Internet DRAFT - draft-arends-dnsop-dnssec-algorithm-update
draft-arends-dnsop-dnssec-algorithm-update
DNSOP R. Arends
Internet-Draft ICANN
Intended status: Standards Track J. Schlyter
Expires: September 13, 2017 Kirei AB
M. Larson
ICANN
March 12, 2017
DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates
draft-arends-dnsop-dnssec-algorithm-update-00
Abstract
The DNS Security Extensions (DNSSEC) require the use of cryptographic
algorithm suites for generating digital signatures and cryptographic
hashes over DNS data. The algorithms specified for use with DNSSEC
are reflected in IANA registries. This document updates some entries
in these registries. The main reason for these updates is to retire
the use of SHA1.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 13, 2017.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Arends, et al. Expires September 13, 2017 [Page 1]
�
Internet-Draft DNSSEC Algorithm Updates March 2017
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Reserved Words . . . . . . . . . . . . . . . . . . . . . 2
2. The DNS Security Algorithm Implementation Status Lists . . . 2
2.1. Status Definitions . . . . . . . . . . . . . . . . . . . 2
2.2. Algorithm Implementation Status Assignment Rationale . . 3
2.3. DNSSEC Implementation Status Table . . . . . . . . . . . 3
2.4. Specifying New Algorithms and Updating the Status of
Existing Entries . . . . . . . . . . . . . . . . . . . . 4
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
5.1. Normative References . . . . . . . . . . . . . . . . . . 5
5.2. Informative References . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
The Domain Name System (DNS) Security Extensions (DNSSEC, defined by
[RFC4033], [RFC4034], [RFC4035], [RFC4509], [RFC5155], and [RFC5702])
use digital signatures over DNS data to provide source authentication
and integrity protection. DNSSEC uses IANA registries to list codes
for digital signature algorithms and hash functions.
This document updates a set of entries in the IANA registries titled
"DNS Security (DNSSEC) Algorithm Numbers" and "Delegation Signer (DS)
Resource Record (RR) Type Digest Algorithms".
1.1. Reserved Words
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. The DNS Security Algorithm Implementation Status Lists
2.1. Status Definitions
Must Implement: The algorithm MUST be implemented to interoperate
with other implementations of this specification.
Arends, et al. Expires September 13, 2017 [Page 2]
�
Internet-Draft DNSSEC Algorithm Updates March 2017
Must Not Implement: The algorithm MUST NOT be implemented. An
algorithm with this status has known weaknesses.
Recommended to Implement: The algorithm SHOULD be implemented.
Utility and interoperability with other implementations will be
improved when an algorithm with this status is implemented, though
there might be occasions where it is reasonable not to implement the
algorithm. An implementer must understand and weigh the full
implications of choosing not to implement this particular algorithm.
Optional: The algorithm MAY be implemented, but all implementations
MUST be prepared to interoperate with implementations that do or do
not implement this algorithm.
2.2. Algorithm Implementation Status Assignment Rationale
RSASHA1 had an implementation status of "Must Implement", consistent
with [RFC4034]. The status of RSASHA1 is set to "Recommended to
Implement" consistent with RSASHA1-NSEC3-SHA1. The shift from "Must
Implement" to "Recommended to Implement" is due to a perceived
weakness in SHA1.
The status of RSASHA256 is set to "Must Implement" as major
deployments, such as the root zone [RZDPS], use these algorithms. It
is believed that RSA/SHA-256 or RSA/SHA-512 algorithms will replace
older algorithms (e.g., RSA/SHA-1) that have a perceived weakness.
All other algorithms used in DNSSEC specified without an
implementation status are currently set to "Optional".
2.3. DNSSEC Implementation Status Table
The DNSSEC algorithm implementation status table is listed below.
Only the algorithms already specified for use with DNSSEC at the time
of writing are listed.
