draft-ietf-dnsop-algorithm-update-01.txt   draft-ietf-dnsop-algorithm-update-02.txt 
dnsop P. Wouters dnsop P. Wouters
Internet-Draft Red Hat Internet-Draft Red Hat
Obsoletes: 6944 (if approved) O. Sury Obsoletes: 6944 (if approved) O. Sury
Intended status: Standards Track Internet Systems Consortium Intended status: Standards Track Internet Systems Consortium
Expires: December 7, 2018 June 5, 2018 Expires: April 17, 2019 October 14, 2018
Algorithm Implementation Requirements and Usage Guidance for DNSSEC Algorithm Implementation Requirements and Usage Guidance for DNSSEC
draft-ietf-dnsop-algorithm-update-01 draft-ietf-dnsop-algorithm-update-02
Abstract Abstract
The DNSSEC protocol makes use of various cryptographic algorithms in The DNSSEC protocol makes use of various cryptographic algorithms in
order to provide authentication of DNS data and proof of non- order to provide authentication of DNS data and proof of non-
existence. To ensure interoperability between DNS resolvers and DNS existence. To ensure interoperability between DNS resolvers and DNS
authoritative servers, it is necessary to specify a set of algorithm authoritative servers, it is necessary to specify a set of algorithm
implementation requirements and usage guidance to ensure that there implementation requirements and usage guidelines to ensure that there
is at least one algorithm that all implementations support. This is at least one algorithm that all implementations support. This
document defines the current algorithm implementation requirements document defines the current algorithm implementation requirements
and usage guidance for DNSSEC. This document obsoletes [RFC6944]. and usage guidance for DNSSEC. This document obsoletes [RFC6944].
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 7, 2018. This Internet-Draft will expire on April 17, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 14 skipping to change at page 2, line 14
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Updating Algorithm Implementation Requirements and Usage 1.1. Updating Algorithm Implementation Requirements and Usage
Guidance . . . . . . . . . . . . . . . . . . . . . . . . 2 Guidance . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2. Updating Algorithm Requirement Levels . . . . . . . . . . 2 1.2. Updating Algorithm Requirement Levels . . . . . . . . . . 3
1.3. Document Audience . . . . . . . . . . . . . . . . . . . . 4 1.3. Document Audience . . . . . . . . . . . . . . . . . . . . 4
2. Conventions Used in This Document . . . . . . . . . . . . . . 4 2. Conventions Used in This Document . . . . . . . . . . . . . . 4
3. Algorithm Selection . . . . . . . . . . . . . . . . . . . . . 4 3. Algorithm Selection . . . . . . . . . . . . . . . . . . . . . 4
3.1. DNSKEY Algorithms . . . . . . . . . . . . . . . . . . . . 4 3.1. DNSKEY Algorithms . . . . . . . . . . . . . . . . . . . . 4
3.2. DNSKEY Algorithm Recommendation . . . . . . . . . . . . . 6 3.2. DNSKEY Algorithm Recommendation . . . . . . . . . . . . . 6
3.3. DS and CDS Algorithms . . . . . . . . . . . . . . . . . . 6 3.3. DS and CDS Algorithms . . . . . . . . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. Operational Considerations . . . . . . . . . . . . . . . . . 7 5. Operational Considerations . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. Implementation Report . . . . . . . . . . . . . . . . . . . . 7
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 6.1. DNSKEY Algorithms . . . . . . . . . . . . . . . . . . . . 7
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
8.1. Normative References . . . . . . . . . . . . . . . . . . 8 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
8.2. Informative References . . . . . . . . . . . . . . . . . 8 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 9.1. Normative References . . . . . . . . . . . . . . . . . . 8
9.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
The DNSSEC signing algorithms are defined by various RFCs, including The DNSSEC signing algorithms are defined by various RFCs, including
[RFC4034], [RFC5155], [RFC5702], [RFC5933], [RFC6605], [RFC8080]. [RFC4034], [RFC5155], [RFC5702], [RFC5933], [RFC6605], [RFC8080].
