<?xml version="1.0"?>
<?xml-stylesheet type='text/xsl' href='./rfc2629.xslt' ?>

<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC4034 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4034.xml">
<!ENTITY RFC5155 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5155.xml">
<!ENTITY RFC5702 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5702.xml">
<!ENTITY RFC5933 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5933.xml">
<!ENTITY RFC6605 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6605.xml">
<!ENTITY RFC6781 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6781.xml">
<!ENTITY RFC6944 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6944.xml">
<!ENTITY RFC6979 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml">
<!ENTITY RFC6986 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6986.xml">
<!ENTITY RFC7344 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7344.xml">
<!ENTITY RFC7583 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7583.xml">
<!ENTITY RFC8078 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8078.xml">
<!ENTITY RFC8080 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8080.xml">
]>

<?rfc toc="yes"?>
<?rfc strict="yes" ?>
<?rfc linkmailto="yes" ?>
<?rfc symrefs="yes"?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc sortrefs="no" ?>
<?rfc rfcedstyle="yes"?>

<rfc ipr="trust200902" docName="draft-ietf-dnsop-algorithm-update-00" category="std" obsoletes="6944">
  <front>
    <title abbrev="DNSSEC Cryptographic Algorithms">Algorithm Implementation Requirements and Usage Guidance for DNSSEC</title>
    <author fullname="Paul Wouters" initials="P." surname="Wouters">
      <organization>Red Hat</organization>
      <address>
	<postal>
	  <street/>
	  <country>CA</country>
	</postal>
        <email>pwouters@redhat.com</email>
      </address>
    </author>
    <author fullname="Ondrej Sury" initials="O." surname="Sury">
      <organization>Internet Systems Consortium</organization>
      <address>
	<postal>
	  <street/>
	  <country>CZ</country>
	</postal>
        <email>ondrej@isc.org</email>
      </address>
    </author>
    <date year="2018"/>
    <area>Security</area>
    <workgroup>dnsop</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <t>
	The DNSSEC protocol makes use of various cryptographic
	algorithms in order to provide authentication of DNS data and
	proof of non-existence.  To ensure interoperability between
	DNS resolvers and DNS authoritative servers, it is necessary
	to specify a set of algorithm implementation requirements and
	usage guidance to ensure that there is at least one algorithm
	that all implementations support.  This document defines the
	current algorithm implementation requirements and usage
	guidance for DNSSEC. This document obsoletes <xref target="RFC6944"/>.
      </t>
    </abstract>
  </front>
  <!-- ====================================================================== -->
  <middle>

    <section anchor="introduction" title="Introduction">
      <t>
	The DNSSEC signing algorithms are defined by various RFCs,
	including <xref target="RFC4034"/>, <xref target="RFC5155"/>,
	<xref target="RFC5702"/>, <xref target="RFC5933"/>, <xref
	target="RFC6605"/>, <xref target="RFC8080"/>.
	 DNSSEC is used to provide authentication of data. To ensure interoperability,
	a set of "mandatory-to-implement" DNSKEY algorithms are defined.
	This document obsoletes <xref target="RFC6944"/>.
      </t>

      <section title="Updating Algorithm Implementation Requirements and Usage Guidance">
	<t>
	  The field of cryptography evolves continuously.  New stronger
	  algorithms appear and existing algorithms are found to be
	  less secure then originally thought.  Therefore, algorithm
	  implementation requirements and usage guidance need to be
	  updated from time to time to reflect the new reality.  The
	  choices for algorithms must be conservative to minimize the
	  risk of algorithm compromise.
	</t>
      </section>

      <section title="Updating Algorithm Requirement Levels">
	<t>
	  The mandatory-to-implement algorithm of tomorrow should
	  already be available in most implementations of DNSSEC by the
	  time it is made mandatory.  This document attempts to
	  identify and introduce those algorithms for future
	  mandatory-to-implement status.  There is no guarantee that
	  the algorithms in use today may become mandatory in the
	  future.  Published algorithms are continuously subjected to
	  cryptographic attack and may become too weak or could become
	  completely broken before this document is updated.
	</t>

	<t>
	  This document only provides recommendations for the
	  mandatory-to-implement algorithms or algorithms too weak that
	  are recommended not to be implemented.  As a result, any
	  algorithm listed at the <xref target="DNSKEY-IANA"/> and
	  <xref target="DS-IANA"/> registries not mentioned in this
	  document MAY be implemented.  For clarification and consistency,
	  an algorithm will be set to MAY only when it has been downgraded.
	</t>

