idnits 2.17.1 draft-ietf-dnsop-algorithm-update-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC6944]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 17, 2019) is 1889 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 6944 (Obsoleted by RFC 8624) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 dnsop P. Wouters 3 Internet-Draft Red Hat 4 Obsoletes: 6944 (if approved) O. Sury 5 Intended status: Standards Track Internet Systems Consortium 6 Expires: August 21, 2019 February 17, 2019 8 Algorithm Implementation Requirements and Usage Guidance for DNSSEC 9 draft-ietf-dnsop-algorithm-update-06 11 Abstract 13 The DNSSEC protocol makes use of various cryptographic algorithms in 14 order to provide authentication of DNS data and proof of non- 15 existence. To ensure interoperability between DNS resolvers and DNS 16 authoritative servers, it is necessary to specify a set of algorithm 17 implementation requirements and usage guidelines to ensure that there 18 is at least one algorithm that all implementations support. This 19 document defines the current algorithm implementation requirements 20 and usage guidance for DNSSEC. This document obsoletes [RFC6944]. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on August 21, 2019. 39 Copyright Notice 41 Copyright (c) 2019 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (https://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 1.1. Updating Algorithm Implementation Requirements and Usage 58 Guidance . . . . . . . . . . . . . . . . . . . . . . . . 2 59 1.2. Updating Algorithm Requirement Levels . . . . . . . . . . 3 60 1.3. Document Audience . . . . . . . . . . . . . . . . . . . . 4 61 2. Conventions Used in This Document . . . . . . . . . . . . . . 4 62 3. Algorithm Selection . . . . . . . . . . . . . . . . . . . . . 4 63 3.1. DNSKEY Algorithms . . . . . . . . . . . . . . . . . . . . 4 64 3.2. DNSKEY Algorithm Recommendation . . . . . . . . . . . . . 6 65 3.3. DS and CDS Algorithms . . . . . . . . . . . . . . . . . . 6 66 3.4. DS and CDS Algorithm Recommendation . . . . . . . . . . . 7 67 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 68 5. Operational Considerations . . . . . . . . . . . . . . . . . 7 69 6. Implementation Report . . . . . . . . . . . . . . . . . . . . 8 70 6.1. DNSKEY Algorithms . . . . . . . . . . . . . . . . . . . . 8 71 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 72 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 73 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 74 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 75 9.2. Informative References . . . . . . . . . . . . . . . . . 9 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 78 1. Introduction 80 The DNSSEC signing algorithms are defined by various RFCs, including 81 [RFC4034], [RFC5155], [RFC5702], [RFC5933], [RFC6605], [RFC8080]. 82 DNSSEC is used to provide authentication of data. To ensure 83 interoperability, a set of "mandatory-to-implement" DNSKEY algorithms 84 are defined. This document obsoletes [RFC6944]. 86 1.1. Updating Algorithm Implementation Requirements and Usage Guidance 88 The field of cryptography evolves continuously. New stronger 89 algorithms appear and existing algorithms are found to be less secure 90 then originally thought. Therefore, algorithm implementation 91 requirements and usage guidance need to be updated from time to time 92 to reflect the new reality. The choices for algorithms must be 93 conservative to minimize the risk of algorithm compromise. 95 1.2. Updating Algorithm Requirement Levels 97 The mandatory-to-implement algorithm of tomorrow should already be 98 available in most implementations of DNSSEC by the time it is made 99 mandatory. This document attempts to identify and introduce those 100 algorithms for future mandatory-to-implement status. There is no 101 guarantee that algorithms in use today will become mandatory in the 102 future. Published algorithms are continuously subjected to 103 cryptographic attack and may become too weak, or even be completely 104 broken, before this document is updated. 