Copyright (C) Internet Systems Consortium, Inc. ("ISC")

See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.

BIND 9 is striving for strict compliance with IETF standards.  We
believe this release of BIND 9 complies with the following RFCs, with
the caveats and exceptions listed in the numbered notes below.  Note
that a number of these RFCs do not have the status of Internet
standards but are proposed or draft standards, experimental RFCs,
or Best Current Practice (BCP) documents.  The list is non-exhaustive.

  RFC1034
  RFC1035 [1] [2]
  RFC1101
  RFC1123
  RFC1183
  RFC1521 [17]
  RFC1535
  RFC1536
  RFC1706
  RFC1712
  RFC1750
  RFC1876
  RFC1982
  RFC1995
  RFC1996
  RFC2136
  RFC2163
  RFC2181
  RFC2230
  RFC2308
  RFC2539
  RFC2606 [18]
  RFC2782
  RFC2845
  RFC2874 [18]
  RFC2915
  RFC2930
  RFC2931 [5]
  RFC3007
  RFC3110
  RFC3123
  RFC3225
  RFC3226
  RFC3363 [6]
  RFC3490 [7]
  RFC3491 (Obsoleted by 5890, 5891) [7]
  RFC3493
  RFC3496
  RFC3597
  RFC3645
  RFC4025
  RFC4033 [19]
  RFC4034
  RFC4035
  RFC4074
  RFC4255
  RFC4294 - Section 5.1 [8]
  RFC4343
  RFC4398
  RFC4408
  RFC4431
  RFC4470 [9]
  RFC4509
  RFC4592
  RFC4635
  RFC4701
  RFC4892
  RFC4955 [10]
  RFC5001
  RFC5011
  RFC5155
  RFC5205
  RFC5452 [11]
  RFC5702
  RFC5933 [12]
  RFC5936
  RFC5952
  RFC5966
  RFC6052
  RFC6147 [13]
  RFC6303
  RFC6604
  RFC6605 [14]
  RFC6672
  RFC6698
  RFC6742
  RFC6725
  RFC6840 [15]
  RFC6844
  RFC6891
  RFC6944
  RFC7043
  RFC7314
  RFC7344 [20]
  RFC7477
  RFC7553
  RFC7793
  RFC7830 [16]
  RFC7929
  RFC8080

The following DNS-related RFCs have been obsoleted:

  RFC2535 (Obsoleted by 4034, 4035) [3] [4]
  RFC2537 (Obsoleted by 3110)
  RFC2538 (Obsoleted by 4398)
  RFC2671 (Obsoleted by 6891)
  RFC2672 (Obsoleted by 6672)
  RFC2673 (Obsoleted by 6891)
  RFC3008 (Obsoleted by 4034, 4035)
  RFC3152 (Obsoleted by 3596)
  RFC3445 (Obsoleted by 4034, 4035)
  RFC3655 (Obsoleted by 4034, 4035)
  RFC3658 (Obsoleted by 4034, 4035)
  RFC3755 (Obsoleted by 4034, 4035)
  RFC3757 (Obsoleted by 4034, 4035)
  RFC3845 (Obsoleted by 4034, 4035)

[1] Queries to zones that have failed to load return SERVFAIL rather
than a non-authoritative response.  This is considered a feature.

[2] CLASS ANY queries are not supported.  This is considered a
feature.

[3] Wildcard records are not supported in DNSSEC secure zones.

[4] Servers authoritative for secure zones being resolved by BIND
9 must support EDNS0 (RFC2671), and must return all relevant SIGs
and NXTs in responses rather than relying on the resolving server
to perform separate queries for missing SIGs and NXTs.

[5] When receiving a query signed with a SIG(0), the server will
only be able to verify the signature if it has the key in its local
authoritative data; it will not do recursion or validation to
retrieve unknown keys.

[6] Section 4 is ignored.

[7] Requires --with-idn to enable entry of IDN labels within dig,
host and nslookup at compile time.  ACE labels are supported
everywhere with or without --with-idn.

[8] Section 5.1 - DNAME records are fully supported.

[9] Minimally Covering NSEC Records are accepted but not generated.

[10] Will interoperate with correctly designed experiments.

[11] Named only uses ports to extend the id space; addresses are not
used.

[12] Conditional on the OpenSSL library being linked against
supporting GOST.

[13] Section 5.5 does not match reality.  Named uses the presence
of DO=1 to detect if validation may be occurring.  CD has no bearing
on whether validation is occurring or not.

[14] Conditional on the OpenSSL library being linked against
supporting ECDSA.

[15] Section 5.9 - Always set CD=1 on queries.  This is *not* done as
it prevents DNSSEC working correctly through another recursive server.

When talking to a recursive server the best algorithm is to send
CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive
server has a bad clock and/or bad trust anchor.  Alternatively one
can send CD=1 then CD=0 on validation failure, in case the recursive
server is under attack or there is stale / bogus authoritative data.

[16] Named doesn't currently encrypt DNS requests so the PAD option
is accepted but not returned in responses.

[17] Only the Base 64 encoding specification.

[18] Not applicable to DNS server implementations.

[19] Loading and serving of A6 records only.  A6 records were moved
to the experimental category by RFC3363.

[20] Updating of parent zones is not yet implemented.
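
The CD=0-then-CD=1 fallback described in note [15], with the DO=1
signalling from note [13], as an added example; this is not code from
BIND 9.  The function names, the stand-in forwarder and the 1232-byte
EDNS buffer size are assumptions made for illustration.

```python
import struct

RD, CD = 0x0100, 0x0010   # header flag bits: Recursion Desired, Checking Disabled
DO = 0x8000               # DNSSEC OK bit in the EDNS0 OPT flags
SERVFAIL = 2
OPT_LEN = 11              # size of the empty OPT record built below

def build_query(qname, qtype=1, cd=False, qid=0x1234):
    """Wire-format query with RD=1, DO=1 and the requested CD bit."""
    header = struct.pack("!HHHHHH", qid, RD | (CD if cd else 0), 1, 0, 0, 1)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN
    # OPT: root name, TYPE 41, CLASS = UDP size (1232 is an assumed value),
    # TTL = extended rcode / version / flags with DO set, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + question + opt

def rcode(msg):
    """Low four bits of the header flags word."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def resolve_via_forwarder(send, qname, qtype=1):
    """send(query_bytes) -> response_bytes (hypothetical transport).
    Returns (response, upstream_validated)."""
    resp = send(build_query(qname, qtype, cd=False))
    if rcode(resp) != SERVFAIL:
        return resp, True
    # SERVFAIL with CD=0 may only mean the forwarder has a bad clock or
    # trust anchor: retry with CD=1; the caller must then validate itself.
    return send(build_query(qname, qtype, cd=True)), False

def make_forwarder(broken_validation):
    """Constructed stand-in for a recursive server; logs each query's CD bit."""
    seen = []
    def send(query):
        qid, flags = struct.unpack("!HH", query[:4])
        seen.append(bool(flags & CD))
        rc = SERVFAIL if broken_validation and not flags & CD else 0
        rflags = 0x8000 | RD | 0x0080 | (flags & CD) | rc   # QR, RD, RA
        return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + query[12:-OPT_LEN]
    return send, seen

if __name__ == "__main__":
    send, seen = make_forwarder(broken_validation=True)
    resp, validated = resolve_via_forwarder(send, "example.com")
    print("CD bits sent:", seen, "rcode:", rcode(resp), "validated upstream:", validated)
```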