DNS is the most extensively specified protocol in the IETF ecosystem. As of 2022, approximately 297 approved RFCs and over 2,300 Internet-Drafts relate to DNS. No other protocol — not HTTP, not TLS, not BGP — has as many RFCs.
This index covers the essential RFCs organized by category, with the ones you are most likely to need highlighted.

| RFC | Year | Title | Notes |
|---|---|---|---|
| RFC 882 | 1983 | Domain Names — Concepts and Facilities | Original DNS architecture by Paul Mockapetris. Obsoleted by RFC 1034 |
| RFC 883 | 1983 | Domain Names — Implementation and Specification | Original wire protocol. Obsoleted by RFC 1035 |
| RFC 1034 | 1987 | Domain Names — Concepts and Facilities | Current base spec (concepts). Describes the design, architecture, and delegation model. Still canonical after nearly 40 years |
| RFC 1035 | 1987 | Domain Names — Implementation and Specification | Current base spec (wire protocol). Defines the message format, record types (A, NS, CNAME, SOA, PTR, MX, TXT), and query/response mechanism |
| RFC 2181 | 1997 | Clarifications to the DNS Specification | Resolved 8 ambiguities in RFC 1034/1035 including RRset TTL consistency, zone cuts, and valid label characters |
| RFC 9499 | 2023 | DNS Terminology | Comprehensive glossary of DNS terms. The definitive reference for DNS vocabulary |

| RFC | Year | Title | Notes |
|---|---|---|---|
| RFC 1035 | 1987 | (see above) | Defines A, NS, CNAME, SOA, PTR, MX, TXT, HINFO |
| RFC 2782 | 2000 | A DNS RR for Specifying the Location of Services (SRV) | Service discovery via DNS. Updated SRV spec (obsoletes RFC 2052) |
| RFC 3596 | 2003 | DNS Extensions to Support IP Version 6 | Defines the AAAA record type for IPv6 addresses |
| RFC 6672 | 2012 | DNAME Redirection in the DNS | Delegates entire subtrees to another domain |
| RFC 8659 | 2019 | DNS Certification Authority Authorization (CAA) | Specifies which CAs may issue certificates for a domain |
| RFC 9460 | 2023 | Service Binding and Parameter Specification via DNS | Defines SVCB and HTTPS record types for modern service discovery |

| RFC | Year | Title | Notes |
|---|---|---|---|
| RFC 2065 | 1997 | Domain Name System Security Extensions | First DNSSEC attempt. Obsoleted |
| RFC 2535 | 1999 | Domain Name System Security Extensions (revised) | Second attempt. Also obsoleted |
| RFC 4033 | 2005 | DNS Security Introduction and Requirements | DNSSEC-bis: introduction and threat model |
| RFC 4034 | 2005 | Resource Records for DNS Security Extensions | DNSSEC-bis: defines DNSKEY, RRSIG, NSEC, DS records |
| RFC 4035 | 2005 | Protocol Modifications for DNS Security Extensions | DNSSEC-bis: resolver and server behavior. Defines AD and CD header bits |
| RFC 5155 | 2008 | DNS Security (DNSSEC) Hashed Authenticated Denial of Existence | NSEC3: prevents zone enumeration via hashed names |
| RFC 6698 | 2012 | The DNS-Based Authentication of Named Entities (DANE) TLSA | Binds TLS certificates to domain names via DNSSEC |
| RFC 7672 | 2015 | SMTP Security via Opportunistic DANE TLS | DANE for email transport security |

| RFC | Year | Title | Notes |
|---|---|---|---|
| RFC 2671 | 1999 | Extension Mechanisms for DNS (EDNS0) | Original EDNS spec by Paul Vixie. Obsoleted by RFC 6891 |
| RFC 6891 | 2013 | Extension Mechanisms for DNS (EDNS(0)) | Current EDNS spec. Introduces OPT pseudo-record, extends UDP payload beyond 512 bytes |
| RFC 7871 | 2016 | Client Subnet in DNS Queries | EDNS Client Subnet (ECS) for CDN geolocation |
| RFC 7873 | 2016 | Domain Name System (DNS) Cookies | Lightweight transaction authentication against spoofing |
| RFC 7830 | 2016 | The EDNS(0) Padding Option | Privacy-preserving message padding for encrypted DNS |
| RFC 8467 | 2018 | Padding Policies for EDNS(0) | Recommends block-length padding (128-byte blocks) |