	<t>
	  Although this document updates the algorithms to keep the
	  DNSSEC authentication secure over time, it also aims at
	  providing recommendations so that DNSSEC implementations
	  remain interoperable.  DNSSEC interoperability is addressed
	  by an incremental introduction or deprecation of algorithms.
	</t>

	<t>
	  While <xref target="RFC2119"/> consider term SHOULD
	  equivalent to RECOMMENDED, and term SHOULD NOT to NOT
	  RECOMMENDED, the authors of this document has chosen to use
	  terms RECOMMENDED and NOT RECOMMENDED, as it better reflects
	  the recommendations for implementations.
	</t>
	
	<t>
	  It is expected that deprecation of an algorithm is performed
	  gradually.  This provides time for various implementations
	  to update their implemented algorithms while remaining
	  interoperable.  Unless there are strong security reasons, an
	  algorithm is expected to be downgraded from MUST to NOT
	  RECOMMENDED or MAY, instead of MUST NOT.  Similarly, an
	  algorithm that has not been mentioned as
	  mandatory-to-implement is expected to be introduced with a
	  RECOMMENDED instead of a MUST.
	</t>

	<t>
	  Since the effects of using an unknown DNSKEY algorithm is
	  for the zone to be treated as insecure, it is recommended
	  that algorithms downgraded to NOT RECOMMENDED or below are
	  no longer used by authoritative nameservers and DNSSEC
	  signers to create new DNSKEY's.  This will allow for
	  algorithms to slowly become more unused over time.  Once
	  deployment has reached a sufficiently low point these
	  algorithms can finally be marked as MUST NOT so that
	  recursive nameservers can remove support for these
	  algorithms.
	</t>

	<t>
	  Recursive nameservers are encouraged to keep support for all
	  algorithms not marked as MUST NOT.
	</t>
      </section>

      <section title="Document Audience">
	<t>
	  The recommendations of this document mostly target DNSSEC
	  implementers as implementations need to meet both high
	  security expectations as well as high interoperability
	  between various vendors and with different versions.
	  Interoperability requires a smooth move to more secure
	  algorithms.  This may differ from a user point of view that
	  may deploy and configure DNSSEC with only the safest
	  algorithm.  On the other hand, comments and recommendations
	  from this document are also expected to be useful for such
	  users.
	</t>
      </section>

    </section>
    <section anchor="mustshouldmay" title="Conventions Used in This Document">

      <t>
	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
	NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
	"OPTIONAL" in this document are to be interpreted as described
	in <xref target="RFC2119"/>.
      </t>

    </section>

    <section anchor="algs" title="Algorithm Selection">

      <section anchor="algs_dnskey" title="DNSKEY Algorithms">

	<t>
	  Implemenation recommendations for DNSKEY algorithms <xref target="DNSKEY-IANA"/>.
	</t>

	<texttable anchor="tbl_dnskey" suppress-title="true">
          <ttcol align="left">Number</ttcol>
          <ttcol align="left">Mnemonics</ttcol>
          <ttcol align="left">DNSSEC Signing</ttcol>
          <ttcol align="left">DNSSEC Validation</ttcol>

          <c>1</c><c>RSAMD5</c><c>MUST NOT</c><c>MUST NOT</c>
          <c>3</c><c>DSA</c><c>MUST NOT</c><c>MUST NOT</c>
          <c>5</c><c>RSASHA1</c><c>NOT RECOMMENDED</c><c>MUST</c>
          <c>6</c><c>DSA-NSEC3-SHA1</c><c>MUST NOT</c><c>MUST NOT</c>
          <c>7</c><c>RSASHA1-NSEC3-SHA1</c><c>NOT RECOMMENDED</c><c>MUST</c>
          <c>8</c><c>RSASHA256</c><c>MUST</c><c>MUST</c>
          <c>10</c><c>RSASHA512</c><c>NOT RECOMMENDED</c><c>MUST</c>
          <c>12</c><c>ECC-GOST</c><c>MUST NOT</c><c>MAY</c>
          <c>13</c><c>ECDSAP256SHA256</c><c>MUST</c><c>MUST</c>
          <c>14</c><c>ECDSAP384SHA384</c><c>NOT RECOMMENDED</c><c>RECOMMENDED</c>
	  <c>15</c><c>ED25519</c><c>RECOMMENDED</c><c>RECOMMENDED</c>
	  <c>16</c><c>ED448</c><c>MAY</c><c>RECOMMENDED</c>
	</texttable>

