rfc-compliance revision b63a83eea86edf5a9c72f1a9a9bac076a6ed4501
333fe280eb574439ef3f828d8755dd9e243ec855Andreas GustafssonCopyright (C) 2004, 2015 Internet Systems Consortium, Inc. ("ISC")
276e28f813ffef042d5a6e9f3373ef4e2ad37996Mark AndrewsCopyright (C) 2001 Internet Software Consortium.
a6a23642eaf383add7a0be045c01e7dd8278ccafAndreas GustafssonSee COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
848dcebe28e032abfc66e7f10686e1b04a8516feMark AndrewsBIND 9 is striving for strict compliance with IETF standards. We
848dcebe28e032abfc66e7f10686e1b04a8516feMark Andrewsbelieve this release of BIND 9 complies with the following RFCs, with
848dcebe28e032abfc66e7f10686e1b04a8516feMark Andrewsthe caveats and exceptions listed in the numbered notes below. Note
848dcebe28e032abfc66e7f10686e1b04a8516feMark Andrewsthat a number of these RFCs do not have the status of Internet
848dcebe28e032abfc66e7f10686e1b04a8516feMark Andrewsstandards but are proposed or draft standards, experimental RFCs,
58f7af60e79a5aaf58f6a8861c306d4c617fb1d1Mukund Sivaramanor Best Current Practice (BCP) documents. The list is non exhaustive.
848dcebe28e032abfc66e7f10686e1b04a8516feMark Andrews RFC1035 [1] [2]
848dcebe28e032abfc66e7f10686e1b04a8516feMark Andrews RFC3491 (Obsoleted by 5890, 5891) [7]
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater RFC4294 - Section 5.1 [8]
a3edcadfffbe617a419cdbe1bebb95f68a0eda1eMark Andrews RFC4955 [10]
a3edcadfffbe617a419cdbe1bebb95f68a0eda1eMark Andrews RFC5452 [11]
848dcebe28e032abfc66e7f10686e1b04a8516feMark Andrews RFC5933 [12]
848dcebe28e032abfc66e7f10686e1b04a8516feMark Andrews RFC6147 [13]
67adc03ef81fb610f8df093b17f55275ee816754Evan Hunt RFC6605 [14]
67adc03ef81fb610f8df093b17f55275ee816754Evan Hunt RFC6840 [15]
f2016fcecf098726740507a5522dca04c49aeb82Tinderbox UserThe following DNS related RFC have been obsoleted
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater RFC2535 (Obsoleted by 4034, 4035) [3] [4]
7a7a44400d49122d4cc207b43922a7b9c5afe443Automatic Updater RFC2537 (Obsoleted by 3110)
22f0b13f28a7df3b348b18848d0ccd745ea88c3cAndreas Gustafsson RFC2538 (Obsoleted by 4398)
a3edcadfffbe617a419cdbe1bebb95f68a0eda1eMark Andrews RFC2671 (Obsoleted by 6891)
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User RFC2672 (Obsoleted by 6672)
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User RFC2673 (Obsoleted by 6891)
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User RFC3008 (Obsoleted by 4034, 4035)
1e126d80e1b8a0dd541a733283907656424634dcTinderbox User RFC3152 (Obsoleted by 3596)
1e126d80e1b8a0dd541a733283907656424634dcTinderbox User RFC3445 (Obsoleted by 4034, 4035)
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater RFC3655 (Obsoleted by 4034, 4035)
848dcebe28e032abfc66e7f10686e1b04a8516feMark Andrews RFC3658 (Obsoleted by 4034, 4035)
848dcebe28e032abfc66e7f10686e1b04a8516feMark Andrews RFC3755 (Obsoleted by 4034, 4035)
848dcebe28e032abfc66e7f10686e1b04a8516feMark Andrews RFC3757 (Obsoleted by 4034, 4035)
a3edcadfffbe617a419cdbe1bebb95f68a0eda1eMark Andrews RFC3845 (Obsoleted by 4034, 4035)
7be2f6d5df28b207e3e385c555eb4f740150528dTinderbox User[1] Queries to zones that have failed to load return SERVFAIL rather
848dcebe28e032abfc66e7f10686e1b04a8516feMark Andrewsthan a non-authoritative response. This is considered a feature.
a3edcadfffbe617a419cdbe1bebb95f68a0eda1eMark Andrews[2] CLASS ANY queries are not supported. This is considered a
1879ff49326b49a9e4eadaca193c631409bf8575Tinderbox User[3] Wildcard records are not supported in DNSSEC secure zones.
