One document matched: draft-ietf-dnsext-dnssec-registry-fixes-07.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="no"?>
<?rfc tocdepth="6"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc rfcedstyle="yes"?>
<?rfc strict="yes"?>
<rfc ipr="trust200902" category="std" docName="draft-ietf-dnsext-dnssec-registry-fixes-07" updates="2536, 2539, 3110, 4034, 4398, 5155, 5702, 5933">
<front>
<title abbrev="IANA Registry Fixes">Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry</title>
<author fullname="Scott Rose" initials="S." surname="Rose">
<organization> NIST </organization>
<address>
<postal>
<street>100 Bureau Dr.</street>
<city>Gaithersburg</city>
<code>20899</code>
<region>MD</region>
<country>USA</country>
</postal>
<phone>+1-301-975-8439</phone>
<email> scottr.nist@gmail.com </email>
</address>
</author>
<date month="January" year="2011"/>
<area> Internet Area </area>
<workgroup> DNS Extensions Working Group </workgroup>
<keyword>DNS</keyword>
<keyword>DNSSEC</keyword>
<abstract>
<t>
The DNS Security Extensions (DNSSEC) requires the use of
cryptographic algorithm suites for generating digital signatures over DNS data. There is currently an
IANA registry for these algorithms that is incomplete in that it lacks the implementation status of
each algorithm. This document provides an applicability statement on algorithm implementation compliance status for DNSSEC implementations.
This status is to measure compliance to this RFC only.
This document replaces that registry table with a new IANA registry table for Domain
Name System Security (DNSSEC) Algorithm Numbers that lists (or assigns) each algorithm's status based on the
current reference.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
The Domain Name System (DNS) Security Extensions (DNSSEC) <xref target="RFC4033" />, <xref target="RFC4034" />,
<xref target="RFC4035" />, <xref target="RFC4509" />, <xref target="RFC5155" />, and <xref target="RFC5702" /> uses digital signatures over DNS data
to provide source authentication and integrity protection. DNSSEC uses an IANA registry
to allocate codes for digital signature algorithms (consisting of a cryptographic
algorithm and one-way hash function).
</t>
<t>
The original list of algorithm status is found in <xref target="RFC4034" />.
Other DNSSEC documents have added new algorithms or changed the status of
algorithms in the registry. However, currently implementers
must read through all the documents in order to discover which algorithms are
considered wise to implement, which are not, and which algorithms may become widely
used in the future.
</t>
<t>
This compliance status indication is only to be considered for implementation, not deployment or operations.
Operators are free to deploy any digital signature algorithm available in
implementations or algorithms chosen by local security policies. This status is to measure compliance to this RFC only.
</t>
<t>
This document replaces the current IANA registry for Domain Name
System Security (DNSSEC) Algorithm Numbers with a newly defined registry table. This new table (Section 2.2 below)
contains a column that will list the current compliance status of each digital
signature algorithm in the registry at the time of writing and assigns status for some algorithms
used with DNSSEC that did not have an identified status in their specification. This
document updates the following: <xref target="RFC2536" />, <xref target="RFC2539" />, <xref target="RFC3110" />,
<xref target="RFC4034" />, <xref target="RFC4398" />, <xref target="RFC5155" />, <xref target="RFC5702" />, and
<xref target="RFC5933" />.
</t>
<section title="Requirements Language">
<t>The key words "MUST", "MUST NOT",
"REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be
interpreted as described in <xref target="RFC2119" />.
</t>
</section>
</section>
<section title="The DNS Security Algorithm Number Sub-registry">
<t>
The DNS Security Algorithm Number sub-registry (part of the Domain Name
System (DNS) Security Number registry) will be replaced with the table below.
This table contains a column that contains the current implementation requirements of the given
algorithm.
</t>
<t>
There are additional differences to entries that are described in sub-section 2.1.
The overall new registry table is in sub-section 2.2. The values for the compliance status
were obtained from <xref target="RFC4034" /> with updates for algorithms
specified after the original DNSSEC specification. If no status was listed in
the original specification, this document assigns one for some of the entries.
</t>
<section title="Individual Changes">
<t>
This document changes three entries in the Domain Name System Security (DNSSEC)
Algorithm Registry. They are:
</t>
<t>
The description for assignment number 4 is changed to "Reserved until 2020".
</t>
<t>
The description for assignment number 9 is changed to "Reserved until 2020".
