BIND 9 RFC Compliance

IETF RFCs and Draft RFCs implemented in BIND 9

BIND 9 is striving for strict compliance with IETF standards. We believe current versions of BIND 9 comply with the following RFCs, with the caveats and exceptions listed in the numbered notes below. Note that a number of these RFCs do not have the status of Internet standards but are proposed or draft standards, experimental RFCs, or Best Current Practice (BCP) documents. The list is non exhaustive.

  • RFC1034
  • RFC1035 [1] [2]
  • RFC1101
  • RFC1123
  • RFC1183
  • RFC1521 [16]
  • RFC1535
  • RFC1536
  • RFC1706
  • RFC1712
  • RFC1750
  • RFC1876
  • RFC1876 A Means for Expressing Location Information in the Domain Name System
  • RFC1982
  • RFC1995
  • RFC1996
  • RFC1996 A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
  • RFC2136
  • RFC2136 Dynamic Updates in the Domain Name System (DNS UPDATE)
  • RFC2163
  • RFC2181
  • RFC2230
  • RFC2308
  • RFC2308 Negative Caching of DNS Queries (DNS NCACHE)
  • RFC2539
  • RFC2606 [17]
  • RFC2782
  • RFC2845
  • RFC2845 Secret Key Transaction Authentication for DNS (TSIG)
  • RFC2874 [18]
  • RFC2915
  • RFC2930
  • RFC2931 [5]
  • RFC3007
  • RFC3110
  • RFC3123
  • RFC3225
  • RFC3226
  • RFC3363 [6]
  • RFC3490 [7]
  • RFC3491 (Obsoleted by 5890, 5891) [7]
  • RFC3493
  • RFC3496
  • RFC3597
  • RFC3645
  • RFC4025
  • RFC4033 [18]
  • RFC4033 DNS Security Introduction and Requirements
  • RFC4034
  • RFC4034 Resource Records for the DNS Security Extensions
  • RFC4035
  • RFC4035 Protocol Modifications for the DNS Security Extensions
  • RFC4074
  • RFC4074 Common Misbehavior Against DNS Queries for IPv6 Addresses
  • RFC4255
  • RFC4294 - Section 5.1 [8]
  • RFC4343
  • RFC4398
  • RFC4408
  • RFC4431
  • RFC4470 [9]
  • RFC4509
  • RFC4592
  • RFC4635
  • RFC4701
  • RFC4892
  • RFC4892 Requirements for a Mechanism Identifying a Name Server Instance
  • RFC4955 [10]
  • RFC5001
  • RFC5001 DNS Name Server Identifier (NSID) Option
  • RFC5011
  • RFC5155
  • RFC5205
  • RFC5452 [11]
  • RFC5702
  • RFC5936
  • RFC5966 DNS Transport over TCP - Implementation Requirements
  • RFC5952
  • RFC5966
  • RFC6052
  • RFC6147 [12]
  • RFC6303 RFC6303 Locally Served DNS Zones
  • RFC6604
  • RFC6605 [13]
  • RFC6672
  • RFC6698
  • RFC6742
  • RFC6725 [19]
  • RFC6840 [14]
  • RFC6844
  • RFC6891
  • RFC6891 Extension Mechanisms for DNS (EDNS(0))
  • RFC6944
  • RFC7043
  • RFC7314
  • RFC7314 Extension Mechanisms for DNS (EDNS) EXPIRE Option
  • RFC7344 [20]
  • RFC7477
  • RFC7553
  • RFC7793
  • RFC7793 Adding 100.64.0.0/10 Prefixes to the IPv4 Locally-Served DNS Zones Registry
  • M. Andrews
  • RFC7830 [15]
  • RFC7929
  • RFC8080

No longer supported

RFC2536

The following DNS related RFC have been obsoleted

  • RFC2535 (Obsoleted by 4034, 4035) [3] [4]
  • RFC2537 (Obsoleted by 3110) [19]
  • RFC2538 (Obsoleted by 4398)
  • RFC2671 (Obsoleted by 6891)
  • RFC2672 (Obsoleted by 6672)
  • RFC2673 (Obsoleted by 6891)
  • RFC3008 (Obsoleted by 4034, 4035)
  • RFC3152 (Obsoleted by 3596)
  • RFC3445 (Obsoleted by 4034, 4035)
  • RFC3655 (Obsoleted by 4034, 4035)
  • RFC3658 (Obsoleted by 4034, 4035)
  • RFC3755 (Obsoleted by 4034, 4035)
  • RFC3757 (Obsoleted by 4034, 4035)
  • RFC3845 (Obsoleted by 4034, 4035)

[1] Queries to zones that have failed to load return SERVFAIL rather than a non-authoritative response. This is considered a feature.

[2] CLASS ANY queries are not supported. This is considered a feature.

[3] Wildcard records are not supported in DNSSEC secure zones.

[4] Servers authoritative for secure zones being resolved by BIND 9 must support EDNS0 (RFC2671), and must return all relevant SIGs and NXTs in responses rather than relying on the resolving server to perform separate queries for missing SIGs and NXTs.

[5] When receiving a query signed with a SIG(0), the server will only be able to verify the signature if it has the key in its local authoritative data; it will not do recursion or validation to retrieve unknown keys.

[6] Section 4 is ignored.

[7] Requires –with-idn to enable entry of IDN labels within dig, host and nslookup at compile time. ACE labels are supported everywhere with or without –with-idn.

[8] Section 5.1 - DNAME records are fully supported.

[9] Minimally Covering NSEC Record are accepted but not generated.

[10] Will interoperate with correctly designed experiments.

[11] Named only uses ports to extend the id space, address are not used.

[12] Section 5.5 does not match reality. Named uses the presence of DO=1 to detect if validation may be occurring. CD has no bearing on whether validation is occurring or not.

[13] Conditional on the OpenSSL library being linked against supporting ECDSA.

[14] Section 5.9 - Always set CD=1 on queries. This is not done as it prevents DNSSEC working correctly through another recursive server.

When talking to a recurive server the best algorithm to do is send CD=0 and then send CD=1 iff SERVFAIL is returned in case the recurive server has a bad clock and/or bad trust anchor. Alternatively one can send CD=1 then CD=0 on validation failure in case the recursive server is under attack or there is stale / bogus authoritative data.

[15] Named doesn’t currently encrypt DNS requests so the PAD option is accepted but not returned in responses.

[16] Only the Base 64 encoding specification.

[17] Not applicable to DNS server implementations.

[18] Loading and serving of A6 records only. A6 records were moved to the experimental category by RFC3363.

[19] RSAMD5 support has been removed. See RFC 6944.

[20] Updating of parent zones is not yet implemented.