rfc8624-2022.xml   draft-hardaker-dnsop-rfc8624-bis-00.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version="1.0"?>
<?xml-stylesheet type='text/xsl' href='./rfc2629.xslt' ?> <?xml-stylesheet type='text/xsl' href='./rfc2629.xslt' ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere <!ENTITY RFC2119 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/referen
nce.RFC.2119.xml"> ce.RFC.2119.xml">
<!ENTITY RFC4034 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC4034 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.4034.xml"> RFC.4034.xml">
<!ENTITY RFC5155 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC5155 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.5155.xml"> RFC.5155.xml">
<!ENTITY RFC5702 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC5702 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.5702.xml"> RFC.5702.xml">
<!ENTITY RFC5933 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC5933 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.5933.xml"> RFC.5933.xml">
<!ENTITY RFC8174 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC6605 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.8174.xml"> RFC.6605.xml">
<!ENTITY RFC6605 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC6781 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.6605.xml"> RFC.6781.xml">
<!ENTITY RFC6781 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC6944 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.6781.xml"> RFC.6944.xml">
<!ENTITY RFC6944 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC6979 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.6944.xml"> RFC.6979.xml">
<!ENTITY RFC6979 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC6986 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.6979.xml"> RFC.6986.xml">
<!ENTITY RFC6986 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC7091 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.6986.xml"> RFC.7091.xml">
<!ENTITY RFC7091 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC7344 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.7091.xml"> RFC.7344.xml">
<!ENTITY RFC7344 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC7583 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.7344.xml"> RFC.7583.xml">
<!ENTITY RFC7583 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC8032 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.7583.xml"> RFC.8032.xml">
<!ENTITY RFC8032 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC8078 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.8032.xml"> RFC.8078.xml">
<!ENTITY RFC8078 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference <!ENTITY RFC8080 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.
.RFC.8078.xml"> RFC.8080.xml">
<!ENTITY RFC8080 PUBLIC "" "https://xml2rfc.ietf.org/public/rfc/bibxml/reference
.RFC.8080.xml">
]> ]>
<?rfc toc="yes"?> <?rfc toc="yes"?>
<?rfc strict="yes" ?> <?rfc strict="yes" ?>
<?rfc linkmailto="yes" ?> <?rfc linkmailto="yes" ?>
<?rfc symrefs="yes"?> <?rfc symrefs="yes"?>
<?rfc compact="yes" ?> <?rfc compact="yes" ?>
<?rfc subcompact="no" ?> <?rfc subcompact="no" ?>
<?rfc sortrefs="no" ?> <?rfc sortrefs="no" ?>
<?rfc rfcedstyle="yes"?>
<rfc ipr="trust200902" category="std" obsoletes="6944" number="8624" <rfc ipr="trust200902" docName="draft-hardaker-dnsop-rfc8624-bis-00" category="s
submissionType="IETF" consensus="yes"> td" obsoletes="8624">
<front> <front>
<title abbrev="DNSSEC Cryptographic Algorithms">Algorithm Implementation Req uirements and Usage Guidance for DNSSEC</title> <title abbrev="DNSSEC Cryptographic Algorithms">Algorithm Implementation Req uirements and Usage Guidance for DNSSEC</title>
<author fullname="Wes Hardaker" initials="W." surname="Hardaker">
<organization>USC/ISI</organization>
<address>
<postal>
<street/>
<country>US</country>
</postal>
<email>ietf@hardakers.net</email>
</address>
</author>
<author fullname="Paul Wouters" initials="P." surname="Wouters"> <author fullname="Paul Wouters" initials="P." surname="Wouters">
<organization>Red Hat</organization> <organization>Red Hat</organization>
<address> <address>
<postal> <postal>
<street/> <street/>
<country>Canada</country> <country>CA</country>
</postal> </postal>
<email>pwouters@redhat.com</email> <email>pwouters@redhat.com</email>
</address> </address>
</author> </author>
<author fullname="Ondrej Sury" initials="O." surname="Sury"> <author fullname="Ondrej Sury" initials="O." surname="Sury">
<organization>Internet Systems Consortium</organization> <organization>Internet Systems Consortium</organization>
<address> <address>
<postal> <postal>
<street/> <street/>
<country>Czech Republic</country> <country>CZ</country>
</postal> </postal>
<email>ondrej@isc.org</email> <email>ondrej@isc.org</email>
</address> </address>
</author> </author>
<date month="June" year="2019"/> <date year="2022"/>
<area>Security</area> <area>Security</area>
<workgroup>dnsop</workgroup> <workgroup>dnsop</workgroup>
<keyword>Internet-Draft</keyword>
<keyword>DNS</keyword>
<abstract> <abstract>
<t> <t>
The DNSSEC protocol makes use of various cryptographic The DNSSEC protocol makes use of various cryptographic
algorithms in order to provide authentication of DNS data and algorithms in order to provide authentication of DNS data and
proof of nonexistence. To ensure interoperability between proof of non-existence. To ensure interoperability between
DNS resolvers and DNS authoritative servers, it is necessary DNS resolvers and DNS authoritative servers, it is necessary
to specify a set of algorithm implementation requirements and to specify a set of algorithm implementation requirements and
usage guidelines to ensure that there is at least one algorithm usage guidelines to ensure that there is at least one algorithm
that all implementations support. This document defines the that all implementations support. This document defines the
current algorithm implementation requirements and usage current algorithm implementation requirements and usage
guidance for DNSSEC. This document obsoletes RFC 6944. guidance for DNSSEC. This document obsoletes <xref target="RFC6944"/>.
