List of RFCs
Here we provide a list of implemented RFCs, though it may not be 100% complete. Normal users shouldn’t need to look here; they might search the docs instead.
Knot Resolver aims to faithfully follow RFC standards to ensure correct behavior, security, and interoperability. Note that in some cases only part of the RFC is covered, as some parts are optional to a degree or even not relevant to DNS resolvers.
- RFC 1034
Domain Names – Concepts and Facilities
- RFC 1035
Domain Names – Implementation and Specification
- RFC 1101
DNS Encoding of Network Names and Other Types
- RFC 1123
Requirements for Internet Hosts – Application and Support
- RFC 1521
MIME (Multipurpose Internet Mail Extensions) Part One: Mechanisms for Specifying and Describing the Format of Internet Message Bodies
- RFC 1876
A Means for Expressing Location Information in the Domain Name System
- RFC 2181
Clarifications to the DNS Specification
- RFC 2230
Key Exchange Delegation Record for the DNS
- RFC 2308
Negative Caching of DNS Queries (DNS NCACHE)
- RFC 2535
Domain Name System Security Extensions
This variant of DNSSEC has been obsolete for many years, but we still support those RRs (in zonefile and wire).
- RFC 2538
Storing Certificates in the Domain Name System (DNS)
The RFC is obsolete, but we still support those RRs (in zonefile and wire).
- RFC 2606
Reserved Top Level DNS Names
- RFC 2671
Extension Mechanisms for DNS (EDNS0)
The EDNS0 definition has since been rewritten as RFC 6891, which is what we actually implement.
- RFC 2672
Non-Terminal DNS Name Redirection
The DNAME definition has since been rewritten as RFC 6672, which is what we actually implement.
- RFC 2782
A DNS RR for specifying the location of services (DNS SRV)
- RFC 2915
The Naming Authority Pointer (NAPTR) DNS Resource Record
- RFC 3123
A DNS RR Type for Lists of Address Prefixes (APL RR)
This is probably unused in practice, but we still support the APL RR (in zonefile and wire).
- RFC 3225
Indicating Resolver Support of DNSSEC
This is the DO bit in DNS messages.
- RFC 3526
More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
- RFC 3597
Handling of Unknown DNS Resource Record (RR) Types
- RFC 4007
IPv6 Scoped Address Architecture
- RFC 4025
A Method for Storing IPsec Keying Material in DNS
- RFC 4033
DNS Security Introduction and Requirements
- RFC 4034
Resource Records for the DNS Security Extensions
- RFC 4035
Protocol Modifications for the DNS Security Extensions
- RFC 4255
Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
- RFC 4343
Domain Name System (DNS) Case Insensitivity Clarification
- RFC 4398
Storing Certificates in the Domain Name System (DNS)
- RFC 4509
Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
- RFC 4592
The Role of Wildcards in the Domain Name System
- RFC 4697
Observed DNS Resolution Misbehavior
- RFC 4701
A DNS Resource Record (RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR)
- RFC 5001
DNS Name Server Identifier (NSID) Option
- RFC 5011
Automated Updates of DNS Security (DNSSEC) Trust Anchors
See inside DNSSEC, data verification
- RFC 5114
Additional Diffie-Hellman Groups for Use with IETF Standards
- RFC 5155
DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
- RFC 5358
Preventing Use of Recursive Nameservers in Reflector Attacks
- RFC 5452
Measures for Making DNS More Resilient against Forged Answers
- RFC 5702
Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
- RFC 6147
DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers
See DNS64
- RFC 6234
US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)
- RFC 6303
Locally Served DNS Zones
- RFC 6598
IANA-Reserved IPv4 Prefix for Shared Address Space
- RFC 6604
xNAME RCODE and Status Bits Clarification
- RFC 6605
Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC
- RFC 6672
DNAME Redirection in the DNS
- RFC 6698
The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
We support the record, but not authenticating by it.
- RFC 6725
DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates
- RFC 6742
DNS Resource Records for the Identifier-Locator Network Protocol (ILNP)
- RFC 6761
Special-Use Domain Names
- RFC 6840
Clarifications and Implementation Notes for DNS Security (DNSSEC)
- RFC 6844
DNS Certification Authority Authorization (CAA) Resource Record
- RFC 6891
Extension Mechanisms for DNS (EDNS(0))
- RFC 7043
Resource Records for EUI-48 and EUI-64 Addresses in the DNS
- RFC 7344
Automating DNSSEC Delegation Trust Maintenance
- RFC 7413
TCP Fast Open
We only support it on the server side.
- RFC 7477
Child-to-Parent Synchronization in DNS
- RFC 7553
The Uniform Resource Identifier (URI) DNS Resource Record
- RFC 7646
Definition and Use of DNSSEC Negative Trust Anchors
See inside DNSSEC, data verification
- RFC 7686
The “.onion” Special-Use Domain Name
- RFC 7706
Decreasing Access Time to Root Servers by Running One on Loopback
Obsoleted by RFC 8806; see also Cache prefilling
- RFC 7766
DNS Transport over TCP - Implementation Requirements
- RFC 7830
The EDNS(0) Padding Option
See inside DoT and DoH (encrypted DNS)
- RFC 7858
Specification for DNS over Transport Layer Security (TLS)
See DNS-over-TLS (DoT) and Forwarding.
- RFC 7929
DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
- RFC 7958
DNSSEC Trust Anchor Publication for the Root Zone
Though typical Knot Resolver packaging uses a different approach.
- RFC 8080
Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC
- RFC 8145
Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)
- RFC 8162
Using Secure DNS to Associate Certificates with Domain Names for S/MIME
- RFC 8198
Aggressive Use of DNSSEC-Validated Cache
See Cache
- RFC 8310
Usage Profiles for DNS over TLS and DNS over DTLS
- RFC 8375
Special-Use Domain ‘home.arpa.’
- RFC 8467
Padding Policies for Extension Mechanisms for DNS (EDNS(0))
See inside DoT and DoH (encrypted DNS)
- RFC 8482
Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY
This RFC was focused on authoritative servers. As a resolver, we shouldn’t make up data for arbitrary names, so we currently use a different minimization method: replying with RCODE=NOTIMPL.
- RFC 8484
DNS Queries over HTTPS (DoH)
- RFC 8509
A Root Key Trust Anchor Sentinel for DNSSEC
- RFC 8624
Algorithm Implementation Requirements and Usage Guidance for DNSSEC
- RFC 8767
Serving Stale Data to Improve DNS Resiliency
See Serve stale
- RFC 8806
Running a Root Server Local to a Resolver
See Cache prefilling
- RFC 8914
Extended DNS Errors
- RFC 8976
Message Digest for DNS Zones
- RFC 9077
NSEC and NSEC3: TTLs and Aggressive Use
- RFC 9156
DNS Query Name Minimisation to Improve Privacy
Our current code doesn’t use full minimization but a compromise approach, which in practice mainly minimizes queries going to root and TLD servers. We also have a fallback that deals with typical cases of non-conforming servers.
- RFC 9210
DNS Transport over TCP - Operational Requirements