Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status NIST 100 Bureau Dr.Gaithersburg20899MDUSA+1-301-975-8439 scottr.nist@gmail.com
Internet Area
DNS Extensions Working Group DNSDNSSEC
The DNS Security Extensions (DNSSEC) requires the use of
cryptographic algorithm suites for generating digital signatures over DNS data. There is currently an
IANA registry for these algorithms that is incomplete in that it lacks the recommended implementation status of
each algorithm. This document provides an applicability statement on algorithm implementation compliance status for DNSSEC implementations.
This document lists each algorithm's status based on the
current reference. In the case that an algorithm is specified without an implementation status, this document assigns one.
The Domain Name System (DNS) Security Extensions (DNSSEC) , ,
, , , and uses digital signatures over DNS data
to provide source authentication and integrity protection. DNSSEC uses an IANA registry
to list codes for digital signature algorithms (consisting of a cryptographic
algorithm and one-way hash function).
The original list of algorithm status is found in .
Other DNSSEC RFC's have added new algorithms or changed the status of
algorithms in the registry. However, implementers
must read through all the documents in order to discover which algorithms are
considered wise to implement, which are not, and which algorithms may become widely
used in the future. This document includes the current compliance status for certain algorithms.
This compliance status indication is only to be considered for implementation, not deployment or operations.
Operators are free to deploy any digital signature algorithm available in
implementations or algorithms chosen by local security policies. This status is to measure compliance to this RFC only.
This
document updates the following: , , ,
, , , , and
.
The key words "MUST", "MUST NOT", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be
interpreted as described in .
The status of RSASHA1-NSEC3-SHA1 is set to RECOMMENDED TO IMPLEMENT. This is due to the fact that RSA/SHA-1 is a MUST IMPLEMENT.
The status of RSA/SHA-256 and RSA/SHA-512 are also set to RECOMMENDED TO IMPLEMENT as it is believed
that these algorithms will replace an older algorithm (e.g. RSA/SHA-1) that have a
perceived weakness in its hash algorithm (SHA-1).
establishes a parallel procedure for
adding a registry entry for a new algorithm other than a standards track document.
Algorithms entered into the registry using that procedure are to be considered OPTIONAL for
implementation purposes. Specifications
that follow this path do not need to obsolete or update this document.
Adding a newly specified algorithm to the registry with a compliance status
SHALL entail obsolescing this document and replacing the registry table (with the new
algorithm entry). Altering the status column value of any existing algorithm in the registry SHALL entail obsolescing
this document and replacing the registry table.
This document cannot be updated, only made obsolete and replaced by a successor document.
This document lists the implementation status of cryptographic algorithms used with DNSSEC. These algorithms
are maintained in an IANA registry. There are no changes to the registry in this document. However this document
asks to be listed as a reference for the entire registry.
This document replaces the Domain Name System (DNS) Security Algorithm Numbers registry. It is not meant
to be a discussion on algorithm superiority. No new security considerations are
raised in this document.