</t> </t>
</abstract> </abstract>
</front> </front>
<!-- ====================================================================== -- >
<middle> <middle>
<section anchor="introduction" title="Introduction"> <section anchor="introduction" title="Introduction">
<t> <t>
The DNSSEC signing algorithms are defined by various RFCs, The DNSSEC signing algorithms are defined by various RFCs,
including <xref target="RFC4034"/>, <xref target="RFC5155"/>, including <xref target="RFC4034"/>, <xref target="RFC5155"/>,
<xref target="RFC5702"/>, <xref target="RFC5933"/>, <xref <xref target="RFC5702"/>, <xref target="RFC5933"/>, <xref
target="RFC6605"/>, and <xref target="RFC8080"/>. target="RFC6605"/>, <xref target="RFC8080"/>.
DNSSEC is used to provide authentication of data. To ensure DNSSEC is used to provide authentication of data. To ensure
interoperability, a set of "mandatory-to-implement" DNSKEY interoperability, a set of "mandatory-to-implement" DNSKEY
algorithms are defined. This document obsoletes algorithms are defined. This document obsoletes
<xref target="RFC6944"/>. <xref target="RFC6944"/>.
</t> </t>
<section title="Updating Algorithm Implementation Requirements and Usage G uidance"> <section title="Updating Algorithm Implementation Requirements and Usage G uidance">
<t> <t>
The field of cryptography evolves continuously. New, stronger The field of cryptography evolves continuously. New stronger
algorithms appear, and existing algorithms are found to be algorithms appear and existing algorithms are found to be
less secure than originally thought. Attacks previously thought less secure then originally thought. Therefore, algorithm
to be computationally infeasible become more accessible as the availabl
e
computational resources increase. Therefore, algorithm
implementation requirements and usage guidance need to be implementation requirements and usage guidance need to be
updated from time to time to reflect the new reality. The updated from time to time to reflect the new reality. The
choices for algorithms must be conservative to minimize the choices for algorithms must be conservative to minimize the
risk of algorithm compromise. risk of algorithm compromise.
</t> </t>
</section> </section>
<section title="Updating Algorithm Requirement Levels"> <section title="Updating Algorithm Requirement Levels">
<t> <t>
The mandatory-to-implement algorithm of tomorrow should The mandatory-to-implement algorithm of tomorrow should
already be available in most implementations of DNSSEC by the already be available in most implementations of DNSSEC by the
time it is made mandatory. This document attempts to time it is made mandatory. This document attempts to
identify and introduce those algorithms for future identify and introduce those algorithms for future
mandatory-to-implement status. There is no guarantee that mandatory-to-implement status. There is no guarantee that
algorithms in use today will become mandatory in the algorithms in use today will become mandatory in the
future. Published algorithms are continuously subjected to future. Published algorithms are continuously subjected to
cryptographic attack and may become too weak or even be cryptographic attack and may become too weak, or even be
completely broken before this document is updated. completely broken, before this document is updated.
</t> </t>
<t> <t>
This document only provides recommendations with respect to This document provides recommendations with respect to
mandatory-to-implement algorithms or algorithms so weak that mandatory-to-implement algorithms, algorithms so weak that
they cannot be recommended. Any they cannot be recommended, and algorithms defined in RFCs
algorithm listed in the <xref target="DNSKEY-IANA"/> and that are not on the standards track. Any algorithm listed in
<xref target="DS-IANA"/> registries that are not mentioned in this the <xref target="DNSKEY-IANA"/> and <xref
document MAY be implemented. For clarification and consistency, target="DS-IANA"/> registries that are not mentioned in this
an algorithm will be specified as MAY in this document only when document MAY be implemented. For clarification and
it has been downgraded from a MUST or a RECOMMENDED to a MAY. consistency, an algorithm will be specified as MAY in this
document only when it has been downgraded from a MUST or a
RECOMMENDED to a MAY.
</t> </t>
<t> <t>
Although this document's primary purpose is to update Although this document's primary purpose is to update
algorithm recommendations to keep DNSSEC authentication secure algorithm recommendations to keep DNSSEC authentication secure
over time, it also aims to do so in such a way that DNSSEC over time, it also aims to do so in such a way that DNSSEC
implementations remain interoperable. DNSSEC interoperability implementations remain interoperable. DNSSEC interoperability
is addressed by an incremental introduction or deprecation of is addressed by an incremental introduction or deprecation of
algorithms. algorithms.
