One document matched: draft-ietf-dnsext-dnssec-registry-fixes-05.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="no"?>
<?rfc tocdepth="6"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc rfcedstyle="yes"?>
<?rfc strict="yes"?>
<rfc ipr="trust200902" category="std" docName="draft-ietf-dnsext-dnssec-registry-fixes-05" updates="2536, 2539, 3110, 4034, 4398, 5155, 5702">
<front>
<title abbrev="IANA Registry Fixes">DNS Security (DNSSEC) DNSKEY IANA Registry Algorithm Status Addition</title>
<author fullname="Scott Rose" initials="S." surname="Rose">
<organization> NIST </organization>
<address>
<postal>
<street>100 Bureau Dr.</street>
<city>Gaithersburg</city>
<code>20899</code>
<region>MD</region>
<country>USA</country>
</postal>
<phone>+1-301-975-8439</phone>
<email> scottr.nist@gmail.com </email>
</address>
</author>
<date month="June" year="2010"/>
<area> Internet Area </area>
<workgroup> DNS Extensions Working Group </workgroup>
<keyword>DNS</keyword>
<keyword>DNSSEC</keyword>
<abstract>
<t>
The DNS Security Extensions (DNSSEC) has an IANA registry to allocate
cryptographic algorithm suites for use in generating digital signatures over DNS data.
Newly introduced cryptographic algorithms to DNSSEC mean implementors need to
know which algorithms need to be implemented, which are optional, and which are obsolete.
This document adds a column to the IANA registry table for Domain Name System Security (DNSSEC)
Algorithm Numbers which lists their current status for use.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
The Domain Name System (DNS) Security Extensions (DNSSEC) <xref target="RFC4033" />, <xref target="RFC4034" />,
and <xref target="RFC4035" /> uses digital signatures over DNS data
to provide source authentication and integrity protection. DNSSEC uses an IANA registry
to allocate codes for digital signature algorithms (consisting of a cryptographic
algorithm and one-way hash function).
</t>
<t>
The original list of algorithm status is found in <xref target="RFC4034" />.
Other DNSSEC documents have added new algorithms or changed the status of
algorithms in the registry. However, implementors
must read through all the documents in order to discover which algorithms are mandatory to
implement and which are optional or no longer used.
</t>
<t>
This document requests a column to be added to the IANA registry for Domain Name
System Security (DNSSEC) Algorithm Numbers. This column will list the current status of each digital
signature algorithm in the registry at the time of writing and assigns status for algorithms
used with DNSSEC that did not have a status when they were originally specified. This
document updates the following: <xref target="RFC2536" />, <xref target="RFC2539" />, <xref target="RFC3110" />,
<xref target="RFC4034" />, <xref target="RFC4398" />, <xref target="RFC5155" />, <xref target="RFC5702" />, and [RFCTBD].
</t>
<section title="Terms Used in this Document to Indicate Status">
<t>The following terms are used within this document to indicate the current implementation
status of the given digital signature algorithm as of the time of writing. Here, "implementation"
refers to any component (e.g. validator, signer, etc.) that conforms to this document. Some of these
terms were used without definition in previous documents and are defined here.
</t>
<t><list style="hanging">
<t hangText=" ">MANDATORY: Implementations MUST support this algorithm to be considered
currently inter-operable.
</t>
<t hangText=" ">OPTIONAL: Implementation MAY support this algorithm. The presence
or lack thereof this algorithm MUST NOT be used to judge conformance to this document.
</t>
<t hangText=" ">ENCOURAGED: Implementations SHOULD support this algorithm, but like DISCRETIONARY,
lack of support MUST NOT be used to judge conformance to this document. This term is also used to hint
of a possible status change in the future to MANDATORY.
</t>
<t hangText=" ">OBSOLETE: New implementations SHOULD NOT support this algorithm.
</t>
</list>
</t>
<t>These words are also defined in <xref target="I-D.ogud-iana-protocol-maintenance-words" />, but
the definitions above are used for this document.
</t>
</section>
<section title="Requirements Language">
<t>The key words "MUST", "MUST NOT",
"REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be
interpreted as described in <xref target="RFC2119" />.
</t>
</section>
</section>
<section title="DNS Security Algorithm Number Subregistry Fixes">
<t>
The DNS Security Algorithm Number subregistry (part of the Domain Name
System (DNS) Security Number registry) will be modified to include a new column.
This column will contain the current implementation requirements of the given
algorithm. This document does not make any changes to any other column in the
registry table.
</t>
<t>
There are additional fixes to entries that are described in sub-section 2.1.
The overall new registry table is in sub-section 2.2. The values for the status
were obtained from <xref target="RFC4034" /> with updates for algorithms
specified after the original DNSSEC specification. The status of algorithms marked
OPTIONAL in <xref target="RFC4034" /> are changed to DISCRETIONARY as defined in
<xref target="I-D.ogud-iana-protocol-maintenance-words" />. The status of algorithms
marked NOT RECOMMENDED in <xref target="RFC4034" /> are changed to OBSOLETE as
defined in <xref target="I-D.ogud-iana-protocol-maintenance-words" />.
</t>
<section title="Individual Fixes">
<t>
This document changes three entries in the Domain Name System Security (DNSSEC)
Algorithm Registry. They are:
</t>
<t>
The description for assignment number 4 is changed to "Reserved until 2020".
</t>
<t>
The description for assignment number 9 is changed to "Reserved until 2020".