106 This document only provides recommendations with respect to 107 mandatory-to-implement algorithms or algorithms so weak that 108 recommendation cannot be recommended. Any algorithm listed in the 109 [DNSKEY-IANA] and [DS-IANA] registries, but not mentioned in this 110 document, MAY be implemented. For clarification and consistency, an 111 algorithm will be specified as MAY in this document only when it has 112 been downgraded. 114 Although this document's primary purpose is to update algorithm 115 recommendations to keep DNSSEC authentication secure over time, it 116 also aims to do so in such a way that DNSSEC implementations remain 117 interoperable. DNSSEC interoperability is addressed by an 118 incremental introduction or deprecation of algorithms. 120 [RFC2119] considers the term SHOULD equivalent to RECOMMENDED, and 121 SHOULD NOT equivalent to NOT RECOMMENDED. The authors of this 122 document have chosen to use the terms RECOMMENDED and NOT 123 RECOMMENDED, as this more clearly expresses the recommendations to 124 implementers. 126 It is expected that deprecation of an algorithm will be performed 127 gradually. This provides time for various implementations to update 128 their implemented algorithms while remaining interoperable. Unless 129 there are strong security reasons, an algorithm is expected to be 130 downgraded from MUST to NOT RECOMMENDED or MAY, instead of to MUST 131 NOT. Similarly, an algorithm that has not been mentioned as 132 mandatory-to-implement is expected to be introduced with a 133 RECOMMENDED instead of a MUST. 135 Since the effect of using an unknown DNSKEY algorithm is that the 136 zone is treated as insecure, it is recommended that algorithms 137 downgraded to NOT RECOMMENDED or lower not be used by authoritative 138 nameservers and DNSSEC signers to create new DNSKEY's. This will 139 allow for deprecated algorithms to become less and less common over 140 time. Once an algorithm has reached a sufficiently low level of 141 deployment, it can be marked as MUST NOT, so that recursive resolvers 142 can remove support for validating it. 144 Recursive nameservers are encouraged to retain support for all 145 algorithms not marked as MUST NOT. 147 1.3. Document Audience 149 The recommendations of this document mostly target DNSSEC 150 implementers, as implementations need to meet both high security 151 expectations as well as high interoperability between various vendors 152 and with different versions. Interoperability requires a smooth 153 transition to more secure algorithms. This perspective may differ 154 from from that of a user who wishes to deploy and configure DNSSEC 155 with only the safest algorithm. On the other hand, the comments and 156 recommendations in this document are also expected to be useful for 157 such users. 159 2. Conventions Used in This Document 161 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 162 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 163 "OPTIONAL" in this document are to be interpreted as described in BCP 164 14 [RFC2119] [RFC8174] when, and only when, they appear in all 165 capitals, as shown here. 167 3. Algorithm Selection 169 3.1. DNSKEY Algorithms 171 Implementation recommendations for DNSKEY algorithms [DNSKEY-IANA]. 173 +--------+--------------------+-----------------+-------------------+ 174 | Number | Mnemonics | DNSSEC Signing | DNSSEC Validation | 175 +--------+--------------------+-----------------+-------------------+ 176 | 1 | RSAMD5 | MUST NOT | MUST NOT | 177 | 3 | DSA | MUST NOT | MUST NOT | 178 | 5 | RSASHA1 | NOT RECOMMENDED | MUST | 179 | 6 | DSA-NSEC3-SHA1 | MUST NOT | MUST NOT | 180 | 7 | RSASHA1-NSEC3-SHA1 | NOT RECOMMENDED | MUST | 181 | 8 | RSASHA256 | MUST | MUST | 182 | 10 | RSASHA512 | NOT RECOMMENDED | MUST | 183 | 12 | ECC-GOST | MUST NOT | MAY | 184 | 13 | ECDSAP256SHA256 | MUST | MUST | 185 | 14 | ECDSAP384SHA384 | MAY | RECOMMENDED | 186 | 15 | ED25519 | RECOMMENDED | RECOMMENDED | 187 | 16 | ED448 | MAY | RECOMMENDED | 188 +--------+--------------------+-----------------+-------------------+ 190 RSAMD5 is not widely deployed and there is an industry-wide trend to 191 deprecate MD5 usage. 