.. SPDX-License-Identifier: GPL-3.0-or-later .. _rfc-list: List of RFCs ============ Here we provide a list of implemented RFCs, though it may not be 100% complete. Normal users shouldn't need to look here; they might search the docs instead. Knot Resolver aims to faithfully follow RFC standards to ensure correct behavior, security, and interoperability. Note that in some cases only part of the RFC is covered, as some parts are optional to a degree or even not relevant to DNS resolvers. :rfc:`1034` Domain Names – Concepts and Facilities :rfc:`1035` Domain Names – Implementation and Specifciation :rfc:`1101` DNS Encoding of Network Names and Other Types :rfc:`1123` Requirements for Internet Hosts -- Application and Support .. I haven't heard of anyone using these RR types in the past decade. :rfc:`1183` New DNS RR Definitions .. Uh, why? TCP implementation details are for OS to deal with, not us. :rfc:`13371 TIME-WAIT Assassination Hazards in TCP .. Uh well, our DoH server does use MIME, I guess... :rfc:`1521` MIME (Multipurpose Internet Mail Extensions) Part One: Mechanisms for Specifying and Describing the Format of Internet Message Bodies .. I haven't heard of anyone using these RR types in the past decade. :rfc:`1706` DNS NSAP Resource Records :rfc:`1712` DNS Encoding of Geographical Location :rfc:`1876` A Means for Expressing Location Information in the Domain Name System .. I don't think we're really utilizing it in resolver right now. In Knot DNS for sure, but... :rfc:`1982` Serial Number Arithmetic .. No *XFR yet in resolver. :rfc:`1995` Incremental Zone Transfer in DNS :rfc:`1996` A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY) .. Large RFC about an obsolete mechanism. KNOT_RRTYPE_PX exists, but just for name compression to work, so I don't think we can claim this RFC as supported really. :rfc:`2163` Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping (MCGAM) :rfc:`2181` Clarifications to the DNS Specification .. I fail to see how one could call this RFC supported by any kind of resolver. :rfc:`2182` Selection and Operation of Secondary DNS Servers :rfc:`2230` Key Exchange Delegation Record for the DNS .. I fail to see how representation of names in LDAP is related. :rfc:`2253` Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names :rfc:`2308` Negative Caching of DNS Queries (DNS NCACHE) :rfc:`2535` Domain Name System Security Extensions *This variant of DNSSEC has been obsolete for many years, but we stil support those RRs (in zonefile and wire).* .. DSA crypto has been obsoleted. :rfc:`2536` DSA KEYs and SIGs in the Domain Name System (DNS) .. MD5-based crypto has been obsoleted. :rfc:`2537` RSA/MD5 KEYs and SIGs in the Domain Name System (DNS) :rfc:`2538` Storing Certificates in the Domain Name System (DNS) *The RFC is obsolete, but we still support those RRs (in zonefile and wire).* .. DH in DNSSEC has been long obsolete. :rfc:`2539` Storage of Diffie-Hellman Keys in the Domain Name System (DNS) :rfc:`2606` Reserved Top Level DNS Names :rfc:`2671` Extension Mechanisms for DNS (EDNS0) *Well, the EDNS0 definition has been rewritten as* :rfc:`6891` *which we really support.* :rfc:`2672` Non-Terminal DNS Name Redirection *Well, the DNAME definition has been rewritten as* :rfc:`6672` *which we really support.* .. This has been obsoleted over a decade ago, and I'm not sure if it works for us. :rfc:`2673` Binary Labels in the Domain Name System :rfc:`2782` A DNS RR for specifying the location of services (DNS SRV) .. A6 is obsolete/historic, and we don't even support the type anymore (in zonefile and wire). :rfc:`2874` DNS Extensions to Support IPv6 Address Aggregation and Renumbering :rfc:`2915` The Naming Authority Pointer (NAPTR) DNS Resource Record .. I don't think we can call this supported. Name (de)compression for TKEY yes, but not even zonefile. :rfc:`2930` Secret Key Establishment for DNS (TKEY RR) .. This is for KEY and SIG records; see the same as :rfc:`2535` above. :rfc:`3110` RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS) :rfc:`3123` A DNS RR Type for Lists of Address Prefixes (APL RR) *This is probably unused in practice, but we still support the APL RR (in zonefile and wire).