DNS Requirements

RFC 2119 requirements by RFC for DNS:

rfc1034

rfc1035

rfc1982

rfc1995

rfc1996

rfc2136

rfc2163

10 Security Considerations

rfc2181

3 Terminology

rfc2308

3 - Negative Answers from Authoritative Servers

5 - Caching Negative Answers

6 - Negative answers from the cache

7.1 Server Failure (OPTIONAL)

7.2 Dead / Unreachable Server (OPTIONAL)

8 - Changes from RFC 1034

rfc2536

rfc2539

2 Diffie-Hellman KEY Resource Records

rfc2782

rfc2845

2 - TSIG RR Format

3 - Protocol Operation

4 - Protocol Details

rfc2930

2 The TKEY Resource Record

2.1 The Name Field

2.2 The TTL Field

2.4 The Inception and Expiration Fields

2.5 The Mode Field

2.8 The Other Size and Data Fields

3 General TKEY Considerations

4 Exchange via Resolver Query

4.1 Query for Diffie-Hellman Exchanged Keying

4.2 Query for TKEY Deletion

4.3 Query for GSS-API Establishment

4.4 Query for Server Assigned Keying

4.5 Query for Resolver Assigned Keying

5 Spontaneous Server Inclusion

5.1 Spontaneous Server Key Deletion

6 Methods of Encryption

rfc2931

2.4 Differences Between TSIG and SIG(0)

3 The SIG(0) Resource Record

3.1 Calculating Request and Transaction SIGs

3.2 Processing Responses and SIG(0) RRs

rfc3007

1.4 - Data and message signatures

1.5 - Signatory strength

2 - Authentication

3 - Policy

3.1 - Standard policies

3.1.1 - User types

4.1 - Adding SIGs

4.2 - Deleting SIGs

4.3 - Non-explicit updates to SIGs

4.4 - Effects on the zone

rfc3110

1 Introduction

2 RSA Public KEY Resource Records

3 RSA/SHA1 SIG Resource Records

rfc3225

3 Protocol Changes

rfc3226

3 Protocol changes:

rfc3402

3 The Algorithm

3.2 Substitution Expression Syntax

3.3 The Complete Algorithm

5 Specifying A Database

rfc3403

3 DDDS Database Specification

4.1 Packet Format

4.2.1 Additional Section Processing by DNS Servers

4.2.2 Additional Section Processing by Resolver/Applications

8 Notes

rfc3404

4.1 Application Unique String

4.3 Flags

4.4.2 Protocols

4.4.3 Applicability of Services

4.5 Valid Databases

6 Notes

rfc3425

3 - Effect on RFC 1035

rfc3492

5 Parameter values for Punycode

rfc3596

rfc3597

3 Transparency

4 Domain Name Compression

5 Text Representation

6 Equality Comparison

8 Additional Section Processing

rfc3645

1 Introduction

2.1 GSS Details

2.2 Modifications to the TSIG protocol (RFC 2845)

3 Client Protocol Details

3.1.1 Call GSS_Init_sec_context

3.1.2 Send TKEY Query to Server

3.1.3 Receive TKEY Query-Response from Server

3.1.3.1 Value of major_status == GSS_S_COMPLETE

3.1.3.2 Value of major_status == GSS_S_CONTINUE_NEEDED

3.2 Context Established

3.2.1 Terminating a Context

4 Server Protocol Details

4.1 Negotiating Context

4.1.1 Receive TKEY Query from Client

4.1.2 Call GSS_Accept_sec_context

4.1.3 Send TKEY Query-Response to Client

4.2 Context Established

4.2.1 Terminating a Context

5.1 Sending a Signed Message - Call GSS_GetMIC

5.2 Verifying a Signed Message - Call GSS_VerifyMIC

6 Example usage of GSS-TSIG algorithm

9 Conformance

rfc3646

3 DNS Recursive Name Server option

4 Domain Search List option

5 Appearance of these options

6 Security Considerations

rfc4025

1.2 Use of DNS Address-to-Name Maps (IN-ADDR.ARPA and IP6.ARPA)

1.3 Usage Criteria

2.3 RDATA Format - Gateway Type

2.5 RDATA Format - Gateway

3.1 Representation of IPSECKEY RRs

4 Security Considerations

4.1.2 Active Attacks Against IPSECKEY Gateway Material

rfc4033

rfc4034

2 The DNSKEY Resource Record

2.1.1 The Flags Field

2.1.2 The Protocol Field

2.2 The DNSKEY RR Presentation Format

3 The RRSIG Resource Record

3.1.3 The Labels Field

3.1.5 Signature Expiration and Inception Fields

