| < draft-ietf-dnsext-dnssec-registry-fixes-07.txt | draft-ietf-dnsext-dnssec-registry-fixes-08.txt > | |||
|---|---|---|---|---|
| DNS Extensions Working Group S. Rose | DNS Extensions Working Group S. Rose | |||
| Internet-Draft NIST | Internet-Draft NIST | |||
| Updates: 2536, 2539, 3110, 4034, January 5, 2011 | Updates: 2536, 2539, 3110, 4034, 4398, May 26, 2011 | |||
| 4398, 5155, 5702, 5933 | 5155, 5702, 5933 (if approved) | |||
| (if approved) | ||||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: July 9, 2011 | Expires: November 27, 2011 | |||
| Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm IANA | Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm IANA | |||
| Registry | Registry | |||
| draft-ietf-dnsext-dnssec-registry-fixes-07 | draft-ietf-dnsext-dnssec-registry-fixes-08 | |||
| Abstract | Abstract | |||
| The DNS Security Extensions (DNSSEC) requires the use of | The DNS Security Extensions (DNSSEC) requires the use of | |||
| cryptographic algorithm suites for generating digital signatures over | cryptographic algorithm suites for generating digital signatures over | |||
| DNS data. There is currently an IANA registry for these algorithms | DNS data. There is currently an IANA registry for these algorithms | |||
| that is incomplete in that it lacks the implementation status of each | that is incomplete in that it lacks the implementation status of each | |||
| algorithm. This document provides an applicability statement on | algorithm. This document provides an applicability statement on | |||
| algorithm implementation compliance status for DNSSEC | algorithm implementation compliance status for DNSSEC | |||
| implementations. This status is to measure compliance to this RFC | implementations. This status is to measure compliance to this RFC | |||
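Review bot: the Updates header lists RFC 2536 (DSA/SHA-1) and RFC 2539 (Diffie-Hellman), but the Section 2.2 table leaves the compliance column empty for both of those algorithms, and the only per-entry changes spelled out in 2.1 concern numbers 4, 9 and 11, so it is not clear what in those two RFCs this document actually updates; either say so in the Introduction or drop them from the header. The same question applies to RFC 4398, which appears in the table only as the reference for the reserved value 0.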
| skipping to change at page 1, line 44 ¶ | skipping to change at page 1, line 43 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 9, 2011. | This Internet-Draft will expire on November 27, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 21 ¶ | skipping to change at page 2, line 21 ¶ | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. The DNS Security Algorithm Number Sub-registry . . . . . . . . 3 | 2. The DNS Security Algorithm Number Sub-registry . . . . . . . . 3 | |||
| 2.1. Individual Changes . . . . . . . . . . . . . . . . . . . . 4 | 2.1. Updates and Additions . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.2. Domain Name System (DNS) Security Algorithm Number | 2.2. Domain Name System (DNS) Security Algorithm Number | |||
| Registry Table . . . . . . . . . . . . . . . . . . . . . . 5 | Registry Table . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.3. Specifying New Algorithms and Updating Status of | 2.3. Specifying New Algorithms and Updating Status of | |||
| Existing Entries . . . . . . . . . . . . . . . . . . . . . 6 | Existing Entries . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 | 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5. Normative References . . . . . . . . . . . . . . . . . . . . . 6 | 5. Normative References . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 1. Introduction | 1. Introduction | |||
| The Domain Name System (DNS) Security Extensions (DNSSEC) [RFC4033], | The Domain Name System (DNS) Security Extensions (DNSSEC) [RFC4033], | |||
| [RFC4034], [RFC4035], [RFC4509], [RFC5155], and [RFC5702] uses | [RFC4034], [RFC4035], [RFC4509], [RFC5155], and [RFC5702] uses | |||
| digital signatures over DNS data to provide source authentication and | digital signatures over DNS data to provide source authentication and | |||
| integrity protection. DNSSEC uses an IANA registry to allocate codes | integrity protection. DNSSEC uses an IANA registry to list codes for | |||
| for digital signature algorithms (consisting of a cryptographic | digital signature algorithms (consisting of a cryptographic algorithm | |||
| algorithm and one-way hash function). | and one-way hash function). | |||
| The original list of algorithm status is found in [RFC4034]. Other | The original list of algorithm status is found in [RFC4034]. Other | |||
| DNSSEC documents have added new algorithms or changed the status of | DNSSEC RFC's have added new algorithms or changed the status of | |||
| algorithms in the registry. However, currently implementers must | algorithms in the registry. However, implementers must read through | |||
| read through all the documents in order to discover which algorithms | all the documents in order to discover which algorithms are | |||
| are considered wise to implement, which are not, and which algorithms | considered wise to implement, which are not, and which algorithms may | |||
| may become widely used in the future. | become widely used in the future. This document replaces the | |||
| original list with a new table that includes the current compliance | ||||
| status for certain algorithms. | ||||
| This compliance status indication is only to be considered for | This compliance status indication is only to be considered for | |||
| implementation, not deployment or operations. Operators are free to | implementation, not deployment or operations. Operators are free to | |||
| deploy any digital signature algorithm available in implementations | deploy any digital signature algorithm available in implementations | |||
| or algorithms chosen by local security policies. This status is to | or algorithms chosen by local security policies. This status is to | |||
| measure compliance to this RFC only. | measure compliance to this RFC only. | |||
| This document replaces the current IANA registry for Domain Name | This document replaces the current IANA registry for Domain Name | |||
| System Security (DNSSEC) Algorithm Numbers with a newly defined | System Security (DNSSEC) Algorithm Numbers with a newly defined | |||
| registry table. This new table (Section 2.2 below) contains a column | registry table. This new table (Section 2.2 below) contains a column | |||
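Review bot: the sentence "Operators are free to deploy any digital signature algorithm available in implementations" understates the consequence of the MUST NOT IMPLEMENT status that Section 2.2 gives RSA/MD5: a validator compliant with this document will not support algorithm 1, and under RFC 4035 a validator that supports none of the algorithms in a zone's DS/DNSKEY RRsets treats that zone as unsigned. Add that caveat so "free to deploy" is not read as "will still validate". Also, the new closing sentence of the first paragraph ("This document replaces the original list with a new table ...") duplicates the paragraph beginning "This document replaces the current IANA registry" a few lines below; keep one. Style: "DNSSEC RFC's" should be "DNSSEC RFCs", and "The DNS Security Extensions ... uses" should be "use".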
| skipping to change at page 3, line 47 ¶ | skipping to change at page 3, line 49 ¶ | |||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. The DNS Security Algorithm Number Sub-registry | 2. The DNS Security Algorithm Number Sub-registry | |||
| The DNS Security Algorithm Number sub-registry (part of the Domain | The DNS Security Algorithm Number sub-registry (part of the Domain | |||
| Name System (DNS) Security Number registry) will be replaced with the | Name System (DNS) Security Number registry) will be replaced with the | |||
| table below. This table contains a column that contains the current | table below. This table is based on the existing DNS Security | |||
| implementation requirements of the given algorithm. | Algorithm Number sub-registry and adds a column that contains the | |||
| current implementation status of the given algorithm. | ||||
| There are additional differences to entries that are described in | There are additional differences to entries that are described in | |||
| sub-section 2.1. The overall new registry table is in sub-section | sub-section 2.1. The overall new registry table is in sub-section | |||
| 2.2. The values for the compliance status were obtained from | 2.2. The values for the compliance status were obtained from | |||
| [RFC4034] with updates for algorithms specified after the original | [RFC4034] with updates for algorithms specified after the original | |||
| DNSSEC specification. If no status was listed in the original | DNSSEC specification. If no status was listed in the original | |||
| specification, this document assigns one for some of the entries. | specification, this document assigns one. | |||
| 2.1. Individual Changes | 2.1. Updates and Additions | |||
| This document changes three entries in the Domain Name System | This document updates three entries in the Domain Name System | |||
| Security (DNSSEC) Algorithm Registry. They are: | Security (DNSSEC) Algorithm Registry. They are: | |||
| The description for assignment number 4 is changed to "Reserved until | The description for assignment number 4 is changed to "Reserved until | |||
| 2020". | 2020". | |||
| The description for assignment number 9 is changed to "Reserved until | The description for assignment number 9 is changed to "Reserved until | |||
| 2020". | 2020". | |||
| The description for assignment number 11 is changed to "Reserved | The description for assignment number 11 is changed to "Reserved | |||
| until 2020". | until 2020". | |||
| Registry entries 13-251 remains Unassigned. | Registry entries 13-251 remains Unassigned. | |||
| The status of RSASHA1-NSEC3-SHA1 is set to RECOMMENDED. This is due | The status of RSASHA1-NSEC3-SHA1 is set to RECOMMENDED TO IMPLEMENT. | |||
| to the fact that RSA/SHA-1 is REQUIRED. The status of RSA/SHA-256 | This is due to the fact that RSA/SHA-1 is a MUST IMPLEMENT. The | |||
| and RSA/SHA-512 are also set to RECOMMENDED as it is believed that | status of RSA/SHA-256 and RSA/SHA-512 are also set to RECOMMENDED TO | |||
| these algorithms will replace older algorithms (e.g. RSA/SHA-1) that | IMPLEMENT as it is believed that these algorithms will replace an | |||
| have a perceived weakness in their hash algorithm (SHA-1). | older algorithm (e.g. RSA/SHA-1) that have a perceived weakness in | |||
| its hash algorithm (SHA-1). | ||||
| 2.2. Domain Name System (DNS) Security Algorithm Number Registry Table | 2.2. Domain Name System (DNS) Security Algorithm Number Registry Table | |||
| The Domain Name System (DNS) Security Algorithm Number registry is | The Domain Name System (DNS) Security Algorithm Number registry is | |||
| hereby specified as follows: | hereby specified as follows below. The new column is titled | |||
| "Compliance to RFC TBD" (where TBD will change when published) as the | ||||
| IANA Registry table is not normative. The IANA registry table is | ||||
| only a reflection of the RFC, which is normative. | ||||
| Trans- | Trans- | |||
| Zone action Compliance to | Zone action Compliance to | |||
| Number Description Mnemonic Sign Sign RFC TBD1 Reference | Number Description Mnemonic Sign Sign RFC TBD1 Reference | |||
| ------ ----------- ------ ---- ----- ------------ --------- | ------ ----------- ------ ---- ----- ------------ --------- | |||
| 0 Reserved [RFC4398] | 0 Reserved [RFC4398] | |||
| 1 RSA/MD5 RSAMD5 N Y MUST NOT [RFC2537] | 1 RSA/MD5 RSAMD5 N Y MUST NOT [RFC2537] | |||
| IMPLEMENT | IMPLEMENT | |||
| 2 Diffie-Hellman DH N Y [RFC2539] | 2 Diffie-Hellman DH N Y [RFC2539] | |||
| 3 DSA/SHA-1 DSASHA1 Y Y [RFC2536] | 3 DSA/SHA-1 DSASHA1 Y Y [RFC2536] | |||
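Review bot: the new wording "If no status was listed in the original specification, this document assigns one" contradicts the table, which leaves the compliance column empty for Diffie-Hellman (2) and DSA/SHA-1 (3) and, per the sentence after the table, puts those rows outside the scope of compliance; the draft-07 wording "assigns one for some of the entries" was accurate and should be restored, or the blank rows filled in. Second, the argument in 2.1 is inverted from a security standpoint: RSA/SHA-1 is MUST IMPLEMENT while RSA/SHA-256 and RSA/SHA-512, introduced precisely because of the perceived weakness in SHA-1, are only RECOMMENDED TO IMPLEMENT, so a signer that moves to RSA/SHA-256 cannot assume every compliant validator supports it; consider MUST IMPLEMENT for RSA/SHA-256, or state why not. Third, the Reference for RSA/MD5 (1) is [RFC2537], which RFC 3110 (already in the Updates header) obsoletes; cite RFC 3110 or RFC 4034 instead. Grammar: "Registry entries 13-251 remains Unassigned" should read "remain", and "an older algorithm ... that have a perceived weakness" should be "that has".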
| skipping to change at page 5, line 48 ¶ | skipping to change at page 5, line 51 ¶ | |||
| 13-251 Unassigned | 13-251 Unassigned | |||
| 252 Reserved for INDIRECT N N [RFC4034] | 252 Reserved for INDIRECT N N [RFC4034] | |||
| Indirect keys | Indirect keys | |||
| 253 private PRIVATE Y Y [RFC4034] | 253 private PRIVATE Y Y [RFC4034] | |||
| algorithm | algorithm | |||
| 254 private PRIVATEOID Y Y [RFC4034] | 254 private PRIVATEOID Y Y [RFC4034] | |||
| algorithm OID | algorithm OID | |||
| 255 Reserved | 255 Reserved | |||
| Table rows where the compliance column is not filled in are left to | Table rows where the compliance column is not filled in are left to | |||
| the discretion of implementers and their implementation (or lack | the discretion of implementers. Their implementation (or lack | |||
| thereof) therefore cannot be included when judging compliance to this | thereof) therefore cannot be included when judging compliance to this | |||
| document. | document. | |||
| 2.3. Specifying New Algorithms and Updating Status of Existing Entries | 2.3. Specifying New Algorithms and Updating Status of Existing Entries | |||
| [RFC6014] establishes a parallel procedure for obtaining an algorithm | [RFC6014] establishes a parallel procedure for adding a registry | |||
| number for new algorithms other than a standards track document. | entry for a new algorithm other than a standards track document. | |||
| Algorithms entered into the registry using that procedure do not have | Algorithms entered into the registry using that procedure do not have | |||
| a listed status. Specifications that follow this path do not need to | a listed compliance status. Specifications that follow this path do | |||
| obsolete or update this document. | not need to obsolete or update this document. | |||
| Adding a newly specified algorithm to the registry with a compliance | Adding a newly specified algorithm to the registry with a compliance | |||
| status SHALL entail obsolescing this document and replacing the | status SHALL entail obsolescing this document and replacing the | |||
| registry table (with the new algorithm entry). Altering the status | registry table (with the new algorithm entry). Altering the status | |||
| column value of any existing algorithm in the registry SHALL entail | column value of any existing algorithm in the registry SHALL entail | |||
| obsolescing this document and replacing the registry table. | obsoleting this document and replacing the registry table. | |||
| This document cannot be updated, only made obsolete and replaced by a | This document cannot be updated, only made obsolete and replaced by a | |||
| successor document. | successor document. | |||
| 3. IANA Considerations | 3. IANA Considerations | |||
| This document replaces the Domain Name System (DNS) Security | This document replaces the Domain Name System (DNS) Security | |||
| Algorithm Numbers registry. The new registry table is in Section | Algorithm Numbers registry. The new registry table is in Section | |||
| 2.2. In the column "Compliance to RFC TBD1", "RFC TBD1" should be | 2.2. In the column "Compliance to RFC TBD", "RFC TBD" should be | |||
| changed to the official RFC when published. | changed to the official RFC when published. | |||
| The original Domain Name System (DNS) Security Algorithm Number | The original Domain Name System (DNS) Security Algorithm Number | |||
| registry is available at | registry is available at | |||
| http://www.iana.org/assignments/dns-sec-alg-numbers. | http://www.iana.org/assignments/dns-sec-alg-numbers. | |||
| 4. Security Considerations | 4. Security Considerations | |||
| This document replaces the Domain Name System (DNS) Security | This document replaces the Domain Name System (DNS) Security | |||
| Algorithm Numbers registry. It is not meant to be a discussion on | Algorithm Numbers registry. It is not meant to be a discussion on | |||
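Review bot: the IANA instruction in Section 3 now asks for "RFC TBD" to be replaced, but the column header of the Section 2.2 table still reads "Compliance to RFC TBD1" while the 2.2 prose says "RFC TBD"; use a single placeholder everywhere so the substitution cannot be missed. In 2.3, "obsolescing this document" and "obsoleting this document" appear in the same paragraph; pick one. The rows for INDIRECT (252), PRIVATE (253) and PRIVATEOID (254) also have an empty compliance column, which by the sentence after the table means a compliant implementation may omit them entirely; if that is intended, Section 4 should say so, since zones signed with a private algorithm will then validate on some compliant resolvers and be treated as unsigned on others.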
End of changes. 19 change blocks. 34 lines changed or deleted, 39 lines changed or added.
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/