DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates

The Domain Name System (DNS) Security Extensions (DNSSEC) , , , , , and uses digital signatures over DNS data to provide source authentication and integrity protection. DNSSEC uses an IANA registry to list codes for digital signature algorithms (consisting of a cryptographic algorithm and one-way hash function). This document replaces the current IANA registry for Domain Name System Security (DNSSEC) Algorithm Numbers with a newly defined registry table. This new table (Section 2.2 below) contains a collection of changes to selected entries originally set aside for future algorithm specification that did not occur. These entries are changed to "Reserved" to avoid potential conflicts with older implementations. This document also brings the list of references for entries up to date.

The DNS Security Algorithm Number sub-registry (part of the Domain Name System (DNS) Security Number registry) will be replaced with the table below. There are additional differences to entries that are described in sub-section 2.1 and the overall new registry table is in sub-section 2.2.

This document updates three entries in the Domain Name System Security (DNSSEC) Algorithm Registry. They are: The description for assignment number 4 is changed to "Reserved". The description for assignment number 9 is changed to "Reserved". The description for assignment number 11 is changed to "Reserved". The above values are changed to "Reserved" because they were placeholders for algorithms that were not fully specified for use with DNSSEC. Older implementations may still have these algorithm codes assigned, so these codes are reserved to prevent potential incompatibilities.

The Domain Name System (DNS) Security Algorithm Number registry is hereby specified as follows below. Trans- Zone action Number Description Mnemonic Sign Sign Reference ------ ----------- ------ ---- ----- --------- 0 Reserved [RFC4034] [RFC4398] 1 RSA/MD5 RSAMD5 N Y [RFC3110] 2 Diffie-Hellman DH N Y [RFC2539] 3 DSA/SHA-1 DSASHA1 Y Y [RFC2536] 4 Reserved 5 RSA/SHA-1 RSASHA1 Y Y [RFC3110] 6 DSA-NSEC3-SHA1 DSA-NSEC3 Y Y [RFC5155] -SHA1 7 RSASHA1-NSEC3 RSASHA1- Y Y [RFC5155] -SHA1 NSEC3- SHA1 8 RSA/SHA-256 RSASHA256 Y * [RFC5702] 9 Reserved 10 RSA/SHA-512 RSASHA512 Y * [RFC5702] 11 Reserved 12 GOST R GOST-ECC Y * [RFC5933] 34.10-2001 13-122 Unassigned 123-251 Reserved [RFC6014] 252 Reserved for INDIRECT N N [RFC4034] Indirect keys 253 private PRIVATE Y Y [RFC4034] algorithm 254 private PRIVATEOID Y Y [RFC4034] algorithm OID 255 Reserved [RFC4034]

This document replaces the Domain Name System (DNS) Security Algorithm Numbers registry with new registry table is in Section 2.2. The changes include moving three registry entries to "Reserved" and updating the reference list for entries. The original Domain Name System (DNS) Security Algorithm Number registry is available at http://www.iana.org/assignments/dns-sec-alg-numbers.

This document replaces the Domain Name System (DNS) Security Algorithm Numbers registry with an updated table. It is not meant to be a discussion on algorithm superiority. No new security considerations are raised in this document.