| rfc9906v1.txt | rfc9906.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) W. Hardaker | Internet Engineering Task Force (IETF) W. Hardaker | |||
| Request for Comments: 0000 USC/ISI | Request for Comments: 9906 USC/ISI | |||
| Category: Standards Track W. Kumari | Category: Standards Track W. Kumari | |||
| ISSN: 2070-1721 Google | ISSN: 2070-1721 Google | |||
| November 2025 | November 2025 | |||
| Deprecate Usage of ECC-GOST within DNSSEC | Deprecate Usage of ECC-GOST within DNSSEC | |||
| Abstract | Abstract | |||
| This document retires the use of GOST R 34.10-2001 (mnemonic "ECC- | This document retires the use of GOST R 34.10-2001 (mnemonic "ECC- | |||
| GOST") within DNSSEC. | GOST") and GOST R 34.11-94 within DNSSEC. | |||
| RFC 5933 (now historic) defined the use of GOST R 34.10-2001 and GOST | RFC 5933 (Historic) defined the use of GOST R 34.10-2001 and GOST R | |||
| R 34.11-94 algorithms with DNS Security Extensions (DNSSEC). This | 34.11-94 algorithms with DNS Security Extensions (DNSSEC). This | |||
| document updates RFC 5933 by deprecating the use of ECC-GOST. | document updates RFC 5933 by deprecating the use of ECC-GOST. | |||
| Status of This Memo | Status of This Memo | |||
| This is an Internet Standards Track document. | This is an Internet Standards Track document. | |||
| This document is a product of the Internet Engineering Task Force | This document is a product of the Internet Engineering Task Force | |||
| (IETF). It represents the consensus of the IETF community. It has | (IETF). It represents the consensus of the IETF community. It has | |||
| received public review and has been approved for publication by the | received public review and has been approved for publication by the | |||
| Internet Engineering Steering Group (IESG). Further information on | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 7841. | Internet Standards is available in Section 2 of RFC 7841. | |||
| Information about the current status of this document, any errata, | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | and how to provide feedback on it may be obtained at | |||
| https://www.rfc-editor.org/info/rfc0000. | https://www.rfc-editor.org/info/rfc9906. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2025 IETF Trust and the persons identified as the | Copyright (c) 2025 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at line 64 | skipping to change at line 64 | |||
| 4. Operational Considerations | 4. Operational Considerations | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| 6. References | 6. References | |||
| 6.1. Normative References | 6.1. Normative References | |||
| 6.2. Informative References | 6.2. Informative References | |||
| Acknowledgments | Acknowledgments | |||
| Authors' Addresses | Authors' Addresses | |||
| 1. Introduction | 1. Introduction | |||
| The use of the GOST R 34.10-2001 and GOST R 34.11-94 algorithms with | The GOST R 34.10-2001 and GOST R 34.11-94 algorithms are documented | |||
| the DNS Security Extensions (DNSSEC) [RFC9364], was documented in | in [RFC5933] and their use with DNS Security Extensions (DNSSEC) is | |||
| [RFC5933]. These two algorithms were deprecated by the Orders of the | further described in [RFC9364]. These two algorithms were deprecated | |||
| Federal Agency for Technical Regulation and Metrology of Russia | by the Orders of the Federal Agency for Technical Regulation and | |||
| (Rosstandart) in August 2012 and were superseded by GOST 34.10-2012 | Metrology of Russia (Rosstandart) in August 2012 and were superseded | |||
| and GOST 34.11-2012, respectively. The use of these two newer | by GOST 34.10-2012 and GOST 34.11-2012, respectively. The use of | |||
| algorithms in DNSSEC is documented in [RFC9558] and their associated | these two newer algorithms in DNSSEC is documented in [RFC9558], and | |||
| requirement levels are not changed by this document. | their associated requirement levels are not changed by this document. | |||
| Thus, the use of GOST R 34.10-2001 (mnemonic GOST-ECC) and GOST R | Thus, the use of GOST R 34.10-2001 (mnemonic "ECC-GOST") and GOST R | |||
| 34.11-94 is no longer recommended for use in DNSSEC [RFC9364]. | 34.11-94 is no longer recommended for use in DNSSEC [RFC9364]. | |||
| 1.1. Requirements Notation | 1.1. Requirements Notation | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 2. Deprecating ECC-GOST Algorithms in DNSSEC | 2. Deprecating ECC-GOST Algorithms in DNSSEC | |||
| The GOST R 34.11-94 [RFC5933] algorithm MUST NOT be used when | The GOST R 34.11-94 algorithm [RFC5933] MUST NOT be used when | |||
| creating DS records. Validating resolvers MUST treat GOST R 34.11-94 | creating Delegation Signer (DS) records. Validating resolvers MUST | |||
| DS records as insecure. If no other DS records of accepted | treat GOST R 34.11-94 DS records as insecure. If no other DS records | |||
| cryptographic algorithms are available, the DNS records below the | of accepted cryptographic algorithms are available, the DNS records | |||
| delegation point MUST be treated as insecure. | below the delegation point MUST be treated as insecure. | |||
| The ECC-GOST [RFC5933] algorithm MUST NOT be used when creating DNS | The GOST R 34.10-2001 algorithm [RFC5933] (mnemonic "ECC-GOST") MUST | |||
| Public Key (DNSKEY) and Resource Record Signature (RRSIG) records. | NOT be used when creating DNS Public Key (DNSKEY) and Resource Record | |||
| Validating resolvers MUST treat RRSIG records created from DNSKEY | Signature (RRSIG) records. Validating resolvers MUST treat RRSIG | |||
| records using these algorithms as unsupported algorithms. If no | records created from DNSKEY records using these algorithms as | |||
| other RRSIG records of accepted cryptographic algorithms are | unsupported algorithms. If no other RRSIG records of accepted | |||
| available, the validating resolver MUST consider the associated | cryptographic algorithms are available, the validating resolver MUST | |||
| resource records as insecure. | consider the associated resource records as insecure. | |||
| 3. Security Considerations | 3. Security Considerations | |||
| This document potentially increases the security of the DNSSEC | This document potentially increases the security of the DNSSEC | |||
| ecosystem by deprecating algorithms that are no longer recommended | ecosystem by deprecating algorithms that are no longer recommended | |||
| for use. | for use. | |||
| 4. Operational Considerations | 4. Operational Considerations | |||
| This document removes support for ECC-GOST. Zone operators currently | This document removes support for ECC-GOST. Zone operators currently | |||
| making use of ECC-GOST-based algorithms should switch to algorithms | making use of ECC-GOST-based algorithms should switch to algorithms | |||
| that remain supported. DNS registries should prohibit their clients | that remain supported. DNS registries should prohibit their clients | |||
| from uploading and publishing ECC-GOST-based DS records to ensure | from uploading and publishing ECC-GOST-based DS records to ensure | |||
| that they are using algorithms that are supported by DNSSEC | that they are using algorithms that are supported by DNSSEC | |||
| validators and thus can be DNSSEC validated. | validators and thus can be DNSSEC validated. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| IANA has set the "Use for DNSSEC Signing", "Use for DNSSEC | IANA has updated the GOST R 34.10-2001 (12) entry in the "DNS | |||
| Validation", "Implement for DNSSEC Signing", and "Implement for | Security Algorithm Numbers" registry [DNSKEY-IANA] [RFC9904] as | |||
| DNSSEC Validation" columns in the "DNS Security Algorithm Numbers" | follows: | |||
| registry [DNSKEY-IANA] [RFC9904] to MUST NOT for ECC-GOST (12). Note | ||||
| that the "Use for DNSSEC Signing" and "Implement for DNSSEC | Number: 12 | |||
| Description: GOST R 34.10-2001 (DEPRECATED) | ||||
| Mnemonic: ECC-GOST | ||||
| Zone Signing: Y | ||||
| Trans. Sec.: * | ||||
| Use for DNSSEC Signing: MUST NOT | ||||
| Use for DNSSEC Validation: MUST NOT | ||||
| Implement for DNSSEC Signing: MUST NOT | ||||
| Implement for DNSSEC Validation: MUST NOT | ||||
| Reference: [RFC5933], Change the status of GOST Signature Algorithms | ||||
| in DNSSEC in the IETF stream to Historic | ||||
| (https://datatracker.ietf.org/doc/status-change-gost-dnssec-to- | ||||
| historic/), and RFC 9906 | ||||
| Note: The "Use for DNSSEC Signing" and "Implement for DNSSEC | ||||
| Delegation" columns were already set to MUST NOT. | Delegation" columns were already set to MUST NOT. | |||
| IANA has set the "Use for DNSSEC Delegation", "Use for DNSSEC | IANA has updated the GOST R 34.11-94 (3) entry in the "Digest | |||
| Validation", "Implement for DNSSEC Delegation", and "Implement for | Algorithms" registry [DS-IANA] as follows: | |||
| DNSSEC Validation" columns in the "Digest Algorithms" registry | ||||
| [DS-IANA] to MUST NOT for GOST R 34.11-94 (3). Note that the "Use | Value: 3 | |||
| for DNSSEC Signing" and "Implement for DNSSEC Delegation" columns | Description: GOST R 34.11-94 (DEPRECATED) | |||
| were already set to MUST NOT. | Use for DNSSEC Delegation: MUST NOT | |||
| Use for DNSSEC Validation: MUST NOT | ||||
| Implement for DNSSEC Delegation: MUST NOT | ||||
| Implement for DNSSEC Validation: MUST NOT | ||||
| Reference: [RFC5933], Change the status of GOST Signature Algorithms | ||||
| in DNSSEC in the IETF stream to Historic | ||||
| (https://datatracker.ietf.org/doc/status-change-gost-dnssec-to- | ||||
| historic/), and RFC 9906 | ||||
| Note: The "Use for DNSSEC Signing" and "Implement for DNSSEC | ||||
| Delegation" columns were already set to MUST NOT. | ||||
| 6. References | 6. References | |||
| 6.1. Normative References | 6.1. Normative References | |||
| [DNSKEY-IANA] | [DNSKEY-IANA] | |||
| IANA, "DNS Security Algorithm Numbers", | IANA, "DNS Security Algorithm Numbers", | |||
| <https://www.iana.org/assignments/dns-sec-alg-numbers>. | <https://www.iana.org/assignments/dns-sec-alg-numbers>. | |||
| [DS-IANA] IANA, "Digest Algorithms", | [DS-IANA] IANA, "Digest Algorithms", | |||
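Review bot: the notes appended to both registry entries in Section 5 name columns that the entry directly above them does not have. The ECC-GOST (12) entry lists "Implement for DNSSEC Signing" and "Implement for DNSSEC Validation", yet its note says the "Implement for DNSSEC Delegation" column was already MUST NOT; the GOST R 34.11-94 (3) entry lists "Use for DNSSEC Delegation", yet its note refers to "Use for DNSSEC Signing". Suggest aligning each note with its own registry's column names (the "DNS Security Algorithm Numbers" note should cite "Implement for DNSSEC Signing", the "Digest Algorithms" note "Use for DNSSEC Delegation"), or dropping the notes, since each full entry already shows every requirement column at MUST NOT.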
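The validator rules in Section 2, expressed as a small algorithm-policy filter. This is an added example, not code from the RFC or from any resolver; it assumes a hypothetical validator that implements SHA-256/SHA-384 DS digests and RSASHA256, ECDSAP256SHA256 and ED25519 signatures, and it also drops a DS that refers to an ECC-GOST DNSKEY, a consequence of the RRSIG rule rather than a rule the text states separately.

```python
from dataclasses import dataclass
from enum import Enum

# Registry values quoted in Section 5 of the RFC.
GOST_R_34_11_94_DIGEST = 3   # "Digest Algorithms" registry, value 3
ECC_GOST_ALGORITHM = 12      # "DNS Security Algorithm Numbers" registry, number 12

# Assumed local policy of a hypothetical validator: digest types and signature
# algorithms it implements (SHA-256/SHA-384; RSASHA256, ECDSAP256SHA256, ED25519).
IMPLEMENTED_DS_DIGESTS = {2, 4}
IMPLEMENTED_SIG_ALGORITHMS = {8, 13, 15}

class Status(Enum):
    CANDIDATE = "usable material found; proceed to cryptographic verification"
    INSECURE = "insecure"

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int      # algorithm of the DNSKEY this DS refers to
    digest_type: int

@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int

def usable_ds(ds_set, implemented=IMPLEMENTED_DS_DIGESTS):
    # Section 2: GOST R 34.11-94 DS records MUST be treated as insecure, so they are
    # dropped before the local policy is consulted. A DS that refers to an ECC-GOST
    # DNSKEY is dropped too (assumption): signatures from that key are unsupported.
    return [ds for ds in ds_set
            if ds.digest_type != GOST_R_34_11_94_DIGEST
            and ds.algorithm != ECC_GOST_ALGORITHM
            and ds.digest_type in implemented]

def delegation_status(ds_set):
    # No DS of an accepted digest left -> everything below the delegation is insecure.
    return Status.CANDIDATE if usable_ds(ds_set) else Status.INSECURE

def usable_rrsigs(rrsigs, implemented=IMPLEMENTED_SIG_ALGORITHMS):
    # Section 2: RRSIGs produced with ECC-GOST DNSKEYs are treated as unsupported.
    return [sig for sig in rrsigs
            if sig.algorithm != ECC_GOST_ALGORITHM and sig.algorithm in implemented]

def rrset_status(rrsigs):
    # No RRSIG of an accepted algorithm left -> the covered RRset is insecure.
    return Status.CANDIDATE if usable_rrsigs(rrsigs) else Status.INSECURE
```

A delegation that publishes only a GOST R 34.11-94 DS, or an RRset signed only with ECC-GOST, lands at `INSECURE`; as long as one accepted DS digest or one accepted RRSIG algorithm remains, validation proceeds on that material alone.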