| < draft-ietf-dnsext-dnssec-algo-imp-status-00.txt | draft-ietf-dnsext-dnssec-algo-imp-status-01.txt > | |||
|---|---|---|---|---|
| DNS Extensions Working Group S. Rose | DNS Extensions Working Group S. Rose | |||
| Internet-Draft NIST | Internet-Draft NIST | |||
| Updates: 2536, 2539, 3110, 4034, 4398, January 30, 2012 | Updates: 2536, 2539, 3110, 4034, 4398, March 26, 2012 | |||
| 5155, 5702, 5933 (if approved) | 5155, 5702, 5933 (if approved) | |||
| Intended status: BCP | Intended status: BCP | |||
| Expires: August 2, 2012 | Expires: September 27, 2012 | |||
| Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm | Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm | |||
| Implementation Status | Implementation Status | |||
| draft-ietf-dnsext-dnssec-algo-imp-status-00 | draft-ietf-dnsext-dnssec-algo-imp-status-01 | |||
| Abstract | Abstract | |||
| The DNS Security Extensions (DNSSEC) requires the use of | The DNS Security Extensions (DNSSEC) requires the use of | |||
| cryptographic algorithm suites for generating digital signatures over | cryptographic algorithm suites for generating digital signatures over | |||
| DNS data. There is currently an IANA registry for these algorithms | DNS data. There is currently an IANA registry for these algorithms | |||
| that is incomplete in that it lacks the recommended implementation | that is incomplete in that it lacks the recommended implementation | |||
| status of each algorithm. This document provides an applicability | status of each algorithm. This document provides an applicability | |||
| statement on algorithm implementation compliance status for DNSSEC | statement on algorithm implementation status for DNSSEC component | |||
| implementations. This document lists each algorithm's status based | software. This document lists each algorithm's status based on the | |||
| on the current reference. In the case that an algorithm is specified | current reference. In the case that an algorithm is specified | |||
| without an implementation status, this document assigns one. | without an implementation status, this document assigns one. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 2, 2012. | This Internet-Draft will expire on September 27, 2012. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 27 ¶ | skipping to change at page 2, line 27 ¶ | |||
| 2. The DNS Security Algorithm Implementation Status Lists . . . . 3 | 2. The DNS Security Algorithm Implementation Status Lists . . . . 3 | |||
| 2.1. Algorithm Implementation Status Assignement Rationale . . . 3 | 2.1. Algorithm Implementation Status Assignement Rationale . . . 3 | |||
| 2.2. DNSSEC Implementation Status Table . . . . . . . . . . . . 4 | 2.2. DNSSEC Implementation Status Table . . . . . . . . . . . . 4 | |||
| 2.3. Specifying New Algorithms and Updating Status of | 2.3. Specifying New Algorithms and Updating Status of | |||
| Existing Entries . . . . . . . . . . . . . . . . . . . . . 4 | Existing Entries . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 | 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Normative References . . . . . . . . . . . . . . . . . . . . . 5 | 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5.1. Normative References . . . . . . . . . . . . . . . . . . . 5 | ||||
| 5.2. Informative References . . . . . . . . . . . . . . . . . . 6 | ||||
| 1. Introduction | 1. Introduction | |||
| The Domain Name System (DNS) Security Extensions (DNSSEC) [RFC4033], | The Domain Name System (DNS) Security Extensions (DNSSEC) [RFC4033], | |||
| [RFC4034], [RFC4035], [RFC4509], [RFC5155], and [RFC5702] uses | [RFC4034], [RFC4035], [RFC4509], [RFC5155], and [RFC5702] uses | |||
| digital signatures over DNS data to provide source authentication and | digital signatures over DNS data to provide source authentication and | |||
| integrity protection. DNSSEC uses an IANA registry to list codes for | integrity protection. DNSSEC uses an IANA registry to list codes for | |||
| digital signature algorithms (consisting of a cryptographic algorithm | digital signature algorithms (consisting of a cryptographic algorithm | |||
| and one-way hash function). | and one-way hash function). | |||
| The original list of algorithm status is found in [RFC4034]. Other | The original list of algorithm status is found in [RFC4034]. Other | |||
| DNSSEC RFC's have added new algorithms or changed the status of | DNSSEC RFC's have added new algorithms or changed the status of | |||
| algorithms in the registry. However, implementers must read through | algorithms in the registry. However, implementers must read through | |||
| all the documents in order to discover which algorithms are | all the documents in order to discover which algorithms are | |||
| considered wise to implement, which are not, and which algorithms may | considered wise to implement, which are not, and which algorithms may | |||
| become widely used in the future. This document includes the current | become widely used in the future. This document includes the current | |||