DNSSEC is used to provide authentication of data. To ensure DNSSEC is used to provide authentication of data. To ensure
interoperability, a set of "mandatory-to-implement" DNSKEY algorithms interoperability, a set of "mandatory-to-implement" DNSKEY algorithms
are defined. This document obsoletes [RFC6944]. are defined. This document obsoletes [RFC6944].
1.1. Updating Algorithm Implementation Requirements and Usage Guidance 1.1. Updating Algorithm Implementation Requirements and Usage Guidance
skipping to change at page 3, line 5 skipping to change at page 3, line 11
requirements and usage guidance need to be updated from time to time requirements and usage guidance need to be updated from time to time
to reflect the new reality. The choices for algorithms must be to reflect the new reality. The choices for algorithms must be
conservative to minimize the risk of algorithm compromise. conservative to minimize the risk of algorithm compromise.
1.2. Updating Algorithm Requirement Levels 1.2. Updating Algorithm Requirement Levels
The mandatory-to-implement algorithm of tomorrow should already be The mandatory-to-implement algorithm of tomorrow should already be
available in most implementations of DNSSEC by the time it is made available in most implementations of DNSSEC by the time it is made
mandatory. This document attempts to identify and introduce those mandatory. This document attempts to identify and introduce those
algorithms for future mandatory-to-implement status. There is no algorithms for future mandatory-to-implement status. There is no
guarantee that the algorithms in use today may become mandatory in guarantee that algorithms in use today will become mandatory in the
the future. Published algorithms are continuously subjected to future. Published algorithms are continuously subjected to
cryptographic attack and may become too weak or could become cryptographic attack and may become too weak, or even be completely
completely broken before this document is updated. broken, before this document is updated.
This document only provides recommendations for the mandatory-to- This document only provides recommendations with respect to
implement algorithms or algorithms too weak that are recommended not mandatory-to-implement algorithms or algorithms so weak that
to be implemented. As a result, any algorithm listed at the recommendation cannot be recommended. Any algorithm listed in the
[DNSKEY-IANA] and [DS-IANA] registries not mentioned in this document [DNSKEY-IANA] and [DS-IANA] registries, but not mentioned in this
MAY be implemented. For clarification and consistency, an algorithm document, MAY be implemented. For clarification and consistency, an
will be set to MAY only when it has been downgraded. algorithm will be specified as MAY in this document only when it has
been downgraded.
Although this document updates the algorithms to keep the DNSSEC Although this document's primary purpose is to update algorithm
authentication secure over time, it also aims at providing recommendations to keep DNSSEC authentication secure over time, it
recommendations so that DNSSEC implementations remain interoperable. also aims to do so in such a way that DNSSEC implementations remain
DNSSEC interoperability is addressed by an incremental introduction interoperable. DNSSEC interoperability is addressed by an
or deprecation of algorithms. incremental introduction or deprecation of algorithms.
While [RFC2119] consider term SHOULD equivalent to RECOMMENDED, and [RFC2119] considers the term SHOULD equivalent to RECOMMENDED, and
term SHOULD NOT to NOT RECOMMENDED, the authors of this document has SHOULD NOT equivalent to NOT RECOMMENDED. The authors of this
chosen to use terms RECOMMENDED and NOT RECOMMENDED, as it better document have chosen to use the terms RECOMMENDED and NOT
reflects the recommendations for implementations. RECOMMENDED, as this more clearly expresses the recommendations to
implementers.
