0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark AndrewsCopyright (C) 2001, 2004, 2015, 2016 Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark AndrewsThis Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark AndrewsLicense, v. 2.0. If a copy of the MPL was not distributed with this
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrewsfile, You can obtain one at http://mozilla.org/MPL/2.0/.
6211baaa66d7cac28a21b6426681e597ff04ca9eAndreas GustafssonBIND 9 is striving for strict compliance with IETF standards. We
6211baaa66d7cac28a21b6426681e597ff04ca9eAndreas Gustafssonbelieve this release of BIND 9 complies with the following RFCs, with
6211baaa66d7cac28a21b6426681e597ff04ca9eAndreas Gustafssonthe caveats and exceptions listed in the numbered notes below. Note
6211baaa66d7cac28a21b6426681e597ff04ca9eAndreas Gustafssonthat a number of these RFCs do not have the status of Internet
230f8da57ce436687289c928c209a5b90979dbbaMark Andrewsstandards but are proposed or draft standards, experimental RFCs,
230f8da57ce436687289c928c209a5b90979dbbaMark Andrewsor Best Current Practice (BCP) documents. The list is non exhaustive.
6211baaa66d7cac28a21b6426681e597ff04ca9eAndreas Gustafsson RFC1035 [1] [2]
b63a83eea86edf5a9c72f1a9a9bac076a6ed4501Mark Andrews RFC3491 (Obsoleted by 5890, 5891) [7]
b2b408e4ed56c94e49a4bd3202df546de00b15b0Mark Andrews RFC4294 - Section 5.1 [8]
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews RFC4955 [10]
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews RFC5452 [11]
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews RFC5933 [12]
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews RFC6147 [13]
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews RFC6605 [14]
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews RFC6840 [15]
bf4fe7ca1b9c313200aaefec18ac165ce9efc16bMark Andrews RFC7830 [16]
230f8da57ce436687289c928c209a5b90979dbbaMark AndrewsThe following DNS related RFC have been obsoleted
b2b408e4ed56c94e49a4bd3202df546de00b15b0Mark Andrews RFC2535 (Obsoleted by 4034, 4035) [3] [4]
230f8da57ce436687289c928c209a5b90979dbbaMark Andrews RFC2537 (Obsoleted by 3110)
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews RFC2538 (Obsoleted by 4398)
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews RFC2671 (Obsoleted by 6891)
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews RFC2672 (Obsoleted by 6672)
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews RFC2673 (Obsoleted by 6891)
b2b408e4ed56c94e49a4bd3202df546de00b15b0Mark Andrews RFC3008 (Obsoleted by 4034, 4035)
230f8da57ce436687289c928c209a5b90979dbbaMark Andrews RFC3152 (Obsoleted by 3596)
b2b408e4ed56c94e49a4bd3202df546de00b15b0Mark Andrews RFC3445 (Obsoleted by 4034, 4035)
b2b408e4ed56c94e49a4bd3202df546de00b15b0Mark Andrews RFC3655 (Obsoleted by 4034, 4035)
b2b408e4ed56c94e49a4bd3202df546de00b15b0Mark Andrews RFC3658 (Obsoleted by 4034, 4035)
b2b408e4ed56c94e49a4bd3202df546de00b15b0Mark Andrews RFC3755 (Obsoleted by 4034, 4035)
b2b408e4ed56c94e49a4bd3202df546de00b15b0Mark Andrews RFC3757 (Obsoleted by 4034, 4035)
b2b408e4ed56c94e49a4bd3202df546de00b15b0Mark Andrews RFC3845 (Obsoleted by 4034, 4035)
6211baaa66d7cac28a21b6426681e597ff04ca9eAndreas Gustafsson[1] Queries to zones that have failed to load return SERVFAIL rather
6211baaa66d7cac28a21b6426681e597ff04ca9eAndreas Gustafssonthan a non-authoritative response. This is considered a feature.
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews[2] CLASS ANY queries are not supported. This is considered a
6211baaa66d7cac28a21b6426681e597ff04ca9eAndreas Gustafsson[3] Wildcard records are not supported in DNSSEC secure zones.
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews[4] Servers authoritative for secure zones being resolved by BIND
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews9 must support EDNS0 (RFC2671), and must return all relevant SIGs
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrewsand NXTs in responses rather than relying on the resolving server
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrewsto perform separate queries for missing SIGs and NXTs.
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews[5] When receiving a query signed with a SIG(0), the server will
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrewsonly be able to verify the signature if it has the key in its local
c3a56b9ab3f7ddf433a9d22b6a4e9db42155be4bAndreas Gustafssonauthoritative data; it will not do recursion or validation to
c3a56b9ab3f7ddf433a9d22b6a4e9db42155be4bAndreas Gustafssonretrieve unknown keys.
230f8da57ce436687289c928c209a5b90979dbbaMark Andrews[6] Section 4 is ignored.
230f8da57ce436687289c928c209a5b90979dbbaMark Andrews[7] Requires --with-idn to enable entry of IDN labels within dig,
230f8da57ce436687289c928c209a5b90979dbbaMark Andrewshost and nslookup at compile time. ACE labels are supported
230f8da57ce436687289c928c209a5b90979dbbaMark Andrewseverywhere with or without --with-idn.
b2b408e4ed56c94e49a4bd3202df546de00b15b0Mark Andrews[8] Section 5.1 - DNAME records are fully supported.
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews[9] Minimally Covering NSEC Record are accepted but not generated.
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews[10] Will interoperate with correctly designed experiments.
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews[11] Named only uses ports to extend the id space, address are not
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews[12] Conditional on the OpenSSL library being linked against
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrewssupporting GOST.
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews[13] Section 5.5 does not match reality. Named uses the presence
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrewsof DO=1 to detect if validation may be occuring. CD has no bearing
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrewson whether validation is occuring or not.
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews[14] Conditional on the OpenSSL library being linked against
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrewssupporting ECDSA.
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrews[15] Section 5.9 - Always set CD=1 on queries. This is *not* done as
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrewsit prevents DNSSEC working correctly through another recursive server.
090ba6ff300ccb980e3adfa24f69251efe9db85dMark AndrewsWhen talking to a recurive server the best algorithm to do is send
090ba6ff300ccb980e3adfa24f69251efe9db85dMark AndrewsCD=0 and then send CD=1 iff SERVFAIL is returned in case the recurive
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrewsserver has a bad clock and/or bad trust anchor. Alternatively one
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrewscan send CD=1 then CD=0 on validation failure in case the recursive
090ba6ff300ccb980e3adfa24f69251efe9db85dMark Andrewsserver is under attack or there is stale / bogus authoritative data.
bf4fe7ca1b9c313200aaefec18ac165ce9efc16bMark Andrews[16] Named doesn't currently encrypt DNS requests so the PAD option
bf4fe7ca1b9c313200aaefec18ac165ce9efc16bMark Andrewsis accepted but not returned in responses.