| compliance status for certain algorithms. | implementation status for certain algorithms. | |||
| This compliance status indication is only to be considered for | This implementation status indication is only to be considered for | |||
| implementation, not deployment or operations. Operators are free to | implementation, not deployment or operations. Operators are free to | |||
| deploy any digital signature algorithm available in implementations | deploy any digital signature algorithm available in implementations | |||
| or algorithms chosen by local security policies. This status is to | or algorithms chosen by local security policies. This status is to | |||
| measure compliance to this RFC only. | measure compliance to this document only. | |||
| This document updates the following: [RFC2536], [RFC2539], [RFC3110], | This document updates the following: [RFC2536], [RFC2539], [RFC3110], | |||
| [RFC4034], [RFC4398], [RFC5155], [RFC5702], and [RFC5933]. | [RFC4034], [RFC4398], [RFC5155], [RFC5702], and [RFC5933]. | |||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "SHALL", "SHALL NOT", "SHOULD", | The key words "MUST", "MUST NOT", "SHALL", "SHALL NOT", "SHOULD", | |||
| "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document | "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document | |||
| are to be interpreted as described in [RFC2119]. | are to be interpreted as described in [RFC2119]. | |||
| 2. The DNS Security Algorithm Implementation Status Lists | 2. The DNS Security Algorithm Implementation Status Lists | |||
| 2.1. Algorithm Implementation Status Assignement Rationale | 2.1. Algorithm Implementation Status Assignement Rationale | |||
| The status of RSASHA1-NSEC3-SHA1 is set to RECOMMENDED TO IMPLEMENT. | The status of RSASHA1-NSEC3-SHA1 is set to RECOMMENDED TO IMPLEMENT | |||
| This is due to the fact that RSA/SHA-1 is a MUST IMPLEMENT. The | as major deployments (such as the root zone) use NSEC3 [ROOTDPS]. | |||
| status of RSA/SHA-256 and RSA/SHA-512 are also set to RECOMMENDED TO | The status of RSA/SHA-256 and RSA/SHA-512 are also set to RECOMMENDED | |||
| IMPLEMENT as it is believed that these algorithms will replace an | TO IMPLEMENT as it is believed that these algorithms will replace an | |||
| older algorithm (e.g. RSA/SHA-1) that have a perceived weakness in | older algorithm (e.g. RSA/SHA-1) that have a perceived weakness in | |||
| its hash algorithm (SHA-1). | its hash algorithm (SHA-1) as well as seen in major deployments. | |||
| All other algorithms used in DNSSEC specified without an | ||||
| implementation status are currently set to OPTIONAL. | ||||
| 2.2. DNSSEC Implementation Status Table | 2.2. DNSSEC Implementation Status Table | |||
| The DNSSEC algorithm implementation status table is listed below. | The DNSSEC algorithm implementation status table is listed below. | |||
| Only the algorithms already specified for use with DNSSEC (at the | Only the algorithms already specified for use with DNSSEC (at the | |||
| time of writing) are listed. | time of writing) are listed. | |||
| +------------+------------+-----------------+-------------+ | +------------+------------+-----------------+-------------------+ | |||
| | MUST | MUST NOT | RECOMMENDED | OPTIONAL | | | MUST | MUST NOT | RECOMMENDED | OPTIONAL | | |||
| | IMPLEMENT | IMPLEMENT | TO IMPLEMENT | | | | IMPLEMENT | IMPLEMENT | TO IMPLEMENT | | | |||
| +------------+------------+-----------------+-------------+ | +------------+------------+-----------------+-------------------+ | |||
| | | | | | | | | | | | | |||
| | RSASHA1 | RSAMD5 | RSASHA256 | DSASHA1 | | | RSASHA1 | RSAMD5 | RSASHA256 | DSASHA1 | | |||
| | | | RSASHA1-NSEC3 | DH | | | | | RSASHA1-NSEC3 | DH | | |||
| | | | -SHA1 | DSA-NSEC3 | | | | | -SHA1 | DSA-NSEC3-SHA1 | | |||
| | | | RSASHA512 | -SHA1 | | | | | RSASHA512 | GOST-ECC | | |||
| | | | | GOST-ECC | | | | | | ECDSAP256SHA256 | | |||
| | | | | | | | | | | ECDSAP384SHA384 | | |||
| +------------+------------+-----------------+-------------+ | +------------+------------+-----------------+-------------------+ | |||
| This table does not list the Reserved values in the IANA registry | This table does not list the Reserved values in the IANA registry | |||
| table or the values for INDIRECT (252), PRIVATE (253) and PRIVATEOID | table or the values for INDIRECT (252), PRIVATE (253) and PRIVATEOID | |||
| (254). These values may relate to more than one algorithm and are | (254). These values may relate to more than one algorithm and are | |||
| therefore up to the implementer's discretion. Their implementation | therefore up to the implementer's discretion. Their implementation | |||
| (or lack thereof) therefore cannot be included when judging | (or lack thereof) therefore cannot be included when judging | |||
| compliance to this document. | compliance to this document. | |||
| 2.3. Specifying New Algorithms and Updating Status of Existing Entries | 2.3. Specifying New Algorithms and Updating Status of Existing Entries | |||
