mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 06:25:31 +00:00

Merge branch 'pspacek/rfc-nits' into 'main'

Update and deduplicate list of RFCs in documentation

Closes #1918

See merge request isc-projects/bind9!5813
Petr Špaček
2022-02-14 11:10:21 +00:00
3 changed files with 183 additions and 493 deletions


@@ -117,7 +117,7 @@ Incremental Zone Transfers (IXFR)
The incremental zone transfer (IXFR) protocol is a way for secondary servers The incremental zone transfer (IXFR) protocol is a way for secondary servers
to transfer only changed data, instead of having to transfer an entire to transfer only changed data, instead of having to transfer an entire
zone. The IXFR protocol is specified in :rfc:`1995`. See :ref:`proposed_standards`. zone. The IXFR protocol is specified in :rfc:`1995`.
When acting as a primary server, BIND 9 supports IXFR for those zones where the When acting as a primary server, BIND 9 supports IXFR for those zones where the
necessary change history information is available. These include primary necessary change history information is available. These include primary
@@ -812,9 +812,6 @@ understand the binary label format at all anymore, and return an
error if one is given. In particular, an authoritative BIND 9 name server will error if one is given. In particular, an authoritative BIND 9 name server will
not load a zone file containing binary labels. not load a zone file containing binary labels.
For an overview of the format and structure of IPv6 addresses, see
:ref:`ipv6addresses`.
Address Lookups Using AAAA Records Address Lookups Using AAAA Records
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


@@ -14,50 +14,6 @@
General DNS Reference Information General DNS Reference Information
================================= =================================
.. _ipv6addresses:
IPv6 Addresses (AAAA)
---------------------
IPv6 addresses are 128-bit identifiers, for interfaces and sets of
interfaces, which were introduced in the DNS to facilitate scalable
Internet routing. There are three types of addresses: *Unicast*, an
identifier for a single interface; *Anycast*, an identifier for a set of
interfaces; and *Multicast*, an identifier for a set of interfaces. Here
we describe the global Unicast address scheme. For more information, see
:rfc:`3587`, "IPv6 Global Unicast Address Format."
IPv6 unicast addresses consist of a *global routing prefix*, a *subnet
identifier*, and an *interface identifier*.
The global routing prefix is provided by the upstream provider or ISP,
and roughly corresponds to the IPv4 *network* section of the address
range. The subnet identifier is for local subnetting, much like
subnetting an IPv4 /16 network into /24 subnets. The interface
identifier is the address of an individual interface on a given network;
in IPv6, addresses belong to interfaces rather than to machines.
The subnetting capability of IPv6 is much more flexible than that of
IPv4; subnetting can be carried out on bit boundaries, in much the same
way as Classless InterDomain Routing (CIDR), and the DNS PTR
representation ("nibble" format) makes setting up reverse zones easier.
The interface identifier must be unique on the local link, and is
usually generated automatically by the IPv6 implementation, although it
is usually possible to override the default setting if necessary. A
typical IPv6 address might look like:
``2001:db8:201:9:a00:20ff:fe81:2b32``.
IPv6 address specifications often contain long strings of zeros, so the
architects have included a shorthand for specifying them. The double
colon (``::``) indicates the longest possible string of zeros that can
fit, and can be used only once in an address.
.. _bibliography:
Bibliography (and Suggested Reading)
------------------------------------
.. _rfcs: .. _rfcs:
Requests for Comment (RFCs) Requests for Comment (RFCs)
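Review bot: The `.. _ipv6addresses:` and `.. _bibliography:` targets are deleted at the top of this hunk, and this file later drops `.. _proposed_standards:` and `.. _more_about_bind:` as well, but the commit only visibly cleans up the references to `ipv6addresses` and `proposed_standards` in the other file. Please grep the documentation tree for remaining `:ref:` uses of `bibliography` and `more_about_bind` so the Sphinx build does not end up with undefined-label warnings or dead cross-references.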
@@ -88,30 +44,25 @@ The list is non-exhaustive.
Some of these RFCs, though DNS-related, are not concerned with implementing Some of these RFCs, though DNS-related, are not concerned with implementing
software. software.
Internet Standards Protocol Specifications
------------------ -----------------------
:rfc:`1034` - P. Mockapetris. *Domain Names — Concepts and Facilities.* November :rfc:`1034` - P. Mockapetris. *Domain Names — Concepts and Facilities.* November
1987. 1987.
:rfc:`1035` - P. Mockapetris. *Domain Names — Implementation and Specification.* :rfc:`1035` - P. Mockapetris. *Domain Names — Implementation and Specification.*
November 1987. [1] [2] November 1987. [#rfc1035_1]_ [#rfc1035_2]_
:rfc:`1123` - R. Braden. *Requirements for Internet Hosts - Application and :rfc:`1183` - C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris. *New DNS RR
Support.* October 1989. Definitions.* October 1990.
:rfc:`3596` - S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. *DNS Extensions to :rfc:`1706` - B. Manning and R. Colella. *DNS NSAP Resource Records.* October 1994.
Support IP Version 6.* October 2003.
:rfc:`5011` - M. StJohns. *Automated Updates of DNS Security (DNSSEC) Trust Anchors.* :rfc:`1712` - C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. *DNS Encoding of
Geographical Location.* November 1994.
:rfc:`6891` - J. Damas, M. Graff, and P. Vixie. *Extension Mechanisms for DNS :rfc:`1876` - C. Davis, P. Vixie, T. Goodwin, and I. Dickinson. *A Means for Expressing
(EDNS(0)).* April 2013. Location Information in the Domain Name System.* January 1996.
.. _proposed_standards:
Proposed Standards
------------------
:rfc:`1982` - R. Elz and R. Bush. *Serial Number Arithmetic.* August 1996. :rfc:`1982` - R. Elz and R. Bush. *Serial Number Arithmetic.* August 1996.
@@ -128,6 +79,9 @@ Conformant Global Address Mapping (MCGAM).* January 1998.
:rfc:`2181` - R. Elz and R. Bush. *Clarifications to the DNS Specification.* July 1997. :rfc:`2181` - R. Elz and R. Bush. *Clarifications to the DNS Specification.* July 1997.
:rfc:`2230` - R. Atkinson. *Key Exchange Delegation Record for the DNS.* November
1997.
:rfc:`2308` - M. Andrews. *Negative Caching of DNS Queries (DNS NCACHE).* March 1998. :rfc:`2308` - M. Andrews. *Negative Caching of DNS Queries (DNS NCACHE).* March 1998.
:rfc:`2539` - D. Eastlake, 3rd. *Storage of Diffie-Hellman Keys in the Domain Name :rfc:`2539` - D. Eastlake, 3rd. *Storage of Diffie-Hellman Keys in the Domain Name
@@ -136,14 +90,11 @@ System (DNS).* March 1999.
:rfc:`2782` - A. Gulbrandsen, P. Vixie, and L. Esibov. *A DNS RR for Specifying the :rfc:`2782` - A. Gulbrandsen, P. Vixie, and L. Esibov. *A DNS RR for Specifying the
Location of Services (DNS SRV).* February 2000. Location of Services (DNS SRV).* February 2000.
:rfc:`2845` - P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. *Secret Key
Transaction Authentication for DNS (TSIG).* May 2000.
:rfc:`2930` - D. Eastlake, 3rd. *Secret Key Establishment for DNS (TKEY RR).* :rfc:`2930` - D. Eastlake, 3rd. *Secret Key Establishment for DNS (TKEY RR).*
September 2000. September 2000.
:rfc:`2931` - D. Eastlake, 3rd. *DNS Request and Transaction Signatures (SIG(0)s).* :rfc:`2931` - D. Eastlake, 3rd. *DNS Request and Transaction Signatures (SIG(0)s).*
September 2000. [3] September 2000. [#rfc2931]_
:rfc:`3007` - B. Wellington. *Secure Domain Name System (DNS) Dynamic Update.* :rfc:`3007` - B. Wellington. *Secure Domain Name System (DNS) Dynamic Update.*
November 2000. November 2000.
@@ -151,14 +102,36 @@ November 2000.
:rfc:`3110` - D. Eastlake, 3rd. *RSA/SHA-1 SIGs and RSA KEYs in the Domain Name :rfc:`3110` - D. Eastlake, 3rd. *RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
System (DNS).* May 2001. System (DNS).* May 2001.
:rfc:`3123` - P. Koch. *A DNS RR Type for Lists of Address Prefixes (APL RR).* June
2001.
:rfc:`3225` - D. Conrad. *Indicating Resolver Support of DNSSEC.* December 2001. :rfc:`3225` - D. Conrad. *Indicating Resolver Support of DNSSEC.* December 2001.
:rfc:`3226` - O. Gudmundsson. *DNSSEC and IPv6 A6 Aware Server/Resolver :rfc:`3226` - O. Gudmundsson. *DNSSEC and IPv6 A6 Aware Server/Resolver
Message Size Requirements.* December 2001. Message Size Requirements.* December 2001.
:rfc:`3363` - R. Bush, A. Durand, B. Fink, O. Gudmundsson, and T. Hain.
*Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name
System (DNS).* August 2002. [#rfc3363]_
:rfc:`3403` - M. Mealling.
*Dynamic Delegation Discovery System (DDDS). Part Three: The Domain Name System
(DNS) Database.*
October 2002.
:rfc:`3492` - A. Costello. *Punycode: A Bootstring Encoding of Unicode for :rfc:`3492` - A. Costello. *Punycode: A Bootstring Encoding of Unicode for
Internationalized Domain Names in Applications (IDNA).* March 2003. Internationalized Domain Names in Applications (IDNA).* March 2003.
:rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens.
*Basic Socket Interface Extensions for IPv6.* March 2003.
:rfc:`3496` - A. G. Malis and T. Hsiao. *Protocol Extension for Support of
Asynchronous Transfer Mode (ATM) Service Class-aware Multiprotocol Label
Switching (MPLS) Traffic Engineering.* March 2003.
:rfc:`3596` - S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. *DNS Extensions to
Support IP Version 6.* October 2003.
:rfc:`3597` - A. Gustafsson. *Handling of Unknown DNS Resource Record (RR) Types.* :rfc:`3597` - A. Gustafsson. *Handling of Unknown DNS Resource Record (RR) Types.*
September 2003. September 2003.
@@ -187,7 +160,7 @@ Clarification.* January 2006.
:rfc:`4398` - S. Josefsson. *Storing Certificates in the Domain Name System (DNS).* March 2006. :rfc:`4398` - S. Josefsson. *Storing Certificates in the Domain Name System (DNS).* March 2006.
:rfc:`4470` - S. Weiler and J. Ihren. *Minimally covering NSEC Records and :rfc:`4470` - S. Weiler and J. Ihren. *Minimally covering NSEC Records and
DNSSEC On-line Signing.* April 2006. [5] DNSSEC On-line Signing.* April 2006. [#rfc4470]_
:rfc:`4509` - W. Hardaker. *Use of SHA-256 in DNSSEC Delegation Signer :rfc:`4509` - W. Hardaker. *Use of SHA-256 in DNSSEC Delegation Signer
(DS) Resource Records (RRs).* May 2006. (DS) Resource Records (RRs).* May 2006.
@@ -201,19 +174,28 @@ Code, Secure Hash Algorithm) TSIG Algorithm Identifiers.* August 2006.
(RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID (RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID
RR).* October 2006. RR).* October 2006.
:rfc:`4955` - D. Blacka. *DNS Security (DNSSEC) Experiments.* July 2007. [6] :rfc:`4955` - D. Blacka. *DNS Security (DNSSEC) Experiments.* July 2007. [#rfc4955]_
:rfc:`5001` - R. Austein. *DNS Name Server Identifier (NSID) Option.* August 2007. :rfc:`5001` - R. Austein. *DNS Name Server Identifier (NSID) Option.* August 2007.
:rfc:`5011` - M. StJohns. *Automated Updates of DNS Security (DNSSEC) Trust Anchors.*
:rfc:`5155` - B. Laurie, G. Sisson, R. Arends, and D. Blacka. *DNS Security :rfc:`5155` - B. Laurie, G. Sisson, R. Arends, and D. Blacka. *DNS Security
(DNSSEC) Hashed Authenticated Denial of Existence.* March 2008. (DNSSEC) Hashed Authenticated Denial of Existence.* March 2008.
:rfc:`5205` - P. Nikander and J. Laganier. *Host Identity Protocol (HIP)
Domain Name System (DNS) Extension.* April 2008.
:rfc:`5452` - A. Hubert and R. van Mook. *Measures for Making DNS More :rfc:`5452` - A. Hubert and R. van Mook. *Measures for Making DNS More
Resilient Against Forged Answers.* January 2009. [7] Resilient Against Forged Answers.* January 2009. [#rfc5452]_
:rfc:`5702` - J. Jansen. *Use of SHA-2 Algorithms with RSA in DNSKEY and :rfc:`5702` - J. Jansen. *Use of SHA-2 Algorithms with RSA in DNSKEY and
RRSIG Resource Records for DNSSEC.* October 2009. RRSIG Resource Records for DNSSEC.* October 2009.
:rfc:`5891` - J. Klensin.
*Internationalized Domain Names in Applications (IDNA): Protocol.*
August 2010
:rfc:`5936` - E. Lewis and A. Hoenes, Ed. *DNS Zone Transfer Protocol (AXFR).* :rfc:`5936` - E. Lewis and A. Hoenes, Ed. *DNS Zone Transfer Protocol (AXFR).*
June 2010. June 2010.
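Review bot: Two entries in this hunk break the "*Title.* Month Year." pattern used by their neighbours: the relocated :rfc:`5011` line ends at the title with no publication date, and the new :rfc:`5891` entry ends with "August 2010" without the closing period. Add the date to the 5011 entry and the period after "August 2010" so the list stays uniform.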
@@ -225,13 +207,13 @@ Addressing of IPv4/IPv6 Translators.* October 2010.
:rfc:`6147` - M. Bagnulo, A. Sullivan, P. Matthews, and I. van Beijnum. :rfc:`6147` - M. Bagnulo, A. Sullivan, P. Matthews, and I. van Beijnum.
*DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to *DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to
IPv4 Servers.* April 2011. [8] IPv4 Servers.* April 2011. [#rfc6147]_
:rfc:`6604` - D. Eastlake, 3rd. *xNAME RCODE and Status Bits Clarification.* :rfc:`6604` - D. Eastlake, 3rd. *xNAME RCODE and Status Bits Clarification.*
April 2012. April 2012.
:rfc:`6605` - P. Hoffman and W. C. A. Wijngaards. *Elliptic Curve Digital :rfc:`6605` - P. Hoffman and W. C. A. Wijngaards. *Elliptic Curve Digital
Signature Algorithm (DSA) for DNSSEC.* April 2012. [9] Signature Algorithm (DSA) for DNSSEC.* April 2012. [#rfc6605]_
:rfc:`6672` - S. Rose and W. Wijngaards. *DNAME Redirection in the DNS.* :rfc:`6672` - S. Rose and W. Wijngaards. *DNAME Redirection in the DNS.*
June 2012. June 2012.
@@ -241,88 +223,37 @@ Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA.*
August 2012. August 2012.
:rfc:`6725` - S. Rose. *DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry :rfc:`6725` - S. Rose. *DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry
Updates.* August 2012. [10] Updates.* August 2012. [#rfc6725]_
:rfc:`6742` - RJ Atkinson, SN Bhatti, U. St. Andrews, and S. Rose. *DNS
Resource Records for the Identifier-Locator Network Protocol (ILNP).*
November 2012.
:rfc:`6840` - S. Weiler, Ed., and D. Blacka, Ed. *Clarifications and :rfc:`6840` - S. Weiler, Ed., and D. Blacka, Ed. *Clarifications and
Implementation Notes for DNS Security (DNSSEC).* February 2013. [11] Implementation Notes for DNS Security (DNSSEC).* February 2013. [#rfc6840]_
:rfc:`7050` - T. Savolainen, J. Korhonen, and D. Wing. *Discovery of the IPv6 :rfc:`6891` - J. Damas, M. Graff, and P. Vixie. *Extension Mechanisms for DNS
Prefix Used for IPv6 Address Synthesis.* November 2013. [21] (EDNS(0)).* April 2013.
:rfc:`7344` - W. Kumari, O. Gudmundsson, and G. Barwood. *Automating DNSSEC
Delegation Trust Maintenance.* September 2014. [12]
:rfc:`7477` - W. Hardaker. *Child-to-Parent Synchronization in DNS.* March
2015.
:rfc:`7766` - J. Dickinson, S. Dickinson, R. Bellis, A. Mankin, and D.
Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016.
:rfc:`7828` - P. Wouters, J. Abley, S. Dickinson, and R. Bellis.
*The edns-tcp-keepalive EDNS0 Option.* April 2016.
:rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [13]
:rfc:`8078` - O. Gudmundsson and P. Wouters. *Managing DS Records from the
Parent via CDS/CDNSKEY.* March 2017. [22]
:rfc:`8080` - O. Sury and R. Edmonds. *Edwards-Curve Digital Security Algorithm
(EdDSA) for DNSSEC.* February 2017.
:rfc:`8880` - S. Cheshire and D. Schinazi. *Special Use Domain Name
'ipv4only.arpa'.* August 2020.
:rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements
and Usage Guidance for DNSSEC.* June 2019.
:rfc:`8749` - W. Mekking and D. Mahoney. *Moving DNSSEC Lookaside Validation
(DLV) to Historic Status.* March 2020.
Informational RFCs
------------------
:rfc:`1535` - E. Gavron. *A Security Problem and Proposed Correction With Widely
Deployed DNS Software.* October 1993.
:rfc:`1536` - A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. *Common DNS
Implementation Errors and Suggested Fixes.* October 1993.
:rfc:`1706` - B. Manning and R. Colella. *DNS NSAP Resource Records.* October 1994.
:rfc:`1912` - D. Barr. *Common DNS Operational and Configuration Errors.* February
1996.
:rfc:`2230` - R. Atkinson. *Key Exchange Delegation Record for the DNS.* November
1997.
:rfc:`3363` - R. Bush, A. Durand, B. Fink, O. Gudmundsson, and T. Hain.
*Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name
System (DNS).* August 2002. [14]
:rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens.
*Basic Socket Interface Extensions for IPv6.* March 2003.
:rfc:`3496` - A. G. Malis and T. Hsiao. *Protocol Extension for Support of
Asynchronous Transfer Mode (ATM) Service Class-aware Multiprotocol Label
Switching (MPLS) Traffic Engineering.* March 2003.
:rfc:`3833` - D. Atkins and R. Austein. *Threat Analysis of the Domain Name System
(DNS).* August 2004.
:rfc:`4074` - Y. Morishita and T. Jinmei. *Common Misbehavior Against DNS Queries for
IPv6 Addresses.* June 2005.
:rfc:`4892` - S. Woolf and D. Conrad. *Requirements for a Mechanism
Identifying a Name Server Instance.* June 2007.
:rfc:`6781` - O. Kolkman, W. Mekking, and R. Gieben. *DNSSEC Operational
Practices, Version 2.* December 2012.
:rfc:`7043` - J. Abley. *Resource Records for EUI-48 and EUI-64 Addresses :rfc:`7043` - J. Abley. *Resource Records for EUI-48 and EUI-64 Addresses
in the DNS.* October 2013. in the DNS.* October 2013.
:rfc:`7129` - R. Gieben and W. Mekking. *Authenticated Denial of Existence :rfc:`7050` - T. Savolainen, J. Korhonen, and D. Wing. *Discovery of the IPv6
in the DNS.* February 2014. Prefix Used for IPv6 Address Synthesis.* November 2013. [#rfc7050]_
:rfc:`7208` - S. Kitterman.
*Sender Policy Framework (SPF) for Authorizing Use of Domains in Email,
Version 1.*
April 2014.
:rfc:`7314` - M. Andrews. *Extension Mechanisms for DNS (EDNS) EXPIRE Option.*
July 2014.
:rfc:`7344` - W. Kumari, O. Gudmundsson, and G. Barwood. *Automating DNSSEC
Delegation Trust Maintenance.* September 2014. [#rfc7344]_
:rfc:`7477` - W. Hardaker. *Child-to-Parent Synchronization in DNS.* March
2015.
:rfc:`7553` - P. Faltstrom and O. Kolkman. *The Uniform Resource Identifier :rfc:`7553` - P. Faltstrom and O. Kolkman. *The Uniform Resource Identifier
(URI) DNS Resource Record.* June 2015. (URI) DNS Resource Record.* June 2015.
@@ -330,34 +261,48 @@ in the DNS.* February 2014.
:rfc:`7583` - S. Morris, J. Ihren, J. Dickinson, and W. Mekking. *DNSSEC Key :rfc:`7583` - S. Morris, J. Ihren, J. Dickinson, and W. Mekking. *DNSSEC Key
Rollover Timing Considerations.* October 2015. Rollover Timing Considerations.* October 2015.
Experimental RFCs :rfc:`7766` - J. Dickinson, S. Dickinson, R. Bellis, A. Mankin, and D.
----------------- Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016.
:rfc:`1183` - C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris. *New DNS RR :rfc:`7828` - P. Wouters, J. Abley, S. Dickinson, and R. Bellis.
Definitions.* October 1990. *The edns-tcp-keepalive EDNS0 Option.* April 2016.
:rfc:`1712` - C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. *DNS Encoding of :rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [#rfc7830]_
Geographical Location.* November 1994.
:rfc:`1876` - C. Davis, P. Vixie, T. Goodwin, and I. Dickinson. *A Means for Expressing :rfc:`7858` - Z. Hu, L. Zhu, J. Heidemann, A. Mankin, D. Wessels,
Location Information in the Domain Name System.* January 1996. and P. Hoffman. *Specification for DNS over Transport Layer Security (TLS).*
May 2016. [#noencryptedfwd]_
:rfc:`3123` - P. Koch. *A DNS RR Type for Lists of Address Prefixes (APL RR).* June
2001.
:rfc:`5205` - P. Nikander and J. Laganier. *Host Identity Protocol (HIP)
Domain Name System (DNS) Extension.* April 2008.
:rfc:`6742` - RJ Atkinson, SN Bhatti, U. St. Andrews, and S. Rose. *DNS
Resource Records for the Identifier-Locator Network Protocol (ILNP).*
November 2012.
:rfc:`7314` - M. Andrews. *Extension Mechanisms for DNS (EDNS) EXPIRE Option.*
July 2014.
:rfc:`7929` - P. Wouters. *DNS-Based Authentication of Named Entities (DANE) :rfc:`7929` - P. Wouters. *DNS-Based Authentication of Named Entities (DANE)
Bindings for OpenPGP.* August 2016. Bindings for OpenPGP.* August 2016.
:rfc:`8078` - O. Gudmundsson and P. Wouters. *Managing DS Records from the
Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_
:rfc:`8080` - O. Sury and R. Edmonds. *Edwards-Curve Digital Security Algorithm
(EdDSA) for DNSSEC.* February 2017.
:rfc:`8484` - P. Hoffman and P. McManus. *DNS Queries over HTTPS (DoH).*
October 2018. [#noencryptedfwd]_
:rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements
and Usage Guidance for DNSSEC.* June 2019.
:rfc:`8659` - P. Hallam-Baker, R. Stradling, and J. Hoffman-Andrews.
*DNS Certification Authority Authorization (CAA) Resource Record.*
November 2019.
:rfc:`8880` - S. Cheshire and D. Schinazi. *Special Use Domain Name
'ipv4only.arpa'.* August 2020.
:rfc:`8945` - F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson,
and B. Wellington.
*Secret Key Transaction Authentication for DNS (TSIG).*
November 2020.
:rfc:`9103` - W. Toorop, S. Dickinson, S. Sahib, P. Aras, and A. Mankin.
*DNS Zone Transfer over TLS.* August 2021. [#rfc9103]_
Best Current Practice RFCs Best Current Practice RFCs
-------------------------- --------------------------
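Review bot: The new :rfc:`7858`, :rfc:`8484` and :rfc:`9103` entries are listed alongside fully supported specifications, with their limits visible only through the [#noencryptedfwd]_ and [#rfc9103]_ markers. Those limits are security-relevant: per the notes added further down, forwarding over encrypted transports is not supported, and zone transfer over TLS has neither Strict TLS nor Mutual TLS authentication. Consider repeating these caveats where the TLS transport options are documented, so an operator does not infer authenticated zone transfers from this list alone.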
@@ -368,7 +313,7 @@ October 1997.
March 1998. March 1998.
:rfc:`2606` - D. Eastlake, 3rd and A. Panitz. *Reserved Top Level DNS Names.* June :rfc:`2606` - D. Eastlake, 3rd and A. Panitz. *Reserved Top Level DNS Names.* June
1999. [15] 1999. [#rfc2606]_
:rfc:`3901` - A. Durand and J. Ihren. *DNS IPv6 Transport Operational Guidelines.* :rfc:`3901` - A. Durand and J. Ihren. *DNS IPv6 Transport Operational Guidelines.*
September 2004. September 2004.
@@ -383,167 +328,119 @@ Locally-Served DNS Zones Registry.* May 2016.
:rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS :rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS
Servers: Failure to Communicate.* September 2020. Servers: Failure to Communicate.* September 2020.
Historic RFCs For Your Information
------------- --------------------
:rfc:`2874` - M. Crawford and C. Huitema. *DNS Extensions to Support IPv6 Address
Aggregation and Renumbering.* July 2000. [4]
:rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation
(DLV) DNS Resource Record.* February 2006.
RFCs of Type "Unknown"
----------------------
:rfc:`1101` - P. Mockapetris. *DNS Encoding of Network Names and Other Types.* :rfc:`1101` - P. Mockapetris. *DNS Encoding of Network Names and Other Types.*
April 1989. April 1989.
Obsoleted and Unimplemented Experimental RFCs :rfc:`1123` - R. Braden. *Requirements for Internet Hosts - Application and
--------------------------------------------- Support.* October 1989.
:rfc:`1521` - N. Borenstein and N. Freed. *MIME (Multipurpose Internet Mail :rfc:`1535` - E. Gavron. *A Security Problem and Proposed Correction With Widely
Extensions) Part One: Mechanisms for Specifying and Describing the Format of Deployed DNS Software.* October 1993.
Internet Message Bodies.* September 1993 [16]
:rfc:`1750` - D. Eastlake, 3rd, S. Crocker, and J. Schiller. *Randomness :rfc:`1536` - A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. *Common DNS
Recommendations for Security.* December 1994. Implementation Errors and Suggested Fixes.* October 1993.
:rfc:`2535` - D. Eastlake, 3rd. *Domain Name System Security Extensions.* :rfc:`1912` - D. Barr. *Common DNS Operational and Configuration Errors.* February
March 1999. [17] [18] 1996.
:rfc:`2537` - D. Eastlake, 3rd. *RSA/MD5 KEYs and SIGs in the Domain Name System :rfc:`2874` - M. Crawford and C. Huitema. *DNS Extensions to Support IPv6 Address
(DNS).* March 1999. Aggregation and Renumbering.* July 2000. [#rfc2874]_
:rfc:`2538` - D. Eastlake, 3rd and O. Gudmundsson. *Storing Certificates in the Domain :rfc:`3833` - D. Atkins and R. Austein. *Threat Analysis of the Domain Name System
Name System (DNS).* March 1999. (DNS).* August 2004.
:rfc:`2671` - P. Vixie. *Extension Mechanisms for DNS (EDNS0).* August 1999. :rfc:`4074` - Y. Morishita and T. Jinmei. *Common Misbehavior Against DNS Queries for
IPv6 Addresses.* June 2005.
:rfc:`2672` - M. Crawford. *Non-Terminal DNS Name Redirection.* August 1999. :rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation
(DLV) DNS Resource Record.* February 2006. [#rfc4431]_
:rfc:`2673` - M. Crawford. *Binary Labels in the Domain Name System.* August 1999. :rfc:`4892` - S. Woolf and D. Conrad. *Requirements for a Mechanism
Identifying a Name Server Instance.* June 2007.
:rfc:`2915` - M. Mealling and R. Daniel. *The Naming Authority Pointer (NAPTR) DNS :rfc:`6781` - O. Kolkman, W. Mekking, and R. Gieben. *DNSSEC Operational
Resource Record.* September 2000. Practices, Version 2.* December 2012.
:rfc:`3008` - B. Wellington. *Domain Name System Security (DNSSEC) Signing :rfc:`7129` - R. Gieben and W. Mekking. *Authenticated Denial of Existence
Authority.* November 2000. in the DNS.* February 2014.
:rfc:`3152` - R. Bush. *Delegation of IP6.ARPA.* August 2001. :rfc:`8749` - W. Mekking and D. Mahoney. *Moving DNSSEC Lookaside Validation
(DLV) to Historic Status.* March 2020.
:rfc:`3445` - D. Massey and S. Rose. *Limiting the Scope of the KEY Resource Record
(RR).* December 2002.
:rfc:`3490` - P. Faltstrom, P. Hoffman, and A. Costello. *Internationalizing Domain Names
in Applications (IDNA).* March 2003. [19]
:rfc:`3491` - P. Hoffman and M. Blanchet. *Nameprep: A Stringprep Profile for
Internationalized Domain Names (IDN).* March 2003. [19]
:rfc:`3655` - B. Wellington and O. Gudmundsson. *Redefinition of DNS Authenticated
Data (AD) Bit.* November 2003.
:rfc:`3658` - O. Gudmundsson. *Delegation Signer (DS) Resource Record (RR).*
December 2003.
:rfc:`3755` - S. Weiler. *Legacy Resolver Compatibility for Delegation Signer
(DS).* May 2004.
:rfc:`3757` - O. Kolkman, J. Schlyter, and E. Lewis. *Domain Name System KEY (DNSKEY)
Resource Record (RR) Secure Entry Point (SEP) Flag.* May 2004.
:rfc:`3845` - J. Schlyter. *DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format.*
August 2004.
:rfc:`4294` - J. Loughney, Ed. *IPv6 Node Requirements.* [20]
:rfc:`4408` - M. Wong and W. Schlitt. *Sender Policy Framework (SPF) for
Authorizing Use of Domains in E-Mail, Version 1.* April 2006.
:rfc:`5966` - R. Bellis. *DNS Transport Over TCP - Implementation
Requirements.* August 2010.
:rfc:`6844` - P. Hallam-Baker and R. Stradling. *DNS Certification Authority
Authorization (CAA) Resource Record.* January 2013.
:rfc:`6944` - S. Rose. *Applicability Statement: DNS Security (DNSSEC) DNSKEY
Algorithm Implementation Status.* April 2013.
RFCs No Longer Supported in BIND 9
----------------------------------
:rfc:`2536` - D. Eastlake, 3rd. *DSA KEYs and SIGs in the Domain Name System
(DNS).* March 1999.
Notes Notes
~~~~~ ~~~~~
[1] Queries to zones that have failed to load return SERVFAIL rather .. [#rfc1035_1] Queries to zones that have failed to load return SERVFAIL rather
than a non-authoritative response. This is considered a feature. than a non-authoritative response. This is considered a feature.
[2] CLASS ANY queries are not supported. This is considered a .. [#rfc1035_2] CLASS ANY queries are not supported. This is considered a
feature. feature.
[3] When receiving a query signed with a SIG(0), the server is .. [#rfc2931] When receiving a query signed with a SIG(0), the server is
only able to verify the signature if it has the key in its local only able to verify the signature if it has the key in its local
authoritative data; it cannot do recursion or validation to authoritative data; it cannot do recursion or validation to
retrieve unknown keys. retrieve unknown keys.
[4] Compliance is with loading and serving of A6 records only. A6 records were moved .. [#rfc2874] Compliance is with loading and serving of A6 records only.
to the experimental category by :rfc:`3363`. A6 records were moved to the experimental category by :rfc:`3363`.
[5] Minimally Covering NSEC records are accepted but not generated. .. [#rfc4431] Compliance is with loading and serving of DLV records only.
DLV records were moved to the historic category by :rfc:`8749`.
[6] BIND 9 interoperates with correctly designed experiments. .. [#rfc4470] Minimally Covering NSEC records are accepted but not generated.
[7] ``named`` only uses ports to extend the ID space; addresses are not .. [#rfc4955] BIND 9 interoperates with correctly designed experiments.
used.
[8] Section 5.5 does not match reality. ``named`` uses the presence .. [#rfc5452] ``named`` only uses ports to extend the ID space; addresses are not
of DO=1 to detect if validation may be occurring. CD has no bearing used.
on whether validation occurs.
[9] Compliance is conditional on the OpenSSL library being linked against .. [#rfc6147] Section 5.5 does not match reality. ``named`` uses the presence
a supporting ECDSA. of DO=1 to detect if validation may be occurring. CD has no bearing
on whether validation occurs.
[10] RSAMD5 support has been removed. See :rfc:`6944`. .. [#rfc6605] Compliance is conditional on the OpenSSL library being linked against
a supporting ECDSA.
[11] Section 5.9 - Always set CD=1 on queries. This is *not* done, as .. [#rfc6725] RSAMD5 support has been removed. See :rfc:`8624`.
it prevents DNSSEC from working correctly through another recursive server.
When talking to a recursive server, the best algorithm is to send .. [#rfc6840] Section 5.9 - Always set CD=1 on queries. This is *not* done, as
CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive it prevents DNSSEC from working correctly through another recursive server.
server has a bad clock and/or bad trust anchor. Alternatively, one
can send CD=1 then CD=0 on validation failure, in case the recursive
server is under attack or there is stale/bogus authoritative data.
[12] Updating of parent zones is not yet implemented. When talking to a recursive server, the best algorithm is to send
CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive
server has a bad clock and/or bad trust anchor. Alternatively, one
can send CD=1 then CD=0 on validation failure, in case the recursive
server is under attack or there is stale/bogus authoritative data.
[13] ``named`` does not currently encrypt DNS requests, so the PAD option .. [#rfc7344] Updating of parent zones is not yet implemented.
is accepted but not returned in responses.
[14] Section 4 is ignored. .. [#rfc7830] ``named`` does not currently encrypt DNS requests, so the PAD option
is accepted but not returned in responses.
[15] This does not apply to DNS server implementations. .. [#rfc3363] Section 4 is ignored.
[16] Only the Base 64 encoding specification is supported. .. [#rfc2606] This does not apply to DNS server implementations.
[17] Wildcard records are not supported in DNSSEC secure zones. .. [#rfc1521] Only the Base 64 encoding specification is supported.
[18] Servers authoritative for secure zones being resolved by BIND .. [#idna] BIND 9 requires ``--with-libidn2`` to enable entry of IDN labels within
9 must support EDNS0 (:rfc:`2671`), and must return all relevant SIGs dig, host, and nslookup at compile time. ACE labels are supported
and NXTs in responses, rather than relying on the resolving server everywhere with or without ``--with-libidn2``.
to perform separate queries for missing SIGs and NXTs.
[19] BIND 9 requires ``--with-libidn2`` to enable entry of IDN labels within .. [#rfc4294] Section 5.1 - DNAME records are fully supported.
dig, host, and nslookup at compile time. ACE labels are supported
everywhere with or without ``--with-libidn2``.
[20] Section 5.1 - DNAME records are fully supported. .. [#rfc7050] RFC 7050 is updated by RFC 8880.
[21] RFC 7050 is updated by RFC 8880. .. [#noencryptedfwd] Forwarding DNS queries over encrypted transports is not
supported yet.
[22] Updating of parent zones is not yet implemented. .. [#rfc8078] Updating of parent zones is not yet implemented.
.. [#rfc9103] Strict TLS and Mutual TLS authentication mechanisms are
not supported yet.
.. _internet_drafts: .. _internet_drafts:
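Review bot: The rewritten Notes block defines [#rfc1521], [#idna] and [#rfc4294], but the entries that carried the old [16], [19] and [20] markers (:rfc:`1521`, :rfc:`3490`, :rfc:`3491` and :rfc:`4294`) are deleted in this same hunk, and no added line in the diff references the new labels. Either drop these three footnote definitions or attach them to a surviving entry, for example [#idna]_ on the new :rfc:`5891` line if the ``--with-libidn2`` caveat still applies there.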
@@ -557,11 +454,3 @@ archival, and they should not be quoted or cited in any formal documents
unless accompanied by the disclaimer that they are "works in progress." unless accompanied by the disclaimer that they are "works in progress."
IDs have a lifespan of six months, after which they are deleted unless IDs have a lifespan of six months, after which they are deleted unless
updated by their authors. updated by their authors.
.. _more_about_bind:
Other Documents About BIND
~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Albitz and Cricket Liu. *DNS and BIND.* Copyright 1998 Sebastopol, CA: O'Reilly and
Associates.
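Review bot: Check for remaining ``:ref:`` uses of ``more_about_bind`` before merging, because the ``.. _more_about_bind:`` label is removed at the end of this hunk and any leftover reference becomes an unresolved cross-reference in the Sphinx build. The Albitz and Liu entry is also dropped with no replacement; if that is intentional, the commit message should say so.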

View File

@@ -1,196 +0,0 @@
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
BIND 9 is striving for strict compliance with IETF standards. We
believe this release of BIND 9 complies with the following RFCs, with
the caveats and exceptions listed in the numbered notes below. Note
that a number of these RFCs do not have the status of Internet
standards but are proposed or draft standards, experimental RFCs,
or Best Current Practice (BCP) documents. The list is non exhaustive.
RFC1034
RFC1035 [1] [2]
RFC1101
RFC1123
RFC1183
RFC1521 [16]
RFC1535
RFC1536
RFC1706
RFC1712
RFC1750
RFC1876
RFC1982
RFC1995
RFC1996
RFC2136
RFC2163
RFC2181
RFC2230
RFC2308
RFC2539
RFC2606 [17]
RFC2782
RFC2845
RFC2874 [18]
RFC2915
RFC2930
RFC2931 [5]
RFC3007
RFC3110
RFC3123
RFC3225
RFC3226
RFC3363 [6]
RFC3490 [7]
RFC3491 (Obsoleted by 5890, 5891) [7]
RFC3493
RFC3496
RFC3597
RFC3645
RFC4025
RFC4033
RFC4034
RFC4035
RFC4074
RFC4255
RFC4294 - Section 5.1 [8]
RFC4343
RFC4398
RFC4408
RFC4431
RFC4470 [9]
RFC4509
RFC4592
RFC4635
RFC4701
RFC4892
RFC4955 [10]
RFC5001
RFC5011
RFC5155
RFC5205
RFC5452 [11]
RFC5702
RFC5936
RFC5952
RFC5966
RFC6052
RFC6147 [12]
RFC6303
RFC6604
RFC6605 [13]
RFC6672
RFC6698
RFC6742
RFC6725 [19]
RFC6840 [14]
RFC6844
RFC6891
RFC6944
RFC7043
RFC7050 [21]
RFC7314
RFC7344 [20]
RFC7477
RFC7553
RFC7793
RFC7830 [15]
RFC7929
RFC8078 [20]
RFC8080
RFC8880
No longer supported
RFC2536
The following DNS related RFC have been obsoleted
RFC2535 (Obsoleted by 4034, 4035) [3] [4]
RFC2537 (Obsoleted by 3110) [19]
RFC2538 (Obsoleted by 4398)
RFC2671 (Obsoleted by 6891)
RFC2672 (Obsoleted by 6672)
RFC2673 (Obsoleted by 6891)
RFC3008 (Obsoleted by 4034, 4035)
RFC3152 (Obsoleted by 3596)
RFC3445 (Obsoleted by 4034, 4035)
RFC3655 (Obsoleted by 4034, 4035)
RFC3658 (Obsoleted by 4034, 4035)
RFC3755 (Obsoleted by 4034, 4035)
RFC3757 (Obsoleted by 4034, 4035)
RFC3845 (Obsoleted by 4034, 4035)
[1] Queries to zones that have failed to load return SERVFAIL rather
than a non-authoritative response. This is considered a feature.
[2] CLASS ANY queries are not supported. This is considered a
feature.
[3] Wildcard records are not supported in DNSSEC secure zones.
[4] Servers authoritative for secure zones being resolved by BIND
9 must support EDNS0 (RFC2671), and must return all relevant SIGs
and NXTs in responses rather than relying on the resolving server
to perform separate queries for missing SIGs and NXTs.
[5] When receiving a query signed with a SIG(0), the server will
only be able to verify the signature if it has the key in its local
authoritative data; it will not do recursion or validation to
retrieve unknown keys.
[6] Section 4 is ignored.
[7] Requires --with-libidn2 to enable entry of IDN labels within dig,
host and nslookup at compile time. ACE labels are supported
everywhere with or without --with-libidn2.
[8] Section 5.1 - DNAME records are fully supported.
[9] Minimally Covering NSEC Record are accepted but not generated.
[10] Will interoperate with correctly designed experiments.
[11] Named only uses ports to extend the id space, address are not
used.
[12] Section 5.5 does not match reality. Named uses the presence
of DO=1 to detect if validation may be occurring. CD has no bearing
on whether validation is occurring or not.
[13] Conditional on the OpenSSL library being linked against
supporting ECDSA.
[14] Section 5.9 - Always set CD=1 on queries. This is *not* done as
it prevents DNSSEC working correctly through another recursive server.
When talking to a recurive server the best algorithm to do is send
CD=0 and then send CD=1 iff SERVFAIL is returned in case the recurive
server has a bad clock and/or bad trust anchor. Alternatively one
can send CD=1 then CD=0 on validation failure in case the recursive
server is under attack or there is stale / bogus authoritative data.
[15] Named doesn't currently encrypt DNS requests so the PAD option
is accepted but not returned in responses.
[16] Only the Base 64 encoding specification.
[17] Not applicable to DNS server implementations.
[18] Loading and serving of A6 records only. A6 records were moved
to the experimental category by RFC3363.
[19] RSAMD5 support has been removed. See RFC 6944.
[20] Updating of parent zones is not yet implemented.
[21] RFC 7050 is updated by RFC 8880
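Review bot: Confirm that the caveats with security or operational impact in this deleted file each have an equivalent footnote in the consolidated list, since this hunk alone does not show where they went. The ones worth checking by hand are [14] (CD=1 is deliberately not always set, contrary to Section 5.9 of RFC6840), [12] (DO=1 rather than CD is used to detect whether validation may be occurring), [5] (SIG(0) signatures are verified only against keys in local authoritative data) and [11] (only ports, not addresses, are used to extend the ID space). The "No longer supported" entry for RFC2536 and note [19] on the removal of RSAMD5 should likewise remain discoverable, so readers can still tell which algorithms the server no longer handles.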