It is expected that deprecation of an algorithm is performed It is expected that deprecation of an algorithm will be performed
gradually. This provides time for various implementations to update gradually. This provides time for various implementations to update
their implemented algorithms while remaining interoperable. Unless their implemented algorithms while remaining interoperable. Unless
there are strong security reasons, an algorithm is expected to be there are strong security reasons, an algorithm is expected to be
downgraded from MUST to NOT RECOMMENDED or MAY, instead of MUST NOT. downgraded from MUST to NOT RECOMMENDED or MAY, instead of to MUST
Similarly, an algorithm that has not been mentioned as mandatory-to- NOT. Similarly, an algorithm that has not been mentioned as
implement is expected to be introduced with a RECOMMENDED instead of mandatory-to-implement is expected to be introduced with a
a MUST. RECOMMENDED instead of a MUST.
Since the effects of using an unknown DNSKEY algorithm is for the Since the effect of using an unknown DNSKEY algorithm is that the
zone to be treated as insecure, it is recommended that algorithms zone is treated as insecure, it is recommended that algorithms
downgraded to NOT RECOMMENDED or below are no longer used by downgraded to NOT RECOMMENDED or lower not be used by authoritative
authoritative nameservers and DNSSEC signers to create new DNSKEY's. nameservers and DNSSEC signers to create new DNSKEY's. This will
This will allow for algorithms to slowly become more unused over allow for deprecated algorithms to become less and less common over
time. Once deployment has reached a sufficiently low point these time. Once an algorithm has reached a sufficiently low level of
algorithms can finally be marked as MUST NOT so that recursive deployment, it can be marked as MUST NOT, so that recursive resolvers
nameservers can remove support for these algorithms. can remove support for validating it.
Recursive nameservers are encouraged to keep support for all Recursive nameservers are encouraged to retain support for all
algorithms not marked as MUST NOT. algorithms not marked as MUST NOT.
1.3. Document Audience 1.3. Document Audience
The recommendations of this document mostly target DNSSEC The recommendations of this document mostly target DNSSEC
implementers as implementations need to meet both high security implementers, as implementations need to meet both high security
expectations as well as high interoperability between various vendors expectations as well as high interoperability between various vendors
and with different versions. Interoperability requires a smooth move and with different versions. Interoperability requires a smooth
to more secure algorithms. This may differ from a user point of view transition to more secure algorithms. This perspective may differ
that may deploy and configure DNSSEC with only the safest algorithm. from from that of a user who wishes to deploy and configure DNSSEC
On the other hand, comments and recommendations from this document with only the safest algorithm. On the other hand, the comments and
are also expected to be useful for such users. recommendations in this document are also expected to be useful for
such users.
2. Conventions Used in This Document 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Algorithm Selection 3. Algorithm Selection
3.1. DNSKEY Algorithms 3.1. DNSKEY Algorithms
Implemenation recommendations for DNSKEY algorithms [DNSKEY-IANA]. Implementation recommendations for DNSKEY algorithms [DNSKEY-IANA].
+--------+--------------------+-----------------+-------------------+ +--------+--------------------+-----------------+-------------------+
| Number | Mnemonics | DNSSEC Signing | DNSSEC Validation | | Number | Mnemonics | DNSSEC Signing | DNSSEC Validation |
+--------+--------------------+-----------------+-------------------+ +--------+--------------------+-----------------+-------------------+
| 1 | RSAMD5 | MUST NOT | MUST NOT | | 1 | RSAMD5 | MUST NOT | MUST NOT |
| 3 | DSA | MUST NOT | MUST NOT | | 3 | DSA | MUST NOT | MUST NOT |
| 5 | RSASHA1 | NOT RECOMMENDED | MUST | | 5 | RSASHA1 | NOT RECOMMENDED | MUST |
| 6 | DSA-NSEC3-SHA1 | MUST NOT | MUST NOT | | 6 | DSA-NSEC3-SHA1 | MUST NOT | MUST NOT |
| 7 | RSASHA1-NSEC3-SHA1 | NOT RECOMMENDED | MUST | | 7 | RSASHA1-NSEC3-SHA1 | NOT RECOMMENDED | MUST |
| 8 | RSASHA256 | MUST | MUST | | 8 | RSASHA256 | MUST | MUST |
skipping to change at page 5, line 14 skipping to change at page 5, line 20
DSA and DSA-NSEC3-SHA1 are not widely deployed and vulnerable to DSA and DSA-NSEC3-SHA1 are not widely deployed and vulnerable to
private key compromise when generating signatures using a weak or private key compromise when generating signatures using a weak or
compromised random number generator. compromised random number generator.