3.1.7 The Signer's Name Field

3.1.8.1 Signature Calculation

3.2 The RRSIG RR Presentation Format

4 The NSEC Resource Record

4.1.1 The Next Domain Name Field

4.1.2 The Type Bit Maps Field

4.2 The NSEC RR Presentation Format

5.2 Processing of DS RRs When Validating Responses

5.3 The DS RR Presentation Format

6.3 Canonical RR Ordering within an RRset

8 Security Considerations

10.2 Informative References

rfc4035

2.1 Including DNSKEY RRs in a Zone

2.2 Including RRSIG RRs in a Zone

2.3 Including NSEC RRs in a Zone

2.4 Including DS RRs in a Zone

2.5 Changes to the CNAME Resource Record

2.6 DNSSEC RR Types Appearing at Zone Cuts

3 Serving

3.1 Authoritative Name Servers

3.1.1 Including RRSIG RRs in a Response

3.1.2 Including DNSKEY RRs in a Response

3.1.3 Including NSEC RRs in a Response

3.1.3.1 Including NSEC RRs: No Data Response

3.1.3.2 Including NSEC RRs: Name Error Response

3.1.3.3 Including NSEC RRs: Wildcard Answer Response

3.1.3.4 Including NSEC RRs: Wildcard No Data Response

3.1.4 Including DS RRs in a Response

3.1.4.1 Responding to Queries for DS RRs

3.1.5 Responding to Queries for Type AXFR or IXFR

3.1.6 The AD and CD Bits in an Authoritative Response

3.2.1 The DO Bit

3.2.2 The CD Bit

3.2.3 The AD Bit

4.1 EDNS Support

4.2 Signature Verification Support

4.3 Determining Security Status of Data

4.4 Configured Trust Anchors

4.5 Response Caching

4.6 Handling of the CD and AD Bits

4.7 Caching BAD Data

4.8 Synthesized CNAMEs

4.9 Stub Resolvers

4.9.1 Handling of the DO Bit

4.9.2 Handling of the CD Bit

4.9.3 Handling of the AD Bit

5 Authenticating DNS Responses

5.1 Special Considerations for Islands of Security

5.2 Authenticating Referrals

5.3.1 Checking the RRSIG RR Validity

5.3.2 Reconstructing the Signed Data

5.3.3 Checking the Signature

5.4 Authenticated Denial of Existence

5.5 Resolver Behavior When Signatures Do Not Validate

rfc4255

2.1 Method

2.2 Implementation Notes

2.3 Fingerprint Matching

2.4 Authentication

rfc4343

3 Name Lookup, Label Types, and CLASS

4 Case on Input and Output

4.2 DNS Input Case Preservation

rfc4398

2 The CERT Resource Record

2.1 Certificate Type Values

3 Appropriate Owner Names for CERT RRs

4 Performance Considerations

rfc4470

3 Minimally Covering NSEC Records

rfc4501

3 DNS URI Registration

rfc4509

1 Introduction

2 Implementing the SHA-256 Algorithm for DS Record Support

3 Implementation Requirements

rfc4592

rfc4635

2 Algorithms and Identifiers

3.1 Truncation Specification

4 TSIG Truncation Policy and Error Provisions

rfc4701

3.5.1 Using the Client's DUID

3.5.2 Using the Client Identifier Option

3.5.3 Using the Client's htype and chaddr

4 Use of the DHCID RR

5 Updater Behavior

6 Security Considerations

rfc4955

4 Method

5 Defining an Experiment

7 Use in Non-Experiments

rfc5001

2.1 Resolver Behavior

2.2 Name Server Behavior

2.4 Presentation Format

rfc5011

2.1 Revocation

2.2 Add Hold-Down

2.3 Active Refresh

2.4.1 Add Hold-Down Time

2.4.3 Minimum Trust Anchors per Trust Point

3 Changes to DNSKEY RDATA Wire Format

4.2 States

5 Trust Point Deletion

8.1 Key Ownership vs. Acceptance Policy

rfc5155

2 Backwards Compatibility

3 The NSEC3 Resource Record

3.2.1 Type Bit Maps Encoding

3.3 Presentation Format

4 The NSEC3PARAM Resource Record

4.1.2 Flag Fields

6 Opt-Out

7.1 Zone Signing

7.2 Zone Serving

7.2.2 Name Error Responses

7.2.3 No Data Responses, QTYPE is not DS

7.2.4 No Data Responses, QTYPE is DS

7.2.5 Wildcard No Data Responses

7.2.6 Wildcard Answer Responses

7.2.7 Referrals to Unsigned Subzones

7.2.8 Responding to Queries for NSEC3 Owner Names

7.2.9 Server Response to a Run-Time Collision

