Copyright (C) 2001, 2004, 2015, 2016 Internet Systems Consortium, Inc. ("ISC")

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.

BIND 9 is striving for strict compliance with IETF standards. We
believe this release of BIND 9 complies with the following RFCs, with
the caveats and exceptions listed in the numbered notes below. Note
that a number of these RFCs do not have the status of Internet
standards but are proposed or draft standards, experimental RFCs,
or Best Current Practice (BCP) documents. The list is non-exhaustive.

  RFC1035 [1] [2]
  RFC2931 [5]
  RFC3363 [6]
  RFC3490 [7]
  RFC3491 (Obsoleted by 5890, 5891) [7]
  RFC4294 - Section 5.1 [8]
  RFC4470 [9]
  RFC4955 [10]
  RFC5452 [11]
  RFC5933 [12]
  RFC6147 [13]
  RFC6605 [14]
  RFC6840 [15]
  RFC7830 [16]

The following DNS-related RFCs have been obsoleted:

  RFC2535 (Obsoleted by 4034, 4035) [3] [4]
  RFC2537 (Obsoleted by 3110)
  RFC2538 (Obsoleted by 4398)
  RFC2671 (Obsoleted by 6891)
  RFC2672 (Obsoleted by 6672)
  RFC2673 (Obsoleted by 6891)
  RFC3008 (Obsoleted by 4034, 4035)
  RFC3152 (Obsoleted by 3596)
  RFC3445 (Obsoleted by 4034, 4035)
  RFC3655 (Obsoleted by 4034, 4035)
  RFC3658 (Obsoleted by 4034, 4035)
  RFC3755 (Obsoleted by 4034, 4035)
  RFC3757 (Obsoleted by 4034, 4035)
  RFC3845 (Obsoleted by 4034, 4035)

[1] Queries to zones that have failed to load return SERVFAIL rather
than a non-authoritative response. This is considered a feature.

[2] CLASS ANY queries are not supported. This is considered a

[3] Wildcard records are not supported in DNSSEC secure zones.

[4] Servers authoritative for secure zones being resolved by BIND
9 must support EDNS0 (RFC2671), and must return all relevant SIGs
and NXTs in responses rather than relying on the resolving server
to perform separate queries for missing SIGs and NXTs.

[5] When receiving a query signed with a SIG(0), the server will
only be able to verify the signature if it has the key in its local
authoritative data; it will not do recursion or validation to
retrieve unknown keys.

[6] Section 4 is ignored.

[7] Requires --with-idn to enable entry of IDN labels within dig,
host and nslookup at compile time. ACE labels are supported
everywhere with or without --with-idn.

[8] Section 5.1 - DNAME records are fully supported.

[9] Minimally Covering NSEC Records are accepted but not generated.

[10] Will interoperate with correctly designed experiments.

[11] Named only uses ports to extend the id space, addresses are not

[12] Conditional on the OpenSSL library being linked against
supporting GOST.

[13] Section 5.5 does not match reality. Named uses the presence
of DO=1 to detect if validation may be occurring. CD has no bearing
on whether validation is occurring or not.

[14] Conditional on the OpenSSL library being linked against
supporting ECDSA.

[15] Section 5.9 - Always set CD=1 on queries. This is *not* done as
it prevents DNSSEC working correctly through another recursive server.
When talking to a recursive server the best algorithm is to send
CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive
server has a bad clock and/or bad trust anchor. Alternatively one
can send CD=1 then CD=0 on validation failure in case the recursive
server is under attack or there is stale / bogus authoritative data.

[16] Named doesn't currently encrypt DNS requests so the PAD option
is accepted but not returned in responses.
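
The first strategy in note [15] (send CD=0, retry with CD=1 only on
SERVFAIL), sketched as an added example; this is not BIND code. The
function names, the 1232-byte EDNS buffer size and the stand-in
upstream server are assumptions made for the illustration.

```python
import struct

RD, CD = 0x0100, 0x0010   # DNS header flag bits: recursion desired, checking disabled
DO = 0x8000               # DNSSEC OK bit, carried in the EDNS0 OPT TTL field
SERVFAIL = 2

def build_query(qid, name, qtype, cd):
    """Wire-format query with RD=1 and DO=1; CD is set only when asked for."""
    header = struct.pack("!6H", qid, RD | (CD if cd else 0), 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!2H", qtype, 1)          # QCLASS IN
    # OPT pseudo-RR: root owner, TYPE 41, CLASS = UDP size, TTL holds DO, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + question + opt

def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def resolve_with_cd_fallback(send, name, qtype=1, qid=0x1234):
    """send is any callable(bytes) -> bytes. Returns (response, cd_used)."""
    resp = send(build_query(qid, name, qtype, cd=False))
    if rcode(resp) != SERVFAIL:
        return resp, False            # upstream validated (or zone is insecure)
    # SERVFAIL may mean the upstream validator has a bad clock or trust
    # anchor. Retry with CD=1; the caller must now validate the data itself.
    resp = send(build_query((qid + 1) & 0xFFFF, name, qtype, cd=True))
    return resp, True

def broken_validator(query):
    """Constructed upstream: fails validation unless the client sets CD=1."""
    qid, flags = struct.unpack("!2H", query[:4])
    rc = 0 if flags & CD else SERVFAIL
    out_flags = 0x8080 | (flags & (RD | CD)) | rc            # QR=1, RA=1
    # Echo the question section only (drop the 11-byte OPT record).
    return struct.pack("!6H", qid, out_flags, 1, 0, 0, 0) + query[12:-11]

if __name__ == "__main__":
    resp, cd_used = resolve_with_cd_fallback(broken_validator, "example.com")
    print("rcode", rcode(resp), "answered with CD=1:", cd_used)
```
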