RSASHA256 is in wide use and considered strong. RSASHA256 is in wide use and considered strong.
RSASHA512 is NOT RECOMMENDED for DNSSEC Signing because it has not RSASHA512 is NOT RECOMMENDED for DNSSEC Signing because it has not
seen wide deployment, but there are some deployments hence DNSSEC seen wide deployment, but there are some deployments hence DNSSEC
Validation MUST implement RSASHA512 to ensure interoperability. Validation MUST implement RSASHA512 to ensure interoperability.
There's isn't significant difference in cryptographics strength There is no significant difference in cryptographics strength between
between RSASHA512 and RSASHA256, therefore it is discouraged to use RSASHA512 and RSASHA256, therefore it is discouraged to use
RSASHA512, as it will only make deprecation of older algorithms RSASHA512, as it will only make deprecation of older algorithms
harder. People that want to use cryptographically stronger algorithm harder. People that wish to use a cryptographically stronger
should switch to elliptic curve cryptography algorithms. algorithm should switch to elliptic curve cryptography algorithms.
ECC-GOST (GOST R 34.11-94) has been superseded by GOST R 34.11-2012 ECC-GOST (GOST R 34.11-94) has been superseded by GOST R 34.11-2012
in [RFC6986]. The GOST R 34.11-2012 hasn't been standardized for use in [RFC6986]. The GOST R 34.11-2012 hasn't been standardized for use
in DNSSEC. in DNSSEC.
ECDSAP256SHA256 provide more strength for signature size than ECDSAP256SHA256 provides more cryptographic strength with a shorter
RSASHA256 and RSASHA512 variants. ECDSAP256SHA256 has been widely signature length than either RSASHA256 or RSASHA512. ECDSAP256SHA256
deployed and therefore it is now at MUST level for both validation has been widely deployed and therefore it is now at MUST level for
and signing. It is RECOMMENDED to use deterministic digital both validation and signing. It is RECOMMENDED to use deterministic
signature generation procedure of the ECDSA ([RFC6979]) when digital signature generation procedure of the ECDSA ([RFC6979]) when
implementing ECDSAP256SHA256 (and ECDSAP384SHA384). implementing ECDSAP256SHA256 (and ECDSAP384SHA384).
ECDSAP384SHA384 share the same properties as ECDSAP256SHA256, but ECDSAP384SHA384 shares the same properties as ECDSAP256SHA256, but
offers a modest security advantage over ECDSAP256SHA256 (192-bits of offers a modest security advantage over ECDSAP256SHA256 (192 bits of
strength versus 128-bits). For most applications of DNSSEC, strength versus 128 bits). For most DNSSEC applications,
ECDSAP256SHA256 should be satisfactory and robust for the foreseeable ECDSAP256SHA256 should be satisfactory and robust for the foreseeable
future, and is therefore recommended for signing. While it is future, and is therefore recommended for signing. While it is
unlikely for a DNSSEC use case which requires 192-bit security unlikely for a DNSSEC use case requiring 192-bit security strength to
strength to arise, ECDSA384SHA384 is provided for such applications arise, ECDSA384SHA384 is provided for such applications and it MAY be
and it MAY be used for signing in these cases. used for signing in these cases.