7.4 Zones Using Unknown Hash Algorithms

7.5 Dynamic Update

8.1 Responses with Unknown Hash Types

8.2 Verifying NSEC3 RRs

8.3 Closest Encloser Proof

8.4 Validating Name Error Responses

8.5 Validating No Data Responses, QTYPE is not DS

8.6 Validating No Data Responses, QTYPE is DS

8.7 Validating Wildcard No Data Responses

8.8 Validating Wildcard Answer Responses

8.9 Validating Referrals to Unsigned Subzones

9.1 NSEC3 Resource Record Caching

9.2 Use of the AD Bit

10.2 DNAME at the Zone Apex

10.3 Iterations

10.4 Transitioning a Signed Zone from NSEC to NSEC3

11 IANA Considerations

12.1.1 Dictionary Attacks

12.1.3 Transitioning to a New Hash Algorithm

12.2 Opt-Out Considerations

13.2 Informative References

rfc5321

2.1 Basic Structure

2.2.1 Background

2.2.2 Definition and Registration of Extensions

2.2.3 Special Issues with Extensions

2.3.4 Host

2.3.5 Domain Names

2.3.8 Lines

2.3.11 Mailbox and Address

2.4 General Syntax Principles and Transaction Model

3.1 Session Initiation

3.2 Client Initiation

3.3 Mail Transactions

3.4 Forwarding for Address Correction or Updating

3.5.1 Overview

3.5.2 VRFY Normal Response

3.5.3 Meaning of VRFY or EXPN Success Response

3.5.4 Semantics and Applications of EXPN

3.6.1 Source Routes and Relaying

3.6.2 Mail eXchange Records and Relaying

3.6.3 Message Submission Servers as Relays

3.7.1 Header Fields in Gatewaying

3.7.2 Received Lines in Gatewaying

3.7.3 Addresses in Gatewaying

3.7.4 Other Header Fields in Gatewaying

3.7.5 Envelopes in Gatewaying

3.8 Terminating Sessions and Connections

3.9 Mailing Lists and Aliases

4.1.1 Command Semantics and Syntax

4.1.1.1 Extended HELLO (EHLO) or HELLO (HELO)

4.1.1.3 RECIPIENT (RCPT)

4.1.1.4 DATA (DATA)

4.1.1.5 RESET (RSET)

4.1.1.8 HELP (HELP)

4.1.1.9 NOOP (NOOP)

4.1.1.10 QUIT (QUIT)

4.1.2 Command Argument Syntax

4.1.3 Address Literals

4.1.4 Order of Commands

4.1.5 Private-Use Commands

4.2 SMTP Replies

4.2.1 Reply Code Severities and Theory

4.2.4 Reply Code 502

4.2.5 Reply Codes after DATA and the Subsequent .

4.3.1 Sequencing Overview

4.3.2 Command-Reply Sequences

4.4 Trace Information

4.5.1 Minimum Implementation

4.5.2 Transparency

4.5.3.1 Size Limits and Minimums

4.5.3.1.7 Message Content

4.5.3.1.8 Recipients Buffer

4.5.3.1.10 Too Many Recipients Code

4.5.3.2 Timeouts

4.5.3.2.7 Server Timeout: 5 Minutes.

4.5.4 Retry Strategies

4.5.4.1 Sending Strategy

4.5.4.2 Receiving Strategy

4.5.5 Messages with a Null Reverse-Path

5.1 Locating the Target Host

6.1 Reliable Delivery and Replies by Email

6.2 Unwanted, Unsolicited, and "Attack" Messages

6.3 Loop Detection

6.4 Compensating for Irregularities

7.2 "Blind" Copies

7.3 VRFY, EXPN, and Security

7.5 Information Disclosure in Announcements

7.9 Scope of Operation of SMTP Servers

8 IANA Considerations

10.2 Informative References

rfc5452

9.1 Query Matching Rules

9.2 Extending the Q-ID Space by Using Ports and Addresses

9.3 Spoof Detection and Countermeasure

10 Security Considerations

rfc5494

rfc5509

3 DNS SRV Usage of SIP with 'im' and 'pres' URIs

rfc5676

6 Relationship to the SNMP Notification to SYSLOG Mapping

7 Definitions

10 Security Considerations

rfc5702

2.1 RSA/SHA-256 DNSKEY Resource Records

2.2 RSA/SHA-512 DNSKEY Resource Records

3 RRSIG Resource Records

5.1 Support for SHA-2 Signatures

5.2 Support for NSEC3 Denial of Existence

8.2 Signature Type Downgrade Attacks

rfc5864

4 DNS SRV RRs for AFS

4.1 Interpretation as AFS Preference Ranks

5 Use of AFSDB RRs

rfc5890

2.3.1 LDH Label

2.3.2.1 IDNA-valid strings, A-label, and U-label

rfc5891

3.1 Requirements

3.2 Applicability