| RFC | Year | Title | Notes |
|---|---|---|---|
| RFC 7858 | 2016 | Specification for DNS over Transport Layer Security (DoT) | Encrypted DNS on dedicated port 853/TCP. Easy to identify and block |
| RFC 8484 | 2018 | DNS Queries over HTTPS (DoH) | DNS over HTTPS on port 443. Indistinguishable from web traffic |
| RFC 9250 | 2022 | DNS over Dedicated QUIC Connections (DoQ) | QUIC-based encrypted DNS on port 853/UDP. Eliminates TCP head-of-line blocking |
| RFC 9230 | 2022 | Oblivious DNS over HTTPS (ODoH) | Adds proxy layer between client and resolver for privacy |

| RFC | Year | Title | Notes |
|---|---|---|---|
| RFC 1995 | 1996 | Incremental Zone Transfer in DNS (IXFR) | Efficient zone synchronization via deltas |
| RFC 1996 | 1996 | Prompt Notification of Zone Changes (NOTIFY) | Push-based zone change signaling |
| RFC 2136 | 1997 | Dynamic Updates in the DNS | Programmatic record modification (OPCODE 5) |
| RFC 5936 | 2010 | DNS Zone Transfer Protocol (AXFR) | Formalized full zone transfer specification |
| RFC 5966 | 2010 | DNS Transport over TCP — Implementation Requirements | Made TCP mandatory. Obsoleted by RFC 7766 |
| RFC 7766 | 2016 | DNS Transport over TCP — Implementation Requirements | Updated TCP requirements. Connection reuse via pipelining |
| RFC 8490 | 2018 | DNS Stateful Operations (DSO) | Persistent session management for DNS (OPCODE 6) |
| RFC 9103 | 2021 | DNS Zone Transfer over TLS | Encrypted AXFR/IXFR |

| RFC | Year | Title | Notes |
|---|---|---|---|
| RFC 2845 | 2000 | Secret Key Transaction Authentication for DNS (TSIG) | Original TSIG. Obsoleted by RFC 8945 |
| RFC 3645 | 2003 | GSS-TSIG | Kerberos-based TSIG authentication (used by Active Directory) |
| RFC 8945 | 2019 | Secret Key Transaction Authentication for DNS (TSIG) | Current TSIG spec. Shared-secret HMAC authentication |

| RFC | Year | Title | Notes |
|---|---|---|---|
| RFC 8020 | 2016 | NXDOMAIN: There Really Is Nothing Underneath | Aggressive NXDOMAIN caching. An NXDOMAIN means nothing exists below |
| RFC 8198 | 2017 | Aggressive Use of DNSSEC-Validated Cache | Aggressive NSEC/NSEC3 caching to synthesize negative answers |
| RFC 8767 | 2020 | Serving Stale Data to Improve DNS Resiliency | Serve-stale: return expired cache entries when authoritative servers are unreachable |
| RFC 9156 | 2021 | DNS Query Name Minimisation to Improve Privacy | QNAME minimization: send only minimum labels at each resolution step |

| RFC | Year | Title | Notes |
|---|---|---|---|
| RFC 7208 | 2014 | Sender Policy Framework (SPF) | Validates email sender IP against domain policy via TXT records |
| RFC 6376 | 2011 | DomainKeys Identified Mail (DKIM) Signatures | Cryptographic email signing with public key published in DNS |
| RFC 7489 | 2015 | Domain-based Message Authentication, Reporting, and Conformance (DMARC) | Policy framework combining SPF and DKIM |

| RFC | Year | Title | Notes |
|---|---|---|---|
| RFC 2782 | 2000 | SRV Records | (see Record types above) |
| RFC 6762 | 2013 | Multicast DNS (mDNS) | Zero-configuration name resolution on local networks (.local domain) |
| RFC 6763 | 2013 | DNS-Based Service Discovery (DNS-SD) | Service discovery using PTR, SRV, and TXT records |

DNS standards are developed within these IETF Working Groups:

| Working group | Focus | Status |
|---|---|---|
| DNSOP | DNS Operations — operational practices, protocol clarifications | Active. 70+ RFCs published |
| DPRIVE | DNS PRIVate Exchange — transport confidentiality (DoT, DoH, DoQ) | Active |
| ADD | Adaptive DNS Discovery — client-side resolver selection | Active |
| DNSSD | DNS-based Service Discovery — mDNS, Bonjour at scale | Active |
- Internet-Draft (I-D): Individual or WG-adopted draft, versioned, expires after 6 months
- Working Group Last Call: Rough consensus within the WG
- IETF Last Call: Broader community review
- IESG Review: Internet Engineering Steering Group approves publication
- RFC Publication: Permanent number assigned

Standards-track documents progress through: Proposed Standard then Internet Standard. The old “Draft Standard” level was eliminated by RFC 6410 in 2011.

The “-bis” pattern: when a DNS RFC needs substantial revision, the replacement is informally called a “-bis” document (e.g., “DNSSEC-bis” for RFC 4033-4035 replacing RFC 2535).