</t> </t>
<t> <t>
<xref target="RFC2119"/> considers the term SHOULD <xref target="RFC2119"/> considers the term SHOULD
equivalent to RECOMMENDED, and SHOULD NOT equivalent to NOT equivalent to RECOMMENDED, and SHOULD NOT equivalent to NOT
RECOMMENDED. The authors of this document have chosen to use the RECOMMENDED. The authors of this document have chosen to use the
terms RECOMMENDED and NOT RECOMMENDED, as this more clearly terms RECOMMENDED and NOT RECOMMENDED, as this more clearly
expresses the intent to implementers. expresses the recommendations to implementers.
</t> </t>
<t> <t>
It is expected that deprecation of an algorithm will be It is expected that deprecation of an algorithm will be
performed gradually in a series of updates to this document. performed gradually. This provides time for various
This provides time for various implementations to update their implementations to update their implemented algorithms while
implemented algorithms while remaining interoperable. Unless remaining interoperable. Unless there are strong security
there are strong security reasons, an algorithm is expected to be reasons, an algorithm is expected to be downgraded from MUST
downgraded from MUST to NOT RECOMMENDED or MAY, instead of to MUST NOT. to NOT RECOMMENDED or MAY, instead of to MUST NOT. Similarly,
Similarly, an algorithm that has not been mentioned as an algorithm that has not been mentioned as
mandatory-to-implement is expected to be introduced with a mandatory-to-implement is expected to be introduced with a
RECOMMENDED instead of a MUST. RECOMMENDED instead of a MUST.
</t> </t>
<t> <t>
Since the effect of using an unknown DNSKEY algorithm is Since the effect of using an unknown DNSKEY algorithm is
that the zone is treated as insecure, it is recommended that the zone is treated as insecure, it is recommended
that algorithms downgraded to NOT RECOMMENDED or lower that algorithms downgraded to NOT RECOMMENDED or lower
not be used by authoritative nameservers and DNSSEC not be used by authoritative nameservers and DNSSEC
signers to create new DNSKEYs. This will allow for signers to create new DNSKEY's. This will allow for
deprecated algorithms to become less and less common over deprecated algorithms to become less and less common over
time. Once an algorithm has reached a sufficiently low time. Once an algorithm has reached a sufficiently low
level of deployment, it can be marked as MUST NOT so that level of deployment, it can be marked as MUST NOT, so that
recursive resolvers can remove support for validating it. recursive resolvers can remove support for validating it.
</t> </t>
<t> <t>
Recursive nameservers are encouraged to retain support for all Recursive nameservers are encouraged to retain support for all
algorithms not marked as MUST NOT. algorithms not marked as MUST NOT.
</t> </t>
</section> </section>
<section title="Document Audience"> <section title="Document Audience">
<t> <t>
The recommendations of this document mostly target DNSSEC The recommendations of this document mostly target DNSSEC
implementers, as implementations need to meet both high implementers, as implementations need to meet both high
security expectations as well as high interoperability security expectations as well as high interoperability
between various vendors and with different versions. between various vendors and with different versions.
Interoperability requires a smooth transition to more secure Interoperability requires a smooth transition to more secure
algorithms. This perspective may differ from that of algorithms. This perspective may differ from from that of
a user who wishes to deploy and configure DNSSEC with only the a user who wishes to deploy and configure DNSSEC with only the
safest algorithm. On the other hand, the comments and safest algorithm. On the other hand, the comments and
recommendations in this document are also expected to be recommendations in this document are also expected to be
useful for such users. useful for such users.
</t> </t>
</section> </section>
</section> </section>
<section anchor="mustshouldmay" title="Conventions Used in This Document"> <section anchor="mustshouldmay" title="Conventions Used in This Document">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL <t>
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
"MAY", and "OPTIONAL" in this document are to be interpreted as NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/> "OPTIONAL" in this document are to be interpreted as described
when, and only when, they appear in all capitals, as shown here. in <xref target="RFC2119"/>.
</t> </t>
</section> </section>
<section anchor="algs" title="Algorithm Selection"> <section anchor="algs" title="Algorithm Selection">
<section anchor="algs_dnskey" title="DNSKEY Algorithms"> <section anchor="algs_dnskey" title="DNSKEY Algorithms">
<t> <t>
The following table lists the implementation recommendations for DNSKEY algorithms <xref target="DNSKEY-IANA"/>. Implementation recommendations for DNSKEY algorithms <xref target="DNSK EY-IANA"/>.