4.1 Input to IDNA Registration

4.2.1 Input Format

4.2.2 Rejection of Characters That Are Not Permitted

4.2.3.1 Hyphen Restrictions

4.2.3.2 Leading Combining Marks

4.2.3.3 Contextual Rules

4.2.3.4 Labels Containing Characters Written Right to Left

5.2 Conversion to Unicode

5.3 A-label Input

5.4 Validation and Character List Testing

rfc5910

1.1 Conventions Used in This Document

2 Migrating from RFC 4310

3.2 Booleans

3.3 Maximum Signature Lifetime

4 DS Data Interface and Key Data Interface

4.1 DS Data Interface

5.1.2 EPP Command

5.2.1 EPP Command

5.2.5 EPP Command

6 Formal Syntax

7 Internationalization Considerations

9 Security Considerations

11.2 Informative References

rfc5933

2 DNSKEY Resource Records

3 RRSIG Resource Records

4 DS Resource Records

5.1 Key Sizes

6.1 Support for GOST Signatures

6.2 Support for NSEC3 Denial of Existence

8 IANA Considerations

rfc5936

2.1.1 Header Values

2.1.2 Question Section

2.1.3 Answer Section

2.1.4 Authority Section

2.1.5 Additional Section

2.2 AXFR Response

2.2.1 Header Values

2.2.2 Question Section

2.2.3 Answer Section

2.2.4 Authority Section

2.2.5 Additional Section

2.3 TCP Connection Aborts

3.1 Records to Include

3.2 Delegation Records

3.3 Glue Records

3.4 Name Compression

3.5 Occluded Names

4.1.1 AXFR Client TCP

4.1.2 AXFR Server TCP

5 Authorization

6 Zone Integrity

7 Backwards Compatibility

7.1 Server

7.2 Client

rfc6014

rfc6116

2 Use of These Mechanisms for Private Dialing Plans

3.4.1 Optional Name Server Additional Section Processing

3.4.2 Flags

3.4.3 Service Parameters

3.4.3.1 ENUM Services

3.6 Case Sensitivity in ENUM

3.7 Collision Avoidance

5.1 Collected Implications for ENUM Provisioning

5.2 Collected Implications for ENUM Clients

5.2.1 Non-Terminal NAPTR Processing

7.1 DNS Security

7.2 Caching Security

rfc6117

3 Registration Requirements

3.1 Functionality Requirements

3.2 Naming Requirements

3.3 Security Requirements

3.4 Publication Requirements

4.1 General Enumservice Considerations

4.2 Classification, Type and Subtype

4.2.1 General Type/Subtype Considerations

4.2.2 Protocol-Based Enumservices Class

4.2.2.1 Protocol-Based Enumservice "Type" Strings

4.2.2.2 Protocol-Based Enumservice "Subtype" Strings

4.2.3 Application-Based Enumservice Classes

4.2.3.2 Application-Based Enumservice "Subtype" Strings

4.2.4.2 Data Type-Based Enumservice "Subtype" Strings

4.2.5 Other Enumservice

5 Required Sections and Information

5.1 Introduction (REQUIRED)

5.2 IANA Registration (REQUIRED)

5.2.1 Enumservice Class ()

5.2.2 Enumservice Type ()

5.2.3 Enumservice Subtype ()

5.2.4 URI Scheme(s) ()

5.2.7 Intended Usage ()

5.2.9 Requesters ()

5.3 Examples (REQUIRED)

5.4 Implementation Recommendations / Notes (OPTIONAL)

5.5 DNS Considerations (REQUIRED)

5.6 Security Considerations (REQUIRED)

5.8 Other Sections (OPTIONAL)

6.6 Step 6: Publication of the Registration Document

8 Revision of Existing Enumservice Specifications

9 Extension of Existing Enumservice Specifications

11.7 Change Control

11.8 Restrictions

rfc6147

5 DNS64 Normative Specification

5.1 Resolving AAAA Queries and the Answer Section

5.1.1 The Answer when There is AAAA Data Available

5.1.4 Special Exclusion Set for AAAA Records

5.1.7 Performing the Synthesis

5.1.8 Querying in Parallel

5.2 Generation of the IPv6 Representations of IPv4 Addresses

5.3.1 PTR Resource Record

5.3.2 Handling the Additional Section

5.3.3 Other Resource Records

5.5 DNSSEC Processing: DNS64 in Validating Resolver Mode

rfc6376

2.11 DKIM-Quoted-Printable

3.2 Tag=Value Lists

3.3 Signing and Verification Algorithms

3.3.1 The rsa-sha1 Signing Algorithm