	<t>
	  RSAMD5 is not widely deployed and there is an industry-wide
	  trend to deprecate MD5 usage.
	</t>

	<t>
	  RSASHA1 and RSASHA1-NSEC3-SHA1 are widely deployed, although
	  zones deploying it are recommended to switch to
	  ECDSAP256SHA256 as there is an industry-wide trend to move
	  to elliptic curve cryptography.  RSASHA1 does not support
	  NSEC3.  RSASHA1-NSEC3-SHA1 can be used with or without
	  NSEC3.
	</t>

        <t>
	  DSA and DSA-NSEC3-SHA1 are not widely deployed and
	  vulnerable to private key compromise when generating
	  signatures using a weak or compromised random number
	  generator.
	</t>

	<t>
	  RSASHA256 is in wide use and considered strong.
	</t>

        <t>
	  RSASHA512 is NOT RECOMMENDED for DNSSEC Signing because it
	  has not seen wide deployment, but there are some deployments
	  hence DNSSEC Validation MUST implement RSASHA512 to ensure
	  interoperability.  There's isn't significant difference in
	  cryptographics strength between RSASHA512 and RSASHA256,
	  therefore it is discouraged to use RSASHA512, as it will
	  only make deprecation of older algorithms harder.  People
	  that want to use cryptographically stronger algorithm should
	  switch to elliptic curve cryptography algorithms.
	</t>

        <t>
	  ECC-GOST (GOST R 34.11-94) has been superseded by GOST R
	  34.11-2012 in <xref target="RFC6986"/>.  The GOST R
	  34.11-2012 hasn't been standardized for use in DNSSEC.
	</t>

        <t>
	  ECDSAP256SHA256 provide more strength for signature size
	  than RSASHA256 and RSASHA512 variants.  ECDSAP256SHA256 has
	  been widely deployed and therefore it is now at MUST level
	  for both validation and signing.  It is RECOMMENDED to use
	  deterministic digital signature generation procedure of the
	  ECDSA (<xref target="RFC6979"/>) when implementing
	  ECDSAP256SHA256 (and ECDSAP384SHA384).
	</t>

	<t>
	  ECDSAP384SHA384 share the same properties as
	  ECDSAP256SHA256, but offers only a little advantage over
	  ECDSAP256SHA256 and has not seen wide deployment, so the
	  usage of this algorithm is discouraged, especially for
	  signing.
	</t>

	<t>
	  ED25519 and ED448 uses Edwards-curve Digital Security
	  Algorithm (EdDSA).  There are three main advantages of the
	  EdDSA algorithm: It does not require the use of a unique
	  random number for each signature, there are no padding or
	  truncation issues as with ECDSA, and it is more resilient to
	  side-channel attacks.  Furthermore, EdDSA cryptography is
	  less prone to implementation errors (<xref
	  target="RFC8080"/>).  It is expected that ED25519 will
	  become the future RECOMMENDED default algorithm once there's
	  enough support for this algorithm in the deployed DNSSEC
	  validators.
	</t>

      </section>

      <section anchor="algs_dnskey_recommendation" title="DNSKEY Algorithm Recommendation">

	<t>
	  Operation recommendation for new and existing deployments.
	</t>

	<t>
	  Due to industry-wide trend to move to elliptic curve
	  cryptography, the ECDSAP256SHA256 is RECOMMENDED to be used
	  by new DNSSEC deployments, and users of RSA based algorithms
	  SHOULD upgrade to ECDSAP256SHA256.
	</t>

      </section>

      <section anchor="algs_ds" title="DS and CDS Algorithms">

	<t>
	  Recommendations for Delegation Signer Digest Algorithms
	  <xref target="DNSKEY-IANA"/> These also apply to the CDS
	  RRTYPE as specified in <xref target="RFC7344"/>
	</t>

	<texttable anchor="tbl_ds" suppress-title="true">
          <ttcol align="left">Number</ttcol>
          <ttcol align="left">Mnemonics</ttcol>
          <ttcol align="left">DNSSEC Delegation</ttcol>
          <ttcol align="left">DNSSEC Validation</ttcol>

          <c>0</c><c>NULL (CDS only)</c><c>MUST NOT [*]</c><c>MUST NOT [*]</c>
          <c>1</c><c>SHA-1</c><c>MUST NOT</c><c>MUST</c>
          <c>2</c><c>SHA-256</c><c>MUST</c><c>MUST</c>
          <c>3</c><c>GOST R 34.11-94</c><c>MUST NOT</c><c>MAY</c>
          <c>4</c><c>SHA-384</c><c>MAY</c><c>RECOMMENDED</c>
         <postamble>
          [*] - This is a special type of CDS record signaling removal of
	  DS at the parent in <xref target="RFC8078"/>
         </postamble>
	</texttable>