</t>
<t>
The description for assignment number 11 is changed to "Reserved until 2020".</t>
<t>Registry entries 13-251 remains Unassigned.</t>
<t>
The status of RSASHA1-NSEC3-SHA1 and DSA-NSEC3-SHA1 are both set to DISCRETIONARY.
The status of RSA/SHA-256 and RSA/SHA-512 are set to ENCOURAGED as it is believed
that these algorithms will replace older algorithms (e.g. RSA/SHA-1) that have a
perceived weakness in their hash algorithm (SHA-1).
</t>
</section>
<section title="Updated Registry Snapshot">
<figure><preamble>
As of the current time, the DNS Security Algorithm Number subregistry would look
like the following:
</preamble>
<artwork>
Zone Trans
Number Description Mnem. Sign Sign Status Reference
------ ----------- ------ ---- ----- ------------ ---------
0 Reserved [RFC4398]
1 RSA/MD5 RSAMD5 N Y OBSOLETE [RFC4034],
[RFC3110]
(this memo)
2 Diffie-Hellman DH N Y OPTIONAL [RFC2539]
(this memo)
3 DSA/SHA-1 DSASHA1 Y Y OPTIONAL [RFC2536],
[RFC4034],
FIPS 186-3,
FIPS 180-3
(this memo)
4 Reserved until ECC (this memo)
2020
5 RSA/SHA-1 RSASHA1 Y Y MANDATORY [RFC4034]
(this memo)
6 DSA-NSEC3-SHA1 DSA-NSEC3 Y Y OPTOINAL [RFC5155]
-SHA1 (this memo)
7 RSASHA1-NSEC3 RSASHA1- Y Y OPTIONAL [RFC5155]
-SHA1 NSEC3- (this memo)
SHA1
8 RSA/SHA-256 RSASHA256 Y * ENCOURAGED [RFC5702]
9 Reserved until (this memo)
2020
10 RSA/SHA-512 RSASHA512 Y * ENCOURAGED [RFC5702]
(this memo)
11 Reserved until (this memo)
2020
12 GOST R GOST-ECC Y * OPTIONAL [RFCTBD]
34.10-2001 (this memo)
13-251 Unassigned
252 Reserved for INDIRECT N N OPTIONAL [RFC4034]
Indirect keys (this memo)
253 private PRIVATE Y Y OPTIONAL [RFC4034]
algorithm (this memo)
254 private PRIVATEOID Y Y OPTIONAL [RFC4034]
algorithm OID (this memo)
255 Reserved
</artwork>
</figure>
</section>
<section title="Specifying New Algorithms and Updating Status of Existing Entries">
<t>
<xref target="I-D.ietf-dnsext-dnssec-alg-allocation" /> establishes a parallel procedure for
obtaining an algorithm number for new algorithms other than a standards track document.
Algorithms entered into the registry using that procedure are always OPTIONAL.
</t>
<t>
Adding a newly specified algorithm to the registry with any status other than OPTIONAL
SHALL entail an update of this document in order to specify new content to the registry.
</t>
<t>
Altering the status of any existing algorithm in the registry SHALL entail an update to
this document in order to change the contents of the registry.
</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>
This document seeks to add a column (titled "Status") to the Domain Name System (DNS) Security Algorithm Numbers registry to
indicate each algorithm's status for implementations seeking to conform to this document.
The new table is in Section 2.2 and includes the additional following changes detailed in Section 2.1:
</t>
<t>
The description of assignment 4 is changed from "Reserved for ECC" to
"Reserved until 2020".
</t>
<t>
The description of assignment 9 is changed from "Unassigned" to "Reserved
until 2020".
</t>
<t>
The description for assignment number 11 is changed from "Unassigned" to "Reserved until 2020".</t>
<t>Registry entries 13-251 remains Unassigned.</t>
<t>
The references for current algorithms in the table in Section 2.2 have been
updated to remove obsolete RFC's and replaced with the current reference.
</t>
<t>
The references to FIPS 180 and FIPS 186 have been updated (to FIPS 180-3 and
FIPS 186-3 respectively) to reflect the latest versions. These revisions
are maintenance updates and the relevant content of the FIPS documents have
not changed.
</t>
<t>
This draft updates the references of the entries that have an assigned status, in the table in Section 2.2,
the text '(this memo)' should be replaced with the final RFC when published.
</t>
<t>
The Domain
Name System (DNS) Security Algorithm Number registry is
available at http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml.
</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>
This document seeks to add a status column to an existing IANA registry. It is not meant
to be a discussion on algorithm superiority. No new security considerations are
raised in this document.
</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119" ?>
<?rfc include="reference.RFC.2536" ?>
<?rfc include="reference.RFC.2539" ?>
<?rfc include="reference.RFC.3110" ?>
<?rfc include="reference.RFC.4033" ?>
<?rfc include="reference.RFC.4034" ?>
<?rfc include="reference.RFC.4035" ?>
<?rfc include="reference.RFC.4398" ?>
<?rfc include="reference.RFC.5155" ?>
<?rfc include="reference.RFC.5702" ?>
<?rfc include="reference.RFC.TBD" ?>
<?rfc include="reference.I-D.ogud-iana-protocol-maintenance-words" ?>
<?rfc include="reference.I-D.ietf-dnsext-dnssec-alg-allocation" ?>
</references>
<references title="Informative References">
<?rfc include="reference.FIPS.186-3.2009" ?>
<?rfc include="reference.FIPS.180-3.2008" ?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 01:22:19 |