3.3.2 The rsa-sha256 Signing Algorithm

3.3.3 Key Sizes

3.3.4 Other Algorithms

3.4 Canonicalization

3.4.1 The "simple" Header Canonicalization Algorithm

3.4.2 The "relaxed" Header Canonicalization Algorithm

3.4.4 The "relaxed" Body Canonicalization Algorithm

3.5 The DKIM-Signature Header Field

3.6.1 Textual Representation

3.6.2 DNS Binding

3.6.2.2 Resource Record Types for Key Storage

3.7 Computing the Message Hashes

3.8 Input Requirements

3.9 Output Requirements

3.10 Signing by Parent Domains

3.11 Relationship between SDID and AUID

4.2 Interpretation

5.3 Normalize the Message to Prevent Transport Conversions

5.3.1 Body Length Limits

5.4 Determine the Header Fields to Sign

5.4.1 Recommended Signature Content

5.4.2 Signatures Involving Multiple Instances of a Field

5.5 Compute the Message Hash and Signature

5.6 Insert the DKIM-Signature Header Field

6 Verifier Actions

6.1 Extract Signatures from the Message

6.1.1 Validate the Signature Header Field

6.1.2 Get the Public Key

6.1.3 Compute the Verification

6.2 Communicate Verification Results

6.3 Interpret Results/Apply Local Policy

7 IANA Considerations

8.8 Intentionally Malformed Key Records

8.9 Intentionally Malformed DKIM-Signature Header Fields

8.14 Inappropriate Signing by Parent Domains

9.2 Informative References

rfc6604

3 RCODE Clarification

rfc6605

4 DNSKEY and RRSIG Resource Records for ECDSA

5 Support for NSEC3 Denial of Existence

7 IANA Considerations

rfc6641

3 Use of the SRV Resource Record in DNS

4.2 Mount Options

4.3 File System Integration Issues

6 Security Considerations

7 IANA Considerations

rfc6652

3 Optional Reporting Address for SPF

4 Requested Reports

5.1 SPF Modifier Registration

6.1 Identity Selection

rfc6672

2.1 Format

2.3 DNAME Owner Name Matching the QNAME

2.4 Names next to and below a DNAME Record

2.5 Compression of the DNAME Record

3.1 CNAME Synthesis

3.2 Server Algorithm

3.3 Wildcards

3.4 Acceptance and Intermediate Storage

5.2 Dynamic Update and DNAME

5.3.2 DNAME Bit in NSEC Type Map

5.3.4 Validators Must Understand DNAME

8 Security Considerations

10.2 Informative References

rfc6698

2.1.1 The Certificate Usage Field

2.2 TLSA RR Presentation Format

3 Domain Names for TLSA Certificate Associations

4 Use of TLSA Records in TLS

4.1 Usable Certificate Associations

6 Mandatory-to-Implement Features

8.2 DNS Caching

10.2 Informative References

rfc6725

rfc6731

4.1 Procedure for Prioritizing RDNSSes and Handling Responses

4.2 RDNSS Selection DHCPv6 Option

4.3 RDNSS Selection DHCPv4 Option

4.5 Limitations on Use

4.6 Coexistence of Various RDNSS Configuration Tools

4.7 Considerations on Follow-Up Queries

4.8 Closing Network Interfaces and Local Caches

6 Considerations for Network Administrators

rfc6761

4 Procedure

6.1 Domain Name Reservation Considerations for Private Addresses

6.2 Domain Name Reservation Considerations for "test."

6.3 Domain Name Reservation Considerations for "localhost."

6.4 Domain Name Reservation Considerations for "invalid."

6.5 Domain Name Reservation Considerations for Example Domains

rfc6762

2 Conventions and Terminology Used in This Document

3 Multicast DNS Names

4 Reverse Address Mapping

5 Querying

5.1 One-Shot Multicast DNS Queries

5.2 Continuous Multicast DNS Querying

5.4 Questions Requesting Unicast Responses

5.5 Direct Unicast Queries to Port 5353

6 Responding

6.1 Negative Responses

6.2 Responding to Address Queries

6.3 Responding to Multiquestion Queries

6.4 Response Aggregation

6.5 Wildcard Queries (qtype "ANY" and qclass "ANY")

6.6 Cooperating Multicast DNS Responders

6.7 Legacy Unicast Responses

7.1 Known-Answer Suppression