</t> </t>
<texttable anchor="tbl_dnskey" suppress-title="true"> <texttable anchor="tbl_dnskey" suppress-title="true">
<ttcol align="left">Number</ttcol> <ttcol align="left">Number</ttcol>
<ttcol align="left">Mnemonics</ttcol> <ttcol align="left">Mnemonics</ttcol>
<ttcol align="left">DNSSEC Signing</ttcol> <ttcol align="left">DNSSEC Signing</ttcol>
<ttcol align="left">DNSSEC Validation</ttcol> <ttcol align="left">DNSSEC Validation</ttcol>
<c>1</c><c>RSAMD5</c><c>MUST NOT</c><c>MUST NOT</c> <c>1</c><c>RSAMD5</c><c>MUST NOT</c><c>MUST NOT</c>
<c>3</c><c>DSA</c><c>MUST NOT</c><c>MUST NOT</c> <c>3</c><c>DSA</c><c>MUST NOT</c><c>MUST NOT</c>
<c>5</c><c>RSASHA1</c><c>NOT RECOMMENDED</c><c>MUST</c> <c>5</c><c>RSASHA1</c><c>MUST NOT</c><c>SHOULD NOT</c>
<c>6</c><c>DSA-NSEC3-SHA1</c><c>MUST NOT</c><c>MUST NOT</c> <c>6</c><c>DSA-NSEC3-SHA1</c><c>MUST NOT</c><c>MUST NOT</c>
<c>7</c><c>RSASHA1-NSEC3-SHA1</c><c>NOT RECOMMENDED</c><c>MUST</c> <c>7</c><c>RSASHA1-NSEC3-SHA1</c><c>MUST NOT</c><c>SHOULD NOT</c>
<c>8</c><c>RSASHA256</c><c>MUST</c><c>MUST</c> <c>8</c><c>RSASHA256</c><c>MUST</c><c>MUST</c>
<c>10</c><c>RSASHA512</c><c>NOT RECOMMENDED</c><c>MUST</c> <c>10</c><c>RSASHA512</c><c>NOT RECOMMENDED</c><c>MUST</c>
<c>12</c><c>ECC-GOST</c><c>MUST NOT</c><c>MAY</c> <c>12</c><c>ECC-GOST</c><c>MUST NOT</c><c>MUST NOT</c>
<c>13</c><c>ECDSAP256SHA256</c><c>MUST</c><c>MUST</c> <c>13</c><c>ECDSAP256SHA256</c><c>MUST</c><c>MUST</c>
<c>14</c><c>ECDSAP384SHA384</c><c>MAY</c><c>RECOMMENDED</c> <c>14</c><c>ECDSAP384SHA384</c><c>MAY</c><c>RECOMMENDED</c>
<c>15</c><c>ED25519</c><c>RECOMMENDED</c><c>RECOMMENDED</c> <c>15</c><c>ED25519</c><c>RECOMMENDED</c><c>RECOMMENDED</c>
<c>16</c><c>ED448</c><c>MAY</c><c>RECOMMENDED</c> <c>16</c><c>ED448</c><c>MAY</c><c>RECOMMENDED</c>
</texttable> </texttable>
<t> <t>
RSAMD5 is not widely deployed, and there is an industry-wide trend RSAMD5 is not widely deployed and there is an industry-wide
to deprecate MD5 usage. trend to deprecate MD5 usage.
</t> </t>
<t> <t>
RSASHA1 and RSASHA1-NSEC3-SHA1 are widely deployed, although RSASHA1 and RSASHA1-NSEC3-SHA1 are widely deployed, although
the zones deploying it are recommended to switch to zones deploying it are recommended to switch to
ECDSAP256SHA256 as there is an industry-wide trend to move ECDSAP256SHA256 as there is an industry-wide trend to move
to elliptic curve cryptography. RSASHA1 does not support to elliptic curve cryptography. RSASHA1 does not support
NSEC3. RSASHA1-NSEC3-SHA1 can be used with or without NSEC3. RSASHA1-NSEC3-SHA1 can be used with or without
NSEC3. NSEC3.
</t> </t>
<t> <t>
DSA and DSA-NSEC3-SHA1 are not widely deployed and DSA and DSA-NSEC3-SHA1 are not widely deployed and
are vulnerable to private key compromise when generating vulnerable to private key compromise when generating
signatures using a weak or compromised random number signatures using a weak or compromised random number
generator. generator.
</t> </t>
<t> <t>
RSASHA256 is widely used and considered strong. It has been the default RSASHA256 is in wide use and considered strong.
algorithm for a number of years and is now slowly being replaced with
ECDSAP256SHA256 due to its shorter key and signature size, resulting in
smaller DNS packets.
</t> </t>
<t> <t>
RSASHA512 is NOT RECOMMENDED for DNSSEC signing because it RSASHA512 is NOT RECOMMENDED for DNSSEC Signing because it
has not seen wide deployment, but there are some deployments; hence, DN has not seen wide deployment, but there are some deployments
SSEC validation MUST implement RSASHA512 to ensure hence DNSSEC Validation MUST implement RSASHA512 to ensure
interoperability. There is no significant difference in interoperability. There is no significant difference in
cryptographic strength between RSASHA512 and RSASHA256; cryptographics strength between RSASHA512 and RSASHA256,
therefore, use of RSASHA512 is discouraged as it will therefore it is discouraged to use RSASHA512, as it will
only make deprecation of older algorithms harder. People only make deprecation of older algorithms harder. People
who wish to use a cryptographically stronger algorithm that wish to use a cryptographically stronger algorithm
should switch to elliptic curve cryptography algorithms. should switch to elliptic curve cryptography algorithms.