193 RSASHA1 and RSASHA1-NSEC3-SHA1 are widely deployed, although zones 194 deploying it are recommended to switch to ECDSAP256SHA256 as there is 195 an industry-wide trend to move to elliptic curve cryptography. 196 RSASHA1 does not support NSEC3. RSASHA1-NSEC3-SHA1 can be used with 197 or without NSEC3. 199 DSA and DSA-NSEC3-SHA1 are not widely deployed and vulnerable to 200 private key compromise when generating signatures using a weak or 201 compromised random number generator. 203 RSASHA256 is in wide use and considered strong. 205 RSASHA512 is NOT RECOMMENDED for DNSSEC Signing because it has not 206 seen wide deployment, but there are some deployments hence DNSSEC 207 Validation MUST implement RSASHA512 to ensure interoperability. 208 There is no significant difference in cryptographics strength between 209 RSASHA512 and RSASHA256, therefore it is discouraged to use 210 RSASHA512, as it will only make deprecation of older algorithms 211 harder. People that wish to use a cryptographically stronger 212 algorithm should switch to elliptic curve cryptography algorithms. 214 ECC-GOST (GOST R 34.10-2001) has been superseded by GOST R 34.10-2012 215 in [RFC7091]. The GOST R 34.10-2012 hasn't been standardized for use 216 in DNSSEC. 218 ECDSAP256SHA256 provides more cryptographic strength with a shorter 219 signature length than either RSASHA256 or RSASHA512. ECDSAP256SHA256 220 has been widely deployed and therefore it is now at MUST level for 221 both validation and signing. It is RECOMMENDED to use deterministic 222 digital signature generation procedure of the ECDSA ([RFC6979]) when 223 implementing ECDSAP256SHA256 (and ECDSAP384SHA384). 225 ECDSAP384SHA384 shares the same properties as ECDSAP256SHA256, but 226 offers a modest security advantage over ECDSAP256SHA256 (192 bits of 227 strength versus 128 bits). For most DNSSEC applications, 228 ECDSAP256SHA256 should be satisfactory and robust for the foreseeable 229 future, and is therefore recommended for signing. While it is 230 unlikely for a DNSSEC use case requiring 192-bit security strength to 231 arise, ECDSA384SHA384 is provided for such applications and it MAY be 232 used for signing in these cases. 234 ED25519 and ED448 use Edwards-curve Digital Security Algorithm 235 (EdDSA). There are three main advantages of the EdDSA algorithm: It 236 does not require the use of a unique random number for each 237 signature, there are no padding or truncation issues as with ECDSA, 238 and it is more resilient to side-channel attacks. Furthermore, EdDSA 239 cryptography is less prone to implementation errors ([RFC8032], 240 [RFC8080]). It is expected that ED25519 will become the future 241 RECOMMENDED default algorithm once there's enough support for this 242 algorithm in the deployed DNSSEC validators. 244 3.2. DNSKEY Algorithm Recommendation 246 Operation recommendation for new and existing deployments. 248 Due to industry-wide trend to move to elliptic curve cryptography, 249 the ECDSAP256SHA256 is RECOMMENDED DNSKEY algorithm for use by new 250 DNSSEC deployments, and users of RSA based algorithms SHOULD upgrade 251 to ECDSAP256SHA256. 253 3.3. DS and CDS Algorithms 255 Recommendations for Delegation Signer Digest Algorithms [DNSKEY-IANA] 256 These also apply to the CDS RRTYPE as specified in [RFC7344] 258 +--------+-----------------+-------------------+-------------------+ 259 | Number | Mnemonics | DNSSEC Delegation | DNSSEC Validation | 260 +--------+-----------------+-------------------+-------------------+ 261 | 0 | NULL (CDS only) | MUST NOT [*] | MUST NOT [*] | 262 | 1 | SHA-1 | MUST NOT | MUST | 263 | 2 | SHA-256 | MUST | MUST | 264 | 3 | GOST R 34.11-94 | MUST NOT | MAY | 265 | 4 | SHA-384 | MAY | RECOMMENDED | 266 +--------+-----------------+-------------------+-------------------+ 268 [*] - This is a special type of CDS record signaling removal of DS at 269 the parent in [RFC8078] 271 NULL is a special case, see [RFC8078] 273 SHA-1 is still in wide use for DS records, so validators MUST 274 implement validation, but it MUST NOT be used to generate new DS and 275 CDS records. (See Operational Considerations for caveats when 276 upgrading from SHA-1 to SHA-256 DS Algorithm.) 