| rfc9904v1.txt | rfc9904.txt | |||
|---|---|---|---|---|
| skipping to change at line 21 ¶ | skipping to change at line 21 ¶ | |||
| Abstract | Abstract | |||
| The DNSSEC protocol makes use of various cryptographic algorithms to | The DNSSEC protocol makes use of various cryptographic algorithms to | |||
| provide authentication of DNS data and proof of nonexistence. To | provide authentication of DNS data and proof of nonexistence. To | |||
| ensure interoperability between DNS resolvers and DNS authoritative | ensure interoperability between DNS resolvers and DNS authoritative | |||
| servers, it is necessary to specify both a set of algorithm | servers, it is necessary to specify both a set of algorithm | |||
| implementation requirements and usage guidelines to ensure that there | implementation requirements and usage guidelines to ensure that there | |||
| is at least one algorithm that all implementations support. This | is at least one algorithm that all implementations support. This | |||
| document replaces and obsoletes RFC 8624 and moves the canonical | document replaces and obsoletes RFC 8624 and moves the canonical | |||
| source of algorithm implementation requirements and usage guidance | source of algorithm implementation requirements and usage guidance | |||
| for DNSSEC from RFC 8624 to an IANA registry. This is done to allow | for DNSSEC from RFC 8624 to the IANA DNSSEC algorithm registries. | |||
| the list of requirements to be more easily updated and referenced. | This is done to allow the list of requirements to be more easily | |||
| Future extensions to this registry can be made under new, incremental | updated and referenced. Extensions to these registries can be made | |||
| update RFCs. This document also updates RFC 9157 and incorporates | in future RFCs. This document also updates RFC 9157 and incorporates | |||
| the revised IANA DNSSEC considerations from that RFC. | the revised IANA DNSSEC considerations from that RFC. | |||
| This document does not change the status (MUST, MAY, RECOMMENDED, | This document does not change the recommendation status (MUST, MAY, | |||
| etc.) of the algorithms listed in RFC 8624; that is the work of | RECOMMENDED, etc.) of the algorithms listed in RFC 8624; that is the | |||
| future documents. | work of future documents. | |||
| Status of This Memo | Status of This Memo | |||
| This is an Internet Standards Track document. | This is an Internet Standards Track document. | |||
| This document is a product of the Internet Engineering Task Force | This document is a product of the Internet Engineering Task Force | |||
| (IETF). It represents the consensus of the IETF community. It has | (IETF). It represents the consensus of the IETF community. It has | |||
| received public review and has been approved for publication by the | received public review and has been approved for publication by the | |||
| Internet Engineering Steering Group (IESG). Further information on | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 7841. | Internet Standards is available in Section 2 of RFC 7841. | |||
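Review bot: the singular "an IANA registry" in v1's abstract understated the scope, and the revised "the IANA DNSSEC algorithm registries" is the right fix, since the document populates two separate registries, "DNS Security Algorithm Numbers" (Section 3) and "Digest Algorithms" (Section 4). The other two wording changes in this block should stay as well: "Extensions to these registries can be made in future RFCs" no longer implies that every future change must be an "incremental update" RFC, and "recommendation status (MUST, MAY, RECOMMENDED, etc.)" makes clear that "status" means the column values, not the standards-track status of the document itself.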
| skipping to change at line 243 ¶ | skipping to change at line 243 ¶ | |||
| the algorithm in DNSSEC validators. | the algorithm in DNSSEC validators. | |||
| Implement for DNSSEC Delegation: Indicates the recommendation for | Implement for DNSSEC Delegation: Indicates the recommendation for | |||
| implementing the algorithm within authoritative servers. | implementing the algorithm within authoritative servers. | |||
| Implement for DNSSEC Validation: Indicates the recommendation for | Implement for DNSSEC Validation: Indicates the recommendation for | |||
| implementing the algorithm within validating resolvers. | implementing the algorithm within validating resolvers. | |||
| 2.2. Adding and Changing Values | 2.2. Adding and Changing Values | |||
| Adding a new entry to the "DNS System Algorithm Numbers" registry | The following note describing the procedures for adding and changing | |||
| with a recommended value of "MAY" in the "Use for DNSSEC Signing", | values has been added to the "DNS Security Algorithm Numbers" | |||
| "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or | registry: | |||
| "Implement for DNSSEC Validation" columns will be subject to the | ||||
| Specification Required policy as defined in [RFC8126] in order to | ||||
| promote continued evolution of DNSSEC algorithms and DNSSEC agility. | ||||
| New entries added through the Specification Required process will | ||||
| have the value of "MAY" for all columns. | ||||
| Adding a new entry to, or changing existing values in, the "DNS | ||||
| System Algorithm Numbers" registry for the "Use for DNSSEC Signing", | ||||
| "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or | ||||
| "Implement for DNSSEC Validation" columns to any other value than | ||||
| "MAY" requires a Standards Action. | ||||
| Adding a new entry to the "Digest Algorithms" registry with a | | Adding a new entry to the "DNS Security Algorithm Numbers" | |||
| recommended value of "MAY" in the "Use for DNSSEC Delegation", "Use | | registry with a recommended value of "MAY" in the "Use for DNSSEC | |||
| for DNSSEC Validation", "Implement for DNSSEC Delegation", or | | Signing", "Use for DNSSEC Validation", "Implement for DNSSEC | |||
| "Implement for DNSSEC Validation" columns SHALL follow the | | Signing", or "Implement for DNSSEC Validation" columns will be | |||
| Specification Required policy as defined in [RFC8126]. | | subject to the Specification Required policy as defined in | |||
| | [RFC8126] in order to promote continued evolution of DNSSEC | ||||
| | algorithms and DNSSEC agility. New entries added through the | ||||
| | Specification Required process will have the value of "MAY" for | ||||
| | all columns. | ||||
| | | ||||
| | Adding a new entry to, or changing an existing value in, the "DNS | ||||
| | Security Algorithm Numbers" registry that has any value other than | ||||
| | "MAY" in the "Use for DNSSEC Signing", "Use for DNSSEC | ||||
| | Validation", "Implement for DNSSEC Signing", or "Implement for | ||||
| | DNSSEC Validation" columns requires Standards Action. | ||||
| | | ||||
| | If an item is not marked as "RECOMMENDED", it does not necessarily | ||||
| | mean that it is flawed; rather, it indicates that the item either | ||||
| | has not been through the IETF consensus process, has limited | ||||
| | applicability, or is intended only for specific use cases. | ||||
| Adding a new entry to, or changing existing values in, the "Digest | The following note has been added to the "Digest Algorithms" | |||
| Algorithms" registry for the "Use for DNSSEC Delegation", "Use for | registry: | |||
| DNSSEC Validation", "Implement for DNSSEC Delegation", or "Implement | ||||
| for DNSSEC Validation" columns to any other value than "MAY" requires | ||||
| a Standards Action. | ||||
| If an item is not marked as "RECOMMENDED", it does not necessarily | | Adding a new entry to the "Digest Algorithms" registry with a | |||
| mean that it is flawed; rather, it indicates that the item either has | | recommended value of "MAY" in the "Use for DNSSEC Delegation", | |||
| not been through the IETF consensus process, has limited | | "Use for DNSSEC Validation", "Implement for DNSSEC Delegation", or | |||
| applicability, or is intended only for specific use cases. | | "Implement for DNSSEC Validation" columns SHALL follow the | |||
| | Specification Required policy as defined in [RFC8126]. | ||||
| | | ||||
| | Adding a new entry to, or changing an existing value in, the | ||||
| | "Digest Algorithms" registry that has any value other than "MAY" | ||||
| | in the "Use for DNSSEC Delegation", "Use for DNSSEC Validation", | ||||
| | "Implement for DNSSEC Delegation", or "Implement for DNSSEC | ||||
| | Validation" columns requires Standards Action. | ||||
| | | ||||
| | If an item is not marked as "RECOMMENDED", it does not necessarily | ||||
| | mean that it is flawed; rather, it indicates that the item either | ||||
| | has not been through the IETF consensus process, has limited | ||||
| | applicability, or is intended only for specific use cases. | ||||
| Only values of "MAY", "RECOMMENDED", "MUST NOT", and "NOT | Only values of "MAY", "RECOMMENDED", "MUST NOT", and "NOT | |||
| RECOMMENDED" may be placed into the "Use for DNSSEC Signing" and "Use | RECOMMENDED" may be placed into the "Use for DNSSEC Signing" and "Use | |||
| for DNSSEC Validation" columns. Only values of "MAY", "RECOMMENDED", | for DNSSEC Validation" columns. Only values of "MAY", "RECOMMENDED", | |||
| "MUST", "MUST NOT", and "NOT RECOMMENDED" may be placed into the | "MUST", "MUST NOT", and "NOT RECOMMENDED" may be placed into the | |||
| "Implement for DNSSEC Signing" and "Implement for DNSSEC Validation" | "Implement for DNSSEC Signing" and "Implement for DNSSEC Validation" | |||
| columns. Note that a value of "MUST" is not an allowed value for the | columns. Note that a value of "MUST" is not an allowed value for the | |||
| two "Use for" columns. | two "Use for" columns. | |||
| The following sections state the initial values that have been | The following sections state the initial values that have been | |||
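Review bot: v1's first two paragraphs of Section 2.2 named the registry "DNS System Algorithm Numbers", which does not exist; the revision correctly uses "DNS Security Algorithm Numbers", the name used in the Section 3 heading and in [DNSKEY-IANA], and restructuring the text as the literal note added to each registry means each note now stands alone, which is why the "If an item is not marked as RECOMMENDED" paragraph is rightly duplicated into both. One inconsistency carried over from v1 remains: the two notes state the same policy with different force, "will be subject to the Specification Required policy" for the algorithm numbers registry versus "SHALL follow the Specification Required policy" for the digest registry; suggest using one phrasing in both notes so the two registries are not read as having different rules.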
| skipping to change at line 296 ¶ | skipping to change at line 309 ¶ | |||
| set to the same values as those in the "Implement for" columns since | set to the same values as those in the "Implement for" columns since | |||
| the general interpretation to date indicates they have been treated | the general interpretation to date indicates they have been treated | |||
| as values for both "use" and "implementation". Note that the value | as values for both "use" and "implementation". Note that the value | |||
| in the "Use for" column is "RECOMMENDED" when the value in the | in the "Use for" column is "RECOMMENDED" when the value in the | |||
| corresponding "Implement for" column is "MUST". We note that the | corresponding "Implement for" column is "MUST". We note that the | |||
| values for "Implement for" and "Use for" may diverge in the future as | values for "Implement for" and "Use for" may diverge in the future as | |||
| implementations generally precede deployments. | implementations generally precede deployments. | |||
| 3. DNS Security Algorithm Numbers Registry Column Values | 3. DNS Security Algorithm Numbers Registry Column Values | |||
| Initial recommendation columns of use and implementation | Initial values for the use and implementation recommendation columns | |||
| recommendations for the "DNS Security Algorithm Numbers" registry | in the "DNS Security Algorithm Numbers" registry under the "Domain | |||
| under the "Domain Name System Security (DNSSEC) Algorithm Numbers" | Name System Security (DNSSEC) Algorithm Numbers" registry group are | |||
| registry group are shown in Table 2. | shown in Table 2. | |||
| When there are multiple RECOMMENDED algorithms in the "use" column, | When there are multiple RECOMMENDED algorithms in the "Use for" | |||
| operators should choose the best algorithm according to local policy. | columns, operators should choose the best algorithm according to | |||
| local policy. | ||||
| +===+===============+===========+===========+===========+===========+ | +===+===============+===========+===========+===========+===========+ | |||
| |No.|Mnemonics |Use for |Use for |Implement |Implement | | |No.|Mnemonics |Use for |Use for |Implement |Implement | | |||
| | | |DNSSEC |DNSSEC |for DNSSEC |for DNSSEC | | | | |DNSSEC |DNSSEC |for DNSSEC |for DNSSEC | | |||
| | | |Signing |Validation |Signing |Validation | | | | |Signing |Validation |Signing |Validation | | |||
| +===+===============+===========+===========+===========+===========+ | +===+===============+===========+===========+===========+===========+ | |||
| |1 |RSAMD5 |MUST NOT |MUST NOT |MUST NOT |MUST NOT | | |1 |RSAMD5 |MUST NOT |MUST NOT |MUST NOT |MUST NOT | | |||
| +---+---------------+-----------+-----------+-----------+-----------+ | +---+---------------+-----------+-----------+-----------+-----------+ | |||
| |3 |DSA |MUST NOT |MUST NOT |MUST NOT |MUST NOT | | |3 |DSA |MUST NOT |MUST NOT |MUST NOT |MUST NOT | | |||
| +---+---------------+-----------+-----------+-----------+-----------+ | +---+---------------+-----------+-----------+-----------+-----------+ | |||
| skipping to change at line 336 ¶ | skipping to change at line 350 ¶ | |||
| |12 |ECC-GOST |MUST NOT |MAY |MUST NOT |MAY | | |12 |ECC-GOST |MUST NOT |MAY |MUST NOT |MAY | | |||
| +---+---------------+-----------+-----------+-----------+-----------+ | +---+---------------+-----------+-----------+-----------+-----------+ | |||
| |13 |ECDSAP256SHA256|RECOMMENDED|RECOMMENDED|MUST |MUST | | |13 |ECDSAP256SHA256|RECOMMENDED|RECOMMENDED|MUST |MUST | | |||
| +---+---------------+-----------+-----------+-----------+-----------+ | +---+---------------+-----------+-----------+-----------+-----------+ | |||
| |14 |ECDSAP384SHA384|MAY |RECOMMENDED|MAY |RECOMMENDED| | |14 |ECDSAP384SHA384|MAY |RECOMMENDED|MAY |RECOMMENDED| | |||
| +---+---------------+-----------+-----------+-----------+-----------+ | +---+---------------+-----------+-----------+-----------+-----------+ | |||
| |15 |ED25519 |RECOMMENDED|RECOMMENDED|RECOMMENDED|RECOMMENDED| | |15 |ED25519 |RECOMMENDED|RECOMMENDED|RECOMMENDED|RECOMMENDED| | |||
| +---+---------------+-----------+-----------+-----------+-----------+ | +---+---------------+-----------+-----------+-----------+-----------+ | |||
| |16 |ED448 |MAY |RECOMMENDED|MAY |RECOMMENDED| | |16 |ED448 |MAY |RECOMMENDED|MAY |RECOMMENDED| | |||
| +---+---------------+-----------+-----------+-----------+-----------+ | +---+---------------+-----------+-----------+-----------+-----------+ | |||
| |17 |SM2/SM3 |MAY |MAY |MAY |MAY | | |17 |SM2SM3 |MAY |MAY |MAY |MAY | | |||
| +---+---------------+-----------+-----------+-----------+-----------+ | +---+---------------+-----------+-----------+-----------+-----------+ | |||
| |23 |GOST R |MAY |MAY |MAY |MAY | | |23 |ECC-GOST12 |MAY |MAY |MAY |MAY | | |||
| | |34.10-2012 | | | | | | ||||
| +---+---------------+-----------+-----------+-----------+-----------+ | +---+---------------+-----------+-----------+-----------+-----------+ | |||
| |253|private |MAY |MAY |MAY |MAY | | |253|PRIVATEDNS |MAY |MAY |MAY |MAY | | |||
| | |algorithm | | | | | | ||||
| +---+---------------+-----------+-----------+-----------+-----------+ | +---+---------------+-----------+-----------+-----------+-----------+ | |||
| |254|private |MAY |MAY |MAY |MAY | | |254|PRIVATEOID |MAY |MAY |MAY |MAY | | |||
| | |algorithm OID | | | | | | ||||
| +---+---------------+-----------+-----------+-----------+-----------+ | +---+---------------+-----------+-----------+-----------+-----------+ | |||
| Table 2: Initial Values for the DNS Security Algorithm Numbers | Table 2: Initial Values for the DNS Security Algorithm Numbers | |||
| Registry Columns | Registry Columns | |||
| 4. Digest Algorithms Registry Column Values | 4. Digest Algorithms Registry Column Values | |||
| Initial recommendation columns of use and implementation | Initial values for the use and implementation recommendation columns | |||
| recommendations for the "Digest Algorithms" registry under the | in the "Digest Algorithms" registry under the "DNSSEC Delegation | |||
| "DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest | Signer (DS) Resource Record (RR) Type Digest Algorithms" registry | |||
| Algorithms" registry group are shown in Table 3. | group are shown in Table 3. | |||
| When there are multiple RECOMMENDED algorithms in the "use" column, | When there are multiple RECOMMENDED algorithms in the "Use for" | |||
| operators should choose the best algorithm according to local policy. | columns, operators should choose the best algorithm according to | |||
| local policy. | ||||
| +=====+===========+===========+===========+==========+=============+ | +=====+===========+===========+===========+==========+=============+ | |||
| |Value|Description|Use for |Use for |Implement | Implement | | |Value|Description|Use for |Use for |Implement | Implement | | |||
| | | |DNSSEC |DNSSEC |for DNSSEC| for DNSSEC | | | | |DNSSEC |DNSSEC |for DNSSEC| for DNSSEC | | |||
| | | |Delegation |Validation |Delegation| Validation | | | | |Delegation |Validation |Delegation| Validation | | |||
| +=====+===========+===========+===========+==========+=============+ | +=====+===========+===========+===========+==========+=============+ | |||
| |0 |NULL (CDS |MUST NOT |MUST NOT |MUST NOT | MUST NOT | | |0 |NULL (CDS |MUST NOT |MUST NOT |MUST NOT | MUST NOT | | |||
| | |only) | | | | | | | |only) | | | | | | |||
| +-----+-----------+-----------+-----------+----------+-------------+ | +-----+-----------+-----------+-----------+----------+-------------+ | |||
| |1 |SHA-1 |MUST NOT |RECOMMENDED|MUST NOT | MUST | | |1 |SHA-1 |MUST NOT |RECOMMENDED|MUST NOT | MUST | | |||
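Review bot: the Mnemonics column renames in Table 2 ("SM2/SM3" to "SM2SM3", "GOST R 34.10-2012" to "ECC-GOST12", "private algorithm" to "PRIVATEDNS", "private algorithm OID" to "PRIVATEOID") replace descriptive names with the single-token mnemonics a reader will find in the registry itself, so rows can be matched exactly against [DNSKEY-IANA], and the change from "the "use" column" to "the "Use for" columns" is correct because each table has two such columns. The visible rows still satisfy the constraints stated in Section 2.2: no "MUST" appears in a "Use for" column, and wherever "Implement for" is "MUST" (algorithm 13, digest 1 validation) the matching "Use for" value is "RECOMMENDED", as the text before Section 3 requires.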
| skipping to change at line 492 ¶ | skipping to change at line 504 ¶ | |||
| * Deleted the (now superfluous) column "Status" from the registry. | * Deleted the (now superfluous) column "Status" from the registry. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [DNSKEY-IANA] | [DNSKEY-IANA] | |||
| IANA, "DNS Security Algorithm Numbers", | IANA, "DNS Security Algorithm Numbers", | |||
| <https://www.iana.org/assignments/dns-sec-alg-numbers>. | <https://www.iana.org/assignments/dns-sec-alg-numbers>. | |||
| [DS-IANA] IANA, "DNSSEC Delegation Signer (DS) Resource Record (RR) | [DS-IANA] IANA, "Digest Algorithms", | |||
| Type Digest Algorithms", | ||||
| <http://www.iana.org/assignments/ds-rr-types>. | <http://www.iana.org/assignments/ds-rr-types>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | |||
| Writing an IANA Considerations Section in RFCs", BCP 26, | Writing an IANA Considerations Section in RFCs", BCP 26, | |||
| RFC 8126, DOI 10.17487/RFC8126, June 2017, | RFC 8126, DOI 10.17487/RFC8126, June 2017, | |||
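Review bot: shortening the [DS-IANA] title to "Digest Algorithms" is consistent with Section 4, which calls "Digest Algorithms" the registry and "DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms" the registry group, and it parallels [DNSKEY-IANA], which is also titled with the registry name. Style point on the same entry: its URL is still "http://www.iana.org/assignments/ds-rr-types" while every other reference in this block uses https; suggest "https://www.iana.org/assignments/ds-rr-types" for consistency.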
| End of changes. 15 change blocks. | ||||
| 56 lines changed or deleted | 67 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||