One document matched: draft-ietf-dnsext-dnssec-registry-fixes-06.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="no"?>
<?rfc tocdepth="6"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc rfcedstyle="yes"?>
<?rfc strict="yes"?>
<rfc ipr="trust200902" category="std" docName="draft-ietf-dnsext-dnssec-registry-fixes-06" updates="2536, 2539, 3110, 4034, 4398, 5155, 5702, 5933">
<front>
<title abbrev="IANA Registry Fixes">Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry</title>
<author fullname="Scott Rose" initials="S." surname="Rose">
<organization> NIST </organization>
<address>
<postal>
<street>100 Bureau Dr.</street>
<city>Gaithersburg</city>
<code>20899</code>
<region>MD</region>
<country>USA</country>
</postal>
<phone>+1-301-975-8439</phone>
<email> scottr.nist@gmail.com </email>
</address>
</author>
<date month="August" year="2010"/>
<area> Internet Area </area>
<workgroup> DNS Extensions Working Group </workgroup>
<keyword>DNS</keyword>
<keyword>DNSSEC</keyword>
<abstract>
<t>
The DNS Security Extensions (DNSSEC) requires the use of
cryptographic algorithm suites for generating digital signatures over DNS data. There is currently an
IANA registry for these algorithms that is incomplete in that it lacks the implementation status of
each algorithm. This document provides an applicability statement on algorithm status for DNSSEC implementations.
This document replaces that registry table with a new IANA registry table for Domain
Name System Security (DNSSEC) Algorithm Numbers which lists each algorithm's status based on the
current reference. If that status is not defined in the original specification, this document assigns a
status.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
The Domain Name System (DNS) Security Extensions (DNSSEC) <xref target="RFC4033" />, <xref target="RFC4034" />,
and <xref target="RFC4035" /> uses digital signatures over DNS data
to provide source authentication and integrity protection. DNSSEC uses an IANA registry
to allocate codes for digital signature algorithms (consisting of a cryptographic
algorithm and one-way hash function).
</t>
<t>
The original list of algorithm status is found in <xref target="RFC4034" />.
Other DNSSEC documents have added new algorithms or changed the status of
algorithms in the registry. However, currently implementors
must read through all the documents in order to discover the current status
of each algorithm in the registry.
</t>
<t>
This document replaces the current IANA registry for Domain Name
System Security (DNSSEC) Algorithm Numbers with a newly defined registry table. This new table (Section 2.2 below)
contains a column that will list the current status of each digital
signature algorithm in the registry at the time of writing and assigns status for some algorithms
used with DNSSEC that did not have an identified status in their specification. This
document updates the following: <xref target="RFC2536" />, <xref target="RFC2539" />, <xref target="RFC3110" />,
<xref target="RFC4034" />, <xref target="RFC4398" />, <xref target="RFC5155" />, <xref target="RFC5702" />, and
<xref target="RFC5933" />.
</t>
<section title="Requirements Language">
<t>The key words "MUST", "MUST NOT",
"REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be
interpreted as described in <xref target="RFC2119" />.
</t>
</section>
</section>
<section title="The DNS Security Algorithm Number Subregistry">
<t>
The DNS Security Algorithm Number subregistry (part of the Domain Name
System (DNS) Security Number registry) will be replaced with the table below.
This table contains a column that contains the current implementation requirements of the given
algorithm.
</t>
<t>
There are additional differences to entries that are described in sub-section 2.1.
The overall new registry table is in sub-section 2.2. The values for the status
were obtained from <xref target="RFC4034" /> with updates for algorithms
specified after the original DNSSEC specification. If no status was listed in
the original specification, this document assigns one.
</t>
<section title="Individual Changes">
<t>
This document changes three entries in the Domain Name System Security (DNSSEC)
Algorithm Registry. They are:
</t>
<t>
The description for assignment number 4 is changed to "Reserved until 2020".
</t>
<t>
The description for assignment number 9 is changed to "Reserved until 2020".
</t>
<t>
The description for assignment number 11 is changed to "Reserved until 2020".</t>
<t>Registry entries 13-251 remains Unassigned.</t>
<t>
The status of RSASHA1-NSEC3-SHA1 and DSA-NSEC3-SHA1 are set to RECOMMENDED and OPTIONAL
respectively. The difference is due to the fact that RSA/SHA-1 is REQUIRED and DSA/SHA-1
is only OPTIONAL.
