List of RFCs¶
Here we provide a list of implemented RFCs, though it may not be 100% complete. Normal users shouldn’t need to look here; they might search the docs instead.
Note that in some cases only part of the RFC is covered, as some parts are optional to a degree or even not relevant to DNS resolvers.
- RFC 1034
Domain Names – Concepts and Facilities
- RFC 1035
Domain Names – Implementation and Specifciation
- RFC 1101
DNS Encoding of Network Names and Other Types
- RFC 1123
Requirements for Internet Hosts – Application and Support
- RFC 1521
MIME (Multipurpose Internet Mail Extensions) Part One: Mechanisms for Specifying and Describing the Format of Internet Message Bodies
- RFC 1876
A Means for Expressing Location Information in the Domain Name System
- RFC 2181
Clarifications to the DNS Specification
- RFC 2230
Key Exchange Delegation Record for the DNS
- RFC 2308
Negative Caching of DNS Queries (DNS NCACHE)
- RFC 2535
Domain Name System Security Extensions
This variant of DNSSEC has been obsolete for many years, but we stil support those RRs (in zonefile and wire).
- RFC 2538
Storing Certificates in the Domain Name System (DNS)
The RFC is obsolete, but we still support those RRs (in zonefile and wire).
- RFC 2606
Reserved Top Level DNS Names
- RFC 2671
Extension Mechanisms for DNS (EDNS0)
Well, the EDNS0 definition has been rewritten as RFC 6891 which we really support.
- RFC 2672
Non-Terminal DNS Name Redirection
Well, the DNAME definition has been rewritten as RFC 6672 which we really support.
- RFC 2782
A DNS RR for specifying the location of services (DNS SRV)
- RFC 2915
The Naming Authority Pointer (NAPTR) DNS Resource Record
- RFC 3123
A DNS RR Type for Lists of Address Prefixes (APL RR)
This is probably unused in practice, but we still support the APL RR (in zonefile and wire).
- RFC 3225
Indicating Resolver Support of DNSSEC
This is the DO bit in DNS messages.
- RFC 3526
More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
- RFC 3597
Handling of Unknown DNS Resource Record (RR) Types
- RFC 4007
IPv6 Scoped Address Architecture
- RFC 4025
A Method for Storing IPsec Keying Material in DNS
- RFC 4033
DNS Security Introduction and Requirements
- RFC 4034
Resource Records for the DNS Security Extensions
- RFC 4035
Protocol Modifications for the DNS Security Extensions
- RFC 4255
Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
- RFC 4343
Domain Name System (DNS) Case Insensitivity Clarification
- RFC 4398
Storing Certificates in the Domain Name System (DNS)
- RFC 4509
Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
- RFC 4592
The Role of Wildcards in the Domain Name System
- RFC 4697
Observed DNS Resolution Misbehavior
- RFC 4701
A DNS Resource Record (RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR)
- RFC 5001
DNS Name Server Identifier (NSID) Option
- RFC 5011
Automated Updates of DNS Security (DNSSEC) Trust Anchors
See inside DNSSEC, data verification
- RFC 5114
Additional Diffie-Hellman Groups for Use with IETF Standards
- RFC 5155
DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
- RFC 5358
Preventing Use of Recursive Nameservers in Reflector Attacks
- RFC 5452
Measures for Making DNS More Resilient against Forged Answers
- RFC 5702
Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
- RFC 6147
DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers
See DNS64
- RFC 6234
US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)
- RFC 6303
Locally Served DNS Zones
- RFC 6598
IANA-Reserved IPv4 Prefix for Shared Address Space
- RFC 6604
xNAME RCODE and Status Bits Clarification
- RFC 6605
Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC
- RFC 6672
DNAME Redirection in the DNS
- RFC 6698
The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
We support the record, but not authenticating by it.
- RFC 6725
DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates
- RFC 6742
DNS Resource Records for the Identifier-Locator Network Protocol (ILNP)
- RFC 6761
Special-Use Domain Names
- RFC 6840
Clarifications and Implementation Notes for DNS Security (DNSSEC)
- RFC 6844
DNS Certification Authority Authorization (CAA) Resource Record
- RFC 6891
Extension Mechanisms for DNS (EDNS(0))
- RFC 7043
Resource Records for EUI-48 and EUI-64 Addresses in the DNS
- RFC 7344
Automating DNSSEC Delegation Trust Maintenance
- RFC 7413
TCP Fast Open
We only support it on the server side.
- RFC 7477
Child-to-Parent Synchronization in DNS
- RFC 7553
The Uniform Resource Identifier (URI) DNS Resource Record
- RFC 7646
Definition and Use of DNSSEC Negative Trust Anchors
See inside DNSSEC, data verification
- RFC 7686
The “.onion” Special-Use Domain Name
- RFC 7706
Decreasing Access Time to Root Servers by Running One on Loopback
Obsoleted by RFC 8806; see also Cache prefilling
- RFC 7766
DNS Transport over TCP - Implementation Requirements
- RFC 7830
The EDNS(0) Padding Option
See inside DoT and DoH (encrypted DNS)
- RFC 7858
Specification for DNS over Transport Layer Security (TLS)
See DNS-over-TLS (DoT) and Forwarding.
- RFC 7929
DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
- RFC 7958
DNSSEC Trust Anchor Publication for the Root Zone
Though typical Knot Resolver packaging uses a different approach.
- RFC 8080
Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC
- RFC 8145
Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)
- RFC 8162
Using Secure DNS to Associate Certificates with Domain Names for S/MIME
- RFC 8198
Aggressive Use of DNSSEC-Validated Cache
See Cache
- RFC 8310
Usage Profiles for DNS over TLS and DNS over DTLS
- RFC 8375
Special-Use Domain ‘home.arpa.’
- RFC 8467
Padding Policies for Extension Mechanisms for DNS (EDNS(0))
See inside DoT and DoH (encrypted DNS)
- RFC 8482
Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY
This RFC was focused on authoritative servers. As a resolver, we shouldn’t just make up data on arbitrary names, so we really use a different minimization method currently: reply with RCODE=NOTIMPL.
- RFC 8484
DNS Queries over HTTPS (DoH)
- RFC 8509
A Root Key Trust Anchor Sentinel for DNSSEC
- RFC 8624
Algorithm Implementation Requirements and Usage Guidance for DNSSEC
- RFC 8767
Serving Stale Data to Improve DNS Resiliency
See Serve stale
- RFC 8806
Running a Root Server Local to a Resolver
See Cache prefilling
- RFC 8914
Extended DNS Errors
- RFC 8976
Message Digest for DNS Zones
- RFC 9077
NSEC and NSEC3: TTLs and Aggressive Use
- RFC 9156
DNS Query Name Minimisation to Improve Privacy
Our current code doesn’t use full minimization but a compromise approach, which in practice mainly minimizes queries going to root and TLD servers. We also have a fallback that deals with typical cases of non-conforming servers.
- RFC 9210
DNS Transport over TCP - Operational Requirements