Appendix A: RFC Reference

The essential RFCs for DNS practitioners, organized by topic with one-line descriptions. Not exhaustive — this is the set you'll actually reference.


Core DNS Protocol

RFC 1034: Domain Names — Concepts and Facilities (1987, Mockapetris)
The conceptual foundation: the distributed hierarchy, the zone model, the resolution algorithm. Read this if you want to understand why DNS works the way it does.

RFC 1035: Domain Names — Implementation and Specification (1987, Mockapetris)
The implementation companion to 1034. Message format, wire protocol, record type definitions (A, NS, CNAME, SOA, MX, TXT). This is the spec that implementations are tested against.

RFC 2181: Clarifications to the DNS Specification (1997)
Fifteen years of implementation experience exposed many ambiguities; this document resolves them. Covers TTL semantics, the "single CNAME at a node" rule, and what CNAME actually means in the resolution chain. Useful when you're debugging unexpected resolver behavior.

RFC 1123: Requirements for Internet Hosts — Application and Support (1989)
Defines the hostname syntax that DNS uses: letters, digits, and hyphens, with no leading or trailing hyphen. The source of the LDH (letter-digit-hyphen) rule that appears in validation logic everywhere.

RFC 4592: The Role of Wildcards in the Domain Name System (2006)
Wildcard records (*.example.com) behave differently from what most people expect. This RFC clarifies exactly when wildcard expansion applies and when it doesn't.


Security Extensions (DNSSEC)

RFC 4033: DNS Security Introduction and Requirements (2005)
The why and what of DNSSEC: the threat model, the chain of trust from root to zone, what DNSSEC protects against and what it doesn't.

RFC 4034: Resource Records for the DNS Security Extensions (2005)
The record types: DNSKEY (public key), RRSIG (signature over a record set), NSEC (authenticated denial of existence), DS (delegation signer — links parent and child zone keys).

RFC 4035: Protocol Modifications for the DNS Security Extensions (2005)
How DNSSEC changes the query and response protocol: the DO bit, DNSSEC-aware resolvers, signature validation, the NSEC chain.

RFC 5155: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence (2008)
NSEC3, which replaces NSEC for zones that need to resist zone enumeration (a plain NSEC chain can be walked to list every name in the zone). NSEC3 hashes zone labels, making it harder, though not impossible, to walk the entire zone by following the denial-of-existence chain.

RFC 6781: DNSSEC Operational Practices, Version 2 (2012)
The practical guide to running DNSSEC: key generation, signing, rollovers, emergency procedures. If you're operating a signed zone, this is the operations manual.


Protocol Extensions

RFC 6891: Extension Mechanisms for DNS (EDNS(0)) (2013)
EDNS0 extends the DNS message format to support larger UDP payloads (required for DNSSEC), additional options, and the DO (DNSSEC OK) bit. Without EDNS0, DNSSEC responses wouldn't fit in a standard DNS UDP message.

RFC 7766: DNS Transport over TCP — Implementation Requirements (2016)
Clarifies when DNS must use TCP rather than UDP. Required reading if you're operating resolvers or firewalls: DNS over TCP is not an edge case; it is required for large responses, so blocking TCP/53 breaks resolution.


Encrypted DNS

RFC 7858: Specification for DNS over Transport Layer Security (DoT) (2016)
DNS queries over TLS on port 853. Provides privacy against passive surveillance of DNS queries. The standard for stub-to-resolver encrypted DNS.

RFC 8484: DNS Queries over HTTPS (DoH) (2018)
DNS queries inside HTTPS on port 443. Useful in networks where port 853 is blocked. More difficult for network operators to distinguish from regular HTTPS traffic.

RFC 9250: DNS over Dedicated QUIC Connections (DoQ) (2022)
DNS over QUIC transport. Faster connection establishment than DoT and no head-of-line blocking. The likely successor to DoT for high-performance stub-to-resolver communication.


Specific Record Types

RFC 2782: A DNS RR for Specifying the Location of Services (SRV) (2000)
SRV records: hostname, port, priority, and weight in a single record. Used for service discovery in SIP, XMPP, and Kubernetes internal DNS.

RFC 6698: The DNS-Based Authentication of Named Entities (DANE) (2012)
TLSA records: publish TLS certificate information in DNS, allowing clients to verify a server's certificate against the DNS record rather than relying solely on CAs. Requires DNSSEC; without a validated chain the TLSA record provides no assurance.

RFC 7505: A "Null MX" Resource Record for Domains That Accept No Mail (2015)
A domain whose only MX record is "0 ." explicitly declares that it accepts no email. Helps mail servers fail fast rather than trying every delivery option for a domain that will never accept mail.

RFC 8659: DNS Certification Authority Authorization (CAA) Resource Record (2019)
CAA records restrict which certificate authorities may issue TLS certificates for a domain. A CA that checks CAA before issuance will refuse to issue if the record doesn't permit it.

RFC 9460: Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records) (2023)
SVCB and HTTPS record types for advertising service parameters in DNS: supported application protocols (h2, h3), IP address hints, alternative ports. Enables clients to optimize connection setup.


Security and Threats

RFC 3833: Threat Analysis of the Domain Name System (DNS) (2004)
A structured threat analysis of DNS: eavesdropping, forgery, denial of service, dynamic update exploits. The document that motivated much of the DNSSEC work. Still the reference for understanding what DNS is and isn't designed to protect against.

RFC 5936: DNS Zone Transfer Protocol (AXFR) (2010)
Full zone transfer: the mechanism by which secondary nameservers pull an entire zone from a primary. Defines the AXFR query type and the correct response format. It belongs in this section because an AXFR answered to any requester discloses the whole zone; restrict it to your secondaries.

RFC 5452: Measures for Making DNS More Resilient Against Forged Answers (2009)
Source port randomization and query ID randomization to reduce the risk of DNS cache poisoning. The measures that made the Kaminsky attack significantly harder to exploit.


Email Authentication

RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email (2014)
SPF: the TXT record mechanism for declaring which mail servers are authorized to send email for a domain.

RFC 6376: DomainKeys Identified Mail (DKIM) Signatures (2011)
DKIM: cryptographic signatures over email headers and body, with public keys published in DNS. Allows receiving mail servers to verify that a message was signed by the domain named in the signature and has not been altered in transit.

RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC) (2015)
DMARC: policies published in DNS that specify what to do with email that fails SPF/DKIM alignment, and where to send aggregate and failure reports.


Registration and Operations

RFC 5730: Extensible Provisioning Protocol (EPP) (2009)
The protocol used between registrars and registries for domain registration operations. EPP status codes (clientTransferProhibited, serverHold, etc.) come from this spec.

RFC 7482: Registration Data Access Protocol (RDAP) Query Format (2015)
RDAP: the structured replacement for WHOIS. Returns JSON rather than free-form text. Supports authentication for privacy-protected access.

RFC 8305: Happy Eyeballs Version 2: Better Connectivity Using Concurrency (2017)
How clients should handle dual-stack (IPv4+IPv6) connections — race both, use whichever responds first. DNS returns both AAAA and A records; this spec governs how clients use them to minimize connection latency.