One document matched: draft-ietf-dnsext-dnssec-algo-imp-status-04.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="no"?>
<?rfc tocdepth="6"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc rfcedstyle="yes"?>
<?rfc strict="yes"?>
<rfc ipr="trust200902" category="std" docName="draft-ietf-dnsext-dnssec-algo-imp-status-04" updates="2536, 2539, 3110, 4034, 4398, 5155, 5702, 5933">
<front>
<title abbrev="Algorithm-Status">Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status</title>
<author fullname="Scott Rose" initials="S." surname="Rose">
<organization> NIST </organization>
<address>
<postal>
<street>100 Bureau Dr.</street>
<city>Gaithersburg</city>
<code>20899</code>
<region>MD</region>
<country>USA</country>
</postal>
<phone>+1-301-975-8439</phone>
<email> scottr.nist@gmail.com </email>
</address>
</author>
<date month="March" year="2013"/>
<area> Internet Area </area>
<workgroup> DNS Extensions Working Group </workgroup>
<keyword>DNS</keyword>
<keyword>DNSSEC</keyword>
<abstract>
<t>
The DNS Security Extensions (DNSSEC) requires the use of
cryptographic algorithm suites for generating digital
signatures over DNS data. There is currently an IANA registry
for these algorithms but there is no record of the recommended
implementation status of each algorithm. This document
provides an applicability statement on algorithm
implementation status for DNSSEC component software. This
document lists each algorithm's status based on the current
reference. In the case that an algorithm is specified without
an implementation status, this document assigns one. This
document updates RFCs 2536, 2539, 3110, 4034, 4398, 5155,
5702, and 5933.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
The Domain Name System (DNS) Security Extensions (DNSSEC) <xref target="RFC4033" />, <xref target="RFC4034" />,
<xref target="RFC4035" />, <xref target="RFC4509" />, <xref target="RFC5155" />, and <xref target="RFC5702" /> uses digital signatures over DNS data
to provide source authentication and integrity protection. DNSSEC uses an IANA registry
to list codes for digital signature algorithms (consisting of a cryptographic
algorithm and one-way hash function).
</t>
<t>
The original list of algorithm status is found in <xref target="RFC4034" />.
Other DNSSEC RFC's have added new algorithms or changed the status of
algorithms in the registry. However, implementers
must read through all the documents in order to discover which algorithms are
considered wise to implement, which are not, and which algorithms may become widely
used in the future.
</t>
<t>
This document defines the current implementation status for
all registered algorithms. If the status of algorithms
change, this document will be replaced with a new one
establishing the new status; see <xref target="future-spec" />.
</t>
<t>
This
document updates the following: <xref target="RFC2536" />, <xref target="RFC2539" />, <xref target="RFC3110" />,
<xref target="RFC4034" />, <xref target="RFC4398" />, <xref target="RFC5155" />, <xref target="RFC5702" />, and
<xref target="RFC5933" />.
</t>
<section title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be
interpreted as described in <xref target="RFC2119" />.
</t>
</section>
</section>
<section title="The DNS Security Algorithm Implementation Status Lists">
<section title="Status definitions">
<t>
<list style="hanging">
<t hangText="Must Implement">The algorithm MUST be implemented
to interoperate with other implementations of this
specification.</t>
<t hangText="Must Not Implement">The algorithm MUST NOT be
implemented. An algorithm with this status has known
weaknesses.</t>
<t hangText="Recommended to Implement">The algorithm SHOULD be
implemented. Utility and interoperability with other
implementations will be improved when an algorithm with this
status is implemented, though there might be occasions where it
is reasonable not to implement the algorithm. An implementer
must understand and weigh the full implications of choosing not
to implement this particular algorithm.</t>
<t hangText="Optional">The algorithm MAY be implemented, but
that all implementations MUST be prepared to interoperate with
implementations that do or do not implement this algorithm.</t>
</list>
</t>
</section>
<section title="Algorithm Implementation Status Assignment Rationale">
<t>
The status of RSASHA1-NSEC3-SHA1 is set to Recommended to
Implement as many deployments use NSEC3. The status of
RSA/SHA-256 and RSA/SHA-512 are also set to Recommended to
Implement as major deployments (such as the root zone) use these
algorithms <xref target="ROOTDPS" />. It is believed that
RSA/SHA-256 or RSA/SHA-512 algorithms will replace older
algorithms (e.g. RSA/SHA-1) that have a perceived weakness.
