Copyright (C) Internet Systems Consortium, Inc. ("ISC")

See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.

BIND 9 is striving for strict compliance with IETF standards.  We
believe this release of BIND 9 complies with the following RFCs, with
the caveats and exceptions listed in the numbered notes below.  Note
that a number of these RFCs do not have the status of Internet
standards but are proposed or draft standards, experimental RFCs,
or Best Current Practice (BCP) documents.  The list is non-exhaustive.

  RFC1034
  RFC1035 [1] [2]
  RFC1101
  RFC1123
  RFC1183
  RFC1521 [17]
  RFC1535
  RFC1536
  RFC1706
  RFC1712
  RFC1750
  RFC1876
  RFC1982
  RFC1995
  RFC1996
  RFC2136
  RFC2163
  RFC2181
  RFC2230
  RFC2308
  RFC2539
  RFC2606 [18]
  RFC2782
  RFC2845
  RFC2874 [18]
  RFC2915
  RFC2930
  RFC2931 [5]
  RFC3007
  RFC3110
  RFC3123
  RFC3225
  RFC3226
  RFC3363 [6]
  RFC3490 [7]
  RFC3491 (Obsoleted by 5890, 5891) [7]
  RFC3493
  RFC3496
  RFC3597
  RFC3645
  RFC4025
  RFC4033 [19]
  RFC4034
  RFC4035
  RFC4074
  RFC4255
  RFC4294 - Section 5.1 [8]
  RFC4343
  RFC4398
  RFC4408
  RFC4431
  RFC4470 [9]
  RFC4509
  RFC4592
  RFC4635
  RFC4701
  RFC4892
  RFC4955 [10]
  RFC5001
  RFC5011
  RFC5155
  RFC5205
  RFC5452 [11]
  RFC5702
  RFC5933 [12]
  RFC5936
  RFC5952
  RFC5966
  RFC6052
  RFC6147 [13]
  RFC6303
  RFC6604
  RFC6605 [14]
  RFC6672
  RFC6698
  RFC6742
  RFC6725
  RFC6840 [15]
  RFC6844
  RFC6891
  RFC6944
  RFC7043
  RFC7314
  RFC7344 [20]
  RFC7477
  RFC7553
  RFC7793
  RFC7830 [16]
  RFC7929
  RFC8080

The following DNS-related RFCs have been obsoleted:

  RFC2535 (Obsoleted by 4034, 4035) [3] [4]
  RFC2537 (Obsoleted by 3110)
  RFC2538 (Obsoleted by 4398)
  RFC2671 (Obsoleted by 6891)
  RFC2672 (Obsoleted by 6672)
  RFC2673 (Obsoleted by 6891)
  RFC3008 (Obsoleted by 4034, 4035)
  RFC3152 (Obsoleted by 3596)
  RFC3445 (Obsoleted by 4034, 4035)
  RFC3655 (Obsoleted by 4034, 4035)
  RFC3658 (Obsoleted by 4034, 4035)
  RFC3755 (Obsoleted by 4034, 4035)
  RFC3757 (Obsoleted by 4034, 4035)
  RFC3845 (Obsoleted by 4034, 4035)

[1] Queries to zones that have failed to load return SERVFAIL rather
than a non-authoritative response.  This is considered a feature.

[2] CLASS ANY queries are not supported.  This is considered a
feature.

[3] Wildcard records are not supported in DNSSEC secure zones.

[4] Servers authoritative for secure zones being resolved by BIND
9 must support EDNS0 (RFC2671), and must return all relevant SIGs
and NXTs in responses rather than relying on the resolving server
to perform separate queries for missing SIGs and NXTs.

[5] When receiving a query signed with a SIG(0), the server will
only be able to verify the signature if it has the key in its local
authoritative data; it will not do recursion or validation to
retrieve unknown keys.

[6] Section 4 is ignored.

[7] Requires --with-idn at compile time to enable entry of IDN
labels within dig, host and nslookup.  ACE labels are supported
everywhere with or without --with-idn.

[8] Section 5.1 - DNAME records are fully supported.

[9] Minimally Covering NSEC Records are accepted but not generated.

[10] Will interoperate with correctly designed experiments.

[11] Named only uses ports to extend the ID space; addresses are not
used.

[12] Conditional on the OpenSSL library being linked against
supporting GOST.

[13] Section 5.5 does not match reality.  Named uses the presence
of DO=1 to detect if validation may be occurring.  CD has no bearing
on whether validation is occurring or not.

[14] Conditional on the OpenSSL library being linked against
supporting ECDSA.

[15] Section 5.9 - Always set CD=1 on queries.  This is *not* done as
it prevents DNSSEC working correctly through another recursive server.

When talking to a recursive server the best algorithm is to send
CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive
server has a bad clock and/or bad trust anchor.  Alternatively one
can send CD=1 then CD=0 on validation failure, in case the recursive
server is under attack or there is stale / bogus authoritative data.

[16] Named doesn't currently encrypt DNS requests so the PAD option
is accepted but not returned in responses.

[17] Only the Base 64 encoding specification.

[18] Not applicable to DNS server implementations.

[19] Loading and serving of A6 records only.  A6 records were moved
to the experimental category by RFC3363.

[20] Updating of parent zones is not yet implemented.

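The CD=0-then-CD=1 strategy from note [15], as an added example that is
not part of BIND 9 or of this file.  The `send` callable, the function
names and the simulated upstream with a bad trust anchor are assumptions
constructed for illustration.

```python
import struct

RD_BIT = 0x0100   # Recursion Desired, DNS header flags
CD_BIT = 0x0010   # Checking Disabled, DNS header flags
DO_BIT = 0x8000   # DNSSEC OK, top bit of the EDNS flags in the OPT record
SERVFAIL = 2

def build_query(qid, name, qtype=1, cd=False):
    """Wire-format query with RD=1, DO=1 and the requested CD bit."""
    flags = RD_BIT | (CD_BIT if cd else 0)
    # Counts: 1 question, 0 answers, 0 authority, 1 additional (the OPT record).
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO, rdlen 0.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, DO_BIT, 0)
    return header + question + opt

def rcode_of(response):
    """RCODE is the low 4 bits of the header flags word."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F

def resolve_via_recursive(send, name, qid=0x1234):
    """Send CD=0 first; retry with CD=1 iff SERVFAIL is returned.

    Returns (response, upstream_checked).  upstream_checked is False when the
    answer was fetched with checking disabled, so validating it is up to the
    caller.  A real client would pick random query IDs; fixed here for the demo.
    """
    response = send(build_query(qid, name, cd=False))
    if rcode_of(response) != SERVFAIL:
        return response, True
    retry_id = (qid + 1) & 0xFFFF
    return send(build_query(retry_id, name, cd=True)), False

def broken_upstream(query):
    """Constructed stand-in for a recursive server with a bad trust anchor:
    SERVFAIL when it validates (CD=0), NOERROR when told not to (CD=1)."""
    qid, flags = struct.unpack("!HH", query[:4])
    rcode = 0 if flags & CD_BIT else SERVFAIL
    out_flags = 0x8080 | (flags & (RD_BIT | CD_BIT)) | rcode  # QR=1, RA=1
    # Echo the question section only (drop the 11-byte OPT record).
    return struct.pack("!HHHHHH", qid, out_flags, 1, 0, 0, 0) + query[12:-11]
```
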