* :rfc:`3225` Indicating Resolver Support of DNSSEC *This is the* **DO** *bit in DNS messages.* .. This is most likely still part of normal DH handshake in TLS, though I expect that newer exchange is negotiated typically nowadays. :rfc:`3526` More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) :rfc:`3597` Handling of Unknown DNS Resource Record (RR) Types .. TODO I'm not sure. Maybe gnutls does implement this certificate stuff and then we could profess compliance. :rfc:`3779` X.509 Extensions for IP Addresses and AS Identifiers .. We can listen on scoped IPv6 addresses. :rfc:`4007` IPv6 Scoped Address Architecture :rfc:`4025` A Method for Storing IPsec Keying Material in DNS :rfc:`4033` DNS Security Introduction and Requirements :rfc:`4034` Resource Records for the DNS Security Extensions :rfc:`4035` Protocol Modifications for the DNS Security Extensions :rfc:`4255` Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints :rfc:`4343` Domain Name System (DNS) Case Insensitivity Clarification :rfc:`4398` Storing Certificates in the Domain Name System (DNS) .. DLV is long obsolete/historic, and we don't even support the type anymore (in zonefile and wire). :rfc:`4431` The DNSSEC Lookaside Validation (DLV) DNS Resource Record :rfc:`4509` Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs) :rfc:`4592` The Role of Wildcards in the Domain Name System .. Uh, no idea how this is related to DNS. :rfc:`4597` Conferencing Scenarios :rfc:`4697` Observed DNS Resolution Misbehavior :rfc:`4701` A DNS Resource Record (RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR) :rfc:`5001` DNS Name Server Identifier (NSID) Option *See* :ref:`config-nsid` :rfc:`5011` Automated Updates of DNS Security (DNSSEC) Trust Anchors *See inside* :ref:`config-dnssec` .. Same as 3526. :rfc:`5114` Additional Diffie-Hellman Groups for Use with IETF Standards :rfc:`5155` DNS Security (DNSSEC) Hashed Authenticated Denial of Existence .. HIP is long obsolete/historic, and we don't even support the type anymore (in zonefile and wire). :rfc:`5205` Host Identity Protocol (HIP) Domain Name System (DNS) Extension :rfc:`5358` Preventing Use of Recursive Nameservers in Reflector Attacks :rfc:`5452` Measures for Making DNS More Resilient against Forged Answers :rfc:`5702` Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC .. This crypto-protocol is obsolete, and I believe we've never supported it. :rfc:`5933` Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC .. I don't know. NAT64 doesn't seem related except for DNS64 which follows directly. :rfc:`6146` Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers :rfc:`6147` DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers *See* :ref:`config-dns64` :rfc:`6234` US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF) :rfc:`6303` Locally Served DNS Zones :rfc:`6598` IANA-Reserved IPv4 Prefix for Shared Address Space :rfc:`6604` xNAME RCODE and Status Bits Clarification :rfc:`6605` Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC :rfc:`6672` DNAME Redirection in the DNS :rfc:`6698` The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA *We support the record, but not authenticating by it.