7.2 Multipacket Known-Answer Suppression

7.3 Duplicate Question Suppression

7.4 Duplicate Answer Suppression

8 Probing and Announcing on Startup

8.1 Probing

8.2 Simultaneous Probe Tiebreaking

8.3 Announcing

8.4 Updating

9 Conflict Resolution

10 Resource Record TTL Values and Cache Coherency

10.1 Goodbye Packets

10.2 Announcements to Flush Outdated Cache Entries

10.4 Cache Flush on Failure Indication

10.5 Passive Observation Of Failures (POOF)

11 Source Address Check

13 Enabling and Disabling Multicast DNS

14 Considerations for Multiple Interfaces

15.1 Receiving Unicast Responses

16 Multicast DNS Character Set

17 Multicast DNS Message Size

18.1 ID (Query Identifier)

18.2 QR (Query/Response) Bit

18.3 OPCODE

18.4 AA (Authoritative Answer) Bit

18.5 TC (Truncated) Bit

18.6 RD (Recursion Desired) Bit

18.7 RA (Recursion Available) Bit

18.8 Z (Zero) Bit

18.9 AD (Authentic Data) Bit

18.10 CD (Checking Disabled) Bit

18.11 RCODE (Response Code)

18.14 Name Compression

21 Security Considerations

22.1 Domain Name Reservation Considerations

24.2 Informative References

rfc6763

4.1.1 Instance Names

4.1.3 Domain Names

4.3 Internal Handling of Names

5 Service Instance Resolution

6 Data Syntax for DNS-SD TXT Records

6.1 General Format Rules for DNS TXT Records

6.2 DNS-SD TXT Record Size

6.3 DNS TXT Record Format Rules for Use in DNS-SD

6.4 Rules for Keys in DNS-SD Key/Value Pairs

6.5 Rules for Values in DNS-SD Key/Value Pairs

6.7 Version Tag

8 Flagship Naming

11 Discovery of Browsing and Registration Domains (Domain Enumeration)

12 DNS Additional Record Generation

12.1 PTR Records

12.2 SRV Records

rfc6840

2.1 NSEC3 Support

3.1 Implement a BAD Cache

4.1 Clarifications on Nonexistence Proofs

4.2 Validating Responses to an ANY Query

4.3 Check for CNAME

4.4 Insecure Delegation Proofs

5.2 Unknown DS Message Digest Algorithms

5.3 Private Algorithms

5.4 Caution about Local Policy and Multiple RRSIGs

5.6 Setting the DO Bit on Replies

5.8 Setting the AD Bit on Replies

5.9 Always Set the CD Bit on Queries

5.11 Mandatory Algorithm Rules

5.12 Ignore Extra Signatures from Unknown Keys

6.4 Errors in RFC 5155

8.2 Informative References

rfc6844

1 Introduction

3 The CAA RR Type

4 Certification Authority Processing

4.1 Use of DNS Security

5.1 Syntax

5.2 CAA issue Property

5.3 CAA issuewild Property

5.4 CAA iodef Property

6.2 Mis-Issue by Authorized Certification Authority

6.3 Suppression or Spoofing of CAA Records

6.5 Abuse of the Critical Flag

7.2 Certification Authority Restriction Properties

rfc6891

1 Introduction

3 EDNS Support Requirement

5 Extended Label Types

6.1.1 Basic Elements

6.1.2 Wire Format

6.1.3 OPT Record TTL Field Use

6.2.1 Cache Behaviour

6.2.2 Fallback

6.2.3 Requestor's Payload Size

6.2.5 Payload Size Selection

6.2.6 Support in Middleboxes

7 Transport Considerations

9 IANA Considerations

rfc6944

2.1 Status Definitions

4 Security Considerations

rfc6975

1 Introduction

3 Signaling DNSSEC Algorithm Understood (DAU), DS Hash Understood

4 Client Considerations

4.1.1 Validating Stub Resolvers

4.1.2 Non-validating Stub Resolvers

4.2.1 Validating Recursive Resolvers

4.2.2 Non-validating Recursive Resolvers

5 Intermediate System Considerations

6 Server Considerations

rfc7208

2.2 Checking Authorization

2.3 The "HELO" Identity

2.4 The "MAIL FROM" Identity

2.5 Location of Checks

3.1 DNS Resource Records

3.2 Multiple DNS Records

3.3 Multiple Strings in a Single DNS Record

3.4 Record Size

3.5 Wildcard Records

4 The check_host() Function

4.3 Initial Processing

4.6.4 DNS Lookup Limits

5.1 "all"

5.4 "mx"

5.5 "ptr" (do not use)

