One document matched: draft-ietf-dnsext-dnssec-algo-imp-status-01.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="no"?>
<?rfc tocdepth="6"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc rfcedstyle="yes"?>
<?rfc strict="yes"?>
<rfc ipr="trust200902" category="bcp" docName="draft-ietf-dnsext-dnssec-algo-imp-status-01" updates="2536, 2539, 3110, 4034, 4398, 5155, 5702, 5933">
<front>
<title abbrev="Algorithm-Status">Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status</title>
<author fullname="Scott Rose" initials="S." surname="Rose">
<organization> NIST </organization>
<address>
<postal>
<street>100 Bureau Dr.</street>
<city>Gaithersburg</city>
<code>20899</code>
<region>MD</region>
<country>USA</country>
</postal>
<phone>+1-301-975-8439</phone>
<email> scottr.nist@gmail.com </email>
</address>
</author>
<date month="March" year="2012"/>
<area> Internet Area </area>
<workgroup> DNS Extensions Working Group </workgroup>
<keyword>DNS</keyword>
<keyword>DNSSEC</keyword>
<abstract>
<t>
The DNS Security Extensions (DNSSEC) requires the use of
cryptographic algorithm suites for generating digital signatures over DNS data. There is currently an
IANA registry for these algorithms that is incomplete in that it lacks the recommended implementation status of
each algorithm. This document provides an applicability statement on algorithm implementation status for DNSSEC component software.
This document lists each algorithm's status based on the
current reference. In the case that an algorithm is specified without an implementation status, this document assigns one.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
The Domain Name System (DNS) Security Extensions (DNSSEC) <xref target="RFC4033" />, <xref target="RFC4034" />,
<xref target="RFC4035" />, <xref target="RFC4509" />, <xref target="RFC5155" />, and <xref target="RFC5702" /> uses digital signatures over DNS data
to provide source authentication and integrity protection. DNSSEC uses an IANA registry
to list codes for digital signature algorithms (consisting of a cryptographic
algorithm and one-way hash function).
</t>
<t>
The original list of algorithm status is found in <xref target="RFC4034" />.
Other DNSSEC RFC's have added new algorithms or changed the status of
algorithms in the registry. However, implementers
must read through all the documents in order to discover which algorithms are
considered wise to implement, which are not, and which algorithms may become widely
used in the future. This document includes the current implementation status for certain algorithms.
</t>
<t>
This implementation status indication is only to be considered for implementation, not deployment or operations.
Operators are free to deploy any digital signature algorithm available in
implementations or algorithms chosen by local security policies. This status is to measure compliance to this document only.
</t>
<t>
This
document updates the following: <xref target="RFC2536" />, <xref target="RFC2539" />, <xref target="RFC3110" />,
<xref target="RFC4034" />, <xref target="RFC4398" />, <xref target="RFC5155" />, <xref target="RFC5702" />, and
<xref target="RFC5933" />.
</t>
<section title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be
interpreted as described in <xref target="RFC2119" />.
</t>
</section>
</section>
<section title="The DNS Security Algorithm Implementation Status Lists">
<section title="Algorithm Implementation Status Assignement Rationale">
<t>
The status of RSASHA1-NSEC3-SHA1 is set to RECOMMENDED TO IMPLEMENT as major deployments (such as the
root zone) use NSEC3 <xref target="ROOTDPS" />.
The status of RSA/SHA-256 and RSA/SHA-512 are also set to RECOMMENDED TO IMPLEMENT as it is believed
that these algorithms will replace an older algorithm (e.g. RSA/SHA-1) that have a
perceived weakness in its hash algorithm (SHA-1) as well as seen in major deployments.
</t>
<t>
All other algorithms used in DNSSEC specified without an implementation status are currently set to OPTIONAL.
</t>
</section>
<section title="DNSSEC Implementation Status Table">
<figure><preamble>
The DNSSEC algorithm implementation status table is listed below. Only the algorithms already
specified for use with DNSSEC (at the time of writing) are listed.
</preamble>
<artwork>
+------------+------------+-----------------+-------------------+
| MUST | MUST NOT | RECOMMENDED | OPTIONAL |
| IMPLEMENT | IMPLEMENT | TO IMPLEMENT | |
+------------+------------+-----------------+-------------------+
| | | | |
| RSASHA1 | RSAMD5 | RSASHA256 | DSASHA1 |
| | | RSASHA1-NSEC3 | DH |
| | | -SHA1 | DSA-NSEC3-SHA1 |
| | | RSASHA512 | GOST-ECC |
| | | | ECDSAP256SHA256 |
| | | | ECDSAP384SHA384 |
+------------+------------+-----------------+-------------------+
</artwork>
<postamble>
This table does not list the Reserved values in the IANA registry table or the
values for INDIRECT (252), PRIVATE (253) and PRIVATEOID (254). These values may relate to
more than one algorithm and are therefore up to the implementer's discretion.
Their implementation (or lack thereof) therefore cannot
be included when judging compliance to this document.
</postamble>
</figure>
</section>
<section title="Specifying New Algorithms and Updating Status of Existing Entries">
<t>
<xref target="RFC6014" /> establishes a parallel procedure for
adding a registry entry for a new algorithm other than a standards track document.
Algorithms entered into the registry using that procedure are to be considered OPTIONAL for
implementation purposes. Specifications
that follow this path do not need to obsolete or update this document.
</t>
<t>
Adding a newly specified algorithm to the registry with a implementation status other than OPTIONAL
SHALL entail obsolescing this document and replacing the table in Section 2.2 (with the new
algorithm entry). Altering the status column value of any existing algorithm in the registry SHALL entail obsolescing
this document and replacing the table in Section 2.2 above.
</t>
<t>
This document cannot be updated, only made obsolete and replaced by a successor document.
</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>
This document lists the implementation status of cryptographic algorithms used with DNSSEC. These algorithms
are maintained in an IANA registry. There are no changes to the registry in this document. However this document
asks to be listed as a reference for the entire registry.
</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>
This document lists, and in some cases assigns, the implementation status of cryptographic algorithms used with DNSSEC. It is not meant
to be a discussion on algorithm superiority. No new security considerations are
raised in this document.
</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119" ?>
<?rfc include="reference.RFC.2536" ?>
<?rfc include="reference.RFC.2539" ?>
<?rfc include="reference.RFC.3110" ?>
<?rfc include="reference.RFC.4033" ?>
<?rfc include="reference.RFC.4034" ?>
<?rfc include="reference.RFC.4035" ?>
<?rfc include="reference.RFC.4398" ?>
<?rfc include="reference.RFC.4509" ?>
<?rfc include="reference.RFC.5155" ?>
<?rfc include="reference.RFC.5702" ?>
<?rfc include="reference.RFC.5933" ?>
<?rfc include="reference.RFC.6014" ?>
</references>
<references title="Informative References">
<?rfc include="reference.DNS.ROOTDPS" ?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 04:25:15 |