ED25519 and ED448 uses Edwards-curve Digital Security Algorithm ED25519 and ED448 use Edwards-curve Digital Security Algorithm
(EdDSA). There are three main advantages of the EdDSA algorithm: It (EdDSA). There are three main advantages of the EdDSA algorithm: It
does not require the use of a unique random number for each does not require the use of a unique random number for each
signature, there are no padding or truncation issues as with ECDSA, signature, there are no padding or truncation issues as with ECDSA,
and it is more resilient to side-channel attacks. Furthermore, EdDSA and it is more resilient to side-channel attacks. Furthermore, EdDSA
cryptography is less prone to implementation errors ([RFC8032], cryptography is less prone to implementation errors ([RFC8032],
[RFC8080]). It is expected that ED25519 will become the future [RFC8080]). It is expected that ED25519 will become the future
RECOMMENDED default algorithm once there's enough support for this RECOMMENDED default algorithm once there's enough support for this
algorithm in the deployed DNSSEC validators. algorithm in the deployed DNSSEC validators.
3.2. DNSKEY Algorithm Recommendation 3.2. DNSKEY Algorithm Recommendation
Operation recommendation for new and existing deployments. Operation recommendation for new and existing deployments.
Due to industry-wide trend to move to elliptic curve cryptography, Due to industry-wide trend to move to elliptic curve cryptography,
the ECDSAP256SHA256 is RECOMMENDED to be used by new DNSSEC the ECDSAP256SHA256 is RECOMMENDED for use by new DNSSEC deployments,
deployments, and users of RSA based algorithms SHOULD upgrade to and users of RSA based algorithms SHOULD upgrade to ECDSAP256SHA256.
ECDSAP256SHA256.
3.3. DS and CDS Algorithms 3.3. DS and CDS Algorithms
Recommendations for Delegation Signer Digest Algorithms [DNSKEY-IANA] Recommendations for Delegation Signer Digest Algorithms [DNSKEY-IANA]
These also apply to the CDS RRTYPE as specified in [RFC7344] These also apply to the CDS RRTYPE as specified in [RFC7344]
+--------+-----------------+-------------------+-------------------+ +--------+-----------------+-------------------+-------------------+
| Number | Mnemonics | DNSSEC Delegation | DNSSEC Validation | | Number | Mnemonics | DNSSEC Delegation | DNSSEC Validation |
+--------+-----------------+-------------------+-------------------+ +--------+-----------------+-------------------+-------------------+
| 0 | NULL (CDS only) | MUST NOT [*] | MUST NOT [*] | | 0 | NULL (CDS only) | MUST NOT [*] | MUST NOT [*] |
skipping to change at page 6, line 35 skipping to change at page 6, line 36
| 3 | GOST R 34.11-94 | MUST NOT | MAY | | 3 | GOST R 34.11-94 | MUST NOT | MAY |
| 4 | SHA-384 | MAY | RECOMMENDED | | 4 | SHA-384 | MAY | RECOMMENDED |
+--------+-----------------+-------------------+-------------------+ +--------+-----------------+-------------------+-------------------+
[*] - This is a special type of CDS record signaling removal of DS at [*] - This is a special type of CDS record signaling removal of DS at
the parent in [RFC8078] the parent in [RFC8078]
NULL is a special case, see [RFC8078] NULL is a special case, see [RFC8078]
SHA-1 is still in wide use for DS records, so validators MUST SHA-1 is still in wide use for DS records, so validators MUST
implement the validation, but it is disallowed to use SHA-1 to implement validation, but it is NOT RECOMMENDED for use in generating
generate new DS records. (See Operational Considerations for caveats new DS and CDS records. (See Operational Considerations for caveats
when upgrading from SHA-1 to SHA-256 DS Algorithm.) when upgrading from SHA-1 to SHA-256 DS Algorithm.)
SHA-256 is in wide use and considered strong. SHA-256 is in wide use and considered strong.
GOST R 34.11-94 has been deprecated by [RFC6986]. GOST R 34.11-94 has been deprecated by [RFC6986].