The status of RSA/SHA-256 and RSA/SHA-512 are set to RECOMMENDED as it is believed
that these algorithms will replace older algorithms (e.g. RSA/SHA-1) that have a
perceived weakness in their hash algorithm (SHA-1).
</t>
</section>
<section title="Domain Name System (DNS) Security Algorithm Number Registry Table">
<figure><preamble>
The Domain Name System (DNS) Security Algorithm Number registry is hereby specified
as follows:
</preamble>
<artwork>
Zone Transaction
Number Description Mnemonic Sign Sign Status Reference
------ ----------- ------ ---- ----- ------------ ---------
0 Reserved [RFC4398]
1 RSA/MD5 RSAMD5 N Y MUST NOT [RFC4034],
IMPLEMENT [RFC3110]
(this memo)
2 Diffie-Hellman DH N Y [RFC2539]
(this memo)
3 DSA/SHA-1 DSASHA1 Y Y [RFC2536],
[RFC4034],
FIPS 186-3,
FIPS 180-3
(this memo)
4 Reserved until ECC (this memo)
2020
5 RSA/SHA-1 RSASHA1 Y Y REQUIRED [RFC4034]
(this memo)
6 DSA-NSEC3-SHA1 DSA-NSEC3 Y Y [RFC5155]
-SHA1 (this memo)
7 RSASHA1-NSEC3 RSASHA1- Y Y RECOMMENDED [RFC5155]
-SHA1 NSEC3- (this memo)
SHA1
8 RSA/SHA-256 RSASHA256 Y * RECOMMENDED [RFC5702]
(this memo)
9 Reserved until (this memo)
2020
10 RSA/SHA-512 RSASHA512 Y * RECOMMENDED [RFC5702]
(this memo)
11 Reserved until (this memo)
2020
12 GOST R GOST-ECC Y * [RFC5933]
34.10-2001 (this memo)
13-251 Unassigned
252 Reserved for INDIRECT N N [RFC4034]
Indirect keys (this memo)
253 private PRIVATE Y Y [RFC4034]
algorithm (this memo)
254 private PRIVATEOID Y Y [RFC4034]
algorithm OID (this memo)
255 Reserved
</artwork>
</figure>
</section>
<section title="Specifying New Algorithms and Updating Status of Existing Entries">
<t>
<xref target="I-D.ietf-dnsext-dnssec-alg-allocation" /> establishes a parallel procedure for
obtaining an algorithm number for new algorithms other than a standards track document.
Algorithms entered into the registry using that procedure do not have a listed status. Specifications
that follow this path do not need to obsolete or update this document.
</t>
<t>
Adding a newly specified algorithm to the registry with a status
SHALL entail obsoleting this document and replacing the registry table (with the new
algorithm entry). Altering the status column value of any existing algorithm in the registry SHALL entail obsoleting
this document and replacing the registry table.
</t>
<t>
This document cannot be updated, only made obsolete and replaced by a successor document.
</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>
This document replaces the Domain Name System (DNS) Security Algorithm Numbers registry.
The new registry table is in Section 2.2.
</t>
<t>
The original Domain
Name System (DNS) Security Algorithm Number registry is
available at http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml.
</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>
This document replaces the Domain Name System (DNS) Security Algorithm Numbers registry. It is not meant
to be a discussion on algorithm superiority. No new security considerations are
raised in this document.
</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119" ?>
<?rfc include="reference.RFC.2536" ?>
<?rfc include="reference.RFC.2539" ?>
<?rfc include="reference.RFC.3110" ?>
<?rfc include="reference.RFC.4033" ?>
<?rfc include="reference.RFC.4034" ?>
<?rfc include="reference.RFC.4035" ?>
<?rfc include="reference.RFC.4398" ?>
<?rfc include="reference.RFC.5155" ?>
<?rfc include="reference.RFC.5702" ?>
<?rfc include="reference.RFC.5933" ?>
<?rfc include="reference.I-D.ietf-dnsext-dnssec-alg-allocation" ?>
</references>
<references title="Informative References">
<?rfc include="reference.FIPS.186-3.2009" ?>
<?rfc include="reference.FIPS.180-3.2008" ?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 01:22:01 |