278 SHA-256 is in wide use and considered strong. 280 GOST R 34.11-94 has been superseded by GOST R 34.11-2012 in 281 [RFC6986]. The GOST R 34.11-2012 hasn't been standardized for use in 282 DNSSEC. 284 SHA-384 shares the same properties as SHA-256, but offers a modest 285 security advantage over SHA-384 (384-bits of strength versus 286 256-bits). For most applications of DNSSEC, SHA-256 should be 287 satisfactory and robust for the foreseeable future, and is therefore 288 recommended for DS and CDS records. While it is unlikely for a 289 DNSSEC use case requiring 384-bit security strength to arise, SHA-384 290 is provided for such applications and it MAY be used for generating 291 DS and CDS records in these cases. 293 3.4. DS and CDS Algorithm Recommendation 295 Operation recommendation for new and existing deployments. 297 The SHA-256 is RECOMMENDED DS and CDS algorithm. 299 4. Security Considerations 301 The security of cryptographic systems depends on both the strength of 302 the cryptographic algorithms chosen and the strength of the keys used 303 with those algorithms. The security also depends on the engineering 304 of the protocol used by the system to ensure that there are no non- 305 cryptographic ways to bypass the security of the overall system. 307 This document concerns itself with the selection of cryptographic 308 algorithms for the use of DNSSEC, specifically with the selection of 309 "mandatory-to-implement" algorithms. The algorithms identified in 310 this document as MUST or RECOMMENDED to implement are not known to be 311 broken at the current time, and cryptographic research so far leads 312 us to believe that they are likely to remain secure into the 313 foreseeable future. However, this isn't necessarily forever, and it 314 is expected that new revisions of this document will be issued from 315 time to time to reflect the current best practices in this area. 317 Retiring an algorithm too soon would result in a zone signed with the 318 retired algorithm being downgraded to the equivalent of an unsigned 319 zone. Therefore, algorithm deprecation must be done very slowly and 320 only after careful consideration and measurement of its use. 322 5. Operational Considerations 324 DNSKEY algorithm rollover in a live zone is a complex process. See 325 [RFC6781] and [RFC7583] for guidelines on how to perform algorithm 326 rollovers. 328 DS algorithm rollover in a live zone is also a complex process. 329 Upgrading algorithm at the same time as rolling the new KSK key will 330 lead to DNSSEC validation failures, and users MUST upgrade the DS 331 algorithm first before rolling the Key Signing Key. 333 6. Implementation Report 335 6.1. DNSKEY Algorithms 337 The following table contains the status of support in the open-source 338 DNS signers and validators in the current released versions as of the 339 time writing this document. Usually, the support for specific 340 algorithm has to be also included in the cryptographic libraries that 341 the software use. 343 +--------------------+------+--------+---------+----------+---------+ 344 | Mnemonics | BIND | Knot | OpenDNS | PowerDNS | Unbound | 345 | | | DNS | | | | 346 +--------------------+------+--------+---------+----------+---------+ 347 | RSAMD5 | Y | N | Y | N | N | 348 | DSA | Y | N | Y | N | Y | 349 | RSASHA1 | Y | Y | Y | Y | Y | 350 | DSA-NSEC3-SHA1 | Y | N | Y | N | Y | 351 | RSASHA1-NSEC3-SHA1 | Y | Y | Y | Y | Y | 352 | RSASHA256 | Y | Y | Y | Y | Y | 353 | RSASHA512 | Y | Y | Y | Y | Y | 354 | ECC-GOST | N | N | Y | Y | Y | 355 | ECDSAP256SHA256 | Y | Y | Y | Y | Y | 356 | ECDSAP384SHA384 | Y | Y | Y | Y | Y | 357 | ED25519 | Y | Y | N | Y | Y | 358 | ED448 | N | N | N | Y | Y | 359 +--------------------+------+--------+---------+----------+---------+ 361 7. IANA Considerations 363 This document makes no requests of IANA. 365 8. Acknowledgements 367 This document borrows text from RFC 4307 by Jeffrey I. Schiller of 368 the Massachusetts Institute of Technology (MIT) and the 4307bis 369 document by Yoav Nir, Tero Kivinen, Paul Wouters and Daniel Migault. 