| draft-ietf-dnsext-dnssec-algo-imp-status-02.txt | draft-ietf-dnsext-dnssec-algo-imp-status-03.txt | |||
|---|---|---|---|---|
| DNS Extensions Working Group S. Rose | DNS Extensions Working Group S. Rose | |||
| Internet-Draft NIST | Internet-Draft NIST | |||
| Updates: 2536, 2539, 3110, 4034, 4398, April 19, 2012 | Updates: 2536, 2539, 3110, 4034, 4398, June 12, 2012 | |||
| 5155, 5702, 5933 (if approved) | 5155, 5702, 5933 (if approved) | |||
| Intended status: BCP | Intended status: BCP | |||
| Expires: October 21, 2012 | Expires: December 14, 2012 | |||
| Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm | Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm | |||
| Implementation Status | Implementation Status | |||
| draft-ietf-dnsext-dnssec-algo-imp-status-02 | draft-ietf-dnsext-dnssec-algo-imp-status-03 | |||
| Abstract | Abstract | |||
| The DNS Security Extensions (DNSSEC) requires the use of | The DNS Security Extensions (DNSSEC) requires the use of | |||
| cryptographic algorithm suites for generating digital signatures over | cryptographic algorithm suites for generating digital signatures over | |||
| DNS data. There is currently an IANA registry for these algorithms | DNS data. There is currently an IANA registry for these algorithms | |||
| that is incomplete in that it lacks the recommended implementation | that lacks the recommended implementation status of each algorithm. | |||
| status of each algorithm. This document provides an applicability | This document provides an applicability statement on algorithm | |||
| statement on algorithm implementation status for DNSSEC component | implementation status for DNSSEC component software. This document | |||
| software. This document lists each algorithm's status based on the | lists each algorithm's status based on the current reference. In the | |||
| current reference. In the case that an algorithm is specified | case that an algorithm is specified without an implementation status, | |||
| without an implementation status, this document assigns one. | this document assigns one. This document updates RFCs 2536, 2539, | |||
| | 3110, 4034, 4398, 5155, 5702, and 5933. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 21, 2012. | This Internet-Draft will expire on December 14, 2012. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 33 | skipping to change at page 3, line 33 | |||
| implementation, not deployment or operations. Operators are free to | implementation, not deployment or operations. Operators are free to | |||
| deploy any digital signature algorithm available in implementations | deploy any digital signature algorithm available in implementations | |||
| or algorithms chosen by local security policies. This status is to | or algorithms chosen by local security policies. This status is to | |||
| measure compliance to this document only. | measure compliance to this document only. | |||
| This document updates the following: [RFC2536], [RFC2539], [RFC3110], | This document updates the following: [RFC2536], [RFC2539], [RFC3110], | |||
| [RFC4034], [RFC4398], [RFC5155], [RFC5702], and [RFC5933]. | [RFC4034], [RFC4398], [RFC5155], [RFC5702], and [RFC5933]. | |||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "SHALL", "SHALL NOT", "SHOULD", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. The DNS Security Algorithm Implementation Status Lists | 2. The DNS Security Algorithm Implementation Status Lists | |||
| 2.1. Algorithm Implementation Status Assignment Rationale | 2.1. Algorithm Implementation Status Assignment Rationale | |||
| The status of RSASHA1-NSEC3-SHA1 is set to RECOMMENDED TO IMPLEMENT | The status of RSASHA1-NSEC3-SHA1 is set to RECOMMENDED TO IMPLEMENT | |||
| as major deployments (such as the root zone) use NSEC3 [ROOTDPS]. | as many deployments use NSEC3. The status of RSA/SHA-256 and RSA/ | |||
| The status of RSA/SHA-256 and RSA/SHA-512 is also set to RECOMMENDED | SHA-512 is also set to RECOMMENDED TO IMPLEMENT as major deployments | |||
| TO IMPLEMENT as it is believed that these algorithms will replace | (such as the root zone) use these algorithms [ROOTDPS]. It is | |||
| | believed that the RSA/SHA-256 and RSA/SHA-512 algorithms will replace | |||
| older algorithms (e.g. RSA/SHA-1) that have a perceived weakness, or | older algorithms (e.g. RSA/SHA-1) that have a perceived weakness, or | |||
| because these recommended algorithms are already seen in major deployments. | because these recommended algorithms are already seen in major deployments. | |||
| | Likewise, ECDSA with the two identified curves (ECDSAP256SHA256 and | |||
| | ECDSAP384SHA384) are algorithms that may see widespread use due to | |||
| | the perceived similar level of security offered with smaller key sizes | |||
| | compared to the key sizes of algorithms such as RSA. | |||
| All other algorithms used in DNSSEC specified without an | All other algorithms used in DNSSEC specified without an | |||
| implementation status are currently set to OPTIONAL. | implementation status are currently set to OPTIONAL. | |||
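An added example, not part of the draft or of this diff: a small Python audit that parses DNSKEY RRs in presentation format, computes the RFC 4034 Appendix B key tag, recovers the RSA modulus size from the RFC 3110 wire layout or the ECDSA curve size from the RFC 6605 layout, and labels each algorithm with the status this section states. The sample DNSKEY records are constructed placeholders with the correct wire layout, not real keys. The RECOMMENDED_TO_IMPLEMENT set encodes only the three algorithms the rationale above names explicitly; every other algorithm falls to the Section 2.1 default, since the Section 2.2 table is elided from this page and is not reproduced here.

```python
"""Audit a DNSKEY RRset against the status rationale of Section 2.1.

Added example; not the draft's text.  Algorithm numbers follow the IANA
DNS Security Algorithm Numbers registry, the key tag follows RFC 4034
Appendix B, RSA keys follow RFC 3110 and ECDSA keys follow RFC 6605.
All sample keys below are constructed placeholders, not real keys.
"""
import base64
import struct
from dataclasses import dataclass

# Subset of the IANA registry current at the time of the draft.
ALGORITHM_NAMES = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
}
# Only the statuses Section 2.1 states explicitly; everything else is
# OPTIONAL unless the defining RFC already set a status (Section 2.2 table).
RECOMMENDED_TO_IMPLEMENT = {7, 8, 10}


@dataclass
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


def parse_dnskey(rr_text: str) -> DNSKEY:
    """Parse one DNSKEY RR in presentation format, e.g.
    'example. 3600 IN DNSKEY 257 3 8 ( AwEAAc... ) ; key id = 1234'."""
    body = rr_text.split(";", 1)[0]                      # drop trailing comment
    tokens = body.replace("(", " ").replace(")", " ").split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    public_key = base64.b64decode("".join(tokens[i + 4:]))  # base64 may span tokens
    return DNSKEY(flags, protocol, algorithm, public_key)


def key_tag(rdata: bytes, algorithm: int) -> int:
    """Key tag per RFC 4034 Appendix B (B.1 covers the RSAMD5 special case)."""
    if algorithm == 1:
        # RSAMD5: most significant 16 bits of the least significant 24 bits of the modulus
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_bits(key: DNSKEY):
    """Public key size in bits, or None when the format is not handled here."""
    pk = key.public_key
    if key.algorithm in (1, 5, 7, 8, 10):                # RSA, RFC 3110 layout
        exp_len, off = pk[0], 1
        if exp_len == 0:                                  # long form: 2-byte exponent length
            exp_len, off = int.from_bytes(pk[1:3], "big"), 3
        modulus = pk[off + exp_len:]
        return int.from_bytes(modulus, "big").bit_length()
    if key.algorithm in (13, 14):                         # ECDSA, RFC 6605: raw x || y
        return len(pk) * 4
    return None


def audit(rr_text: str) -> dict:
    """Classify one DNSKEY: role, algorithm name, status from Section 2.1, key tag, size."""
    key = parse_dnskey(rr_text)
    return {
        "role": "KSK" if key.flags & 0x0001 else "ZSK",  # SEP bit convention
        "algorithm": key.algorithm,
        "name": ALGORITHM_NAMES.get(key.algorithm, f"unassigned({key.algorithm})"),
        "status": ("RECOMMENDED TO IMPLEMENT" if key.algorithm in RECOMMENDED_TO_IMPLEMENT
                   else "OPTIONAL unless set by defining RFC"),
        "key_tag": key_tag(key.rdata(), key.algorithm),
        "key_bits": key_bits(key),
    }


# --- constructed sample keys: correct wire layout, placeholder values, not real keys ---
def _rsa_public_key(modulus_bits: int, exponent: int = 65537) -> bytes:
    modulus = (1 << (modulus_bits - 1)) | 0x2A5B          # top bit set so bit_length is exact
    exp_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    return bytes([len(exp_bytes)]) + exp_bytes + modulus.to_bytes(modulus_bits // 8, "big")


def to_presentation(owner: str, key: DNSKEY) -> str:
    b64 = base64.b64encode(key.public_key).decode()
    return f"{owner} 3600 IN DNSKEY {key.flags} {key.protocol} {key.algorithm} ( {b64} )"


SAMPLE_ZONE = [
    to_presentation("example.", DNSKEY(257, 3, 8, _rsa_public_key(2048))),   # RSASHA256 KSK
    to_presentation("example.", DNSKEY(256, 3, 7, _rsa_public_key(1024))),   # RSASHA1-NSEC3-SHA1 ZSK
    to_presentation("example.", DNSKEY(256, 3, 13, bytes(range(64)))),       # ECDSAP256SHA256 ZSK
]

if __name__ == "__main__":
    for rr in SAMPLE_ZONE:
        print(audit(rr))
```

Running it prints one summary per key; the 2048-bit RSA key next to the 256-bit ECDSA key shows the key-size difference the rationale refers to. The status column is deliberately limited to what this section says: a production check would instead load the full Section 2.2 table from the successor document.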
| 2.2. DNSSEC Implementation Status Table | 2.2. DNSSEC Implementation Status Table | |||
| The DNSSEC algorithm implementation status table is listed below. | The DNSSEC algorithm implementation status table is listed below. | |||
| Only the algorithms already specified for use with DNSSEC (at the | Only the algorithms already specified for use with DNSSEC (at the | |||
| time of writing) are listed. | time of writing) are listed. | |||
| +------------+------------+-------------------+-------------------+ | +------------+------------+-------------------+-------------------+ | |||
| skipping to change at page 5, line 9 | skipping to change at page 5, line 9 | |||
| algorithm in the registry SHALL entail making this document obsolete | algorithm in the registry SHALL entail making this document obsolete | |||
| and replacing the table in Section 2.2 above. | and replacing the table in Section 2.2 above. | |||
| This document cannot be updated, only made obsolete and replaced by a | This document cannot be updated, only made obsolete and replaced by a | |||
| successor document. | successor document. | |||
| 3. IANA Considerations | 3. IANA Considerations | |||
| This document lists the implementation status of cryptographic | This document lists the implementation status of cryptographic | |||
| algorithms used with DNSSEC. These algorithms are maintained in an | algorithms used with DNSSEC. These algorithms are maintained in an | |||
| IANA registry. There are no changes to the registry in this | IANA registry at http://www.iana.org/assignments/dns-sec-alg-numbers. | |||
| document. However this document asks to be listed as a reference for | There are no changes to the registry in this document. However this | |||
| the entire registry. | document asks to be listed as a reference for the entire registry. | |||
| 4. Security Considerations | 4. Security Considerations | |||
| This document lists, and in some cases assigns, the implementation | This document lists, and in some cases assigns, the implementation | |||
| status of cryptographic algorithms used with DNSSEC. It is not meant | status of cryptographic algorithms used with DNSSEC. It is not meant | |||
| to be a discussion on algorithm superiority. No new security | to be a discussion on algorithm superiority. No new security | |||
| considerations are raised in this document. | considerations are raised in this document. | |||
| 5. References | 5. References | |||
| End of changes. 9 change blocks. | ||||
| 19 lines changed or deleted | 26 lines changed or added | |||