gudmundsson, and T. Hain. *Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name -System (DNS).* August 2002. [14] +System (DNS).* August 2002. [#rfc3363]_ :rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens. *Basic Socket Interface Extensions for IPv6.* March 2003. @@ -368,7 +368,7 @@ October 1997. March 1998. :rfc:`2606` - D. Eastlake, 3rd and A. Panitz. *Reserved Top Level DNS Names.* June -1999. [15] +1999. [#rfc2606]_ :rfc:`3901` - A. Durand and J. Ihren. *DNS IPv6 Transport Operational Guidelines.* September 2004. @@ -387,7 +387,7 @@ Historic RFCs ------------- :rfc:`2874` - M. Crawford and C. Huitema. *DNS Extensions to Support IPv6 Address -Aggregation and Renumbering.* July 2000. [4] +Aggregation and Renumbering.* July 2000. [#rfc2874]_ :rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation (DLV) DNS Resource Record.* February 2006. @@ -403,13 +403,13 @@ Obsoleted and Unimplemented Experimental RFCs :rfc:`1521` - N. Borenstein and N. Freed. *MIME (Multipurpose Internet Mail Extensions) Part One: Mechanisms for Specifying and Describing the Format of -Internet Message Bodies.* September 1993 [16] +Internet Message Bodies.* September 1993 [#rfc1521]_ :rfc:`1750` - D. Eastlake, 3rd, S. Crocker, and J. Schiller. *Randomness Recommendations for Security.* December 1994. :rfc:`2535` - D. Eastlake, 3rd. *Domain Name System Security Extensions.* -March 1999. [17] [18] +March 1999. [#rfc2535_1]_ [#rfc2535_2]_ :rfc:`2537` - D. Eastlake, 3rd. *RSA/MD5 KEYs and SIGs in the Domain Name System (DNS).* March 1999. 
@@ -435,10 +435,10 @@ Authority.* November 2000. (RR).* December 2002. :rfc:`3490` - P. Faltstrom, P. Hoffman, and A. Costello. *Internationalizing Domain Names -in Applications (IDNA).* March 2003. [19] +in Applications (IDNA).* March 2003. [#idna] :rfc:`3491` - P. Hoffman and M. Blanchet. *Nameprep: A Stringprep Profile for -Internationalized Domain Names (IDN).* March 2003. [19] +Internationalized Domain Names (IDN).* March 2003. [#idna] :rfc:`3655` - B. Wellington and O. Gudmundsson. *Redefinition of DNS Authenticated Data (AD) Bit.* November 2003. @@ -455,7 +455,7 @@ Resource Record (RR) Secure Entry Point (SEP) Flag.* May 2004. :rfc:`3845` - J. Schlyter. *DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format.* August 2004. -:rfc:`4294` - J. Loughney, Ed. *IPv6 Node Requirements.* [20] +:rfc:`4294` - J. Loughney, Ed. *IPv6 Node Requirements.* [#rfc4294]_ :rfc:`4408` - M. Wong and W. Schlitt. *Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1.* April 2006. 
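Review bot: in the `@@ -435,10 +435,10 @@` hunk the two new references `[#idna]` on the RFC 3490 and RFC 3491 entries are missing the trailing underscore that every other replacement in this patch has (compare `[#rfc4294]_` in the very next hunk). Without the underscore reStructuredText treats `[#idna]` as literal text rather than a footnote reference, so the reader sees "[#idna]" in the rendered ARM and the `.. [#idna]` definition added in the Notes section has no referrer. Suggested lines: `in Applications (IDNA).* March 2003. [#idna]_` and `Internationalized Domain Names (IDN).* March 2003. [#idna]_`.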
@@ -478,72 +478,72 @@ RFCs No Longer Supported in BIND 9 Notes ~~~~~ -[1] Queries to zones that have failed to load return SERVFAIL rather -than a non-authoritative response. This is considered a feature. +.. [#rfc1035_1] Queries to zones that have failed to load return SERVFAIL rather + than a non-authoritative response. This is considered a feature. -[2] CLASS ANY queries are not supported. This is considered a -feature. +.. [#rfc1035_2] CLASS ANY queries are not supported. This is considered a + feature. -[3] When receiving a query signed with a SIG(0), the server is -only able to verify the signature if it has the key in its local -authoritative data; it cannot do recursion or validation to -retrieve unknown keys. +.. [#rfc2931] When receiving a query signed with a SIG(0), the server is + only able to verify the signature if it has the key in its local + authoritative data; it cannot do recursion or validation to + retrieve unknown keys. -[4] Compliance is with loading and serving of A6 records only. A6 records were moved -to the experimental category by :rfc:`3363`. +.. [#rfc2874] Compliance is with loading and serving of A6 records only. + A6 records were moved to the experimental category by :rfc:`3363`. -[5] Minimally Covering NSEC records are accepted but not generated. +.. [#rfc4470] Minimally Covering NSEC records are accepted but not generated. -[6] BIND 9 interoperates with correctly designed experiments. +.. [#rfc4955] BIND 9 interoperates with correctly designed experiments. -[7] ``named`` only uses ports to extend the ID space; addresses are not -used. +.. [#rfc5452] ``named`` only uses ports to extend the ID space; addresses are not + used. -[8] Section 5.5 does not match reality. ``named`` uses the presence -of DO=1 to detect if validation may be occurring. CD has no bearing -on whether validation occurs. +.. [#rfc6147] Section 5.5 does not match reality. ``named`` uses the presence + of DO=1 to detect if validation may be occurring. 
CD has no bearing + on whether validation occurs. -[9] Compliance is conditional on the OpenSSL library being linked against -a supporting ECDSA. +.. [#rfc6605] Compliance is conditional on the OpenSSL library being linked against + a supporting ECDSA. -[10] RSAMD5 support has been removed. See :rfc:`6944`. +.. [#rfc6725] RSAMD5 support has been removed. See :rfc:`6944`. -[11] Section 5.9 - Always set CD=1 on queries. This is *not* done, as -it prevents DNSSEC from working correctly through another recursive server. +.. [#rfc6840] Section 5.9 - Always set CD=1 on queries. This is *not* done, as + it prevents DNSSEC from working correctly through another recursive server. -When talking to a recursive server, the best algorithm is to send -CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive -server has a bad clock and/or bad trust anchor. Alternatively, one -can send CD=1 then CD=0 on validation failure, in case the recursive -server is under attack or there is stale/bogus authoritative data. + When talking to a recursive server, the best algorithm is to send + CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive + server has a bad clock and/or bad trust anchor. Alternatively, one + can send CD=1 then CD=0 on validation failure, in case the recursive + server is under attack or there is stale/bogus authoritative data. -[12] Updating of parent zones is not yet implemented. +.. [#rfc7344] Updating of parent zones is not yet implemented. -[13] ``named`` does not currently encrypt DNS requests, so the PAD option -is accepted but not returned in responses. +.. [#rfc7830] ``named`` does not currently encrypt DNS requests, so the PAD option + is accepted but not returned in responses. -[14] Section 4 is ignored. +.. [#rfc3363] Section 4 is ignored. -[15] This does not apply to DNS server implementations. +.. [#rfc2606] This does not apply to DNS server implementations. -[16] Only the Base 64 encoding specification is supported. +.. 
[#rfc1521] Only the Base 64 encoding specification is supported. -[17] Wildcard records are not supported in DNSSEC secure zones. +.. [#rfc2535_1] Wildcard records are not supported in DNSSEC secure zones. -[18] Servers authoritative for secure zones being resolved by BIND -9 must support EDNS0 (:rfc:`2671`), and must return all relevant SIGs -and NXTs in responses, rather than relying on the resolving server -to perform separate queries for missing SIGs and NXTs. +.. [#rfc2535_2] Servers authoritative for secure zones being resolved by BIND + 9 must support EDNS0 (:rfc:`2671`), and must return all relevant SIGs + and NXTs in responses, rather than relying on the resolving server + to perform separate queries for missing SIGs and NXTs. -[19] BIND 9 requires ``--with-libidn2`` to enable entry of IDN labels within -dig, host, and nslookup at compile time. ACE labels are supported -everywhere with or without ``--with-libidn2``. +.. [#idna] BIND 9 requires ``--with-libidn2`` to enable entry of IDN labels within + dig, host, and nslookup at compile time. ACE labels are supported + everywhere with or without ``--with-libidn2``. -[20] Section 5.1 - DNAME records are fully supported. +.. [#rfc4294] Section 5.1 - DNAME records are fully supported. -[21] RFC 7050 is updated by RFC 8880. +.. [#rfc7050] RFC 7050 is updated by RFC 8880. -[22] Updating of parent zones is not yet implemented. +.. [#rfc8078] Updating of parent zones is not yet implemented. .. _internet_drafts: From b686b5c161e2a79ba12ce1e904bdec8a3fc49963 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 9 Feb 2022 16:05:31 +0100 Subject: [PATCH 02/15] Remove obsolete book reference from ARM --- doc/arm/general.rst | 8 -------- 1 file changed, 8 deletions(-) diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 710ba1be95..e054060121 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst 
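Review bot: the Notes hunk (`@@ -478,72 +478,72 @@`) changes the numbering model, and that deserves a sentence in the commit message: labelled auto-numbered footnotes are numbered by order of first reference in the file, so the ARM will no longer show the hand-assigned numbers that doc/misc/rfc-compliance still uses (e.g. the RFC 7050 note, formerly `[21]`, now gets whatever number falls at its position in the list, while rfc-compliance keeps `[21]`). Nobody should try to keep the two numberings aligned by hand after this. Also note that `.. [#idna]` is one definition meant to serve two entries (RFC 3490 and RFC 3491); after fixing the references in the earlier hunk, check the built HTML shows both back-references on that footnote.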
@@ -557,11 +557,3 @@ archival, and they should not be quoted or cited in any formal documents unless accompanied by the disclaimer that they are "works in progress." IDs have a lifespan of six months, after which they are deleted unless updated by their authors. - -.. _more_about_bind: - -Other Documents About BIND -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Paul Albitz and Cricket Liu. *DNS and BIND.* Copyright 1998 Sebastopol, CA: O'Reilly and -Associates. From 2b5b777c0752e2ca8abc3d8cfde6e57529992ff5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 9 Feb 2022 16:14:43 +0100 Subject: [PATCH 03/15] Replace obsolete RFC6488 reference with RFC8659 (CAA) --- doc/arm/general.rst | 4 ++++ doc/misc/rfc-compliance | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/doc/arm/general.rst b/doc/arm/general.rst index e054060121..88b674a0da 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -275,6 +275,10 @@ Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_ :rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements and Usage Guidance for DNSSEC.* June 2019. +:rfc:`8659` - P. Hallam-Baker, R. Stradling, and J. Hoffman-Andrews. +*DNS Certification Authority Authorization (CAA) Resource Record.* +November 2019. + :rfc:`8749` - W. Mekking and D. Mahoney. *Moving DNSSEC Lookaside Validation (DLV) to Historic Status.* March 2020. diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index 9e40d30ad4..9dc6253d99 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance @@ -93,7 +93,6 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC6742 RFC6725 [19] RFC6840 [14] - RFC6844 RFC6891 RFC6944 RFC7043 @@ -107,6 +106,7 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC7929 RFC8078 [20] RFC8080 + RFC8659 RFC8880 No longer supported 
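Review bot: deleting the `.. _more_about_bind:` target removes a cross-reference anchor, but PATCH 02/15 touches only doc/arm/general.rst; any `:ref:`more_about_bind`` in another chapter will now fail to resolve and Sphinx will report an undefined label. Grep the doc tree for `more_about_bind` before merging and say in the commit message that the label is gone. A small wording point on the message itself: "Remove obsolete book reference" would be more useful to future readers if it said why it is obsolete (the removed citation is the 1998 edition).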
@@ -129,6 +129,7 @@ The following DNS related RFC have been obsoleted RFC3755 (Obsoleted by 4034, 4035) RFC3757 (Obsoleted by 4034, 4035) RFC3845 (Obsoleted by 4034, 4035) + RFC6844 (Obsoleted by 8659) [1] Queries to zones that have failed to load return SERVFAIL rather than a non-authoritative response. This is considered a feature. From 9437ea08e14b4de848f7580a8e36c326ba5aa0a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 9 Feb 2022 16:19:20 +0100 Subject: [PATCH 04/15] Remove obsolete RFCs from documentation There is little point in listing all of the obsolete RFCs. I think it is more likely to confuse people than to do anything useful. --- doc/arm/general.rst | 84 ----------------------------------------- doc/misc/rfc-compliance | 31 --------------- 2 files changed, 115 deletions(-) diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 88b674a0da..dba2df7c15 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst 
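Review bot: the subject of PATCH 03/15 says RFC6488, but every hunk in the patch deals with RFC 6844 (dropped from the supported list, added to the obsoleted list as `RFC6844 (Obsoleted by 8659)`); please correct the subject to RFC6844 so that `git log --grep` finds it. One consistency point: this patch records the supersession only in doc/misc/rfc-compliance, while the ARM still lists RFC 6844 under "Obsoleted and Unimplemented Experimental RFCs" with no mention of 8659. If that ARM section is removed in a later patch of the series that is fine, but the message should say so, otherwise the ARM entry wants the same "(Obsoleted by 8659)" note.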
@@ -402,83 +402,6 @@ RFCs of Type "Unknown" :rfc:`1101` - P. Mockapetris. *DNS Encoding of Network Names and Other Types.* April 1989. -Obsoleted and Unimplemented Experimental RFCs ---------------------------------------------- - -:rfc:`1521` - N. Borenstein and N. Freed. *MIME (Multipurpose Internet Mail -Extensions) Part One: Mechanisms for Specifying and Describing the Format of -Internet Message Bodies.* September 1993 [#rfc1521]_ - -:rfc:`1750` - D. Eastlake, 3rd, S. Crocker, and J. Schiller. *Randomness -Recommendations for Security.* December 1994. - -:rfc:`2535` - D. Eastlake, 3rd. *Domain Name System Security Extensions.* -March 1999. [#rfc2535_1]_ [#rfc2535_2]_ - -:rfc:`2537` - D. Eastlake, 3rd. *RSA/MD5 KEYs and SIGs in the Domain Name System -(DNS).* March 1999. - -:rfc:`2538` - D. Eastlake, 3rd and O. Gudmundsson. *Storing Certificates in the Domain -Name System (DNS).* March 1999. - -:rfc:`2671` - P. Vixie. *Extension Mechanisms for DNS (EDNS0).* August 1999. - -:rfc:`2672` - M. Crawford. *Non-Terminal DNS Name Redirection.* August 1999. - -:rfc:`2673` - M. Crawford. *Binary Labels in the Domain Name System.* August 1999. - -:rfc:`2915` - M. Mealling and R. Daniel. *The Naming Authority Pointer (NAPTR) DNS -Resource Record.* September 2000. - -:rfc:`3008` - B. Wellington. *Domain Name System Security (DNSSEC) Signing -Authority.* November 2000. - -:rfc:`3152` - R. Bush. *Delegation of IP6.ARPA.* August 2001. - -:rfc:`3445` - D. Massey and S. Rose. *Limiting the Scope of the KEY Resource Record -(RR).* December 2002. - -:rfc:`3490` - P. Faltstrom, P. Hoffman, and A. Costello. *Internationalizing Domain Names -in Applications (IDNA).* March 2003. [#idna] - -:rfc:`3491` - P. Hoffman and M. Blanchet. *Nameprep: A Stringprep Profile for -Internationalized Domain Names (IDN).* March 2003. [#idna] - -:rfc:`3655` - B. Wellington and O. Gudmundsson. *Redefinition of DNS Authenticated -Data (AD) Bit.* November 2003. - -:rfc:`3658` - O. Gudmundsson. 
*Delegation Signer (DS) Resource Record (RR).* -December 2003. - -:rfc:`3755` - S. Weiler. *Legacy Resolver Compatibility for Delegation Signer -(DS).* May 2004. - -:rfc:`3757` - O. Kolkman, J. Schlyter, and E. Lewis. *Domain Name System KEY (DNSKEY) -Resource Record (RR) Secure Entry Point (SEP) Flag.* May 2004. - -:rfc:`3845` - J. Schlyter. *DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format.* -August 2004. - -:rfc:`4294` - J. Loughney, Ed. *IPv6 Node Requirements.* [#rfc4294]_ - -:rfc:`4408` - M. Wong and W. Schlitt. *Sender Policy Framework (SPF) for -Authorizing Use of Domains in E-Mail, Version 1.* April 2006. - -:rfc:`5966` - R. Bellis. *DNS Transport Over TCP - Implementation -Requirements.* August 2010. - -:rfc:`6844` - P. Hallam-Baker and R. Stradling. *DNS Certification Authority -Authorization (CAA) Resource Record.* January 2013. - -:rfc:`6944` - S. Rose. *Applicability Statement: DNS Security (DNSSEC) DNSKEY -Algorithm Implementation Status.* April 2013. - -RFCs No Longer Supported in BIND 9 ----------------------------------- - -:rfc:`2536` - D. Eastlake, 3rd. *DSA KEYs and SIGs in the Domain Name System -(DNS).* March 1999. - Notes ~~~~~ @@ -532,13 +455,6 @@ Notes .. [#rfc1521] Only the Base 64 encoding specification is supported. -.. [#rfc2535_1] Wildcard records are not supported in DNSSEC secure zones. - -.. [#rfc2535_2] Servers authoritative for secure zones being resolved by BIND - 9 must support EDNS0 (:rfc:`2671`), and must return all relevant SIGs - and NXTs in responses, rather than relying on the resolving server - to perform separate queries for missing SIGs and NXTs. - .. [#idna] BIND 9 requires ``--with-libidn2`` to enable entry of IDN labels within dig, host, and nslookup at compile time. ACE labels are supported everywhere with or without ``--with-libidn2``. diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index 9dc6253d99..da8f6d4b76 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance 
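Review bot: the Notes hunk (`@@ -532,13 +455,6 @@`) deletes only the `[#rfc2535_1]` and `[#rfc2535_2]` definitions, yet the same patch removes the RFC 1521, RFC 3490/3491 and RFC 4294 entries that were the only referrers of `.. [#rfc1521]`, `.. [#idna]` and `.. [#rfc4294]`. Those three definitions are now dead text, and the docs build will flag each of them as an unreferenced footnote. Remove them in this patch as well (or, for `[#idna]`, re-attach it to whichever IDNA RFC replaces 3490/3491 in the list), and run the Sphinx build with warnings enabled to confirm nothing else was orphaned.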
@@ -50,8 +50,6 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC3225 RFC3226 RFC3363 [6] - RFC3490 [7] - RFC3491 (Obsoleted by 5890, 5891) [7] RFC3493 RFC3496 RFC3597 @@ -109,41 +107,12 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC8659 RFC8880 -No longer supported - - RFC2536 - -The following DNS related RFC have been obsoleted - - RFC2535 (Obsoleted by 4034, 4035) [3] [4] - RFC2537 (Obsoleted by 3110) [19] - RFC2538 (Obsoleted by 4398) - RFC2671 (Obsoleted by 6891) - RFC2672 (Obsoleted by 6672) - RFC2673 (Obsoleted by 6891) - RFC3008 (Obsoleted by 4034, 4035) - RFC3152 (Obsoleted by 3596) - RFC3445 (Obsoleted by 4034, 4035) - RFC3655 (Obsoleted by 4034, 4035) - RFC3658 (Obsoleted by 4034, 4035) - RFC3755 (Obsoleted by 4034, 4035) - RFC3757 (Obsoleted by 4034, 4035) - RFC3845 (Obsoleted by 4034, 4035) - RFC6844 (Obsoleted by 8659) - [1] Queries to zones that have failed to load return SERVFAIL rather than a non-authoritative response. This is considered a feature. [2] CLASS ANY queries are not supported. This is considered a feature. -[3] Wildcard records are not supported in DNSSEC secure zones. - -[4] Servers authoritative for secure zones being resolved by BIND -9 must support EDNS0 (RFC2671), and must return all relevant SIGs -and NXTs in responses rather than relying on the resolving server -to perform separate queries for missing SIGs and NXTs. - [5] When receiving a query signed with a SIG(0), the server will only be able to verify the signature if it has the key in its local authoritative data; it will not do recursion or validation to From 09d6cf89dfd084c67ddd0df73166c898dcf8b930 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 9 Feb 2022 16:21:29 +0100 Subject: [PATCH 05/15] Add newer version of IDNA RFC to docs --- doc/arm/general.rst | 4 ++++ doc/misc/rfc-compliance | 1 + 2 files changed, 5 insertions(+) 
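Review bot: in the `@@ -50,8 +50,6 @@` hunk, removing `RFC3490 [7]` and `RFC3491 [7]` leaves note `[7]` in doc/misc/rfc-compliance with nothing pointing at it, while its definition is kept. Each commit in the series should leave both files consistent on their own, so either move the RFC5891 addition (which reuses `[7]`) into this patch or drop the note here and reintroduce it with its new referrer.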
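Review bot: the `@@ -109,41 +107,12 @@` hunk in doc/misc/rfc-compliance also deletes the "No longer supported" section with `RFC2536`, which is not an obsolete RFC in the sense of the commit message: unlike every entry in the obsoleted list it carries no "(Obsoleted by ...)" annotation, it is simply an algorithm BIND 9 chose to stop supporting. The matching "RFCs No Longer Supported in BIND 9" section is removed from the ARM in the same patch. Either keep that information somewhere (the RFC 8624 entry's note would be a natural home) or state in the commit message that the unsupported-algorithm list is being dropped deliberately. The remaining hand-numbered notes now skip `[3]` and `[4]`; harmless, but a renumbering pass at the end of the series would keep the file tidy.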
diff --git a/doc/arm/general.rst b/doc/arm/general.rst index dba2df7c15..0ce4b0d80a 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -214,6 +214,10 @@ Resilient Against Forged Answers.* January 2009. [#rfc5452]_ :rfc:`5702` - J. Jansen. *Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC.* October 2009. +:rfc:`5891` - J. Klensin. +*Internationalized Domain Names in Applications (IDNA): Protocol.* +August 2010 + :rfc:`5936` - E. Lewis and A. Hoenes, Ed. *DNS Zone Transfer Protocol (AXFR).* June 2010. diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index da8f6d4b76..6e83bed650 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance @@ -78,6 +78,7 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC5205 RFC5452 [11] RFC5702 + RFC5891 [7] RFC5936 RFC5952 RFC5966 From f7225db8223ec9f5bb8fc6f9c08e8d7e533887ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 9 Feb 2022 16:25:55 +0100 Subject: [PATCH 06/15] Add link to RFC8749 (DLV is historic) --- doc/arm/general.rst | 5 ++++- doc/misc/rfc-compliance | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 0ce4b0d80a..0532308186 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -398,7 +398,7 @@ Historic RFCs Aggregation and Renumbering.* July 2000. [#rfc2874]_ :rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation -(DLV) DNS Resource Record.* February 2006. +(DLV) DNS Resource Record.* February 2006. [#rfc4431]_ RFCs of Type "Unknown" ---------------------- 
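Review bot: the new RFC 5891 entry in doc/arm/general.rst ends `August 2010` without the trailing period that every other entry in the list has. More importantly, doc/misc/rfc-compliance attaches note `[7]` (the `--with-libidn2` note) to `RFC5891 [7]`, but the ARM entry carries no `[#idna]_` reference, so the two files disagree and the `.. [#idna]` definition in the ARM stays unreferenced. Suggested last line: `August 2010. [#idna]_`.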
@@ -423,6 +423,9 @@ Notes .. [#rfc2874] Compliance is with loading and serving of A6 records only. A6 records were moved to the experimental category by :rfc:`3363`. +.. [#rfc4431] Compliance is with loading and serving of DLV records only. + DLV records were moved to the historic category by :rfc:`8749`. + .. [#rfc4470] Minimally Covering NSEC records are accepted but not generated. .. [#rfc4955] BIND 9 interoperates with correctly designed experiments. diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index 6e83bed650..7eac0e5c8c 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance @@ -64,7 +64,7 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC4343 RFC4398 RFC4408 - RFC4431 + RFC4431 [22] RFC4470 [9] RFC4509 RFC4592 @@ -165,3 +165,6 @@ to the experimental category by RFC3363. [20] Updating of parent zones is not yet implemented. [21] RFC 7050 is updated by RFC 8880 + +[22] Compliance is with loading and serving of DLV records only. +DLV records were moved to the historic category by RFC 8749. From 16dec1ff58b7976df804d682abdafebb1840ec71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 9 Feb 2022 16:35:20 +0100 Subject: [PATCH 07/15] Replace obsolete RFC2915 reference with RFC3403 (NAPTR) --- doc/arm/general.rst | 5 +++++ doc/misc/rfc-compliance | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 0532308186..4031457cb1 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -156,6 +156,11 @@ System (DNS).* May 2001. :rfc:`3226` - O. Gudmundsson. *DNSSEC and IPv6 A6 Aware Server/Resolver Message Size Requirements.* December 2001. +:rfc:`3403` - M. Mealling. +*Dynamic Delegation Discovery System (DDDS). Part Three: The Domain Name System +(DNS) Database.* +October 2002. + :rfc:`3492` - A. Costello. *Punycode: A Bootstring Encoding of Unicode for Internationalized Domain Names in Applications (IDNA).* March 2003. 
diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index 7eac0e5c8c..65f6e4e1d9 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance @@ -41,7 +41,6 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC2782 RFC2845 RFC2874 [18] - RFC2915 RFC2930 RFC2931 [5] RFC3007 @@ -50,6 +49,7 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC3225 RFC3226 RFC3363 [6] + RFC3403 RFC3493 RFC3496 RFC3597 From f8cb0ac141ee8c346f9b6797d948db01f6cfb339 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 9 Feb 2022 16:39:02 +0100 Subject: [PATCH 08/15] Replace obsolete RFC4408 reference with RFC7208 (SPF) --- doc/arm/general.rst | 5 +++++ doc/misc/rfc-compliance | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 4031457cb1..d5398f67ab 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -258,6 +258,11 @@ Implementation Notes for DNS Security (DNSSEC).* February 2013. [#rfc6840]_ :rfc:`7050` - T. Savolainen, J. Korhonen, and D. Wing. *Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis.* November 2013. [#rfc7050]_ +:rfc:`7208` - S. Kitterman. +*Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, +Version 1.* +April 2014. + :rfc:`7344` - W. Kumari, O. Gudmundsson, and G. Barwood. *Automating DNSSEC Delegation Trust Maintenance.* September 2014. [#rfc7344]_ diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index 65f6e4e1d9..843860219b 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance @@ -63,7 +63,6 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC4294 - Section 5.1 [8] RFC4343 RFC4398 - RFC4408 RFC4431 [22] RFC4470 [9] RFC4509 @@ -96,6 +95,7 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC6944 RFC7043 RFC7050 [21] + RFC7208 RFC7314 RFC7344 [20] RFC7477 
From bd3b310eaeec7d8af86eac16e56f1946fef55def Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 9 Feb 2022 16:40:15 +0100 Subject: [PATCH 09/15] Replace obsolete RFC5966 reference with RFC7766 (TCP) --- doc/misc/rfc-compliance | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index 843860219b..c21f45f47a 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance @@ -80,7 +80,6 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC5891 [7] RFC5936 RFC5952 - RFC5966 RFC6052 RFC6147 [12] RFC6303 @@ -100,6 +99,7 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC7344 [20] RFC7477 RFC7553 + RFC7766 RFC7793 RFC7830 [15] RFC7929 From 3c83a9d50363c955a9899101c966a684e9177119 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 9 Feb 2022 16:42:30 +0100 Subject: [PATCH 10/15] Replace obsolete RFC6944 reference with RFC8624 (DNSSEC algorithm status) --- doc/arm/general.rst | 2 +- doc/misc/rfc-compliance | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/arm/general.rst b/doc/arm/general.rst index d5398f67ab..27388a57f0 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -450,7 +450,7 @@ Notes .. [#rfc6605] Compliance is conditional on the OpenSSL library being linked against a supporting ECDSA. -.. [#rfc6725] RSAMD5 support has been removed. See :rfc:`6944`. +.. [#rfc6725] RSAMD5 support has been removed. See :rfc:`8624`. .. [#rfc6840] Section 5.9 - Always set CD=1 on queries. This is *not* done, as it prevents DNSSEC from working correctly through another recursive server. diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index c21f45f47a..42596be576 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance 
@@ -91,7 +91,6 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC6725 [19] RFC6840 [14] RFC6891 - RFC6944 RFC7043 RFC7050 [21] RFC7208 @@ -105,6 +104,7 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC7929 RFC8078 [20] RFC8080 + RFC8624 RFC8659 RFC8880 @@ -160,7 +160,7 @@ is accepted but not returned in responses. [18] Loading and serving of A6 records only. A6 records were moved to the experimental category by RFC3363. -[19] RSAMD5 support has been removed. See RFC 6944. +[19] RSAMD5 support has been removed. See RFC 6944 and RFC 8624. [20] Updating of parent zones is not yet implemented. From 2774b497a67989ef61ab0c06a81eae351e5e3c08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 9 Feb 2022 18:17:19 +0100 Subject: [PATCH 11/15] Remove special chapter about IPv6 address formats from ARM In 2022, IPv6 is not anything unusual, and it was really odd to have it in a separate section next to a huge list of RFCs. Fixes: #1918 --- doc/arm/advanced.rst | 3 --- doc/arm/general.rst | 44 -------------------------------------------- 2 files changed, 47 deletions(-) diff --git a/doc/arm/advanced.rst b/doc/arm/advanced.rst index bd913dd300..ce73ae3149 100644 --- a/doc/arm/advanced.rst +++ b/doc/arm/advanced.rst @@ -812,9 +812,6 @@ understand the binary label format at all anymore, and return an error if one is given. In particular, an authoritative BIND 9 name server will not load a zone file containing binary labels. -For an overview of the format and structure of IPv6 addresses, see -:ref:`ipv6addresses`. - Address Lookups Using AAAA Records ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 27388a57f0..f000cf0375 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst 
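Review bot: the two files now say different things about the same note. In doc/arm/general.rst `[#rfc6725]` was changed to "See :rfc:`8624`." only, while in doc/misc/rfc-compliance `[19]` becomes "See RFC 6944 and RFC 8624." even though the `@@ -91,7 +91,6 @@` hunk in the same patch removes `RFC6944` from that file's list. Pick one wording for both; "See RFC 8624." matches the ARM and the subject line ("Replace obsolete RFC6944 reference").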
@@ -14,50 +14,6 @@ General DNS Reference Information ================================= -.. _ipv6addresses: - -IPv6 Addresses (AAAA) ---------------------- - -IPv6 addresses are 128-bit identifiers, for interfaces and sets of -interfaces, which were introduced in the DNS to facilitate scalable -Internet routing. There are three types of addresses: *Unicast*, an -identifier for a single interface; *Anycast*, an identifier for a set of -interfaces; and *Multicast*, an identifier for a set of interfaces. Here -we describe the global Unicast address scheme. For more information, see -:rfc:`3587`, "IPv6 Global Unicast Address Format." - -IPv6 unicast addresses consist of a *global routing prefix*, a *subnet -identifier*, and an *interface identifier*. - -The global routing prefix is provided by the upstream provider or ISP, -and roughly corresponds to the IPv4 *network* section of the address -range. The subnet identifier is for local subnetting, much like -subnetting an IPv4 /16 network into /24 subnets. The interface -identifier is the address of an individual interface on a given network; -in IPv6, addresses belong to interfaces rather than to machines. - -The subnetting capability of IPv6 is much more flexible than that of -IPv4; subnetting can be carried out on bit boundaries, in much the same -way as Classless InterDomain Routing (CIDR), and the DNS PTR -representation ("nibble" format) makes setting up reverse zones easier. - -The interface identifier must be unique on the local link, and is -usually generated automatically by the IPv6 implementation, although it -is usually possible to override the default setting if necessary. A -typical IPv6 address might look like: -``2001:db8:201:9:a00:20ff:fe81:2b32``. - -IPv6 address specifications often contain long strings of zeros, so the -architects have included a shorthand for specifying them. 
The double -colon (``::``) indicates the longest possible string of zeros that can -fit, and can be used only once in an address. - -.. _bibliography: - -Bibliography (and Suggested Reading) ------------------------------------- - .. _rfcs: Requests for Comment (RFCs) From 4dbad65bfd0710ad550d84a1c91f821dab2795a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 9 Feb 2022 18:28:33 +0100 Subject: [PATCH 12/15] Replace obsolete RFC2845 reference with RFC8945 (TSIG) --- doc/arm/general.rst | 8 +++++--- doc/misc/rfc-compliance | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/doc/arm/general.rst b/doc/arm/general.rst index f000cf0375..44d9147f90 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -64,6 +64,11 @@ Support IP Version 6.* October 2003. :rfc:`6891` - J. Damas, M. Graff, and P. Vixie. *Extension Mechanisms for DNS (EDNS(0)).* April 2013. +:rfc:`8945` - F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson, +and B. Wellington. +*Secret Key Transaction Authentication for DNS (TSIG).* +November 2020. + .. _proposed_standards: Proposed Standards @@ -92,9 +97,6 @@ System (DNS).* March 1999. :rfc:`2782` - A. Gulbrandsen, P. Vixie, and L. Esibov. *A DNS RR for Specifying the Location of Services (DNS SRV).* February 2000. -:rfc:`2845` - P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. *Secret Key -Transaction Authentication for DNS (TSIG).* May 2000. - :rfc:`2930` - D. Eastlake, 3rd. *Secret Key Establishment for DNS (TKEY RR).* September 2000. diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index 42596be576..bfcaa80691 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance @@ -39,7 +39,6 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC2539 RFC2606 [17] RFC2782 - RFC2845 RFC2874 [18] RFC2930 RFC2931 [5] 
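Review bot: The general.rst hunk deletes the `.. _bibliography:` label and the "Bibliography (and Suggested Reading)" heading in addition to the IPv6 section that the commit message describes, yet the only cross-reference removed in this patch is the `:ref:`ipv6addresses`` sentence in advanced.rst. Any remaining `:ref:`bibliography`` in the ARM will now fail the Sphinx build, so grep for it, and mention the heading removal in the commit message since it changes the document outline.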
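Review bot: Style inconsistency in the new RFC 8945 entry of the `@@ -64,6 +64,11 @@` hunk: the author is written "D. Eastlake 3rd" while the removed RFC 2845 entry and the neighbouring RFC 2930 entry use "D. Eastlake, 3rd", and the entry splits the author list, title and date onto separate short lines unlike every other entry in the file. Suggest keeping one form, e.g. `:rfc:`8945` - F. Dupont, S. Morris, P. Vixie, D. Eastlake, 3rd, O. Gudmundsson, and B. Wellington. *Secret Key Transaction Authentication for DNS (TSIG).* November 2020.` wrapped at the file's usual width.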
@@ -107,6 +106,7 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC8624 RFC8659 RFC8880 + RFC8945 [1] Queries to zones that have failed to load return SERVFAIL rather than a non-authoritative response. This is considered a feature. From 7fd61f9403169e31843f778eee790d61f702efdd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 9 Feb 2022 18:42:54 +0100 Subject: [PATCH 13/15] Reorder list of supported RFCs in more user-oriented manner For users it's not really important if a RFC is Internet Standard, Proposed Standard, or Experimental. RFCs are now regrouped by "Protocol", Best Current Practice, and "catch all" category FYI. --- doc/arm/advanced.rst | 2 +- doc/arm/general.rst | 204 ++++++++++++++++++++----------------------- 2 files changed, 96 insertions(+), 110 deletions(-) diff --git a/doc/arm/advanced.rst b/doc/arm/advanced.rst index ce73ae3149..70799e0f54 100644 --- a/doc/arm/advanced.rst +++ b/doc/arm/advanced.rst @@ -117,7 +117,7 @@ Incremental Zone Transfers (IXFR) The incremental zone transfer (IXFR) protocol is a way for secondary servers to transfer only changed data, instead of having to transfer an entire -zone. The IXFR protocol is specified in :rfc:`1995`. See :ref:`proposed_standards`. +zone. The IXFR protocol is specified in :rfc:`1995`. When acting as a primary server, BIND 9 supports IXFR for those zones where the necessary change history information is available. These include primary diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 44d9147f90..1f54abfb61 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -44,8 +44,8 @@ The list is non-exhaustive. Some of these RFCs, though DNS-related, are not concerned with implementing software. -Internet Standards ------------------- +Protocol Specifications +----------------------- :rfc:`1034` - P. Mockapetris. *Domain Names — Concepts and Facilities.* November 1987. 
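Review bot: Incomplete obsolescence handling in the rfc-compliance hunks: RFC 8945 obsoletes RFC 4635 (the HMAC-SHA TSIG algorithm identifiers) as well as RFC 2845, but only `RFC2845` is removed while `RFC4635` stays in the list. Either drop `RFC4635` in the same commit or say in the message why it is retained.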
@@ -53,26 +53,16 @@ Internet Standards :rfc:`1035` - P. Mockapetris. *Domain Names — Implementation and Specification.* November 1987. [#rfc1035_1]_ [#rfc1035_2]_ -:rfc:`1123` - R. Braden. *Requirements for Internet Hosts - Application and -Support.* October 1989. +:rfc:`1183` - C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris. *New DNS RR +Definitions.* October 1990. -:rfc:`3596` - S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. *DNS Extensions to -Support IP Version 6.* October 2003. +:rfc:`1706` - B. Manning and R. Colella. *DNS NSAP Resource Records.* October 1994. -:rfc:`5011` - M. StJohns. *Automated Updates of DNS Security (DNSSEC) Trust Anchors.* +:rfc:`1712` - C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. *DNS Encoding of +Geographical Location.* November 1994. -:rfc:`6891` - J. Damas, M. Graff, and P. Vixie. *Extension Mechanisms for DNS -(EDNS(0)).* April 2013. - -:rfc:`8945` - F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson, -and B. Wellington. -*Secret Key Transaction Authentication for DNS (TSIG).* -November 2020. - -.. _proposed_standards: - -Proposed Standards ------------------- +:rfc:`1876` - C. Davis, P. Vixie, T. Goodwin, and I. Dickinson. *A Means for Expressing +Location Information in the Domain Name System.* January 1996. :rfc:`1982` - R. Elz and R. Bush. *Serial Number Arithmetic.* August 1996. @@ -89,6 +79,9 @@ Conformant Global Address Mapping (MCGAM).* January 1998. :rfc:`2181` - R. Elz and R. Bush. *Clarifications to the DNS Specification.* July 1997. +:rfc:`2230` - R. Atkinson. *Key Exchange Delegation Record for the DNS.* November +1997. + :rfc:`2308` - M. Andrews. *Negative Caching of DNS Queries (DNS NCACHE).* March 1998. :rfc:`2539` - D. Eastlake, 3rd. *Storage of Diffie-Hellman Keys in the Domain Name 
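Review bot: Two small points in the `@@ -53,26 +53,16 @@` hunk. The new RFC 1183 entry lists "C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris" without the "and" before the last author that every other multi-author entry uses. Also, removing `.. _proposed_standards:` here is only safe if the advanced.rst hunk in this patch removed the sole `:ref:`proposed_standards``; a dangling-reference check over the whole ARM is worth running given that the `ipv6addresses` and `bibliography` labels were also removed earlier in the series.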
@@ -109,11 +102,18 @@ November 2000. :rfc:`3110` - D. Eastlake, 3rd. *RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS).* May 2001. +:rfc:`3123` - P. Koch. *A DNS RR Type for Lists of Address Prefixes (APL RR).* June +2001. + :rfc:`3225` - D. Conrad. *Indicating Resolver Support of DNSSEC.* December 2001. :rfc:`3226` - O. Gudmundsson. *DNSSEC and IPv6 A6 Aware Server/Resolver Message Size Requirements.* December 2001. +:rfc:`3363` - R. Bush, A. Durand, B. Fink, O. Gudmundsson, and T. Hain. +*Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name +System (DNS).* August 2002. [#rfc3363]_ + :rfc:`3403` - M. Mealling. *Dynamic Delegation Discovery System (DDDS). Part Three: The Domain Name System (DNS) Database.* @@ -122,6 +122,16 @@ October 2002. :rfc:`3492` - A. Costello. *Punycode: A Bootstring Encoding of Unicode for Internationalized Domain Names in Applications (IDNA).* March 2003. +:rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens. +*Basic Socket Interface Extensions for IPv6.* March 2003. + +:rfc:`3496` - A. G. Malis and T. Hsiao. *Protocol Extension for Support of +Asynchronous Transfer Mode (ATM) Service Class-aware Multiprotocol Label +Switching (MPLS) Traffic Engineering.* March 2003. + +:rfc:`3596` - S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. *DNS Extensions to +Support IP Version 6.* October 2003. + :rfc:`3597` - A. Gustafsson. *Handling of Unknown DNS Resource Record (RR) Types.* September 2003. 
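Review bot: Categorisation problem in the `@@ -122,6 +122,16 @@` hunk: RFC 3493 (*Basic Socket Interface Extensions for IPv6*) and RFC 3496 (*Protocol Extension for Support of ATM Service Class-aware MPLS Traffic Engineering*) are not DNS protocol specifications, so under the grouping this patch introduces they belong in the "For Your Information" section rather than "Protocol Specifications". If they are kept here, a footnote explaining what part of each BIND implements would help the reader.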
@@ -168,9 +178,14 @@ RR).* October 2006. :rfc:`5001` - R. Austein. *DNS Name Server Identifier (NSID) Option.* August 2007. +:rfc:`5011` - M. StJohns. *Automated Updates of DNS Security (DNSSEC) Trust Anchors.* + :rfc:`5155` - B. Laurie, G. Sisson, R. Arends, and D. Blacka. *DNS Security (DNSSEC) Hashed Authenticated Denial of Existence.* March 2008. +:rfc:`5205` - P. Nikander and J. Laganier. *Host Identity Protocol (HIP) +Domain Name System (DNS) Extension.* April 2008. + :rfc:`5452` - A. Hubert and R. van Mook. *Measures for Making DNS More Resilient Against Forged Answers.* January 2009. [#rfc5452]_ @@ -210,9 +225,19 @@ August 2012. :rfc:`6725` - S. Rose. *DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates.* August 2012. [#rfc6725]_ +:rfc:`6742` - RJ Atkinson, SN Bhatti, U. St. Andrews, and S. Rose. *DNS +Resource Records for the Identifier-Locator Network Protocol (ILNP).* +November 2012. + :rfc:`6840` - S. Weiler, Ed., and D. Blacka, Ed. *Clarifications and Implementation Notes for DNS Security (DNSSEC).* February 2013. [#rfc6840]_ +:rfc:`6891` - J. Damas, M. Graff, and P. Vixie. *Extension Mechanisms for DNS +(EDNS(0)).* April 2013. + +:rfc:`7043` - J. Abley. *Resource Records for EUI-48 and EUI-64 Addresses +in the DNS.* October 2013. + :rfc:`7050` - T. Savolainen, J. Korhonen, and D. Wing. *Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis.* November 2013. [#rfc7050]_ 
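Review bot: Missing date in the `@@ -168,9 +178,14 @@` hunk: the moved RFC 5011 entry ends at "*Automated Updates of DNS Security (DNSSEC) Trust Anchors.*" with no publication date, while every other entry carries one; the RFC was published in September 2007. Since the entry is being touched anyway, this is the moment to add it.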
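Review bot: Author list error in the `@@ -210,9 +225,19 @@` hunk: the RFC 6742 entry names "U. St. Andrews" as an author, but that is the authors' affiliation (University of St Andrews), not a person; the entry should read "RJ Atkinson, SN Bhatti, and S. Rose" (or "R. Atkinson, S. Bhatti, and S. Rose" to match the initial style used elsewhere in the file).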
@@ -221,12 +246,21 @@ Prefix Used for IPv6 Address Synthesis.* November 2013. [#rfc7050]_ Version 1.* April 2014. +:rfc:`7314` - M. Andrews. *Extension Mechanisms for DNS (EDNS) EXPIRE Option.* +July 2014. + :rfc:`7344` - W. Kumari, O. Gudmundsson, and G. Barwood. *Automating DNSSEC Delegation Trust Maintenance.* September 2014. [#rfc7344]_ :rfc:`7477` - W. Hardaker. *Child-to-Parent Synchronization in DNS.* March 2015. +:rfc:`7553` - P. Faltstrom and O. Kolkman. *The Uniform Resource Identifier +(URI) DNS Resource Record.* June 2015. + +:rfc:`7583` - S. Morris, J. Ihren, J. Dickinson, and W. Mekking. *DNSSEC Key +Rollover Timing Considerations.* October 2015. + :rfc:`7766` - J. Dickinson, S. Dickinson, R. Bellis, A. Mankin, and D. Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016. @@ -235,15 +269,15 @@ Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016. :rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [#rfc7830]_ +:rfc:`7929` - P. Wouters. *DNS-Based Authentication of Named Entities (DANE) +Bindings for OpenPGP.* August 2016. + :rfc:`8078` - O. Gudmundsson and P. Wouters. *Managing DS Records from the Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_ :rfc:`8080` - O. Sury and R. Edmonds. *Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC.* February 2017. -:rfc:`8880` - S. Cheshire and D. Schinazi. *Special Use Domain Name -'ipv4only.arpa'.* August 2020. - :rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements and Usage Guidance for DNSSEC.* June 2019. 
@@ -251,88 +285,13 @@ and Usage Guidance for DNSSEC.* June 2019. *DNS Certification Authority Authorization (CAA) Resource Record.* November 2019. -:rfc:`8749` - W. Mekking and D. Mahoney. *Moving DNSSEC Lookaside Validation -(DLV) to Historic Status.* March 2020. +:rfc:`8880` - S. Cheshire and D. Schinazi. *Special Use Domain Name +'ipv4only.arpa'.* August 2020. -Informational RFCs ------------------- - -:rfc:`1535` - E. Gavron. *A Security Problem and Proposed Correction With Widely -Deployed DNS Software.* October 1993. - -:rfc:`1536` - A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. *Common DNS -Implementation Errors and Suggested Fixes.* October 1993. - -:rfc:`1706` - B. Manning and R. Colella. *DNS NSAP Resource Records.* October 1994. - -:rfc:`1912` - D. Barr. *Common DNS Operational and Configuration Errors.* February -1996. - -:rfc:`2230` - R. Atkinson. *Key Exchange Delegation Record for the DNS.* November -1997. - -:rfc:`3363` - R. Bush, A. Durand, B. Fink, O. Gudmundsson, and T. Hain. -*Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name -System (DNS).* August 2002. [#rfc3363]_ - -:rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens. -*Basic Socket Interface Extensions for IPv6.* March 2003. - -:rfc:`3496` - A. G. Malis and T. Hsiao. *Protocol Extension for Support of -Asynchronous Transfer Mode (ATM) Service Class-aware Multiprotocol Label -Switching (MPLS) Traffic Engineering.* March 2003. - -:rfc:`3833` - D. Atkins and R. Austein. *Threat Analysis of the Domain Name System -(DNS).* August 2004. - -:rfc:`4074` - Y. Morishita and T. Jinmei. *Common Misbehavior Against DNS Queries for -IPv6 Addresses.* June 2005. - -:rfc:`4892` - S. Woolf and D. Conrad. *Requirements for a Mechanism -Identifying a Name Server Instance.* June 2007. - -:rfc:`6781` - O. Kolkman, W. Mekking, and R. Gieben. *DNSSEC Operational -Practices, Version 2.* December 2012. - -:rfc:`7043` - J. Abley. 
*Resource Records for EUI-48 and EUI-64 Addresses -in the DNS.* October 2013. - -:rfc:`7129` - R. Gieben and W. Mekking. *Authenticated Denial of Existence -in the DNS.* February 2014. - -:rfc:`7553` - P. Faltstrom and O. Kolkman. *The Uniform Resource Identifier -(URI) DNS Resource Record.* June 2015. - -:rfc:`7583` - S. Morris, J. Ihren, J. Dickinson, and W. Mekking. *DNSSEC Key -Rollover Timing Considerations.* October 2015. - -Experimental RFCs ------------------ - -:rfc:`1183` - C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris. *New DNS RR -Definitions.* October 1990. - -:rfc:`1712` - C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. *DNS Encoding of -Geographical Location.* November 1994. - -:rfc:`1876` - C. Davis, P. Vixie, T. Goodwin, and I. Dickinson. *A Means for Expressing -Location Information in the Domain Name System.* January 1996. - -:rfc:`3123` - P. Koch. *A DNS RR Type for Lists of Address Prefixes (APL RR).* June -2001. - -:rfc:`5205` - P. Nikander and J. Laganier. *Host Identity Protocol (HIP) -Domain Name System (DNS) Extension.* April 2008. - -:rfc:`6742` - RJ Atkinson, SN Bhatti, U. St. Andrews, and S. Rose. *DNS -Resource Records for the Identifier-Locator Network Protocol (ILNP).* -November 2012. - -:rfc:`7314` - M. Andrews. *Extension Mechanisms for DNS (EDNS) EXPIRE Option.* -July 2014. - -:rfc:`7929` - P. Wouters. *DNS-Based Authentication of Named Entities (DANE) -Bindings for OpenPGP.* August 2016. +:rfc:`8945` - F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson, +and B. Wellington. +*Secret Key Transaction Authentication for DNS (TSIG).* +November 2020. Best Current Practice RFCs -------------------------- 
@@ -359,20 +318,47 @@ Locally-Served DNS Zones Registry.* May 2016. :rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS Servers: Failure to Communicate.* September 2020. -Historic RFCs -------------- +For Your Information +-------------------- + +:rfc:`1101` - P. Mockapetris. *DNS Encoding of Network Names and Other Types.* +April 1989. + +:rfc:`1123` - R. Braden. *Requirements for Internet Hosts - Application and +Support.* October 1989. + +:rfc:`1535` - E. Gavron. *A Security Problem and Proposed Correction With Widely +Deployed DNS Software.* October 1993. + +:rfc:`1536` - A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. *Common DNS +Implementation Errors and Suggested Fixes.* October 1993. + +:rfc:`1912` - D. Barr. *Common DNS Operational and Configuration Errors.* February +1996. :rfc:`2874` - M. Crawford and C. Huitema. *DNS Extensions to Support IPv6 Address Aggregation and Renumbering.* July 2000. [#rfc2874]_ +:rfc:`3833` - D. Atkins and R. Austein. *Threat Analysis of the Domain Name System +(DNS).* August 2004. + +:rfc:`4074` - Y. Morishita and T. Jinmei. *Common Misbehavior Against DNS Queries for +IPv6 Addresses.* June 2005. + :rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation (DLV) DNS Resource Record.* February 2006. [#rfc4431]_ -RFCs of Type "Unknown" ----------------------- +:rfc:`4892` - S. Woolf and D. Conrad. *Requirements for a Mechanism +Identifying a Name Server Instance.* June 2007. -:rfc:`1101` - P. Mockapetris. *DNS Encoding of Network Names and Other Types.* -April 1989. +:rfc:`6781` - O. Kolkman, W. Mekking, and R. Gieben. *DNSSEC Operational +Practices, Version 2.* December 2012. + +:rfc:`7129` - R. Gieben and W. Mekking. *Authenticated Denial of Existence +in the DNS.* February 2014. + +:rfc:`8749` - W. Mekking and D. Mahoney. *Moving DNSSEC Lookaside Validation +(DLV) to Historic Status.* March 2020. Notes ~~~~~ 
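Review bot: Loss of status information in the `@@ -359,20 +318,47 @@` hunk: RFC 2874 and RFC 4431 move from the deleted "Historic RFCs" heading into "For Your Information", so the list itself no longer signals that A6 and DLV are historic and only loaded/served for compatibility. Confirm that the `[#rfc2874]_` and `[#rfc4431]_` footnotes state this explicitly (the plaintext notes [18] and [22] carry exactly that wording). Also, the new heading "For Your Information" breaks the "... RFCs" naming pattern of the sibling headings ("Best Current Practice RFCs"); "Informational and Other RFCs" or similar would keep the outline consistent.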
From 63989e98ac06cf1895727357a3a6cb5401fd8daa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Thu, 10 Feb 2022 14:03:39 +0100 Subject: [PATCH 14/15] Remove rfc-compliance list in plaintext - ARM deduplication The plaintext version is now fully replaced by the doc/arm/general.rst. --- doc/misc/rfc-compliance | 170 ---------------------------------------- 1 file changed, 170 deletions(-) delete mode 100644 doc/misc/rfc-compliance diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance deleted file mode 100644 index bfcaa80691..0000000000 --- a/doc/misc/rfc-compliance +++ /dev/null 
@@ -1,170 +0,0 @@ -Copyright (C) Internet Systems Consortium, Inc. ("ISC") - -SPDX-License-Identifier: MPL-2.0 - -This Source Code Form is subject to the terms of the Mozilla Public -License, v. 2.0. If a copy of the MPL was not distributed with this -file, you can obtain one at https://mozilla.org/MPL/2.0/. - -See the COPYRIGHT file distributed with this work for additional -information regarding copyright ownership. - -BIND 9 is striving for strict compliance with IETF standards. We -believe this release of BIND 9 complies with the following RFCs, with -the caveats and exceptions listed in the numbered notes below. Note -that a number of these RFCs do not have the status of Internet -standards but are proposed or draft standards, experimental RFCs, -or Best Current Practice (BCP) documents. The list is non exhaustive. - - RFC1034 - RFC1035 [1] [2] - RFC1101 - RFC1123 - RFC1183 - RFC1521 [16] - RFC1535 - RFC1536 - RFC1706 - RFC1712 - RFC1750 - RFC1876 - RFC1982 - RFC1995 - RFC1996 - RFC2136 - RFC2163 - RFC2181 - RFC2230 - RFC2308 - RFC2539 - RFC2606 [17] - RFC2782 - RFC2874 [18] - RFC2930 - RFC2931 [5] - RFC3007 - RFC3110 - RFC3123 - RFC3225 - RFC3226 - RFC3363 [6] - RFC3403 - RFC3493 - RFC3496 - RFC3597 - RFC3645 - RFC4025 - RFC4033 - RFC4034 - RFC4035 - RFC4074 - RFC4255 - RFC4294 - Section 5.1 [8] - RFC4343 - RFC4398 - RFC4431 [22] - RFC4470 [9] - RFC4509 - RFC4592 - RFC4635 - RFC4701 - RFC4892 - RFC4955 [10] - RFC5001 - RFC5011 - RFC5155 - RFC5205 - RFC5452 [11] - RFC5702 - RFC5891 [7] - RFC5936 - RFC5952 - RFC6052 - RFC6147 [12] - RFC6303 - RFC6604 - RFC6605 [13] - RFC6672 - RFC6698 - RFC6742 - RFC6725 [19] - RFC6840 [14] - RFC6891 - RFC7043 - RFC7050 [21] - RFC7208 - RFC7314 - RFC7344 [20] - RFC7477 - RFC7553 - RFC7766 - RFC7793 - RFC7830 [15] - RFC7929 - RFC8078 [20] - RFC8080 - RFC8624 - RFC8659 - RFC8880 - RFC8945 - -[1] Queries to zones that have failed to load return SERVFAIL rather -than a non-authoritative response. This is considered a feature. 
- -[2] CLASS ANY queries are not supported. This is considered a -feature. - -[5] When receiving a query signed with a SIG(0), the server will -only be able to verify the signature if it has the key in its local -authoritative data; it will not do recursion or validation to -retrieve unknown keys. - -[6] Section 4 is ignored. - -[7] Requires --with-libidn2 to enable entry of IDN labels within dig, -host and nslookup at compile time. ACE labels are supported -everywhere with or without --with-libidn2. - -[8] Section 5.1 - DNAME records are fully supported. - -[9] Minimally Covering NSEC Record are accepted but not generated. - -[10] Will interoperate with correctly designed experiments. - -[11] Named only uses ports to extend the id space, address are not -used. - -[12] Section 5.5 does not match reality. Named uses the presence -of DO=1 to detect if validation may be occurring. CD has no bearing -on whether validation is occurring or not. - -[13] Conditional on the OpenSSL library being linked against -supporting ECDSA. - -[14] Section 5.9 - Always set CD=1 on queries. This is *not* done as -it prevents DNSSEC working correctly through another recursive server. - -When talking to a recurive server the best algorithm to do is send -CD=0 and then send CD=1 iff SERVFAIL is returned in case the recurive -server has a bad clock and/or bad trust anchor. Alternatively one -can send CD=1 then CD=0 on validation failure in case the recursive -server is under attack or there is stale / bogus authoritative data. - -[15] Named doesn't currently encrypt DNS requests so the PAD option -is accepted but not returned in responses. - -[16] Only the Base 64 encoding specification. - -[17] Not applicable to DNS server implementations. - -[18] Loading and serving of A6 records only. A6 records were moved -to the experimental category by RFC3363. - -[19] RSAMD5 support has been removed. See RFC 6944 and RFC 8624. - -[20] Updating of parent zones is not yet implemented. 
- -[21] RFC 7050 is updated by RFC 8880 - -[22] Compliance is with loading and serving of DLV records only. -DLV records were moved to the historic category by RFC 8749. From 8058d64dda957083ee2771ee33f038b357446abf Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Thu, 10 Feb 2022 16:29:57 +0200 Subject: [PATCH 15/15] Mention DoT/DoH related RFCs in the ARM Mention RFC 7858 (DoT), 8484 (DoH), and 8945 (XoT). --- doc/arm/general.rst | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 1f54abfb61..c1808886be 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -269,6 +269,10 @@ Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016. :rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [#rfc7830]_ +:rfc:`7858` - Z. Hu, L. Zhu, J. Heidemann, A. Mankin, D. Wessels, +and P. Hoffman. *Specification for DNS over Transport Layer Security (TLS).* +May 2016. [#noencryptedfwd]_ + :rfc:`7929` - P. Wouters. *DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP.* August 2016. @@ -278,6 +282,9 @@ Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_ :rfc:`8080` - O. Sury and R. Edmonds. *Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC.* February 2017. +:rfc:`8484` - P. Hoffman and P. McManus. *DNS Queries over HTTPS (DoH).* +October 2018. [#noencryptedfwd]_ + :rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements and Usage Guidance for DNSSEC.* June 2019. @@ -293,6 +300,9 @@ and B. Wellington. *Secret Key Transaction Authentication for DNS (TSIG).* November 2020. +:rfc:`9103` - W. Toorop, S. Dickinson, S. Sahib, P. Aras, and A. Mankin. +*DNS Zone Transfer over TLS.* August 2021. [#rfc9103]_ + Best Current Practice RFCs -------------------------- 
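Review bot: The commit message claims the plaintext list is fully replaced by doc/arm/general.rst, but several entries of the deleted file have no visible counterpart anywhere in this series: RFC1521 [16], RFC1750, RFC4294 Section 5.1 [8], RFC5891 [7], RFC5936, RFC5952, RFC6052, RFC6303, RFC6698, RFC7208 and RFC7793, together with notes [7], [8], [16] and [17]. Please verify each has an entry or footnote in general.rst before deleting; in particular note [14]'s operational guidance on CD=0/CD=1 handling when talking to a recursive server is the most substantive text in the file and should survive in the `[#rfc6840]_` footnote. Also check the build system and any README for references to `doc/misc/rfc-compliance`, since the file is removed outright.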
@@ -424,8 +434,14 @@ Notes .. [#rfc7050] RFC 7050 is updated by RFC 8880. +.. [#noencryptedfwd] Forwarding DNS queries over encrypted transports is not + supported yet. + .. [#rfc8078] Updating of parent zones is not yet implemented. +.. [#rfc9103] Strict TLS and Mutual TLS authentication mechanisms are + not supported yet. + .. _internet_drafts: Internet Drafts
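Review bot: Commit message mismatch for the `@@ -293,6 +300,9 @@` hunk: the message says "8945 (XoT)", but the hunk adds RFC 9103 (*DNS Zone Transfer over TLS*), which is XoT; RFC 8945 is the TSIG specification already present in the context lines. The message should read "RFC 7858 (DoT), 8484 (DoH), and 9103 (XoT)".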
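Review bot: The new `[#noencryptedfwd]` footnote only states what is not supported ("Forwarding DNS queries over encrypted transports is not supported yet"), which attached to the RFC 7858 and RFC 8484 entries can be read as the transports being unsupported altogether; say explicitly that serving DoT and DoH is supported and only forwarding over them is not. Sharing one labelled auto-numbered footnote between two references is valid reStructuredText, so the double `[#noencryptedfwd]_` is fine. Same for `[#rfc9103]`: "Strict TLS and Mutual TLS authentication mechanisms are not supported yet" would benefit from naming which RFC 9103 mode (opportunistic TLS) is supported.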