6 Modifier Definitions

6.1 redirect: Redirected Query

6.2 exp: Explanation

7.3 Macro Processing Details

8.2 Neutral

8.4 Fail

8.5 Softfail

8.6 Temperror

8.7 Permerror

9 Recording the Result

9.1 The Received-SPF Header Field

rfc7216

4.1 Identification of IP Addresses

4.3 Shortened DNS Names

4.4 When To Use the Reverse DNS Method

4.8 Deployment Considerations

5 Privacy Considerations

6 Security Considerations

rfc7218

rfc7344

4 Automating DS Maintenance with CDS/CDNSKEY Records

4.1 CDS and CDNSKEY Processing Rules

5 CDS/CDNSKEY Publication

6 Parent-Side CDS/CDNSKEY Consumption

6.1 Detecting a Changed CDS/CDNSKEY

6.1.1 CDS/CDNSKEY Polling

6.2 Using the New CDS/CDNSKEY Records

9 Security Considerations

rfc7372

4 General Considerations

rfc7477

2 Definition of the CSYNC RRType

2.1.1.1 The SOA Serial Field

2.1.1.2 The Flags Field

2.1.1.2.1 The Type Bit Map Field

2.1.2 The CSYNC Presentation Format

3 CSYNC Data Processing

3.1 Processing Procedure

3.2.1 The NS type

3.2.2 The A and AAAA Types

4.2 Child Nameserver Selection

4.3 Out-of-Bailiwick NS Records

4.4 Documented Parental Agent Type Support

4.5 Removal of the CSYNC Records

5 Security Considerations

rfc7671

2 DANE TLSA Record Overview

3 DANE TLS Requirements

4 DANE Certificate Usage Selection Guidelines

4.1 Opportunistic Security and PKIX Usages

4.2 Interaction with Certificate Transparency

5.1 Certificate Usage DANE-EE(3)

5.2 Certificate Usage DANE-TA(2)

5.2.1 Recommended Record Combinations

5.2.2 Trust Anchor Digests and Server Certificate Chain

5.2.3 Trust Anchor Public Keys

5.4 Certificate Usage PKIX-TA(0)

7 TLSA Base Domain and CNAMEs

8 TLSA Publisher Requirements

8.3 Switching to New TLSA Parameters

8.4 TLSA Publisher Requirements: Summary

9 Digest Algorithm Agility

10.1.1 UDP and TCP Considerations

10.1.2 Packet Size Considerations for TLSA Parameters

10.2 Certificate Name Check Conventions

10.3 Design Considerations for Protocols Using DANE

12 Summary of Updates to RFC 6698

13 Operational Considerations

14 Security Considerations

rfc7672

1.1 Terminology

2.1.1 DNS Errors, "Bogus" Responses, and "Indeterminate" Responses

2.1.2 DNS Error Handling

2.1.3 Stub Resolver Considerations

2.2 TLS Discovery

2.2.1 MX Resolution

2.2.2 Non-MX Destinations

2.2.3 TLSA Record Lookup

3.1.1 Certificate Usage DANE-EE(3)

3.1.2 Certificate Usage DANE-TA(2)

3.1.3 Certificate Usages PKIX-TA(0) and PKIX-EE(1)

3.2 Certificate Matching

3.2.1 DANE-EE(3) Name Checks

3.2.2 DANE-TA(2) Name Checks

3.2.3 Reference Identifier Matching

4 Server Key Management

5 Digest Algorithm Agility

8.1 SNI Support

8.2 Anonymous TLS Cipher Suites

9.1 Client Operational Considerations

9.2 Publisher Operational Considerations

rfc7673

2 Terminology

3.1 SRV Query

3.2 Address Queries

3.3 TLSA Queries

3.4 Impact on TLS Usage

4 TLS Checks

4.1 SRV Records Only

4.2 TLSA Records

6 Guidance for Server Operators

rfc7686

2 The ".onion" Special-Use Domain Name

rfc7766

1 Introduction

5 Transport Protocol Selection

6.2.1 Connection Reuse

6.2.1.1 Query Pipelining

6.2.2 Concurrent Connections

6.2.3 Idle Timeouts

6.2.4 Teardown

7 Response Reordering

8 TCP Message Length Field

11.2 Informative References

rfc7828