SHA-384 share the same properties as SHA-256, but offers a modest SHA-384 shares the same properties as SHA-256, but offers a modest
security advantage over SHA-384 (384-bits of strength versus security advantage over SHA-384 (384-bits of strength versus
256-bits). For most applications of DNSSEC, SHA-256 should be 256-bits). For most applications of DNSSEC, SHA-256 should be
satisfactory and robust for the foreseeable future, and is therefore satisfactory and robust for the foreseeable future, and is therefore
recommended for DS/CDS records. While it is unlikely for a DNSSEC recommended for DS and CDS records. While it is unlikely for a
use case which requires 384-bit security strength to arise, SHA-384 DNSSEC use case requiring 384-bit security strength to arise, SHA-384
is provided for such applications and it MAY be used for generating is provided for such applications and it MAY be used for generating
DS/CDS records in these cases. DS and CDS records in these cases.
4. Security Considerations 4. Security Considerations
The security of cryptographic-based systems depends on both the The security of cryptographic systems depends on both the strength of
strength of the cryptographic algorithms chosen and the strength of the cryptographic algorithms chosen and the strength of the keys used
the keys used with those algorithms. The security also depends on with those algorithms. The security also depends on the engineering
the engineering of the protocol used by the system to ensure that of the protocol used by the system to ensure that there are no non-
there are no non-cryptographic ways to bypass the security of the cryptographic ways to bypass the security of the overall system.
overall system.
This document concerns itself with the selection of cryptographic This document concerns itself with the selection of cryptographic
algorithms for the use of DNSSEC, specifically with the selection of algorithms for the use of DNSSEC, specifically with the selection of
"mandatory-to-implement" algorithms. The algorithms identified in "mandatory-to-implement" algorithms. The algorithms identified in
this document as MUST or RECOMMENDED to implement are not known to be this document as MUST or RECOMMENDED to implement are not known to be
broken at the current time, and cryptographic research so far leads broken at the current time, and cryptographic research so far leads
us to believe that they will likely remain secure into the us to believe that they are likely to remain secure into the
foreseeable future. However, this isn't necessarily forever and it foreseeable future. However, this isn't necessarily forever, and it
is expected that new revisions of this document will be issued from is expected that new revisions of this document will be issued from
time to time to reflect the current best practice in this area. time to time to reflect the current best practices in this area.
Retiring an algorithm too soon would result in a signed zone with Retiring an algorithm too soon would result in a zone signed with the
such an algorithm to be downgraded to the equivalent of an unsigned retired algorithm being downgraded to the equivalent of an unsigned
zone. Therefore, algorithm deprecation must be done very slowly and zone. Therefore, algorithm deprecation must be done very slowly and
only after careful consideration and measurements of its use. only after careful consideration and measurement of its use.
5. Operational Considerations 5. Operational Considerations
DNSKEY algorithm rollover in a live zone is a complex process. See DNSKEY algorithm rollover in a live zone is a complex process. See
[RFC6781] and [RFC7583] for guidelines on how to perform algorithm [RFC6781] and [RFC7583] for guidelines on how to perform algorithm
rollovers. rollovers.
DS algorithm rollover in a live zone is also a complex process. DS algorithm rollover in a live zone is also a complex process.
Upgrading algorithm at the same time as rolling the new KSK key will Upgrading algorithm at the same time as rolling the new KSK key will
lead to DNSSEC validation failures, and users MUST upgrade the DS lead to DNSSEC validation failures, and users MUST upgrade the DS
algorithm first before rolling the Key Signing Key. algorithm first before rolling the Key Signing Key.
6. IANA Considerations 6. Implementation Report
6.1. DNSKEY Algorithms
The following table contains minimal version of the software that
implements the required functionality. Usually, the support for
specific algorithm has to be also included in the cryptographic
libraries that the DNS servers use.
+--------------------+------+--------+---------+----------+---------+
| Mnemonics | BIND | Knot | OpenDNS | PowerDNS | Unbound |
| | | DNS | | | |
+--------------------+------+--------+---------+----------+---------+
| RSAMD5 | Y | N | Y | N | N |
| DSA | