paulehoffman/DNSSEC-RFCs.md

## DNSSEC-RFCs.md

      
    Raw
  

              DNSSEC-RFCs.md
            
          
    DNSSEC RFCs

This is derived from a list of every RFC from rfc-editor.org which has DNSSEC in the abstract or title.
It has all the RFCs already in [https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bcp/] removed, and
has comments on removal from Paul Wouters and Paul Hoffman.


Number
Title
Included?
Reasons
More Info
Status


RFC 9157
Revised IANA Considerations for DNSSEC
Yes
IANA section
Updates RFC 5155, RFC 6014, RFC 8624
Proposed Standard


RFC 9102
TLS DNSSEC Chain Extension
No
Not Relevant
Errata
Experimental


RFC 8976
Message Digest for DNS Zones
No
Not Relevant
Errata
Proposed Standard


RFC 8901
Multi-Signer DNSSEC Models
Yes


Informational


RFC 8749
Moving DNSSEC Lookaside Validation (DLV) to Historic Status
No

Updates RFC 6698, RFC 6840
Proposed Standard


RFC 8683
Additional Deployment Guidelines for NAT64/464XLAT in Operator and Enterprise Networks
No
Not Relevant

Informational


RFC 8509
A Root Key Trust Anchor Sentinel for DNSSEC
No
Trust Anchor

Proposed Standard


RFC 8483
Yeti DNS Testbed
No
Not Relevant

Informational


RFC 8145
Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)
No
Trust Anchor
Updated by RFC 8553
Proposed Standard


RFC 8080
Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC
Yes

Errata
Proposed Standard


RFC 8027 a.k.a. BCP 207
DNSSEC Roadblock Avoidance
Yes

Errata
Best Current Practice


RFC 7958
DNSSEC Trust Anchor Publication for the Root Zone
No

Errata
Informational


RFC 7901
CHAIN Query Requests in DNS
No
EDNS Option

Experimental


RFC 7828
The edns-tcp-keepalive EDNS0 Option
No
EDNS Option

Proposed Standard


RFC 7646
Definition and Use of DNSSEC Negative Trust Anchors
No
Trust Anchor

Informational


RFC 7583
DNSSEC Key Rollover Timing Considerations
Yes


Informational


RFC 7250
Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
No
Not Relevant
Errata
Proposed Standard


RFC 7218
Adding Acronyms to Simplify Conversations about DNS-Based Authentication of Named Entities (DANE)
No
Not Relevant
Updates RFC 6698
Proposed Standard


RFC 7129
Authenticated Denial of Existence in the DNS
Yes


Informational


RFC 6975
Signaling Cryptographic Algorithm Understanding in DNS Security Extensions (DNSSEC)


Proposed Standard


RFC 6944
Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status
No
Obsoleted
Errata,Obsoleted by RFC 8624,
Updates RFC 2536, RFC 2539, RFC 3110, RFC 4034, RFC 4398, RFC 5155, RFC 5702, RFC 5933
Proposed Standard


RFC 6844
DNS Certification Authority Authorization (CAA) Resource Record
No
Obsoleted
Errata,
Obsoleted by RFC 8659
Proposed Standard


RFC 6841
A Framework for DNSSEC Policies and DNSSEC Practice Statements
No
Not Relevant

Informational


RFC 6725
DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates


Proposed Standard


RFC 6698
The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA


Errata,
Updated by RFC 7218, RFC 7671, RFC 8749
Proposed Standard


RFC 6605
Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC
Yes


Proposed Standard


RFC 6604
xNAME RCODE and Status Bits Clarification
No
Not Relevant
Updates RFC 1035, RFC 2308, RFC 2672
Proposed Standard


RFC 6014
Cryptographic Algorithm Identifier Allocation for DNSSEC
Yes
IANA section
Updates RFC 4033, RFC 4034, RFC 4035,
Updated by RFC 9157
Proposed Standard


RFC 5933
Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC
No (not relevant to readers of draft-ietf-dnsop-dnssec-bcp)

Updated by RFC 6944
Proposed Standard


RFC 5910
Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
No
Not Relevant
Errata,
Obsoletes RFC 4310
Proposed Standard


RFC 5074
DNSSEC Lookaside Validation (DLV)
No
Historic

Historic (changed from Informational September 2019)


RFC 4986
Requirements Related to DNS Security (DNSSEC) Trust Anchor Rollover
No
Trust Anchor not relevant

Informational


RFC 4956
DNS Security (DNSSEC) Opt-In
No
Not Relevant
Errata
Experimental


RFC 4955
DNS Security (DNSSEC) Experiments
No
Not Relevant

Proposed Standard


RFC 4641
DNSSEC Operational Practices
No
Obsoleted
Errata,
Obsoletes RFC 2541,
Obsoleted by RFC 6781
Informational


RFC 4471
Derivation of DNS Name Predecessor and Successor
No
Not Relevant

Experimental


RFC 4470
Minimally Covering NSEC Records and DNSSEC On-line Signing
Yes

Errata,
Updates RFC 4035, RFC 4034
Proposed Standard


RFC 4431
The DNSSEC Lookaside Validation (DLV) DNS Resource Record
No
Historic

Historic (changed from Informational November 2019)


RFC 4310
Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
No
Obsoleted
Obsoleted by RFC 5910
Proposed Standard


RFC 4255
Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
No
Not Relevant
Errata
Proposed Standard


RFC 3845
DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format
No
Obsoleted
Obsoleted by RFC 4033, RFC 4034, RFC 4035,
Updates RFC 3755, RFC 2535
Proposed Standard


RFC 3757
Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag
No
Obsoleted
Errata,
Obsoleted by RFC 4033, RFC 4034, RFC 4035,
Updates RFC 3755, RFC 2535
Proposed Standard


RFC 3755
Legacy Resolver Compatibility for Delegation Signer (DS)
No
Obsoleted
Obsoleted by RFC 4033, RFC 4034, RFC 4035,
Updates RFC 3658, RFC 2535,
Updated by RFC 3757, RFC 3845
Proposed Standard


RFC 3226
DNSSEC and IPv6 A6 aware server/resolver message size requirements
No
Not Relevant
Errata,
Updates RFC 2535, RFC 2874,
Updated by RFC 4033, RFC 4034, RFC 4035
Proposed Standard


RFC 3225
Indicating Resolver Support of DNSSEC


Updated by RFC 4033, RFC 4034, RFC 4035
Proposed Standard


RFC 3130
Notes from the State-Of-The-Technology: DNSSEC
No
Not Relevant

Informational


RFC 3008
Domain Name System Security (DNSSEC) Signing Authority
No
Obsoleted
Obsoleted by RFC 4035, RFC 4033, RFC 4034,
Updates RFC 2535,
Updated by RFC 3658
Proposed Standard


RFC 3007
Secure Domain Name System (DNS) Dynamic Update
No
Not Relevant
Obsoletes RFC 2137,
 Updates RFC 2535, RFC 2136
Proposed Standard
Number	Title	Included?	Reasons	More Info	Status
RFC 9157	Revised IANA Considerations for DNSSEC	Yes	IANA section	Updates RFC 5155, RFC 6014, RFC 8624	Proposed Standard
RFC 9102	TLS DNSSEC Chain Extension	No	Not Relevant	Errata	Experimental
RFC 8976	Message Digest for DNS Zones	No	Not Relevant	Errata	Proposed Standard
RFC 8901	Multi-Signer DNSSEC Models	Yes			Informational
RFC 8749	Moving DNSSEC Lookaside Validation (DLV) to Historic Status	No		Updates RFC 6698, RFC 6840	Proposed Standard
RFC 8683	Additional Deployment Guidelines for NAT64/464XLAT in Operator and Enterprise Networks	No	Not Relevant		Informational
RFC 8509	A Root Key Trust Anchor Sentinel for DNSSEC	No	Trust Anchor		Proposed Standard
RFC 8483	Yeti DNS Testbed	No	Not Relevant		Informational
RFC 8145	Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)	No	Trust Anchor	Updated by RFC 8553	Proposed Standard
RFC 8080	Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC	Yes		Errata	Proposed Standard
RFC 8027 a.k.a. BCP 207	DNSSEC Roadblock Avoidance	Yes		Errata	Best Current Practice
RFC 7958	DNSSEC Trust Anchor Publication for the Root Zone	No		Errata	Informational
RFC 7901	CHAIN Query Requests in DNS	No	EDNS Option		Experimental
RFC 7828	The edns-tcp-keepalive EDNS0 Option	No	EDNS Option		Proposed Standard
RFC 7646	Definition and Use of DNSSEC Negative Trust Anchors	No	Trust Anchor		Informational
RFC 7583	DNSSEC Key Rollover Timing Considerations	Yes			Informational
RFC 7250	Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)	No	Not Relevant	Errata	Proposed Standard
RFC 7218	Adding Acronyms to Simplify Conversations about DNS-Based Authentication of Named Entities (DANE)	No	Not Relevant	Updates RFC 6698	Proposed Standard
RFC 7129	Authenticated Denial of Existence in the DNS	Yes			Informational
RFC 6975	Signaling Cryptographic Algorithm Understanding in DNS Security Extensions (DNSSEC)				Proposed Standard
RFC 6944	Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status	No	Obsoleted	Errata,Obsoleted by RFC 8624, Updates RFC 2536, RFC 2539, RFC 3110, RFC 4034, RFC 4398, RFC 5155, RFC 5702, RFC 5933	Proposed Standard
RFC 6844	DNS Certification Authority Authorization (CAA) Resource Record	No	Obsoleted	Errata, Obsoleted by RFC 8659	Proposed Standard
RFC 6841	A Framework for DNSSEC Policies and DNSSEC Practice Statements	No	Not Relevant		Informational
RFC 6725	DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates				Proposed Standard
RFC 6698	The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA			Errata, Updated by RFC 7218, RFC 7671, RFC 8749	Proposed Standard
RFC 6605	Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC	Yes			Proposed Standard
RFC 6604	xNAME RCODE and Status Bits Clarification	No	Not Relevant	Updates RFC 1035, RFC 2308, RFC 2672	Proposed Standard
RFC 6014	Cryptographic Algorithm Identifier Allocation for DNSSEC	Yes	IANA section	Updates RFC 4033, RFC 4034, RFC 4035, Updated by RFC 9157	Proposed Standard
RFC 5933	Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC	No (not relevant to readers of draft-ietf-dnsop-dnssec-bcp)		Updated by RFC 6944	Proposed Standard
RFC 5910	Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)	No	Not Relevant	Errata, Obsoletes RFC 4310	Proposed Standard
RFC 5074	DNSSEC Lookaside Validation (DLV)	No	Historic		Historic (changed from Informational September 2019)
RFC 4986	Requirements Related to DNS Security (DNSSEC) Trust Anchor Rollover	No	Trust Anchor not relevant		Informational
RFC 4956	DNS Security (DNSSEC) Opt-In	No	Not Relevant	Errata	Experimental
RFC 4955	DNS Security (DNSSEC) Experiments	No	Not Relevant		Proposed Standard
RFC 4641	DNSSEC Operational Practices	No	Obsoleted	Errata, Obsoletes RFC 2541, Obsoleted by RFC 6781	Informational
RFC 4471	Derivation of DNS Name Predecessor and Successor	No	Not Relevant		Experimental
RFC 4470	Minimally Covering NSEC Records and DNSSEC On-line Signing	Yes		Errata, Updates RFC 4035, RFC 4034	Proposed Standard
RFC 4431	The DNSSEC Lookaside Validation (DLV) DNS Resource Record	No	Historic		Historic (changed from Informational November 2019)
RFC 4310	Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)	No	Obsoleted	Obsoleted by RFC 5910	Proposed Standard
RFC 4255	Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints	No	Not Relevant	Errata	Proposed Standard
RFC 3845	DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format	No	Obsoleted	Obsoleted by RFC 4033, RFC 4034, RFC 4035, Updates RFC 3755, RFC 2535	Proposed Standard
RFC 3757	Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag	No	Obsoleted	Errata, Obsoleted by RFC 4033, RFC 4034, RFC 4035, Updates RFC 3755, RFC 2535	Proposed Standard
RFC 3755	Legacy Resolver Compatibility for Delegation Signer (DS)	No	Obsoleted	Obsoleted by RFC 4033, RFC 4034, RFC 4035, Updates RFC 3658, RFC 2535, Updated by RFC 3757, RFC 3845	Proposed Standard
RFC 3226	DNSSEC and IPv6 A6 aware server/resolver message size requirements	No	Not Relevant	Errata, Updates RFC 2535, RFC 2874, Updated by RFC 4033, RFC 4034, RFC 4035	Proposed Standard
RFC 3225	Indicating Resolver Support of DNSSEC			Updated by RFC 4033, RFC 4034, RFC 4035	Proposed Standard
RFC 3130	Notes from the State-Of-The-Technology: DNSSEC	No	Not Relevant		Informational
RFC 3008	Domain Name System Security (DNSSEC) Signing Authority	No	Obsoleted	Obsoleted by RFC 4035, RFC 4033, RFC 4034, Updates RFC 2535, Updated by RFC 3658	Proposed Standard
RFC 3007	Secure Domain Name System (DNS) Dynamic Update	No	Not Relevant	Obsoletes RFC 2137, Updates RFC 2535, RFC 2136	Proposed Standard