</t>
<t>
The description for assignment number 11 is changed to "Reserved until 2020".</t>
<t>Registry entries 13-251 remains Unassigned.</t>
<t>
The status of RSASHA1-NSEC3-SHA1 is set to RECOMMENDED. This is due to the fact that RSA/SHA-1 is REQUIRED.
The status of RSA/SHA-256 and RSA/SHA-512 are also set to RECOMMENDED as it is believed
that these algorithms will replace older algorithms (e.g. RSA/SHA-1) that have a
perceived weakness in their hash algorithm (SHA-1).
</t>
</section>
<section title="Domain Name System (DNS) Security Algorithm Number Registry Table">
<figure><preamble>
The Domain Name System (DNS) Security Algorithm Number registry is hereby specified
as follows:
</preamble>
<artwork>
Trans-
Zone action Compliance to
Number Description Mnemonic Sign Sign RFC TBD1 Reference
------ ----------- ------ ---- ----- ------------ ---------
0 Reserved [RFC4398]
1 RSA/MD5 RSAMD5 N Y MUST NOT [RFC2537]
IMPLEMENT
2 Diffie-Hellman DH N Y [RFC2539]
3 DSA/SHA-1 DSASHA1 Y Y [RFC2536]
4 Reserved until
2020
5 RSA/SHA-1 RSASHA1 Y Y MUST [RFC3110]
IMPLEMENT
6 DSA-NSEC3-SHA1 DSA-NSEC3 Y Y [RFC5155]
-SHA1
7 RSASHA1-NSEC3 RSASHA1- Y Y RECOMMENDED [RFC5155]
-SHA1 NSEC3- TO IMPLEMENT
SHA1
8 RSA/SHA-256 RSASHA256 Y * RECOMMENDED [RFC5702]
TO IMPLEMENT
9 Reserved until
2020
10 RSA/SHA-512 RSASHA512 Y * RECOMMENDED [RFC5702]
TO IMPLEMENT
11 Reserved until
2020
12 GOST R GOST-ECC Y * [RFC5933]
34.10-2001
13-251 Unassigned
252 Reserved for INDIRECT N N [RFC4034]
Indirect keys
253 private PRIVATE Y Y [RFC4034]
algorithm
254 private PRIVATEOID Y Y [RFC4034]
algorithm OID
255 Reserved
</artwork>
<postamble>
Table rows where the compliance column is not filled in are left
to the discretion of implementers and their implementation (or lack thereof) therefore cannot
be included when judging compliance to this document.
</postamble>
</figure>
</section>
<section title="Specifying New Algorithms and Updating Status of Existing Entries">
<t>
<xref target="RFC6014" /> establishes a parallel procedure for
obtaining an algorithm number for new algorithms other than a standards track document.
Algorithms entered into the registry using that procedure do not have a listed status. Specifications
that follow this path do not need to obsolete or update this document.
</t>
<t>
Adding a newly specified algorithm to the registry with a compliance status
SHALL entail obsolescing this document and replacing the registry table (with the new
algorithm entry). Altering the status column value of any existing algorithm in the registry SHALL entail obsolescing
this document and replacing the registry table.
</t>
<t>
This document cannot be updated, only made obsolete and replaced by a successor document.
</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>
This document replaces the Domain Name System (DNS) Security Algorithm Numbers registry.
The new registry table is in Section 2.2. In the column "Compliance to RFC TBD1", "RFC TBD1" should be changed to the official RFC when
published.
</t>
<t>
The original Domain
Name System (DNS) Security Algorithm Number registry is
available at http://www.iana.org/assignments/dns-sec-alg-numbers.
</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>
This document replaces the Domain Name System (DNS) Security Algorithm Numbers registry. It is not meant
to be a discussion on algorithm superiority. No new security considerations are
raised in this document.
</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119" ?>
<?rfc include="reference.RFC.2536" ?>
<?rfc include="reference.RFC.2537" ?>
<?rfc include="reference.RFC.2539" ?>
<?rfc include="reference.RFC.3110" ?>
<?rfc include="reference.RFC.4033" ?>
<?rfc include="reference.RFC.4034" ?>
<?rfc include="reference.RFC.4035" ?>
<?rfc include="reference.RFC.4398" ?>
<?rfc include="reference.RFC.4509" ?>
<?rfc include="reference.RFC.5155" ?>
<?rfc include="reference.RFC.5702" ?>
<?rfc include="reference.RFC.5933" ?>
<?rfc include="reference.RFC.6014" ?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 01:22:03 |