4ca7391e640bd4f0abb31508019d3bd62819fa8eMark Andrews[4] Servers authoritative for secure zones being resolved by BIND
22f0b13f28a7df3b348b18848d0ccd745ea88c3cAndreas Gustafsson9 must support EDNS0 (RFC2671), and must return all relevant SIGs
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updaterand NXTs in responses rather than relying on the resolving server
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updaterto perform separate queries for missing SIGs and NXTs.
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater[5] When receiving a query signed with a SIG(0), the server will
4ca7391e640bd4f0abb31508019d3bd62819fa8eMark Andrewsonly be able to verify the signature if it has the key in its local
22f0b13f28a7df3b348b18848d0ccd745ea88c3cAndreas Gustafssonauthoritative data; it will not do recursion or validation to
a3edcadfffbe617a419cdbe1bebb95f68a0eda1eMark Andrewsretrieve unknown keys.
a3edcadfffbe617a419cdbe1bebb95f68a0eda1eMark Andrews[6] Section 4 is ignored.
e334405421979688f2d838805ac67ee47bd62976Mark Andrews[7] Requires --with-idn to enable entry of IDN labels within dig,
e334405421979688f2d838805ac67ee47bd62976Mark Andrewshost and nslookup at compile time. ACE labels are supported
e334405421979688f2d838805ac67ee47bd62976Mark Andrewseverywhere with or without --with-idn.
e334405421979688f2d838805ac67ee47bd62976Mark Andrews[8] Section 5.1 - DNAME records are fully supported.
e334405421979688f2d838805ac67ee47bd62976Mark Andrews[9] Minimally Covering NSEC Record are accepted but not generated.
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater[10] Will interoperate with correctly designed experiments.
089c63b69cdf6803aa8901aae3f2fbae58969511Automatic Updater[11] Named only uses ports to extend the id space, address are not
36da16fa31fa2a582afe67010ba449a57177fd2fAutomatic Updater[12] Conditional on the OpenSSL library being linked against
a3edcadfffbe617a419cdbe1bebb95f68a0eda1eMark Andrewssupporting GOST.
9ce6056d520aaf5241560fab6ab096c0d4e87b36Automatic Updater[13] Section 5.5 does not match reality. Named uses the presence
ebabe300b615154d08f5577822cfd8726d2643c8Automatic Updaterof DO=1 to detect if validation may be occuring. CD has no bearing
10b865e9187fc77cae02f106ddcc9e03eecdfe06Tinderbox Useron whether validation is occuring or not.
10b865e9187fc77cae02f106ddcc9e03eecdfe06Tinderbox User[14] Conditional on the OpenSSL library being linked against
10b865e9187fc77cae02f106ddcc9e03eecdfe06Tinderbox Usersupporting ECDSA.
10b865e9187fc77cae02f106ddcc9e03eecdfe06Tinderbox User[15] Section 5.9 - Always set CD=1 on queries. This is *not* done as
67adc03ef81fb610f8df093b17f55275ee816754Evan Huntit prevents DNSSEC working correctly through another recursive server.
67adc03ef81fb610f8df093b17f55275ee816754Evan HuntWhen talking to a recurive server the best algorithm to do is send
67adc03ef81fb610f8df093b17f55275ee816754Evan HuntCD=0 and then send CD=1 iff SERVFAIL is returned in case the recurive
67adc03ef81fb610f8df093b17f55275ee816754Evan Huntserver has a bad clock and/or bad trust anchor. Alternatively one
22f0b13f28a7df3b348b18848d0ccd745ea88c3cAndreas Gustafssoncan send CD=1 then CD=0 on validation failure in case the recursive
a3edcadfffbe617a419cdbe1bebb95f68a0eda1eMark Andrewsserver is under attack or there is stale / bogus authoritative data.