370 Much of the original text has been copied verbatim. 372 We wish to thank Michael Sinatra, Roland van Rijswijk-Deij, Olafur 373 Gudmundsson, Paul Hoffman and Evan Hunt for their imminent feedback. 375 Kudos to Roy Arends for bringing the DS rollover issue to the 376 daylight. 378 9. References 380 9.1. Normative References 382 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 383 Requirement Levels", BCP 14, RFC 2119, 384 DOI 10.17487/RFC2119, March 1997, 385 . 387 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 388 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 389 May 2017, . 391 9.2. Informative References 393 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 394 Rose, "Resource Records for the DNS Security Extensions", 395 RFC 4034, DOI 10.17487/RFC4034, March 2005, 396 . 398 [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS 399 Security (DNSSEC) Hashed Authenticated Denial of 400 Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, 401 . 403 [RFC5702] Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY 404 and RRSIG Resource Records for DNSSEC", RFC 5702, 405 DOI 10.17487/RFC5702, October 2009, 406 . 408 [RFC5933] Dolmatov, V., Ed., Chuprina, A., and I. Ustinov, "Use of 409 GOST Signature Algorithms in DNSKEY and RRSIG Resource 410 Records for DNSSEC", RFC 5933, DOI 10.17487/RFC5933, July 411 2010, . 413 [RFC6605] Hoffman, P. and W. Wijngaards, "Elliptic Curve Digital 414 Signature Algorithm (DSA) for DNSSEC", RFC 6605, 415 DOI 10.17487/RFC6605, April 2012, 416 . 418 [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC 419 Operational Practices, Version 2", RFC 6781, 420 DOI 10.17487/RFC6781, December 2012, 421 . 423 [RFC6944] Rose, S., "Applicability Statement: DNS Security (DNSSEC) 424 DNSKEY Algorithm Implementation Status", RFC 6944, 425 DOI 10.17487/RFC6944, April 2013, 426 . 428 [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature 429 Algorithm (DSA) and Elliptic Curve Digital Signature 430 Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August 431 2013, . 433 [RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012: 434 Hash Function", RFC 6986, DOI 10.17487/RFC6986, August 435 2013, . 437 [RFC7091] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012: 438 Digital Signature Algorithm", RFC 7091, 439 DOI 10.17487/RFC7091, December 2013, 440 . 442 [RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating 443 DNSSEC Delegation Trust Maintenance", RFC 7344, 444 DOI 10.17487/RFC7344, September 2014, 445 . 447 [RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking, 448 "DNSSEC Key Rollover Timing Considerations", RFC 7583, 449 DOI 10.17487/RFC7583, October 2015, 450 . 452 [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital 453 Signature Algorithm (EdDSA)", RFC 8032, 454 DOI 10.17487/RFC8032, January 2017, 455 . 457 [RFC8078] Gudmundsson, O. and P. Wouters, "Managing DS Records from 458 the Parent via CDS/CDNSKEY", RFC 8078, 459 DOI 10.17487/RFC8078, March 2017, 460 . 462 [RFC8080] Sury, O. and R. Edmonds, "Edwards-Curve Digital Security 463 Algorithm (EdDSA) for DNSSEC", RFC 8080, 464 DOI 10.17487/RFC8080, February 2017, 465 . 467 [DNSKEY-IANA] 468 "DNSKEY Algorithms", . 471 [DS-IANA] "Delegation Signer Digest Algorithms", 472 . 475 Authors' Addresses 477 Paul Wouters 478 Red Hat 479 CA 481 EMail: pwouters@redhat.com 483 Ondrej Sury 484 Internet Systems Consortium 485 CZ 487 EMail: ondrej@isc.org