</t> </t>
<t> <t>
ECC-GOST (GOST R 34.10-2001) has been superseded by GOST R ECC-GOST (GOST R 34.10-2001) has been superseded by GOST R
34.10-2012 in <xref target="RFC7091"/>. GOST R 34.10-2012 34.10-2012 in <xref target="RFC7091"/>. The GOST R
hasn't been standardized for use in DNSSEC. 34.10-2012 hasn't been standardized for use in DNSSEC.
</t> </t>
<t> <t>
ECDSAP256SHA256 provides more cryptographic strength ECDSAP256SHA256 provides more cryptographic strength
with a shorter signature length than either RSASHA256 or with a shorter signature length than either RSASHA256 or
RSASHA512. ECDSAP256SHA256 has been widely deployed; therefore, it is RSASHA512. ECDSAP256SHA256 has been widely deployed and
now at MUST level for both validation and therefore it is now at MUST level for both validation and
signing. It is RECOMMENDED to use the deterministic digital signing. It is RECOMMENDED to use deterministic digital signature
signature generation procedure of the Elliptic Curve Digital generation procedure of the ECDSA (<xref target="RFC6979"/>)
Signature Algorithm (ECDSA), specified in <xref target="RFC6979"/>,
when implementing ECDSAP256SHA256 (and ECDSAP384SHA384). when implementing ECDSAP256SHA256 (and ECDSAP384SHA384).
</t> </t>
<t> <t>
ECDSAP384SHA384 shares the same properties as ECDSAP384SHA384 shares the same properties as
ECDSAP256SHA256 but offers a modest security advantage over ECDSAP256SHA256, but offers a modest security advantage over
ECDSAP256SHA256 (192 bits of strength versus 128 bits). For ECDSAP256SHA256 (192 bits of strength versus 128 bits). For
most DNSSEC applications, ECDSAP256SHA256 should be most DNSSEC applications, ECDSAP256SHA256 should be
satisfactory and robust for the foreseeable future and is satisfactory and robust for the foreseeable future, and is
therefore recommended for signing. While it is unlikely for therefore recommended for signing. While it is unlikely for
a DNSSEC use case requiring 192-bit security strength a DNSSEC use case requiring 192-bit security strength
to arise, ECDSA384SHA384 is provided for such applications, to arise, ECDSA384SHA384 is provided for such applications
and it MAY be used for signing in these cases. and it MAY be used for signing in these cases.
</t> </t>
<t> <t>
ED25519 and ED448 use the Edwards-curve Digital Security ED25519 and ED448 use Edwards-curve Digital Security
Algorithm (EdDSA). There are three main advantages of Algorithm (EdDSA). There are three main advantages of the
EdDSA: it does not require the use of a unique EdDSA algorithm: It does not require the use of a unique
random number for each signature, there are no padding or random number for each signature, there are no padding or
truncation issues as with ECDSA, and it is more resilient to truncation issues as with ECDSA, and it is more resilient to
side-channel attacks. Furthermore, EdDSA cryptography is side-channel attacks. Furthermore, EdDSA cryptography is
less prone to implementation errors (<xref less prone to implementation errors (<xref
target="RFC8032"/>, <xref target="RFC8080"/>). It is target="RFC8032"/>, <xref target="RFC8080"/>). It is
expected that ED25519 will become the future RECOMMENDED expected that ED25519 will become the future RECOMMENDED
default algorithm once there's enough support for this default algorithm once there's enough support for this
algorithm in the deployed DNSSEC validators. algorithm in the deployed DNSSEC validators.
</t> </t>
</section> </section>
<section anchor="algs_dnskey_recommendation" title="DNSKEY Algorithm Recom mendation"> <section anchor="algs_dnskey_recommendation" title="DNSKEY Algorithm Recom mendation">
<t> <t>
Due to the industry-wide trend towards elliptic curve cryptography, Operation recommendation for new and existing deployments.
ECDSAP256SHA256 is the RECOMMENDED DNSKEY algorithm for use by new DNSS </t>
EC
deployments, and users of RSA-based algorithms SHOULD upgrade to <t>
Due to industry-wide trend to move to elliptic curve cryptography, the
ECDSAP256SHA256 is RECOMMENDED DNSKEY algorithm for use by new DNSSEC
deployments, and users of RSA based algorithms SHOULD upgrade to
ECDSAP256SHA256. ECDSAP256SHA256.