+-----------+-----------+--------------------+----------------------+
| Must | Must Not | Recommended | Optional |
| Implement | Implement | | |
+-----------+-----------+--------------------+----------------------+
| RSASHA256 | RSAMD5 | RSASHA1 | Any registered |
| | | | algorithm not listed |
| | | | in this table |
| | | RSASHA1-NSEC3-SHA1 | |
| | | RSASHA512 | |
| | | ECDSAP256SHA256 | |
| | | ECDSAP384SHA384 | |
+-----------+-----------+--------------------+----------------------+
Arends, et al. Expires September 13, 2017 [Page 3]
�
Internet-Draft DNSSEC Algorithm Updates March 2017
This table does not list the Reserved values in the IANA registry
table or the values for INDIRECT (252), PRIVATE (253), and PRIVATEOID
(254). These values may relate to more than one algorithm and are
therefore up to the implementer's discretion. As noted, any
algorithm not listed in the table is "Optional".
2.4. Specifying New Algorithms and Updating the Status of Existing
Entries
[RFC6014] establishes a parallel procedure for adding a registry
entry for a new algorithm other than a standards track document.
Because any algorithm not listed in the foregoing table is
"Optional", algorithms entered into the registry using the [RFC6014]
procedure are automatically "Optional".
It has turned out to be useful for implementations to refer to a
single document that specifies the implementation status of every
algorithm. Accordingly, when a new algorithm is to be registered
with a status other than "Optional", this document shall be made
obsolete by a new document that adds the new algorithm to the table
in Section 2.3. Similarly, if the status of any algorithm in the
table in Section 2.3 changes, a new document shall make this document
obsolete; that document shall include a replacement of the table in
Section 2.3. This way, the goal of having one authoritative document
to specify all the status values is achieved.
This document cannot be updated, only made obsolete and replaced by a
successor document.
3. IANA Considerations
This document lists the implementation status of cryptographic
algorithms used with DNSSEC. These algorithms are maintained in an
IANA registry at <http://www.iana.org/assignments/dns-sec-alg-
numbers>. Because this document establishes the implementation
status of every algorithm, it has been listed as a reference for the
registry itself.
4. Security Considerations
This document lists, and in some cases assigns, the implementation
status of cryptographic algorithms used with DNSSEC. It is not meant
to be a discussion on algorithm superiority.
Since the status of two algorithms have changed, it is important to
consider the long term effect of these changes in implementations.
Arends, et al. Expires September 13, 2017 [Page 4]
�
Internet-Draft DNSSEC Algorithm Updates March 2017
An implementation may have provided a default algorithm to use when
generating a DNSKEY. An implementation may select a default
algorithm to sign DNSSEC records. It is recommended that
implementations that provide a default algorithm use an algorithm
with the status "Must Implement".
5. References
5.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
5.2. Informative References
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, DOI 10.17487/RFC4033, March 2005,
<http://www.rfc-editor.org/info/rfc4033>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005,
<http://www.rfc-editor.org/info/rfc4034>.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
<http://www.rfc-editor.org/info/rfc4035>.
[RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
(DS) Resource Records (RRs)", RFC 4509,
DOI 10.17487/RFC4509, May 2006,
<http://www.rfc-editor.org/info/rfc4509>.
[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
Security (DNSSEC) Hashed Authenticated Denial of
Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,
<http://www.rfc-editor.org/info/rfc5155>.
[RFC5702] Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY
and RRSIG Resource Records for DNSSEC", RFC 5702,
DOI 10.17487/RFC5702, October 2009,
<http://www.rfc-editor.org/info/rfc5702>.
Arends, et al. Expires September 13, 2017 [Page 5]
�
Internet-Draft DNSSEC Algorithm Updates March 2017
[RFC6014] Hoffman, P., "Cryptographic Algorithm Identifier
Allocation for DNSSEC", RFC 6014, DOI 10.17487/RFC6014,
November 2010, <http://www.rfc-editor.org/info/rfc6014>.
[RZDPS] Ljunggren, F., Okubo, T., Lamb, R., and J. Schlyter,
"DNSSEC Practice Statement for the Root Zone KSK
Operator", October 2010, <https://www.iana.org/dnssec/
icann-dps.txt>.
Authors' Addresses
Roy Arends
ICANN
Email: roy.arends@icann.org
Jakob Schlyter
Kirei AB
Email: jakob@kirei.se
Matt Larson
ICANN
Email: matt.larson@icann.org
Arends, et al. Expires September 13, 2017 [Page 6]
