diff --git a/doc/user/index.rst b/doc/user/index.rst
index a2f8d3b144131ed8e741e2d68e76859fef989ecb..ce9b1ed3a2d97d6c61a7574bcafec2516bddd4cb 100644
--- a/doc/user/index.rst
+++ b/doc/user/index.rst
@@ -59,6 +59,8 @@ If you are a completely new user or new to version 6, please start with chapters
    upgrading
    upgrading-to-6
    NEWS
+   rfc-list
+.. maybe find a better location for rfc-list
 
 .. toctree::
    :caption: For developers
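Review bot: The added comment ".. maybe find a better location for rfc-list" sits directly under the new "rfc-list" toctree entry with no blank line between them, and it leaves an open placement question in the user-facing index. Add a blank line after the entry so the directive body is clearly terminated before the comment starts. Better still, settle the location in review and drop the comment. The new page itself says "Normal users shouldn't need to look here", which argues for a less prominent spot than next to upgrading and NEWS.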
diff --git a/doc/user/rfc-list.rst b/doc/user/rfc-list.rst
new file mode 100644
index 0000000000000000000000000000000000000000..a4cbd711a871309338fb429f34d1ffd01d5c272d
--- /dev/null
+++ b/doc/user/rfc-list.rst
@@ -0,0 +1,362 @@
+.. SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _rfc-list:
+
+List of RFCs
+============
+
+Here we provide a list of implemented RFCs, though it may not be 100% complete.
+Normal users shouldn't need to look here; they might search the docs instead.
+
+Knot Resolver aims to faithfully follow RFC standards to ensure correct behavior,
+security, and interoperability.
+Note that in some cases only part of the RFC is covered,
+as some parts are optional to a degree or even not relevant to DNS resolvers.
+
+
+:rfc:`1034`
+    Domain Names – Concepts and Facilities
+:rfc:`1035`
+    Domain Names – Implementation and Specifciation
+:rfc:`1101`
+    DNS Encoding of Network Names and Other Types
+:rfc:`1123`
+    Requirements for Internet Hosts -- Application and Support
+..
+ I haven't heard of anyone using these RR types in the past decade.
+ :rfc:`1183`
+    New DNS RR Definitions
+..
+ Uh, why?  TCP implementation details are for OS to deal with, not us.
+ :rfc:`13371
+    TIME-WAIT Assassination Hazards in TCP
+
+.. Uh well, our DoH server does use MIME, I guess...
+:rfc:`1521`
+    MIME (Multipurpose Internet Mail Extensions) Part One: Mechanisms for Specifying and Describing the Format of Internet Message Bodies
+..
+ I haven't heard of anyone using these RR types in the past decade.
+ :rfc:`1706`
+    DNS NSAP Resource Records
+ :rfc:`1712`
+    DNS Encoding of Geographical Location
+:rfc:`1876`
+    A Means for Expressing Location Information in the Domain Name System
+..
+ I don't think we're really utilizing it in resolver right now.  In Knot DNS for sure, but...
+ :rfc:`1982`
+    Serial Number Arithmetic
+..
+ No *XFR yet in resolver.
+ :rfc:`1995`
+    Incremental Zone Transfer in DNS
+ :rfc:`1996`
+    A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
+..
+ Large RFC about an obsolete mechanism.
+ KNOT_RRTYPE_PX exists, but just for name compression to work,
+ so I don't think we can claim this RFC as supported really.
+ :rfc:`2163`
+    Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping (MCGAM)
+
+:rfc:`2181`
+    Clarifications to the DNS Specification
+..
+ I fail to see how one could call this RFC supported by any kind of resolver.
+ :rfc:`2182`
+    Selection and Operation of Secondary DNS Servers
+:rfc:`2230`
+    Key Exchange Delegation Record for the DNS
+..
+ I fail to see how representation of names in LDAP is related.
+ :rfc:`2253`
+    Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
+:rfc:`2308`
+    Negative Caching of DNS Queries (DNS NCACHE)
+:rfc:`2535`
+    Domain Name System Security Extensions
+
+    *This variant of DNSSEC has been obsolete for many years, but we stil support those RRs (in zonefile and wire).*
+..
+ DSA crypto has been obsoleted.
+ :rfc:`2536`
+    DSA KEYs and SIGs in the Domain Name System (DNS)
+..
+ MD5-based crypto has been obsoleted.
+ :rfc:`2537`
+    RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)
+:rfc:`2538`
+    Storing Certificates in the Domain Name System (DNS)
+
+    *The RFC is obsolete, but we still support those RRs (in zonefile and wire).*
+..
+ DH in DNSSEC has been long obsolete.
+ :rfc:`2539`
+    Storage of Diffie-Hellman Keys in the Domain Name System (DNS)
+:rfc:`2606`
+    Reserved Top Level DNS Names
+:rfc:`2671`
+    Extension Mechanisms for DNS (EDNS0)
+
+    *Well, the EDNS0 definition has been rewritten as* :rfc:`6891` *which we really support.*
+:rfc:`2672`
+    Non-Terminal DNS Name Redirection
+
+    *Well, the DNAME definition has been rewritten as* :rfc:`6672` *which we really support.*
+..
+ This has been obsoleted over a decade ago, and I'm not sure if it works for us.
+ :rfc:`2673`
+    Binary Labels in the Domain Name System
+:rfc:`2782`
+    A DNS RR for specifying the location of services (DNS SRV)
+..
+ A6 is obsolete/historic, and we don't even support the type anymore (in zonefile and wire).
+ :rfc:`2874`
+    DNS Extensions to Support IPv6 Address Aggregation and Renumbering
+:rfc:`2915`
+    The Naming Authority Pointer (NAPTR) DNS Resource Record
+..
+ I don't think we can call this supported.  Name (de)compression for TKEY yes, but not even zonefile.
+ :rfc:`2930`
+    Secret Key Establishment for DNS (TKEY RR)
+..
+ This is for KEY and SIG records; see the same as :rfc:`2535` above.
+ :rfc:`3110`
+    RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)
+:rfc:`3123`
+    A DNS RR Type for Lists of Address Prefixes (APL RR)
+
+    *This is probably unused in practice, but we still support the APL RR (in zonefile and wire).*
+:rfc:`3225`
+    Indicating Resolver Support of DNSSEC
+
+    *This is the* **DO** *bit in DNS messages.*
+
+.. This is most likely still part of normal DH handshake in TLS, though I expect that newer exchange is negotiated typically nowadays.
+:rfc:`3526`
+    More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
+:rfc:`3597`
+    Handling of Unknown DNS Resource Record (RR) Types
+..
+ TODO I'm not sure.  Maybe gnutls does implement this certificate stuff and then we could profess compliance.
+ :rfc:`3779`
+    X.509 Extensions for IP Addresses and AS Identifiers
+
+.. We can listen on scoped IPv6 addresses.
+:rfc:`4007`
+    IPv6 Scoped Address Architecture
+:rfc:`4025`
+    A Method for Storing IPsec Keying Material in DNS
+:rfc:`4033`
+    DNS Security Introduction and Requirements
+:rfc:`4034`
+    Resource Records for the DNS Security Extensions
+:rfc:`4035`
+    Protocol Modifications for the DNS Security Extensions
+:rfc:`4255`
+    Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
+:rfc:`4343`
+    Domain Name System (DNS) Case Insensitivity Clarification
+:rfc:`4398`
+    Storing Certificates in the Domain Name System (DNS)
+..
+ DLV is long obsolete/historic, and we don't even support the type anymore (in zonefile and wire).
+ :rfc:`4431`
+    The DNSSEC Lookaside Validation (DLV) DNS Resource Record
+:rfc:`4509`
+    Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
+:rfc:`4592`
+    The Role of Wildcards in the Domain Name System
+..
+ Uh, no idea how this is related to DNS.
+ :rfc:`4597`
+    Conferencing Scenarios
+:rfc:`4697`
+    Observed DNS Resolution Misbehavior
+:rfc:`4701`
+    A DNS Resource Record (RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR)
+:rfc:`5001`
+    DNS Name Server Identifier (NSID) Option
+    
+    *See* :ref:`config-nsid`
+:rfc:`5011`
+    Automated Updates of DNS Security (DNSSEC) Trust Anchors
+
+    *See inside* :ref:`config-dnssec`
+
+.. Same as 3526.
+:rfc:`5114`
+    Additional Diffie-Hellman Groups for Use with IETF Standards
+:rfc:`5155`
+    DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
+..
+ HIP is long obsolete/historic, and we don't even support the type anymore (in zonefile and wire).
+ :rfc:`5205`
+    Host Identity Protocol (HIP) Domain Name System (DNS) Extension
+:rfc:`5358`
+    Preventing Use of Recursive Nameservers in Reflector Attacks
+:rfc:`5452`
+    Measures for Making DNS More Resilient against Forged Answers
+:rfc:`5702`
+    Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
+..
+ This crypto-protocol is obsolete, and I believe we've never supported it.
+ :rfc:`5933`
+    Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC
+..
+ I don't know.  NAT64 doesn't seem related except for DNS64 which follows directly.
+ :rfc:`6146`
+    Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers
+:rfc:`6147`
+    DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers
+
+    *See* :ref:`config-dns64`
+:rfc:`6234`
+    US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)
+:rfc:`6303`
+    Locally Served DNS Zones
+:rfc:`6598`
+    IANA-Reserved IPv4 Prefix for Shared Address Space
+:rfc:`6604`
+    xNAME RCODE and Status Bits Clarification
+:rfc:`6605`
+    Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC
+:rfc:`6672`
+    DNAME Redirection in the DNS
+:rfc:`6698`
+    The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
+
+    *We support the record, but not authenticating by it.*
+:rfc:`6725`
+    DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates
+:rfc:`6742`
+    DNS Resource Records for the Identifier-Locator Network Protocol (ILNP)
+:rfc:`6761`
+    Special-Use Domain Names
+:rfc:`6840`
+    Clarifications and Implementation Notes for DNS Security (DNSSEC)
+:rfc:`6844`
+    DNS Certification Authority Authorization (CAA) Resource Record
+:rfc:`6891`
+    Extension Mechanisms for DNS (EDNS(0))
+..
+ We've never implemented this one and it's never gotten popularity.
+ :rfc:`6975`
+    Signaling Cryptographic Algorithm Understanding in DNS Security Extensions (DNSSEC)
+:rfc:`7043`
+    Resource Records for EUI-48 and EUI-64 Addresses in the DNS
+:rfc:`7344`
+    Automating DNSSEC Delegation Trust Maintenance
+:rfc:`7413`
+    TCP Fast Open
+
+    *We only support it on the server side.*
+:rfc:`7477`
+    Child-to-Parent Synchronization in DNS
+:rfc:`7553`
+    The Uniform Resource Identifier (URI) DNS Resource Record
+:rfc:`7646`
+    Definition and Use of DNSSEC Negative Trust Anchors
+
+    *See inside* :ref:`config-dnssec`
+:rfc:`7686`
+    The ".onion" Special-Use Domain Name
+:rfc:`7706`
+    Decreasing Access Time to Root Servers by Running One on Loopback
+
+    *Obsoleted by* :rfc:`8806`; *see also* :ref:`config-cache-prefill`
+:rfc:`7766`
+    DNS Transport over TCP - Implementation Requirements
+:rfc:`7830`
+    The EDNS(0) Padding Option
+
+    *See inside* :ref:`config-network-server-tls`
+:rfc:`7858`
+    Specification for DNS over Transport Layer Security (TLS)
+
+    *See* :ref:`dns-over-tls` *and* :ref:`config-forward`.
+..
+ We currently don't plan ECS.
+ :rfc:`7871`
+    Client Subnet in DNS Queries
+..
+ Cookies are a missing feature so far, though some older code exists.
+ :rfc:`7873`
+    Domain Name System (DNS) Cookies
+:rfc:`7929`
+    DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
+:rfc:`7958`
+    DNSSEC Trust Anchor Publication for the Root Zone
+
+    *Though typical Knot Resolver packaging uses a different approach.*
+..
+ I don't think we can claim this as fully supported,
+ as our cache so far does not work that way
+ (except for aggressive DNSSEC caching, but that's different really).
+ :rfc:`8020`
+    NXDOMAIN: There Really Is Nothing Underneath
+:rfc:`8080`
+    Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC
+:rfc:`8145`
+    Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)
+
+    *See* :ref:`config-ta-signal-query`
+:rfc:`8162`
+    Using Secure DNS to Associate Certificates with Domain Names for S/MIME
+:rfc:`8198`
+    Aggressive Use of DNSSEC-Validated Cache
+
+    *See* :ref:`config-cache`
+:rfc:`8310`
+    Usage Profiles for DNS over TLS and DNS over DTLS
+:rfc:`8375`
+    Special-Use Domain 'home.arpa.'
+:rfc:`8467`
+    Padding Policies for Extension Mechanisms for DNS (EDNS(0))
+
+    *See inside* :ref:`config-network-server-tls`
+:rfc:`8482`
+    Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY
+
+    *This RFC was focused on authoritative servers.
+    As a resolver, we shouldn't just make up data on arbitrary names,
+    so we really use a different minimization method currently: reply with RCODE=NOTIMPL.*
+:rfc:`8484`
+    DNS Queries over HTTPS (DoH)
+
+    *See* :ref:`dns-over-https`
+:rfc:`8509`
+    A Root Key Trust Anchor Sentinel for DNSSEC
+
+    *See* :ref:`config-ta_sentinel`
+:rfc:`8624`
+    Algorithm Implementation Requirements and Usage Guidance for DNSSEC
+:rfc:`8767`
+    Serving Stale Data to Improve DNS Resiliency
+
+    *See* :ref:`config-serve-stale`
+:rfc:`8806`
+    Running a Root Server Local to a Resolver
+
+    *See* :ref:`config-cache-prefill`
+:rfc:`8914`
+    Extended DNS Errors
+:rfc:`8976`
+    Message Digest for DNS Zones
+..
+ Cookies are a missing feature so far, though some older code exists.
+ :rfc:`9018`
+    Interoperable Domain Name System (DNS) Server Cookies
+:rfc:`9077`
+    NSEC and NSEC3: TTLs and Aggressive Use
+:rfc:`9156`
+    DNS Query Name Minimisation to Improve Privacy
+
+    *Our current code doesn't use full minimization but a compromise approach,
+    which in practice mainly minimizes queries going to root and TLD servers.
+    We also have a fallback that deals with typical cases of non-conforming servers.*
+:rfc:`9210`
+    DNS Transport over TCP - Operational Requirements
+.. No DoQ yet, but it's planned.
+ :rfc:`9250`
+    DNS over Dedicated QUIC Connections
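Review bot: The new rfc-list.rst has two typos in rendered text and one malformed role. "Specifciation" in the RFC 1035 title should be "Specification", and "stil support" in the RFC 2535 note should be "still support". The commented-out entry titled "TIME-WAIT Assassination Hazards in TCP" is written as :rfc:`13371, apparently with a stray 1 where the closing backtick belongs, so it will break if the entry is ever uncommented. Most of the ".." comment markers directly follow a definition body with no blank line (first case: right after the RFC 1123 entry), and the one-line comments before RFC 1521, 3526, 4007 and 5114 run straight into the next term. Add blank lines around the comment blocks and confirm with a docs build that no "ends without a blank line" warnings remain. There is also trailing whitespace on the otherwise empty line under the RFC 5001 title. Finally, the intro calls this a list of "implemented RFCs", yet several entries are partial by their own notes (RFC 6698: "We support the record, but not authenticating by it"; RFC 7413 server side only; RFC 9156 a compromise approach). Consider marking partial entries consistently so readers do not take a listing as a claim of full compliance.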