</t> </t>
</section> </section>
<section anchor="algs_ds" title="DS and CDS Algorithms"> <section anchor="algs_ds" title="DS and CDS Algorithms">
<t> <t>
The following table lists the recommendations for Delegation Signer Dig Recommendations for Delegation Signer Digest Algorithms
est Algorithms <xref target="DNSKEY-IANA"/> These also apply to the CDS
<xref target="DS-IANA"/>. These recommendations also apply to the RRTYPE as specified in <xref target="RFC7344"/>
Child Delegation Signer (CDS)
RRTYPE as specified in <xref target="RFC7344"/>.
</t> </t>
<texttable anchor="tbl_ds" suppress-title="true"> <texttable anchor="tbl_ds" suppress-title="true">
<ttcol align="left">Number</ttcol> <ttcol align="left">Number</ttcol>
<ttcol align="left">Mnemonics</ttcol> <ttcol align="left">Mnemonics</ttcol>
<ttcol align="left">DNSSEC Delegation</ttcol> <ttcol align="left">DNSSEC Delegation</ttcol>
<ttcol align="left">DNSSEC Validation</ttcol> <ttcol align="left">DNSSEC Validation</ttcol>
<c>0</c><c>NULL (CDS only)</c><c>MUST NOT [*]</c><c>MUST NOT [*]</c> <c>0</c><c>NULL (CDS only)</c><c>MUST NOT [*]</c><c>MUST NOT [*]</c>
<c>1</c><c>SHA-1</c><c>MUST NOT</c><c>MUST</c> <c>1</c><c>SHA-1</c><c>MUST NOT</c><c>SHOULD NOT</c>
<c>2</c><c>SHA-256</c><c>MUST</c><c>MUST</c> <c>2</c><c>SHA-256</c><c>MUST</c><c>MUST</c>
<c>3</c><c>GOST R 34.11-94</c><c>MUST NOT</c><c>MAY</c> <c>3</c><c>GOST R 34.11-94</c><c>MUST NOT</c><c>MUST NOT</c>
<c>4</c><c>SHA-384</c><c>MAY</c><c>RECOMMENDED</c> <c>4</c><c>SHA-384</c><c>MAY</c><c>RECOMMENDED</c>
<postamble> <postamble>
[*] - This is a special type of CDS record signaling removal of [*] - This is a special type of CDS record signaling removal of
DS at the parent in <xref target="RFC8078"/>. DS at the parent in <xref target="RFC8078"/>
</postamble> </postamble>
</texttable> </texttable>
<t> <t>
NULL is a special case; see <xref target="RFC8078"/>. NULL is a special case, see <xref target="RFC8078"/>
</t> </t>
<t> <t>
SHA-1 is still widely used for Delegation Signer (DS) records, so valid SHA-1 is in declining use for DS records, so it is NOT
ators RECOMMENDED for validators to implement SHA-1 validation.
MUST implement validation, but it MUST NOT be used to SHA-1 MUST NOT be used in generating new DS and CDS records.
generate new DS and CDS records (see "<xref target="operation" format=" (See Operational Considerations for caveats when upgrading
title"/>" for caveats when upgrading from the SHA-1 to from SHA-1 to SHA-256 DS Algorithm.)
SHA-256 DS algorithm.)
</t> </t>
<t> <t>
SHA-256 is widely used and considered strong. SHA-256 is in wide use and considered strong.
</t> </t>
<t> <t>
GOST R 34.11-94 has been superseded by GOST R 34.11-2012 in GOST R 34.11-94 has been superseded by GOST R 34.11-2012 in
<xref target="RFC6986"/>. GOST R 34.11-2012 has not been <xref target="RFC6986"/>. The GOST R 34.11-2012 hasn't been
standardized for use in DNSSEC. standardized for use in DNSSEC.
</t> </t>
<t> <t>
SHA-384 shares the same properties as SHA-256 but offers a SHA-384 shares the same properties as SHA-256, but offers a
modest security advantage over SHA-256 (384 bits of strength modest security advantage over SHA-384 (384-bits of strength
versus 256 bits). For most applications of DNSSEC, SHA-256 versus 256-bits). For most applications of DNSSEC, SHA-256
should be satisfactory and robust for the foreseeable should be satisfactory and robust for the foreseeable
future and is therefore recommended for DS and CDS records. future, and is therefore recommended for DS and CDS records.
While it is unlikely for a DNSSEC use case requiring While it is unlikely for a DNSSEC use case requiring
384-bit security strength to arise, SHA-384 is provided for 384-bit security strength to arise, SHA-384 is provided for
such applications, and it MAY be used for generating DS and such applications and it MAY be used for generating DS and
CDS records in these cases. CDS records in these cases.
</t> </t>
</section> </section>
<section anchor="algs_ds_recommendation" title="DS and CDS Algorithm Recom mendation"> <section anchor="algs_ds_recommendation" title="DS and CDS Algorithm Recom mendation">
<t> <t>
An operational recommendation for new and existing deployments: SHA-256 Operation recommendation for new and existing deployments.
is the RECOMMENDED DS and CDS algorithm. </t>
<t>
The SHA-256 is RECOMMENDED DS and CDS algorithm.
</t> </t>
</section> </section>
</section> </section>
<section anchor="security" title="Security Considerations"> <section anchor="security" title="Security Considerations">
<t> <t>
The security of cryptographic systems depends on both The security of cryptographic systems depends on both
the strength of the cryptographic algorithms chosen and the the strength of the cryptographic algorithms chosen and the
strength of the keys used with those algorithms. The security strength of the keys used with those algorithms. The security
also depends on the engineering of the protocol used by the also depends on the engineering of the protocol used by the
system to ensure that there are no non-cryptographic ways to system to ensure that there are no non-cryptographic ways to
bypass the security of the overall system. bypass the security of the overall system.
</t> </t>
<t> <t>
This document concerns itself with the selection of cryptographic This document concerns itself with the selection of
algorithms for use in DNSSEC, specifically with the selection cryptographic algorithms for the use of DNSSEC, specifically
of "mandatory-to-implement" algorithms. The algorithms identified with the selection of "mandatory-to-implement" algorithms.
in this document as MUST or RECOMMENDED to implement are not known The algorithms identified in this document as MUST or
to be broken (in the cryptographic sense) at the current time, and RECOMMENDED to implement are not known to be broken at the
cryptographic research so far leads us to believe that they are current time, and cryptographic research so far leads us to
likely to remain secure into the foreseeable future. However, this believe that they are likely to remain secure into the
isn't necessarily forever, and it is expected that new revisions of foreseeable future. However, this isn't necessarily forever,
this document will be issued from time to time to reflect the current and it is expected that new revisions of this document will be
best practices in this area. issued from time to time to reflect the current best practices
in this area.
</t> </t>
<t> <t>
Retiring an algorithm too soon would result in a zone (signed with Retiring an algorithm too soon would result in a zone signed
a retired algorithm) being downgraded to the equivalent of an unsigned with the retired algorithm being downgraded to the equivalent of
zone. Therefore, algorithm deprecation must be an unsigned zone. Therefore, algorithm deprecation must be
done very slowly and only after careful consideration and done very slowly and only after careful consideration and
measurement of its use. measurement of its use.
</t> </t>
</section> </section>
<section anchor="operation" title="Operational Considerations"> <section anchor="operation" title="Operational Considerations">
<t> <t>
DNSKEY algorithm rollover in a live zone is a complex DNSKEY algorithm rollover in a live zone is a complex
process. See <xref target="RFC6781"/> and <xref target="RFC7583"/> process. See <xref target="RFC6781"/> and <xref target="RFC7583"/>
for guidelines on how to perform algorithm rollovers. for guidelines on how to perform algorithm rollovers.
</t> </t>
<t> <t>
DS algorithm rollover in a live zone is also a complex process. DS algorithm rollover in a live zone is also a complex
Upgrading an algorithm at the same time as rolling a new Key process. Upgrading algorithm at the same time as rolling the
Signing Key (KSK) will lead to DNSSEC validation failures. new KSK key will lead to DNSSEC validation failures, and users
Administrators MUST complete the process of the DS algorithm upgrade MUST upgrade the DS algorithm first before rolling the Key
before starting a rollover process for a new KSK. Signing Key.
</t> </t>
</section> </section>
<section anchor="implementations" title="Implementation Report">
<section anchor="implementations_dnskey" title="DNSKEY Algorithms">
<t>TODO: this needs updating, and current practice is to have
this deleted at publication too.</t>
<t>
The following table contains the status of support in the open-source
DNS signers and validators in the current released versions as of the
time writing this document. Usually, the support for specific
algorithm has to be also included in the cryptographic libraries that
the software use.
</t>
<texttable anchor="tbl_implementations" suppress-title="true">
<ttcol align="left">Mnemonics</ttcol>
<ttcol align="left">BIND</ttcol>
<ttcol align="left">Knot DNS</ttcol>
<ttcol align="left">OpenDNS</ttcol>
<ttcol align="left">PowerDNS</ttcol>
<ttcol align="left">Unbound</ttcol>
<!-- Algorithm BIND Knot DNS ODNSSEC PDNS U
nbound -->
<c>RSAMD5</c> <c>Y</c> <c>N</c> <c>Y</c> <c>N</c> <c>N</c>
<c>DSA</c> <c>Y</c> <c>N</c> <c>Y</c> <c>N</c> <c>Y</c>
<c>RSASHA1</c> <c>Y</c> <c>Y</c> <c>Y</c> <c>Y</c> <c>Y</c>
<c>DSA-NSEC3-SHA1</c> <c>Y</c> <c>N</c> <c>Y</c> <c>N</c> <c>Y</c>
<c>RSASHA1-NSEC3-SHA1</c> <c>Y</c> <c>Y</c> <c>Y</c> <c>Y</c> <c>Y</c>
<c>RSASHA256</c> <c>Y</c> <c>Y</c> <c>Y</c> <c>Y</c> <c>Y</c>
<c>RSASHA512</c> <c>Y</c> <c>Y</c> <c>Y</c> <c>Y</c> <c>Y</c>
<c>ECC-GOST</c> <c>N</c> <c>N</c> <c>Y</c> <c>Y</c> <c>Y</c>
<c>ECDSAP256SHA256</c> <c>Y</c> <c>Y</c> <c>Y</c> <c>Y</c> <c>Y</c>
<c>ECDSAP384SHA384</c> <c>Y</c> <c>Y</c> <c>Y</c> <c>Y</c> <c>Y</c>
<c>ED25519</c> <c>Y</c> <c>Y</c> <c>N</c> <c>Y</c> <c>Y</c>
<c>ED448</c> <c>N</c> <c>N</c> <c>N</c> <c>Y</c> <c>Y</c>
</texttable>
</section>
</section>
<section anchor="iana" title="IANA Considerations"> <section anchor="iana" title="IANA Considerations">
<t>This document has no IANA actions.</t> <t>This document makes no requests of IANA.</t>
</section> </section>
</middle>
<section anchor="ack" title="Acknowledgements">
<t>
This document borrows text from RFC 4307 by Jeffrey I.