3.2.1 Sending Queries

3.2.2 Receiving Responses

3.3.1 Receiving Queries

3.3.2 Sending Responses

3.4 TCP Session Management

3.5 Non-clean Paths

4 Intermediary Considerations

5 Security Considerations

rfc7830

3 The "Padding" Option

4 Usage Considerations

6 Security Considerations

rfc7858

3.1 Session Initiation

3.3 Transmitting and Receiving Messages

3.4 Connection Reuse, Close, and Reestablishment

4.2 Out-of-Band Key-Pinned Privacy Profile

5 Performance Considerations

8 Security Considerations

rfc7873

4.1 Client Cookie

4.2 Server Cookie

5 DNS Cookies Protocol Specification

5.2.3 Only a Client Cookie

5.2.4 A Client Cookie and an Invalid Server Cookie

5.2.5 A Client Cookie and a Valid Server Cookie

5.3 Processing Responses

5.4 Querying for a Server Cookie

6 NAT Considerations and Anycast Server Considerations

7.1 Client and Server Secret Rollover

7.2 Counters

9.1 Cookie Algorithm Considerations

11.2 Informative References

rfc8005

3 Usage Scenarios

4.1 Storing HI, HIT, and RVS in the DNS

4.2 Initiating Connections Based on DNS Names

5 HIP RR Storage Format

5.6 Rendezvous Servers Format

6 HIP RR Presentation Format

8 Security Considerations

8.2 Hash and HITs Collisions

rfc8028

1.1 Host Model

2.1 Expectations the Host Has of the Network

3.1 Interpreting Router Advertisements

3.2 Default Router Selection

3.3 Source Address Selection

3.4 Redirects

3.5 History

rfc8078

3.1 Accept Policy via Authenticated Channel

4 DNSSEC Delete Algorithm

5 Security Considerations

rfc8080

8 Security Considerations

rfc8106

1.2 Coexistence of RA Options and DHCP Options for DNS Configuration

5.1 Recursive DNS Server Option

5.2 DNS Search List Option

5.3.1 Procedure in IPv6 Hosts

6.1 DNS Repository Management

7.2 Recommendations

9.2 Informative References

rfc8145

1 Introduction

4.2 Use by Queriers

4.2.1.1 Validating Stub Resolvers

4.2.1.2 Non-validating Stub Resolvers

4.2.2.1 Validating Recursive Resolvers

4.2.2.2 Non-validating Recursive Resolvers

4.3 Use by Responders

5.1 Query Format

5.2 Use by Queriers

5.3 Use by Responders

5.3.1 Interaction with Aggressive Negative Caching

7 Security Considerations

8 Privacy Considerations

rfc8198

5 Aggressive Use of DNSSEC-Validated Cache

5.3 Wildcards

5.4 Consideration on TTL

7 Update to RFC 4035

10.2 Informative References

rfc8301

1 Introduction

3.1 Signing and Verification Algorithms

3.2 Key Sizes

rfc8310

1 Introduction

4 Discussion

5 Usage Profiles

5.1 DNS Resolution

6.4 Combining Authentication Mechanisms

6.5 Authentication in Opportunistic Privacy

6.6 Authentication in Strict Privacy

7.2 Direct Configuration of ADN Only

7.3 Dynamic Discovery of ADN

8.1 Authentication Based on PKIX Certificate

8.2 DANE

8.2.1 Direct DNS Meta-Queries

8.2.2 TLS DNSSEC Chain Extension

9 (D)TLS Protocol Profile

11 Security Considerations

11.1 Countermeasures to DNS Traffic Analysis

rfc7385

rfc8463

5 Choice and Strength of Keys and Algorithms

rfc8484

3 Selection of DoH Server

4.1 The HTTP Request

4.2 The HTTP Response

5 HTTP Integration

5.1 Cache Interaction

5.2 HTTP/2

5.3 Server Push

5.4 Content Negotiation

6 Definition of the "application/dns-message" Media Type

8.2 In the Server

10 Operational Considerations
