DNS Extensions Working Group                                    S. Rose
Internet-Draft                                                     NIST
Intended status: Standards Track                      November 18, 2011
Expires: May 21, 2012

       DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates
                   draft-srose-dnssec-registry-update-00

Abstract

   The DNS Security Extensions (DNSSEC) requires the use of
   cryptographic algorithm suites for generating digital signatures over
   DNS data.  The algorithms specified for use with DNSSEC are reflected
   in an IANA maintained registry.  This document presents a set of
   changes for some entries of the registry and presents a new registry
   table.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 21, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  The DNS Security Algorithm Number Sub-registry
     2.1.  Updates and Additions
     2.2.  Domain Name System (DNS) Security Algorithm Number
           Registry Table
   3.  IANA Considerations
   4.  Security Considerations
   5.  Normative References

1.  Introduction

   The Domain Name System (DNS) Security Extensions (DNSSEC) [RFC4033],
   [RFC4034], [RFC4035], [RFC4509], [RFC5155], and [RFC5702] uses
   digital signatures over DNS data to provide source authentication and
   integrity protection.  DNSSEC uses an IANA registry to list codes for
   digital signature algorithms (each consisting of a cryptographic
   algorithm and a one-way hash function).

   This document replaces the current IANA registry for Domain Name
   System Security (DNSSEC) Algorithm Numbers with a newly defined
   registry table.  This new table (Section 2.2 below) contains a
   collection of changes to selected entries originally set aside for
   future algorithm specification that did not occur.  These entries are
   changed to "Reserved" to avoid potential conflicts with older
   implementations.  This document also brings the list of references
   for entries up to date.

2.  The DNS Security Algorithm Number Sub-registry

   The DNS Security Algorithm Number sub-registry (part of the Domain
   Name System (DNS) Security Number registry) will be replaced with the
   table below.  The changes to individual entries are described in
   Section 2.1, and the complete new registry table is in Section 2.2.

2.1.  Updates and Additions

   This document updates three entries in the Domain Name System
   Security (DNSSEC) Algorithm Registry.  They are:

      The description for assignment number 4 is changed to "Reserved".

      The description for assignment number 9 is changed to "Reserved".

      The description for assignment number 11 is changed to "Reserved".

   The above values are changed to "Reserved" because they were
   placeholders for algorithms that were never fully specified for use
   with DNSSEC.  Older implementations may still have these algorithm
   codes assigned, so these codes are reserved to prevent potential
   incompatibilities.

2.2.  Domain Name System (DNS) Security Algorithm Number Registry Table

   The Domain Name System (DNS) Security Algorithm Number registry is
   hereby specified as follows.

                                                    Zone   Trans-
   Number   Description          Mnemonic           Sign   action  Reference
                                                           Sign
   -------  -------------------  -----------------  ----   ------  ---------
   0        Reserved                                                [RFC4034]
                                                                    [RFC4398]
   1        RSA/MD5              RSAMD5             N      Y       [RFC3110]
   2        Diffie-Hellman       DH                 N      Y       [RFC2539]
   3        DSA/SHA-1            DSASHA1            Y      Y       [RFC2536]
   4        Reserved
   5        RSA/SHA-1            RSASHA1            Y      Y       [RFC3110]
   6        DSA-NSEC3-SHA1       DSA-NSEC3-SHA1     Y      Y       [RFC5155]
   7        RSASHA1-NSEC3-SHA1   RSASHA1-NSEC3-     Y      Y       [RFC5155]
                                 SHA1
   8        RSA/SHA-256          RSASHA256          Y      *       [RFC5702]
   9        Reserved
   10       RSA/SHA-512          RSASHA512          Y      *       [RFC5702]
   11       Reserved
   12       GOST R 34.10-2001    GOST-ECC           Y      *       [RFC5933]
   13-122   Unassigned
   123-251  Reserved                                                [RFC6014]
   252      Reserved for         INDIRECT           N      N       [RFC4034]
            Indirect keys
   253      private algorithm    PRIVATE            Y      Y       [RFC4034]
   254      private algorithm    PRIVATEOID         Y      Y       [RFC4034]
            OID
   255      Reserved                                                [RFC4034]

3.  IANA Considerations

   This document replaces the Domain Name System (DNS) Security
   Algorithm Numbers registry with the new registry table in
   Section 2.2.  The changes include moving three registry entries to
   "Reserved" and updating the reference list for entries.

   The original Domain Name System (DNS) Security Algorithm Number
   registry is available at
   http://www.iana.org/assignments/dns-sec-alg-numbers.

4.  Security Considerations

   This document replaces the Domain Name System (DNS) Security
   Algorithm Numbers registry with an updated table.  It is not meant to
   be a discussion on algorithm superiority.  No new security
   considerations are raised in this document.

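   The registry table above, transcribed as data, together with the
   check a validating resolver would make before trusting a DNSKEY
   whose algorithm number falls on one of the entries the draft moves
   to "Reserved".  This is an added illustration in Python written for
   this page; it is not code from the draft, from IANA, or from any DNS
   implementation.  The DNSKEY wire layout (Flags, Protocol, Algorithm,
   Public Key) and the Zone Key and SEP flag bits follow RFC 4034, which
   the draft cites; the sample RDATA values are constructed and carry
   dummy key material.  The table marks the Transaction Sign column of
   algorithms 8, 10 and 12 with "*" rather than Y or N; this example
   treats "*" as "undetermined" and does not accept such keys for
   transaction signing, which is a design choice of the example, not a
   statement of the draft.

```python
"""Interpreting DNSKEY algorithm numbers against the registry table of
Section 2.2.  Added illustration for this page; not code from the draft,
from IANA, or from any DNS implementation."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class AlgEntry:
    number: int
    description: str
    mnemonic: str          # "" where the table assigns no mnemonic
    zone_sign: str         # "Y", "N", "*" (marked but undetermined) or "" (no entry)
    transaction_sign: str


# The registry table of Section 2.2 transcribed as data.  Numbers 4, 9 and 11
# are the entries the draft moves to "Reserved"; the ranges 13-122 (Unassigned)
# and 123-251 (Reserved) are handled in lookup() rather than listed here.
_TABLE = [
    AlgEntry(0, "Reserved", "", "", ""),
    AlgEntry(1, "RSA/MD5", "RSAMD5", "N", "Y"),
    AlgEntry(2, "Diffie-Hellman", "DH", "N", "Y"),
    AlgEntry(3, "DSA/SHA-1", "DSASHA1", "Y", "Y"),
    AlgEntry(4, "Reserved", "", "", ""),
    AlgEntry(5, "RSA/SHA-1", "RSASHA1", "Y", "Y"),
    AlgEntry(6, "DSA-NSEC3-SHA1", "DSA-NSEC3-SHA1", "Y", "Y"),
    AlgEntry(7, "RSASHA1-NSEC3-SHA1", "RSASHA1-NSEC3-SHA1", "Y", "Y"),
    AlgEntry(8, "RSA/SHA-256", "RSASHA256", "Y", "*"),
    AlgEntry(9, "Reserved", "", "", ""),
    AlgEntry(10, "RSA/SHA-512", "RSASHA512", "Y", "*"),
    AlgEntry(11, "Reserved", "", "", ""),
    AlgEntry(12, "GOST R 34.10-2001", "GOST-ECC", "Y", "*"),
    AlgEntry(252, "Reserved for Indirect keys", "INDIRECT", "N", "N"),
    AlgEntry(253, "private algorithm", "PRIVATE", "Y", "Y"),
    AlgEntry(254, "private algorithm OID", "PRIVATEOID", "Y", "Y"),
    AlgEntry(255, "Reserved", "", "", ""),
]
REGISTRY = {e.number: e for e in _TABLE}


def lookup(number: int) -> AlgEntry:
    """Resolve any one-octet algorithm number, including the two ranges."""
    if not 0 <= number <= 255:
        raise ValueError("algorithm number must fit in one octet")
    if number in REGISTRY:
        return REGISTRY[number]
    if 13 <= number <= 122:
        return AlgEntry(number, "Unassigned", "", "", "")
    return AlgEntry(number, "Reserved", "", "", "")      # 123-251


def classify(number: int, purpose: str = "zone") -> str:
    """How a validator should regard an algorithm number for 'zone' or
    'transaction' signing: 'ok', 'not-for-purpose', 'undetermined' (the
    table's '*'), 'private', 'reserved' or 'unassigned'."""
    entry = lookup(number)
    if entry.description.startswith("Reserved"):       # 0, 4, 9, 11, 123-251, 252, 255
        return "reserved"
    if entry.description == "Unassigned":
        return "unassigned"
    if entry.mnemonic in ("PRIVATE", "PRIVATEOID"):    # meaning is local to the key
        return "private"
    flag = entry.zone_sign if purpose == "zone" else entry.transaction_sign
    return {"Y": "ok", "N": "not-for-purpose"}.get(flag, "undetermined")


ZONE_KEY_FLAG = 0x0100   # Flags bit 7 (RFC 4034, Section 2.1.1)
SEP_FLAG = 0x0001        # Flags bit 15, Secure Entry Point
DNSKEY_PROTOCOL = 3      # the only Protocol value RFC 4034 permits


def parse_dnskey_rdata(rdata: bytes) -> dict:
    """Split DNSKEY RDATA into its fixed header and the public key."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA shorter than its 4-octet header")
    flags, protocol, algorithm = struct.unpack(">HBB", rdata[:4])
    return {"flags": flags, "protocol": protocol,
            "algorithm": algorithm, "public_key": rdata[4:]}


def assess_dnskey(rdata: bytes) -> dict:
    """'usable' is True only for a zone key with Protocol 3 whose algorithm
    the registry marks 'Y' for zone signing; every failed check is listed."""
    key = parse_dnskey_rdata(rdata)
    entry = lookup(key["algorithm"])
    status = classify(key["algorithm"], "zone")
    problems = []
    if key["protocol"] != DNSKEY_PROTOCOL:
        problems.append(f"protocol {key['protocol']} is not {DNSKEY_PROTOCOL}")
    if not key["flags"] & ZONE_KEY_FLAG:
        problems.append("Zone Key flag not set; key cannot verify RRSIGs")
    if status != "ok":
        problems.append(f"algorithm {key['algorithm']} is {status} ({entry.description})")
    return {"algorithm": key["algorithm"], "mnemonic": entry.mnemonic, "status": status,
            "sep": bool(key["flags"] & SEP_FLAG), "usable": not problems,
            "problems": problems}


# Constructed sample RDATA: flags, protocol, algorithm, then 16 dummy key octets.
SAMPLE_KSK_RSASHA256 = bytes([0x01, 0x01, 3, 8]) + bytes(16)   # flags 257, alg 8
SAMPLE_LEGACY_ALG4 = bytes([0x01, 0x00, 3, 4]) + bytes(16)     # alg 4, now Reserved
SAMPLE_UNASSIGNED = bytes([0x01, 0x00, 3, 50]) + bytes(16)     # alg 50, Unassigned

if __name__ == "__main__":
    for name, rdata in [("ksk-rsasha256", SAMPLE_KSK_RSASHA256),
                        ("legacy-alg4", SAMPLE_LEGACY_ALG4),
                        ("unassigned-50", SAMPLE_UNASSIGNED)]:
        print(name, assess_dnskey(rdata))
```

   Running the block reports the first sample as usable and the other
   two as rejected, the alg 4 key because the registry now lists that
   number as Reserved and the alg 50 key because the number is
   Unassigned.  A validator that carries the pre-update table would
   treat a stray code 4 key as an unknown algorithm anyway; encoding the
   registry as data keeps that decision in one place and makes the
   "Reserved" entries explicit rather than an accident of what the
   implementation happens not to support.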
5.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2536]  Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
              (DNS)", RFC 2536, March 1999.

   [RFC2539]  Eastlake, D., "Storage of Diffie-Hellman Keys in the
              Domain Name System (DNS)", RFC 2539, March 1999.

   [RFC3110]  Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
              Name System (DNS)", RFC 3110, May 2001.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, March 2005.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, March 2005.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, March 2005.

   [RFC4398]  Josefsson, S., "Storing Certificates in the Domain Name
              System (DNS)", RFC 4398, March 2006.

   [RFC4509]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
              (DS) Resource Records (RRs)", RFC 4509, May 2006.

   [RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
              Security (DNSSEC) Hashed Authenticated Denial of
              Existence", RFC 5155, March 2008.

   [RFC5702]  Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY
              and RRSIG Resource Records for DNSSEC", RFC 5702,
              October 2009.

   [RFC5933]  Dolmatov, V., Chuprina, A., and I. Ustinov, "Use of GOST
              Signature Algorithms in DNSKEY and RRSIG Resource Records
              for DNSSEC", RFC 5933, July 2010.

   [RFC6014]  Hoffman, P., "Cryptographic Algorithm Identifier
              Allocation for DNSSEC", RFC 6014, November 2010.

Author's Address

   Scott Rose
   NIST
   100 Bureau Dr.
   Gaithersburg, MD 20899
   USA

   Phone: +1-301-975-8439
   EMail: scottr.nist@gmail.com