* :rfc:`6725` DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates :rfc:`6742` DNS Resource Records for the Identifier-Locator Network Protocol (ILNP) :rfc:`6761` Special-Use Domain Names :rfc:`6840` Clarifications and Implementation Notes for DNS Security (DNSSEC) :rfc:`6844` DNS Certification Authority Authorization (CAA) Resource Record :rfc:`6891` Extension Mechanisms for DNS (EDNS(0)) .. We've never implemented this one and it's never gotten popularity. :rfc:`6975` Signaling Cryptographic Algorithm Understanding in DNS Security Extensions (DNSSEC) :rfc:`7043` Resource Records for EUI-48 and EUI-64 Addresses in the DNS :rfc:`7344` Automating DNSSEC Delegation Trust Maintenance :rfc:`7413` TCP Fast Open *We only support it on the server side.* :rfc:`7477` Child-to-Parent Synchronization in DNS :rfc:`7553` The Uniform Resource Identifier (URI) DNS Resource Record :rfc:`7646` Definition and Use of DNSSEC Negative Trust Anchors *See inside* :ref:`config-dnssec` :rfc:`7686` The ".onion" Special-Use Domain Name :rfc:`7706` Decreasing Access Time to Root Servers by Running One on Loopback *Obsoleted by* :rfc:`8806`; *see also* :ref:`config-cache-prefill` :rfc:`7766` DNS Transport over TCP - Implementation Requirements :rfc:`7830` The EDNS(0) Padding Option *See inside* :ref:`config-network-server-tls` :rfc:`7858` Specification for DNS over Transport Layer Security (TLS) *See* :ref:`dns-over-tls` *and* :ref:`config-forward`. .. We currently don't plan ECS. :rfc:`7871` Client Subnet in DNS Queries .. Cookies are a missing feature so far, though some older code exists. :rfc:`7873` Domain Name System (DNS) Cookies :rfc:`7929` DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP :rfc:`7958` DNSSEC Trust Anchor Publication for the Root Zone *Though typical Knot Resolver packaging uses a different approach.* .. I don't think we can claim this as fully supported, as our cache so far does not work that way (except for aggressive DNSSEC caching, but that's different really). :rfc:`8020` NXDOMAIN: There Really Is Nothing Underneath :rfc:`8080` Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC :rfc:`8145` Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC) *See* :ref:`config-ta-signal-query` :rfc:`8162` Using Secure DNS to Associate Certificates with Domain Names for S/MIME :rfc:`8198` Aggressive Use of DNSSEC-Validated Cache *See* :ref:`config-cache` :rfc:`8310` Usage Profiles for DNS over TLS and DNS over DTLS :rfc:`8375` Special-Use Domain 'home.arpa.' :rfc:`8467` Padding Policies for Extension Mechanisms for DNS (EDNS(0)) *See inside* :ref:`config-network-server-tls` :rfc:`8482` Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY *This RFC was focused on authoritative servers. As a resolver, we shouldn't just make up data on arbitrary names, so we really use a different minimization method currently: reply with RCODE=NOTIMPL.* :rfc:`8484` DNS Queries over HTTPS (DoH) *See* :ref:`dns-over-https` :rfc:`8509` A Root Key Trust Anchor Sentinel for DNSSEC *See* :ref:`config-ta_sentinel` :rfc:`8624` Algorithm Implementation Requirements and Usage Guidance for DNSSEC :rfc:`8767` Serving Stale Data to Improve DNS Resiliency *See* :ref:`config-serve-stale` :rfc:`8806` Running a Root Server Local to a Resolver *See* :ref:`config-cache-prefill` :rfc:`8914` Extended DNS Errors :rfc:`8976` Message Digest for DNS Zones .. Cookies are a missing feature so far, though some older code exists. :rfc:`9018` Interoperable Domain Name System (DNS) Server Cookies :rfc:`9077` NSEC and NSEC3: TTLs and Aggressive Use :rfc:`9156` DNS Query Name Minimisation to Improve Privacy *Our current code doesn't use full minimization but a compromise approach, which in practice mainly minimizes queries going to root and TLD servers. We also have a fallback that deals with typical cases of non-conforming servers.* :rfc:`9210` DNS Transport over TCP - Operational Requirements .. No DoQ yet, but it's planned. :rfc:`9250` DNS over Dedicated QUIC Connections