</t>
<t>
Likewise, ECDSA with the two identified curves (ECDSAP256SHA256
and ECDSAP384SHA384) are algorithms that may see widespread use
due to the perceived similar level of security offered with
smaller key size compared to the key sizes of algorithms such as
RSA. Therefore, ECDSAP256SHA256 and ECDSAP384SHA384 are
Recommended to Implement.
</t>
<t>
All other algorithms used in DNSSEC specified without an
implementation status are currently set to Optional.
</t>
</section>
<section title="DNSSEC Implementation Status Table" anchor="table">
<figure><preamble>
The DNSSEC algorithm implementation status table is listed below. Only the algorithms already
specified for use with DNSSEC at the time of writing are listed.
</preamble>
<artwork>
+------------+------------+-------------------+-------------------+
| Must | Must Not | Recommended | Optional |
| Implement | Implement | to Implement | |
+------------+------------+-------------------+-------------------+
| | | | |
| RSASHA1 | RSAMD5 | RSASHA256 | Any |
| | | RSASHA1-NSEC3 | registered |
| | | -SHA1 | algorithm |
| | | RSASHA512 | not listed in |
| | | ECDSAP256SHA256 | this table |
| | | ECDSAP384SHA384 | |
+------------+------------+-------------------+-------------------+
</artwork>
<postamble>
This table does not list the Reserved values in the IANA registry
table or the values for INDIRECT (252), PRIVATE (253) and PRIVATEOID
(254). These values may relate to more than one algorithm and are
therefore up to the implementer's discretion. As noted, any
algorithm not listed in the table is Optional. As of this writing,
the relevant algorithms are DSASHA1, DH, DSA-NSEC3-SHA1, and
GOST-ECC; but in general, anything not explicitly listed is
Optional.
</postamble>
</figure>
</section>
<section title="Specifying New Algorithms and Updating Status of
Existing Entries" anchor="future-spec">
<t>
<xref target="RFC6014" /> establishes a parallel procedure for
adding a registry entry for a new algorithm other than a
standards track document. Because any algorithm not listed in
the foregoing table is Optional, algorithms entered into the
registry using the <xref target="RFC6014" /> procedure are
automatically Optional.
</t>
<t>
It has turned out to be useful for implementations to refer
to a single document that specifies the implementation
status of every algorithm. Accordingly, when a new
algorithm is to be registered with a status other than
Optional, this document shall be made obsolete by a new
document which adds the new algorithm to the table in <xref
target="table" />. Similarly, if the status of any
algorithm in the table in <xref target="table" /> changes, a
new document shall make this document obsolete; that
document shall include a replacement of the table in <xref
target="table" />. This way, the goal of having one
authoritative document to specify all the status values is
achieved.
</t>
<t>
This document cannot be updated, only made obsolete and replaced by a successor document.
</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>
This document lists the implementation status of cryptographic algorithms used with DNSSEC. These algorithms
are maintained in an IANA registry at
http://www.iana.org/assignments/dns-sec-alg-numbers. Because
this document establishes the implementation status of every
algorithm, it should be listed as a reference for the entire registry.
</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>
This document lists, and in some cases assigns, the
implementation status of cryptographic algorithms used with
DNSSEC. It is not meant to be a discussion on algorithm
superiority. No new security considerations are raised in this
document, though prior description of algorithms as NOT
RECOMMENDED (see <xref target="RFC4034" />) has been recast as Must Not Implement.
</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119" ?>
<?rfc include="reference.RFC.2536" ?>
<?rfc include="reference.RFC.2539" ?>
<?rfc include="reference.RFC.3110" ?>
<?rfc include="reference.RFC.4033" ?>
<?rfc include="reference.RFC.4034" ?>
<?rfc include="reference.RFC.4035" ?>
<?rfc include="reference.RFC.4398" ?>
<?rfc include="reference.RFC.4509" ?>
<?rfc include="reference.RFC.5155" ?>
<?rfc include="reference.RFC.5702" ?>
<?rfc include="reference.RFC.5933" ?>
<?rfc include="reference.RFC.6014" ?>
</references>
<references title="Informative References">
<?rfc include="reference.DNS.ROOTDPS" ?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 04:25:41 |