Schiller of the Massachusetts Institute of Technology (MIT)
and the 4307bis document by Yoav Nir, Tero Kivinen, Paul
Wouters and Daniel Migault. Much of the original text has
been copied verbatim.
</t>
<t>
We wish to thank Michael Sinatra, Roland van Rijswijk-Deij,
Olafur Gudmundsson, Paul Hoffman and Evan Hunt for their imminent
feedback.
</t>
<t>
Kudos to Roy Arends for bringing the DS rollover issue to the daylight.
</t>
</section>
</middle>
<!-- ====================================================================== --
>
<back> <back>
<references title="Normative References"> <references title="Normative References">
&RFC2119; &RFC2119;
</references>
<references title="Informative References">
&RFC4034; &RFC4034;
&RFC5155; &RFC5155;
&RFC5702; &RFC5702;
&RFC5933;
&RFC6605; &RFC6605;
&RFC6781;
&RFC6944;
&RFC6979; &RFC6979;
&RFC6986; &RFC6986;
&RFC7091;
&RFC7344; &RFC7344;
&RFC7583;
&RFC8032; &RFC8032;
&RFC8078; &RFC8078;
&RFC8080; &RFC8080;
&RFC8174; <reference anchor="DNSKEY-IANA" target="http://www.iana.org/assignments/dn
</references> s-sec-alg-numbers/dns-sec-alg-numbers.xhtml">
<references title="Informative References">
&RFC5933;
&RFC6781;
&RFC6944;
&RFC7091;
&RFC7583;
<reference anchor="DNSKEY-IANA" target="http://www.iana.org/assignments/dn
s-sec-alg-numbers">
<front> <front>
<title>Domain Name System Security (DNSSEC) Algorithm Numbers</title> <title>DNSKEY Algorithms</title>
<author> <author initials="" surname="" fullname="">
<organization>IANA</organization> <organization />
</author> </author>
<date /> <date />
</front> </front>
</reference> </reference>
<reference anchor="DS-IANA" target="http://www.iana.org/assignments/ds-rr- types"> <reference anchor="DS-IANA" target="http://www.iana.org/assignments/ds-rr- types/ds-rr-types.xhtml">
<front> <front>
<title>Delegation Signer (DS) Resource Record (RR) Type Digest Algorit <title>Delegation Signer Digest Algorithms</title>
hms</title> <author initials="" surname="" fullname="">
<author> <organization />
<organization>IANA</organization>
</author> </author>
<date /> <date />
</front> </front>
</reference> </reference>
</references> </references>
<!-- ======================================================================
<section anchor="ack" title="Acknowledgements" numbered="no"> -->
<t> <section anchor="changes" title="Changes since RFC8624">
This document borrows text from RFC 4307 by Jeffrey I.&nbsp;Schiller <t>The following changes were made since RFC8624:</t>
of the Massachusetts Institute of Technology (MIT) and RFC 8247 by Yoav N
ir, Tero Kivinen, Paul Wouters, and Daniel Migault.
Much of the original text has been copied verbatim.
</t>
<t>
We wish to thank Michael Sinatra, Roland van Rijswijk-Deij,
Olafur Gudmundsson, Paul Hoffman, Evan Hunt, and Peter Yee for their feed
back.
</t>
<t> <t>
Kudos to Roy Arends for bringing the DS rollover issue to light. <list style="symbols">
<t>Deprecated validation of all SHA-1 algorithms to SHOULD NOT.</t>
<t>Deprecated validation all listed GOST algorithms to MUST
NOT.</t>
<t>Merged in RFC9157 updates.</t>
<t>Added Wes Hardaker as an author</t>
</list>
</t> </t>
</section> </section>
</back> </back>
</rfc> </rfc>
 End of changes. 72 change blocks. 
195 lines changed or deleted 255 lines changed or added

This html diff was produced by rfcdiff 1.48.