| < draft-ietf-dnsop-dnssec-iana-cons-02.txt | draft-ietf-dnsop-dnssec-iana-cons-03.txt > | |||
|---|---|---|---|---|
| Network Working Group P. Hoffman | Network Working Group P. Hoffman | |||
| Internet-Draft ICANN | Internet-Draft ICANN | |||
| Updates: 3658, 5155, 6014, 8624 (if approved) 23 August 2021 | Updates: 5155, 6014, 8624 (if approved) 16 September 2021 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: 24 February 2022 | Expires: 20 March 2022 | |||
| Revised IANA Considerations for DNSSEC | Revised IANA Considerations for DNSSEC | |||
| draft-ietf-dnsop-dnssec-iana-cons-02 | draft-ietf-dnsop-dnssec-iana-cons-03 | |||
| Abstract | Abstract | |||
| This document changes the review requirements needed to get DNSSEC | This document changes the review requirements needed to get DNSSEC | |||
| algorithms and resource records added to IANA registries. It updates | algorithms and resource records added to IANA registries. It updates | |||
| RFC 6014 to include hash algorithms for DS records and NSEC3 | RFC 6014 to include hash algorithms for DS records and NSEC3 | |||
| parameters. It also updates RFC 5155 and RFC 6014, which have | parameters. It also updates RFC 5155 and RFC 6014, which have | |||
| requirements for DNSSEC algorithms, and updates RFC 8624 to say that | requirements for DNSSEC algorithms, and updates RFC 8624 to say that | |||
| algorithms that are described in RFCs that are not on standards track | algorithms that are described in RFCs that are not on standards track | |||
| are only at the "MAY" level of implementation recommendation. The | are only at the "MAY" level of implementation recommendation. The | |||
| skipping to change at page 1, line 40 ¶ | skipping to change at page 1, line 40 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 24 February 2022. | This Internet-Draft will expire on 20 March 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Simplified BSD License text | extracted from this document must include Simplified BSD License text | |||
| as described in Section 4.e of the Trust Legal Provisions and are | as described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Update to RFC 6014 . . . . . . . . . . . . . . . . . . . . . 2 | 2. Update to RFC 6014 . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Update to RFC 8624 . . . . . . . . . . . . . . . . . . . . . 2 | 3. Update to RFC 8624 . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 3 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 3 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 4 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . 4 | 6.2. Informative References . . . . . . . . . . . . . . . . . 5 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 4 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 5 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 4 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 1. Introduction | 1. Introduction | |||
| DNSSEC is primarily described in [RFC4033], [RFC4034], and [RFC4035]. | DNSSEC is primarily described in [RFC4033], [RFC4034], and [RFC4035]. | |||
| DNSSEC commonly uses two resource records beyond those defined in RFC | DNSSEC commonly uses two resource records beyond those defined in RFC | |||
| 4034: DS [RFC3658] and NSEC3 [RFC5155]. | 4034: DS [RFC3658] (which was obsoleted by RFC 4034) and NSEC3 | |||
| [RFC5155]. | ||||
| [RFC8126] gives guidelines for listing in the myriad IANA registries. | [RFC8126] gives guidelines for listing in the myriad IANA registries. | |||
| [RFC6014] updated the requirements for how DNSSEC cryptographic | [RFC6014] updated the requirements for how DNSSEC cryptographic | |||
| algorithm identifiers in the IANA registries are assigned, reducing | algorithm identifiers in the IANA registries are assigned, reducing | |||
| the requirements from being "Standards Action" to "RFC Required". | the requirements from being "Standards Action" to "RFC Required". | |||
| However, the IANA registry requirements for hash algorithms for DS | However, the IANA registry requirements for hash algorithms for DS | |||
| records [RFC3658] and for the hash algorithms used in NSEC3 [RFC5155] | records [RFC3658] and for the hash algorithms used in NSEC3 [RFC5155] | |||
| are still "Standards Action". This document updates those IANA | are still "Standards Action". This document updates those IANA | |||
| registry requirements. | registry requirements. (For reference on how IANA registries can be | |||
| updated in general, see [RFC8126].) | ||||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | ||||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | ||||
| "OPTIONAL" in this document are to be interpreted as described in BCP | ||||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | ||||
| capitals, as shown here. | ||||
| 2. Update to RFC 6014 | 2. Update to RFC 6014 | |||
| Section 4 updates RFC 6014 to bring the requirements for DS records | Section 4 updates RFC 6014 to bring the requirements for DS records | |||
| and NSEC3 hash algorithms in line with the rest of the DNSSEC | and NSEC3 hash algorithms in line with the rest of the DNSSEC | |||
| cryptographic algorithms by allowing any DS or NSEC3 hash algorithms | cryptographic algorithms by allowing any DS or NSEC3 hash algorithms | |||
