This document tracks DNS-related RFCs that are implemented (or partially implemented) in the TDNS codebase.
Status: ✅ Fully Supported
Implementation: Core DNS protocol implementation
Notes:
- Standard DNS message format, wire format, and record types
- Domain name encoding/decoding
- Standard query/response handling
Status: ✅ Fully Supported
Implementation: tdns/dnssec_validate.go, tdns/cache/rrset_validate.go
Notes:
- Used for DNSSEC validation period calculations
- Implements 32-bit serial arithmetic for SOA serial number comparisons
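The RFC 1982 comparison referred to above, written out as an added example (not TDNS's own code) so the wraparound and the undefined 2^31 case are visible; function names are this example's own:

```go
package main

import "fmt"

// SerialLT reports whether SOA serial a is "less than" b under RFC 1982
// serial number arithmetic with SERIAL_BITS = 32, i.e. b is the newer
// serial even when the 32-bit counter has wrapped around.
func SerialLT(a, b uint32) bool {
	return (a < b && b-a < 1<<31) || (a > b && a-b > 1<<31)
}

// SerialGT is the mirror image of SerialLT.
func SerialGT(a, b uint32) bool { return SerialLT(b, a) }

// SerialComparable reports whether RFC 1982 defines an ordering for the
// pair at all: two serials exactly 2^31 apart are neither less nor greater.
func SerialComparable(a, b uint32) bool {
	return a == b || SerialLT(a, b) || SerialGT(a, b)
}

// SerialAdd adds n to a serial. RFC 1982 only defines addition of values
// up to 2^31 - 1, so larger increments are rejected rather than applied.
func SerialAdd(s, n uint32) (uint32, bool) {
	if n > 1<<31-1 {
		return s, false
	}
	return s + n, true // uint32 wraparound is exactly the modular arithmetic wanted
}

func main() {
	// Constructed serials: the old serial sits at the top of the 32-bit range.
	fmt.Println(SerialLT(4294967295, 0), SerialGT(0, 4294967295)) // true true
	fmt.Println(SerialComparable(0, 1<<31))                        // false
}
```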
Status: ✅ Mostly Supported
Implementation: tdns/dnssec_validate.go, tdns/queryresponder.go
Notes:
- DNSSEC validation support
- RRSIG, DNSKEY, NSEC, NSEC3 handling
- DO (DNSSEC OK) bit support
- Negative response handling (partially complete per README)
Status: ✅ Fully Supported
Implementation: tdns/queryresponder.go, tdns/cache/rrset_validate.go, tdns/edns0/edns0.go, dog/cmd/dog.go
Notes:
- CO (Compact Ok) Bit: Full support for the CO bit (bit 14) in EDNS(0) OPT header TTL
  - Extracted in `ExtractFlagsAndEDNS0Options()` in `tdns/edns0/edns0.go`
  - Supported in `dog` tool via `+CO` or `+COMPACT` option
- Compact Denial Responses: Complete implementation of compact denial format
  - NXDOMAIN: NSEC with owner=qname, bitmap containing exactly RRSIG, NSEC, NXNAME; Rcode=NXDOMAIN
  - NODATA: NSEC with owner=qname, bitmap containing RRSIG, NSEC, and existing types (not qtype); Rcode=NOERROR
  - Implemented in `addCDEResponse()` function
  - Rcode handling based on CO bit: CO=1 uses compact denial Rcode semantics, CO=0 uses traditional DNSSEC
- Unsigned Referrals (Section 3.4): Full support for adding NSEC to referral responses
  - NSEC covering the delegation point (zone cut)
  - Type bitmap contains NS, NSEC, RRSIG (indicating delegation point exists)
  - NextDomain correctly computed as leftmost label + "\000" + rest
  - Implemented in `addReferralNSEC()` function
- NXNAME Query Rejection: Explicit queries for NXNAME type are rejected
  - Returns RcodeFormatError with EDE code 30 ("Invalid Query Type")
  - NXNAME is only valid in NSEC type bitmaps, not as a query type
- Validation Support: Compact denial validation in `ValidateNegativeResponse()`
  - Detects compact denial NXDOMAIN (bitmap = RRSIG, NSEC, NXNAME)
  - Detects compact denial NODATA (qtype not in bitmap)
  - Modifies Rcode from NOERROR to NXDOMAIN when appropriate
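The validator-side detection rules and the NXNAME query rejection, as an added example that is not TDNS code (the `NSEC` and `Verdict` types and the function names are this example's own, and the bitmap is modelled as type mnemonics rather than wire-format bits):

```go
package main

import (
	"fmt"
	"slices"
)

// NSEC is a constructed stand-in (not a TDNS type) for the NSEC record in a
// negative response: owner name plus the type bitmap as mnemonics.
type NSEC struct {
	Owner string
	Types []string
}
// Verdict: the kind of denial the NSEC proves and the Rcode a validator should hand up.
type Verdict struct {
	Kind  string // "NXDOMAIN", "NODATA" or "NOT-COMPACT"
	Rcode string
}

// ClassifyCompactDenial applies the detection rules above to the NSEC from the
// authority section. wireRcode is the Rcode as received; it can be NOERROR even
// for a nonexistent name, in which case the validator rewrites it to NXDOMAIN.
func ClassifyCompactDenial(n NSEC, qname, qtype, wireRcode string) Verdict {
	if n.Owner != qname {
		return Verdict{"NOT-COMPACT", wireRcode} // classic NSEC spanning a range
	}
	// NXDOMAIN: bitmap is exactly {RRSIG, NSEC, NXNAME}.
	if len(n.Types) == 3 && slices.Contains(n.Types, "RRSIG") &&
		slices.Contains(n.Types, "NSEC") && slices.Contains(n.Types, "NXNAME") {
		return Verdict{"NXDOMAIN", "NXDOMAIN"}
	}
	// NODATA: the name exists (no NXNAME) and qtype is absent from the bitmap.
	if !slices.Contains(n.Types, "NXNAME") && !slices.Contains(n.Types, qtype) {
		return Verdict{"NODATA", "NOERROR"}
	}
	return Verdict{"NOT-COMPACT", wireRcode}
}

// RejectNXNAMEQuery is the server-side rule: NXNAME is only meaningful inside
// an NSEC bitmap, so an explicit query for it gets FORMERR with EDE code 30.
func RejectNXNAMEQuery(qtype string) (rcode string, ede int, rejected bool) {
	if qtype == "NXNAME" {
		return "FORMERR", 30, true
	}
	return "", 0, false
}

func main() {
	n := NSEC{Owner: "nx.example.", Types: []string{"RRSIG", "NSEC", "NXNAME"}} // constructed
	fmt.Println(ClassifyCompactDenial(n, "nx.example.", "A", "NOERROR"))       // {NXDOMAIN NXDOMAIN}
}
```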
Status: ✅ Fully Supported
Implementation: tdns/edns0/edns0_ede.go
Notes:
- Full support for EDE codes in EDNS(0) options
- Standard EDE codes from RFC 8914
- Custom EDE codes (513+) for TDNS-specific errors:
  - SIG(0) key management errors
  - Zone state errors
  - Delegation sync errors
  - TSIG validation errors
- EDE codes are attached to responses when validation fails or errors occur
Status: ✅ Fully Supported
Implementation: tdns/edns0/edns0_er.go, reporter/main.go, tdns/do53.go
Notes:
- EDNS(0) ER Option (Option Code 18): Full support for adding and extracting the Error Reporting option
  - Implemented in `tdns/edns0/edns0_er.go`
  - Support in `dog` tool via `+ER=agent.domain` option
- Error Channel Queries: Full support for receiving and parsing error channel queries
  - QNAME format: `_er.<orig qtype>.<orig-qname>.<ede code>._er.<agent domain>`
  - Implemented in `ErrorChannelReporter()` function
  - tdns-reporter can act as a monitoring agent
- Integration:
  - ER option extraction in `ExtractEDNS0Options()`
  - Error channel query handling in `createAuthDnsHandler()` for reporter app type
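A parser for the error channel QNAME format above, as an added example that is not TDNS's `ErrorChannelReporter()`; the `ErrorReport` type and the assumption that the agent domain contains no `_er` label are this example's own:

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrorReport holds the fields recovered from one error channel query (a constructed type, not TDNS's own).
type ErrorReport struct {
	QType string // original query type mnemonic
	QName string // original qname, with trailing dot
	EDE   int    // extended DNS error code being reported
	Agent string // monitoring agent domain, with trailing dot
}

// ParseErrorChannelQName parses
//   _er.<orig qtype>.<orig-qname>.<ede code>._er.<agent domain>
// Assumption: the agent domain contains no "_er" label, so the last "_er"
// label is the one that terminates the embedded qname.
func ParseErrorChannelQName(qname string) (ErrorReport, error) {
	labels := strings.Split(strings.TrimSuffix(qname, "."), ".")
	if len(labels) < 6 || labels[0] != "_er" {
		return ErrorReport{}, errors.New("not an error channel query")
	}
	end := len(labels) - 1 // walk back to the closing "_er" label
	for end > 0 && labels[end] != "_er" {
		end--
	}
	// Need _er, qtype, at least one qname label, ede, _er, at least one agent label.
	if end < 4 || end == len(labels)-1 {
		return ErrorReport{}, errors.New("malformed error channel query")
	}
	ede, err := strconv.Atoi(labels[end-1])
	if err != nil {
		return ErrorReport{}, fmt.Errorf("bad EDE code %q: %w", labels[end-1], err)
	}
	return ErrorReport{
		QType: strings.ToUpper(labels[1]),
		QName: strings.Join(labels[2:end-1], ".") + ".",
		EDE:   ede,
		Agent: strings.Join(labels[end+1:], ".") + ".",
	}, nil
}

func main() {
	// Constructed query: a resolver reporting EDE 7 (Signature Expired) for an A lookup.
	r, err := ParseErrorChannelQName("_er.A.www.example.com.7._er.agent.example.")
	fmt.Printf("%+v %v\n", r, err)
}
```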
Status: ✅ Fully Supported
Implementation: tdns/core/rr_dsync.go
Notes:
- Complete implementation of the DSYNC record type
- Used for child-to-parent synchronization
- Supports delegation synchronization via DNS UPDATE
Status: ✅ Partially Supported
Implementation: tdns/scanner_csync.go
Notes:
- CSYNC record parsing and processing
- References RFC 7477 procedures in code comments
- Used for scanning child zones for delegation changes
Status: ✅ Supported
Implementation: Standard DNS record type support
Notes:
- CDS record type is recognized and can be queried/managed
- Used in multi-provider synchronization scenarios
Status: ✅ Supported
Implementation: Standard DNS record type support
Notes:
- CDNSKEY record type is recognized and can be queried/managed
- Used alongside CDS for delegation trust maintenance
Status: ✅ Supported
Implementation: tdns/ops_svcb.go, music/sidecar.go
Notes:
- SVCB record type support
- Used for DNS transport signaling
- Supports IPv4/IPv6 hints and port specification
Status: ✅ Supported
Implementation: Standard DNS record type support
Notes:
- HTTPS record type (SVCB alias) support
- Used for DNS-over-HTTPS service discovery
Status: ✅ Fully Supported
Implementation: tdns/v2/catalog.go, tdns/v2/apihandler_catalog.go, tdns/v2/cli/catalog_cmds.go, tdns/v2/refreshengine.go
Notes:
- Catalog Zone Format: Full support for RFC 9432 catalog zone structure
  - Version TXT record: `version.{catalog-zone}. IN TXT "2"` (required)
  - Member zone PTR records: `{hash}.zones.{catalog-zone}. IN PTR {member-zone}`
  - Group TXT records: `group.{hash}.zones.{catalog-zone}. IN TXT "group1" "group2"` (multiple groups per zone)
  - `invalid.` NS records for autozones (recommended by RFC)
- Catalog Zone Parsing: Complete implementation of catalog zone parsing
  - Extracts member zones and their associated groups
  - Categorizes groups into service groups, signing groups, and meta groups
  - Handles multiple groups per zone via TXT record RDATA
- Auto-Configuration: Full support for automatic zone configuration from catalog zones
  - Policy-based auto-configuration (`catalog.policy.zones.add: auto`)
  - Meta group configuration for upstream, store, and zone options
  - Automatic zone transfer initiation for newly configured zones
  - Manual configuration always takes precedence over catalog entries
- Primary and Secondary Catalog Zones: Catalog zones can be configured as either primary or secondary
  - Primary catalog zones persist across restarts
  - Secondary catalog zones are transferred via AXFR
- CLI Management: Complete CLI support for catalog zone operations
  - `catalog create` - Create a new catalog zone
  - `catalog zone add/delete/list` - Manage member zones in catalog
  - `catalog group add/delete/list` - Manage groups in catalog
  - `catalog zone group add/delete` - Associate groups with member zones
- API Endpoints: REST API support for catalog zone management
  - `/api/v1/catalog` endpoint for all catalog operations
  - JSON-based request/response format
- Configuration Validation: Comprehensive validation of catalog zone configuration
  - Hard fail if catalog zone is configured but `catalog:` section is missing
  - Validation of group references (missing groups, insufficient group configuration)
  - Error state tracking for catalog zones with configuration issues
- Integration: Catalog zone processing integrated into refresh engine
  - Automatic parsing after catalog zone transfers
  - Callback system for applications to react to catalog zone updates
  - Support for multiple catalog zones per server
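A minimal parser for the three RFC 9432 record forms listed above (version TXT, member PTR, group TXT), as an added example that is not TDNS's `catalog.go`; the `CatalogZone` type, the sample records and the one-RR-per-line presentation-format assumption are this example's own:

```go
package main

import (
	"fmt"
	"strings"
)
// CatalogZone is a constructed view (not TDNS's type): member zone -> groups.
type CatalogZone struct {
	Version string
	Members map[string][]string
}

// sampleCatalog is constructed input; the group TXT precedes its member's PTR on purpose.
var sampleCatalog = []string{
	`version.catalog.example. IN TXT "2"`,
	`group.5960775ba382e7a4.zones.catalog.example. IN TXT "signing-a" "provider-east"`,
	`5960775ba382e7a4.zones.catalog.example. IN PTR member1.example.`,
	`8fbd6ca6bc5f8d3a.zones.catalog.example. IN PTR member2.example.`,
}

// ParseCatalogZone reads one RR per line (presentation format, class IN, TXT
// strings without spaces) and joins groups to members by their shared hash label.
func ParseCatalogZone(catalog string, lines []string) (CatalogZone, error) {
	cz := CatalogZone{Members: map[string][]string{}}
	suffix := ".zones." + catalog
	memberByHash, groupsByHash := map[string]string{}, map[string][]string{}
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) < 4 || f[1] != "IN" { continue } // blank, comment or non-IN line
		owner, rtype, rdata := f[0], f[2], f[3:]
		switch {
		case rtype == "TXT" && owner == "version."+catalog:
			cz.Version = strings.Trim(rdata[0], `"`)
		case rtype == "PTR" && strings.HasSuffix(owner, suffix):
			memberByHash[strings.TrimSuffix(owner, suffix)] = rdata[0]
		case rtype == "TXT" && strings.HasPrefix(owner, "group.") && strings.HasSuffix(owner, suffix):
			hash := strings.TrimSuffix(strings.TrimPrefix(owner, "group."), suffix)
			for _, s := range rdata {
				groupsByHash[hash] = append(groupsByHash[hash], strings.Trim(s, `"`))
			}
		}
	}
	if cz.Version != "2" {
		return cz, fmt.Errorf("unsupported or missing catalog version %q", cz.Version)
	}
	for hash, member := range memberByHash { // second pass: order-independent join
		cz.Members[member] = groupsByHash[hash]
	}
	return cz, nil
}
```

Run it with `ParseCatalogZone("catalog.example.", sampleCatalog)`; a catalog whose version TXT is missing or not "2" is rejected before any member is reported.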
Status: ✅ Fully Supported
Implementation: tdns/dot.go
Notes:
- Full DoT server and client support
- TLS 1.3 minimum version
- ALPN protocol negotiation ("dot")
- Supported in tdns-server, tdns-imr, and dog
Status: ✅ Fully Supported
Implementation: tdns/doh.go
Notes:
- Full DoH server and client support
- GET and POST methods
- Base64 URL encoding for GET requests
- Supported in tdns-server, tdns-imr, and dog
Status: ✅ Fully Supported
Implementation: tdns/doq.go
Notes:
- Full DoQ server and client support
- QUIC stream handling
- TLS 1.3 with "doq" ALPN
- Supported in tdns-server, tdns-imr, and dog
Status: ✅ Fully Supported
Implementation: tdns/edns0/ package
Notes:
- Base EDNS(0) support
- DO (DNSSEC OK) bit
- Custom EDNS(0) options:
  - OTS (Option Code 65001) - Transport Signaling
  - KeyState (Option Code 65002) - SIG(0) key state communication
  - Report (Option Code 65003) - Error reporting
- ER (Option Code 18) - Error Reporting (RFC 9567)
Status: ✅ Implemented (Experimental)
Implementation: tdns/core/rr_hsync.go, tdns/core/rr_hsync2.go
Notes:
- Zone owner signaling for multi-provider setups
- Not yet standardized
- Used for expressing zone owner intent to DNS providers
Status: ✅ Partially Implemented (Experimental)
Implementation: tdns/core/rr_deleg.go
Notes:
- Authoritative part of DELEG record
- Discussed in dd@ietf.org working group
- Used for delegation management
Status: ✅ Implemented (Experimental)
Implementation: tdns/core/rr_tsync.go
Notes:
- Transport signaling without using SVCB
- Alternative to SVCB for transport discovery
Status: ✅ Implemented (Proprietary)
Implementation: tdns/edns0/edns0_keystate.go
Notes:
- Custom EDNS(0) option for SIG(0) key state communication
- Enables child-to-parent key validation status exchange
- Used in key bootstrapping process
- ✅ Fully Supported: Complete implementation of the RFC specification
- ✅ Mostly Supported: Major features implemented, some edge cases may be incomplete
- ✅ Partially Supported: Core functionality implemented, some features may be missing
- ✅ Supported: Basic support for the feature, may need additional work for full compliance
- IXFR Support: Currently only AXFR is supported
- TSIG Support: SIG(0) is supported, but TSIG is not yet implemented
- Full Negative Response Handling: Some edge cases in DNSSEC negative responses may need work
- ALPN Signaling Caching: Planned but not yet implemented in tdns-imr
Date: 2025-01-16
This document was last updated based on codebase analysis. RFC support status should be verified against the actual implementation when making changes.