	<t>
	  NULL is a special case, see <xref target="RFC8078"/>
	</t>

	<t>
	  SHA-1 is still in wide use for DS records, so validators
	  MUST implement the validation, but it is disallowed to use
	  SHA-1 to generate new DS records.  (See Operational
	  Considerations for caveats when upgrading from SHA-1 to
	  SHA-256 DS Algorithm.)
	</t>

        <t>
	  SHA-256 is in wide use and considered strong.
	</t>

        <t>
	  GOST R 34.11-94 has been deprecated by <xref target="RFC6986"/>.
	</t>

	<t>
	  SHA-384 is not in wide use. It is still recommended to be
	  supported in validators so that adoption can increase.
	</t>

      </section>
    </section>

    <section anchor="security" title="Security Considerations">

      <t>
	The security of cryptographic-based systems depends on both
	the strength of the cryptographic algorithms chosen and the
	strength of the keys used with those algorithms.  The security
	also depends on the engineering of the protocol used by the
	system to ensure that there are no non-cryptographic ways to
	bypass the security of the overall system.
      </t>

      <t>
	This document concerns itself with the selection of
	cryptographic algorithms for the use of DNSSEC, specifically
	with the selection of "mandatory-to-implement" algorithms.
	The algorithms identified in this document as MUST or
	RECOMMENDED to implement are not known to be broken at the
	current time, and cryptographic research so far leads us to
	believe that they will likely remain secure into the
	foreseeable future.  However, this isn't necessarily forever
	and it is expected that new revisions of this document will be
	issued from time to time to reflect the current best practice
	in this area.
      </t>

      <t>
	Retiring an algorithm too soon would result in a signed zone
	with such an algorithm to be downgraded to the equivalent of
	an unsigned zone.  Therefore, algorithm deprecation must be
	done very slowly and only after careful consideration and
	measurements of its use.
      </t>
    </section>

    <section anchor="operation" title="Operational Considerations">
      <t>
	DNSKEY algorithm rollover in a live zone is a complex
	process.  See <xref target="RFC6781"/> and <xref target="RFC7583"/>
	for guidelines on how to perform algorithm rollovers.
      </t>
      <t>
	DS algorithm rollover in a live zone is also a complex
	process.  Upgrading algorithm at the same time as rolling the
	new KSK key will lead to DNSSEC validation failures, and users
	MUST upgrade the DS algorithm first before rolling the Key
	Signing Key.
      </t>
    </section>

    <section anchor="iana" title="IANA Considerations">
      <t>This document makes no requests of IANA.</t>
    </section>

    <section anchor="ack" title="Acknowledgements">
      <t>
	This document borrows text from RFC 4307 by Jeffrey I.
	Schiller of the Massachusetts Institute of Technology (MIT)
	and the 4307bis document by Yoav Nir, Tero Kivinen, Paul
	Wouters and Daniel Migault.  Much of the original text has
	been copied verbatim.
      </t>
      <t>
	We wish to thank Roland van Rijswijk-Deij, Olafur Gudmundsson
	and Paul Hoffman for their imminent feedback.
      </t>
      <t>
	Kudos to Roy Arends for bringing the DS rollover issue to the daylight.
      </t>
    </section>

  </middle>
  <!-- ====================================================================== -->
  <back>
    <references title="Normative References">
      &RFC2119;
    </references>
    <references title="Informative References">
      &RFC4034;
      &RFC5155;
      &RFC5702;
      &RFC5933;
      &RFC6605;
      &RFC6781;
      &RFC6944;
      &RFC6979;
      &RFC6986;
      &RFC7344;
      &RFC7583;
      &RFC8078;
      &RFC8080;
      <reference anchor="DNSKEY-IANA" target="http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml">
        <front>
          <title>DNSKEY Algorithms</title>
          <author initials="" surname="" fullname="">
            <organization />
          </author>
          <date />
        </front>
      </reference>
      <reference anchor="DS-IANA" target="http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml">
        <front>
          <title>Delegation Signer Digest Algorithms</title>
          <author initials="" surname="" fullname="">
            <organization />
          </author>
          <date />
        </front>
      </reference>
    </references>
    <!-- ====================================================================== -->
  </back>
</rfc>