| [RFC6014] establishes a parallel procedure for adding a registry | [RFC6014] establishes a parallel procedure for adding a registry | |||
| entry for a new algorithm other than a standards track document. | entry for a new algorithm other than a standards track document. | |||
| Algorithms entered into the registry using that procedure are to be | Algorithms entered into the registry using that procedure are to be | |||
| considered OPTIONAL for implementation purposes. Specifications that | considered OPTIONAL for implementation purposes. Specifications that | |||
| follow this path do not need to obsolete or update this document. | follow this path do not need to obsolete or update this document. | |||
| Adding a newly specified algorithm to the registry with a compliance | Adding a newly specified algorithm to the registry with a | |||
| status SHALL entail obsolescing this document and replacing the | implementation status other than OPTIONAL SHALL entail obsolescing | |||
| registry table (with the new algorithm entry). Altering the status | this document and replacing the table in Section 2.2 (with the new | |||
| column value of any existing algorithm in the registry SHALL entail | algorithm entry). Altering the status column value of any existing | |||
| obsolescing this document and replacing the registry table. | algorithm in the registry SHALL entail obsolescing this document and | |||
| replacing the table in Section 2.2 above. | ||||
| This document cannot be updated, only made obsolete and replaced by a | This document cannot be updated, only made obsolete and replaced by a | |||
| successor document. | successor document. | |||
| 3. IANA Considerations | 3. IANA Considerations | |||
| This document lists the implementation status of cryptographic | This document lists the implementation status of cryptographic | |||
| algorithms used with DNSSEC. These algorithms are maintained in an | algorithms used with DNSSEC. These algorithms are maintained in an | |||
| IANA registry. There are no changes to the registry in this | IANA registry. There are no changes to the registry in this | |||
| document. However this document asks to be listed as a reference for | document. However this document asks to be listed as a reference for | |||
| the entire registry. | the entire registry. | |||
| 4. Security Considerations | 4. Security Considerations | |||
| This document replaces the Domain Name System (DNS) Security | This document lists, and in some cases assigns, the implementation | |||
| Algorithm Numbers registry. It is not meant to be a discussion on | status of cryptographic algorithms used with DNSSEC. It is not meant | |||
| algorithm superiority. No new security considerations are raised in | to be a discussion on algorithm superiority. No new security | |||
| this document. | considerations are raised in this document. | |||
| 5. Normative References | 5. References | |||
| 5.1. Normative References | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System | [RFC2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System | |||
| (DNS)", RFC 2536, March 1999. | (DNS)", RFC 2536, March 1999. | |||
| [RFC2539] Eastlake, D., "Storage of Diffie-Hellman Keys in the | [RFC2539] Eastlake, D., "Storage of Diffie-Hellman Keys in the | |||
| Domain Name System (DNS)", RFC 2539, March 1999. | Domain Name System (DNS)", RFC 2539, March 1999. | |||
| skipping to change at page 6, line 18 ¶ | skipping to change at page 6, line 20 ¶ | |||
| and RRSIG Resource Records for DNSSEC", RFC 5702, | and RRSIG Resource Records for DNSSEC", RFC 5702, | |||
| October 2009. | October 2009. | |||
| [RFC5933] Dolmatov, V., Chuprina, A., and I. Ustinov, "Use of GOST | [RFC5933] Dolmatov, V., Chuprina, A., and I. Ustinov, "Use of GOST | |||
| Signature Algorithms in DNSKEY and RRSIG Resource Records | Signature Algorithms in DNSKEY and RRSIG Resource Records | |||
| for DNSSEC", RFC 5933, July 2010. | for DNSSEC", RFC 5933, July 2010. | |||
| [RFC6014] Hoffman, P., "Cryptographic Algorithm Identifier | [RFC6014] Hoffman, P., "Cryptographic Algorithm Identifier | |||
| Allocation for DNSSEC", RFC 6014, November 2010. | Allocation for DNSSEC", RFC 6014, November 2010. | |||
| 5.2. Informative References | ||||
| [ROOTDPS] Ljunggren, F., Okubo, T., Lamb, R., and J. Schlyter, | ||||
| "DNSSEC Practice Statement for the Root Zone KSK | ||||
| Operator", DNS ROOTDPS, May 2010, <http:// | ||||
| www.root-dnssec.org/wp-content/uploads/2010/06/ | ||||
| icann-dps-00.txt>. | ||||
| Author's Address | Author's Address | |||
| Scott Rose | Scott Rose | |||
| NIST | NIST | |||
| 100 Bureau Dr. | 100 Bureau Dr. | |||
| Gaithersburg, MD 20899 | Gaithersburg, MD 20899 | |||
| USA | USA | |||
| Phone: +1-301-975-8439 | Phone: +1-301-975-8439 | |||
| EMail: scottr.nist@gmail.com | EMail: scottr.nist@gmail.com | |||
| End of changes. 16 change blocks. | ||||
| 38 lines changed or deleted | 54 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||