One document matched: draft-ietf-dnsext-dnssec-algo-imp-status-00.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="no"?>
<?rfc tocdepth="6"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc rfcedstyle="yes"?>
<?rfc strict="yes"?>
<rfc ipr="trust200902" category="bcp" docName="draft-ietf-dnsext-dnssec-algo-imp-status-00" updates="2536, 2539, 3110, 4034, 4398, 5155, 5702, 5933">
<front>
<title abbrev="Algorithm-Status">Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status</title>
	<author fullname="Scott Rose" initials="S." surname="Rose">
			<organization> NIST </organization>
			<address>
				<postal>
					<street>100 Bureau Dr.</street>
					<city>Gaithersburg</city>
					<code>20899</code>
					<region>MD</region>
					<country>USA</country>
				</postal>
				<phone>+1-301-975-8439</phone>
				<email> scottr.nist@gmail.com </email>
			</address>
		</author>
	
<date month="January" year="2012"/>
<area> Internet Area </area>
<workgroup> DNS Extensions Working Group </workgroup>
<keyword>DNS</keyword>
<keyword>DNSSEC</keyword>
<abstract>
	<t>
	The DNS Security Extensions (DNSSEC) requires the use of
	cryptographic algorithm suites for generating digital signatures over DNS data. There is currently an
    IANA registry for these algorithms that is incomplete in that it lacks the recommended implementation status of 
    each algorithm. This document provides an applicability statement on algorithm implementation compliance status for DNSSEC implementations.
    This document lists each algorithm's status based on the 
    current reference. In the case that an algorithm is specified without an implementation status, this document assigns one.
	</t>
</abstract>

</front>
<middle>
<section title="Introduction">
	<t>
	The Domain Name System (DNS) Security Extensions (DNSSEC) <xref target="RFC4033" />, <xref target="RFC4034" />,
	<xref target="RFC4035" />, <xref target="RFC4509" />, <xref target="RFC5155" />, and <xref target="RFC5702" /> uses digital signatures over DNS data
	to provide source authentication and integrity protection.  DNSSEC uses an IANA registry
	to list codes for digital signature algorithms (consisting of a cryptographic
	algorithm and one-way hash function).   
	</t>
	<t>
	The original list of algorithm status is found in <xref target="RFC4034" />.
	Other DNSSEC RFC's have added new algorithms or changed the status of
	algorithms in the registry.  However, implementers
	must read through all the documents in order to discover which algorithms are 
	considered wise to implement, which are not, and which algorithms may become widely 
	used in the future.  This document includes the current compliance status for certain algorithms.  
	</t>
	<t>
	This compliance status indication is only to be considered for implementation, not deployment or operations.
	Operators are free to deploy any digital signature algorithm available in 
	implementations or algorithms chosen by local security policies. This status is to measure compliance to this RFC only.
	</t>
	<t>
      This 
	document updates the following: <xref target="RFC2536" />, <xref target="RFC2539" />, <xref target="RFC3110" />, 
	<xref target="RFC4034" />, <xref target="RFC4398" />, <xref target="RFC5155" />, <xref target="RFC5702" />, and 
    <xref target="RFC5933" />.
	</t>
<section title="Requirements Language">
    <t>The key words "MUST", "MUST NOT", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be
interpreted as described in <xref target="RFC2119" />.
	</t>
</section>
</section>
<section title="The DNS Security Algorithm Implementation Status Lists">
	
  <section title="Algorithm Implementation Status Assignement Rationale">
	<t>
        The status of RSASHA1-NSEC3-SHA1 is set to RECOMMENDED TO IMPLEMENT.  This is due to the fact that RSA/SHA-1 is a MUST IMPLEMENT.
        The status of RSA/SHA-256 and RSA/SHA-512 are also set to RECOMMENDED TO IMPLEMENT as it is believed 
        that these algorithms will replace an older algorithm (e.g. RSA/SHA-1) that have a 
	perceived weakness in its hash algorithm (SHA-1).
    </t>
  </section>
  <section title="DNSSEC Implementation Status Table">
	<figure><preamble>
	The DNSSEC algorithm implementation status table is listed below. Only the algorithms already
	specified for use with DNSSEC (at the time of writing) are listed.  
	</preamble>
<artwork>

   +------------+------------+-----------------+-------------+
   |    MUST    |  MUST NOT  |   RECOMMENDED   |  OPTIONAL   |
   |  IMPLEMENT | IMPLEMENT  |  TO IMPLEMENT   |             |
   +------------+------------+-----------------+-------------+
   |            |            |                 |             |
   |   RSASHA1  |   RSAMD5   |   RSASHA256     |   DSASHA1   |
   |            |            |   RSASHA1-NSEC3 |   DH        |
   |            |            |    -SHA1        |   DSA-NSEC3 |
   |            |            |   RSASHA512     |    -SHA1    |
   |            |            |                 |   GOST-ECC  |
   |            |            |                 |             |
   +------------+------------+-----------------+-------------+

</artwork>
<postamble>
  This table does not list the Reserved values in the IANA registry table or the
  values for INDIRECT (252), PRIVATE (253) and PRIVATEOID (254).  These values may relate to
  more than one algorithm and are therefore up to the implementer's discretion.
  Their implementation (or lack thereof) therefore cannot 
  be included when judging compliance to this document.
</postamble>
</figure>
</section>

<section title="Specifying New Algorithms and Updating Status of Existing Entries">
	<t>
	<xref target="RFC6014" /> establishes a parallel procedure for
	adding a registry entry for a new algorithm other than a standards track document.  
	Algorithms entered into the registry using that procedure are to be considered OPTIONAL for 
	implementation purposes.  Specifications
        that follow this path do not need to obsolete or update this document.
    	</t>
	<t>
	Adding a newly specified algorithm to the registry with a compliance status  
	SHALL entail obsolescing this document and replacing the registry table (with the new 
    algorithm entry). Altering the status column value of any existing algorithm in the registry SHALL entail obsolescing
	this document and replacing the registry table.
	</t>
	<t>
	This document cannot be updated, only made obsolete and replaced by a successor document.
	</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
	<t>
	This document lists the implementation status of cryptographic algorithms used with DNSSEC.  These algorithms
	are maintained in an IANA registry.  There are no changes to the registry in this document. However this document 
	asks to be listed as a reference for the entire registry.
	</t>
</section>

<section anchor="Security" title="Security Considerations">
	<t>
	This document replaces the Domain Name System (DNS) Security Algorithm Numbers registry.  It is not meant
	to be a discussion on algorithm superiority. No new security considerations are
	raised in this document.
	</t>
</section>

</middle>
<back>
	<references title="Normative References">
        <?rfc include="reference.RFC.2119" ?>
        <?rfc include="reference.RFC.2536" ?>
		<?rfc include="reference.RFC.2539" ?>
		<?rfc include="reference.RFC.3110" ?>
		<?rfc include="reference.RFC.4033" ?>
		<?rfc include="reference.RFC.4034" ?>
		<?rfc include="reference.RFC.4035" ?>
		<?rfc include="reference.RFC.4398" ?>
		<?rfc include="reference.RFC.4509" ?>
		<?rfc include="reference.RFC.5155" ?>
		<?rfc include="reference.RFC.5702" ?>
		<?rfc include="reference.RFC.5933" ?>
		<?rfc include="reference.RFC.6014" ?>
	</references>
</back>
</rfc>