| that are fully described in an RFC to have identifiers assigned in | that are fully described in an RFC to have identifiers assigned in | |||
| the IANA registries. This is an addition to the IANA considerations | the IANA registries. This is an addition to the IANA considerations | |||
| in RFC 6014. | in RFC 6014. | |||
| skipping to change at page 3, line 49 ¶ | skipping to change at page 4, line 17 ¶ | |||
| Algorithms" is changed from "Standards Action" to "RFC Required". | Algorithms" is changed from "Standards Action" to "RFC Required". | |||
| 5. Security Considerations | 5. Security Considerations | |||
| Changing the requirements for getting security algorithms added to | Changing the requirements for getting security algorithms added to | |||
| IANA registries as described in this document will make it easier to | IANA registries as described in this document will make it easier to | |||
| get good algorithms added to the registries, and will make it easier | get good algorithms added to the registries, and will make it easier | |||
| to get bad algorithms added to the registries. It is impossible to | to get bad algorithms added to the registries. It is impossible to | |||
| weigh the security impact of those two changes. | weigh the security impact of those two changes. | |||
| Administrators of DNSSEC-signed zones, and of validating resolvers, | ||||
| may have been making security decisions based on the contents of the | ||||
| IANA registries. This was a bad idea in the past, and now is an even | ||||
| worse idea because there will be more algorithms in those registries | ||||
| that may not have gone through IETF review. Security decisions about | ||||
| which algorithms are safe and not safe should be made by reading the | ||||
| security literature, not by looking in IANA registries. | ||||
| 6. References | 6. References | |||
| 6.1. Normative References | 6.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | ||||
| Requirement Levels", BCP 14, RFC 2119, | ||||
| DOI 10.17487/RFC2119, March 1997, | ||||
| <https://www.rfc-editor.org/info/rfc2119>. | ||||
| [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "DNS Security Introduction and Requirements", | Rose, "DNS Security Introduction and Requirements", | |||
| RFC 4033, DOI 10.17487/RFC4033, March 2005, | RFC 4033, DOI 10.17487/RFC4033, March 2005, | |||
| <https://www.rfc-editor.org/info/rfc4033>. | <https://www.rfc-editor.org/info/rfc4033>. | |||
| [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Resource Records for the DNS Security Extensions", | Rose, "Resource Records for the DNS Security Extensions", | |||
| RFC 4034, DOI 10.17487/RFC4034, March 2005, | RFC 4034, DOI 10.17487/RFC4034, March 2005, | |||
| <https://www.rfc-editor.org/info/rfc4034>. | <https://www.rfc-editor.org/info/rfc4034>. | |||
| skipping to change at page 4, line 34 ¶ | skipping to change at page 5, line 14 ¶ | |||
| [RFC6014] Hoffman, P., "Cryptographic Algorithm Identifier | [RFC6014] Hoffman, P., "Cryptographic Algorithm Identifier | |||
| Allocation for DNSSEC", RFC 6014, DOI 10.17487/RFC6014, | Allocation for DNSSEC", RFC 6014, DOI 10.17487/RFC6014, | |||
| November 2010, <https://www.rfc-editor.org/info/rfc6014>. | November 2010, <https://www.rfc-editor.org/info/rfc6014>. | |||
| [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | |||
| Writing an IANA Considerations Section in RFCs", BCP 26, | Writing an IANA Considerations Section in RFCs", BCP 26, | |||
| RFC 8126, DOI 10.17487/RFC8126, June 2017, | RFC 8126, DOI 10.17487/RFC8126, June 2017, | |||
| <https://www.rfc-editor.org/info/rfc8126>. | <https://www.rfc-editor.org/info/rfc8126>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | ||||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | ||||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||||
| [RFC8624] Wouters, P. and O. Sury, "Algorithm Implementation | [RFC8624] Wouters, P. and O. Sury, "Algorithm Implementation | |||
| Requirements and Usage Guidance for DNSSEC", RFC 8624, | Requirements and Usage Guidance for DNSSEC", RFC 8624, | |||
| DOI 10.17487/RFC8624, June 2019, | DOI 10.17487/RFC8624, June 2019, | |||
| <https://www.rfc-editor.org/info/rfc8624>. | <https://www.rfc-editor.org/info/rfc8624>. | |||
| 6.2. Informative References | 6.2. Informative References | |||
| [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record | [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record | |||
| (RR)", RFC 3658, DOI 10.17487/RFC3658, December 2003, | (RR)", RFC 3658, DOI 10.17487/RFC3658, December 2003, | |||
| <https://www.rfc-editor.org/info/rfc3658>. | <https://www.rfc-editor.org/info/rfc3658>. | |||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| Donald Eastlake and Murray Kucherawy contributed to this document. | Donald Eastlake, Murray Kucherawy, and Dan Harkins contributed to | |||
| this document. | ||||
| Author's Address | Author's Address | |||
| Paul Hoffman | Paul Hoffman | |||
| ICANN | ICANN | |||
| Email: paul.hoffman@icann.org | Email: paul.hoffman@icann.org | |||
| End of changes. 13 change blocks. | ||||
| 15 lines changed or deleted | 42 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||