rfc-compliance revision 483f1611fcc53d0f9eafee85b885a0c0bfedf418
Copyright (C) 2004, 2015 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
BIND 9 is striving for strict compliance with IETF standards. We
believe this release of BIND 9 complies with the following RFCs, with
the caveats and exceptions listed in the numbered notes below. Note
that a number of these RFCs do not have the status of Internet
standards but are proposed or draft standards, experimental RFCs,
or Best Current Practice (BCP) documents. The list is non-exhaustive.
 RFC1035 [1] [2]
 RFC2931 [5]
 RFC3363 [6]
 RFC3490 [7]
 RFC3491 (Obsoleted by 5890, 5891) [7]
 RFC4294 - Section 5.1 [8]
 RFC4470 [9]
 RFC4955 [10]
 RFC5452 [11]
 RFC5933 [12]
 RFC6147 [13]
 RFC6605 [14]
 RFC6840 [15]
The following DNS-related RFCs have been obsoleted:
 RFC2535 (Obsoleted by 4034, 4035) [3] [4]
 RFC2537 (Obsoleted by 3110)
 RFC2538 (Obsoleted by 4398)
 RFC2671 (Obsoleted by 6891)
 RFC2672 (Obsoleted by 6672)
 RFC2673 (Obsoleted by 6891)
 RFC3008 (Obsoleted by 4034, 4035)
 RFC3152 (Obsoleted by 3596)
 RFC3445 (Obsoleted by 4034, 4035)
 RFC3655 (Obsoleted by 4034, 4035)
 RFC3658 (Obsoleted by 4034, 4035)
 RFC3755 (Obsoleted by 4034, 4035)
 RFC3757 (Obsoleted by 4034, 4035)
 RFC3845 (Obsoleted by 4034, 4035)
[1] Queries to zones that have failed to load return SERVFAIL rather
than a non-authoritative response. This is considered a feature.
[2] CLASS ANY queries are not supported. This is considered a
[3] Wildcard records are not supported in DNSSEC secure zones.
[4] Servers authoritative for secure zones being resolved by BIND
9 must support EDNS0 (RFC2671), and must return all relevant SIGs
and NXTs in responses rather than relying on the resolving server
to perform separate queries for missing SIGs and NXTs.
[5] When receiving a query signed with a SIG(0), the server will
only be able to verify the signature if it has the key in its local
authoritative data; it will not do recursion or validation to
retrieve unknown keys.
[6] Section 4 is ignored.
[7] Requires --with-idn at compile time to enable entry of IDN labels
within dig, host and nslookup. ACE labels are supported
everywhere with or without --with-idn.
[8] Section 5.1 - DNAME records are fully supported.
[9] Minimally Covering NSEC Records are accepted but not generated.
[10] Will interoperate with correctly designed experiments.
[11] Named only uses ports to extend the id space; addresses are not
[12] Conditional on the OpenSSL library being linked against
supporting GOST.
[13] Section 5.5 does not match reality. Named uses the presence
of DO=1 to detect if validation may be occurring. CD has no bearing
on whether validation is occurring or not.
[14] Conditional on the OpenSSL library being linked against
supporting ECDSA.
[15] Section 5.9 - Always set CD=1 on queries. This is *not* done as
it prevents DNSSEC working correctly through another recursive server.
When talking to a recursive server the best algorithm is to send
CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive
server has a bad clock and/or bad trust anchor. Alternatively one
can send CD=1 then CD=0 on validation failure, in case the recursive
server is under attack or there is stale / bogus authoritative data.
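The two CD-bit strategies from note [15], as an added illustration that is not part of this file or of BIND's code. The "upstream" recursive server is a constructed simulation: it validates an RRSIG's time window with its own clock unless the query carries CD=1, and a local validator applies the same check with the client's clock.

```python
# Added example (not BIND's code): CD-bit fallback toward a recursive
# server, as described in note [15]. The upstream is a constructed
# simulation, not a real DNS server, and only the RRSIG validity window
# stands in for full DNSSEC validation.
from dataclasses import dataclass
from typing import Callable, Optional

NOERROR, SERVFAIL = 0, 2


@dataclass(frozen=True)
class Answer:
    rrset: str
    sig_inception: int    # RRSIG validity window, constructed epoch seconds
    sig_expiration: int


@dataclass(frozen=True)
class Response:
    rcode: int
    answer: Optional[Answer] = None


def sig_valid(a: Answer, now: int) -> bool:
    """Temporal part of RRSIG validation, judged with the given clock."""
    return a.sig_inception <= now <= a.sig_expiration


def make_upstream(cached: Answer, upstream_now: int) -> Callable[[bool], Response]:
    """Simulated recursive server: validates with its own clock unless CD=1."""
    def send(cd: bool) -> Response:
        if cd or sig_valid(cached, upstream_now):
            return Response(NOERROR, cached)
        return Response(SERVFAIL)   # upstream's own validation failed
    return send


def cd0_then_cd1(send: Callable[[bool], Response], local_now: int) -> Optional[Answer]:
    """Strategy A: CD=0 first; on SERVFAIL retry with CD=1 and validate
    locally (covers an upstream with a bad clock or bad trust anchor)."""
    r = send(False)
    if r.rcode == SERVFAIL:
        r = send(True)
        if r.answer is None or not sig_valid(r.answer, local_now):
            return None             # bogus by our own validation too
    return r.answer


def cd1_then_cd0(send: Callable[[bool], Response], local_now: int) -> Optional[Answer]:
    """Strategy B: CD=1 first and validate locally; on failure retry with
    CD=0 so the upstream re-validates (covers stale/bogus cached data)."""
    r = send(True)
    if r.answer is not None and sig_valid(r.answer, local_now):
        return r.answer
    r = send(False)
    return r.answer if r.rcode == NOERROR else None
```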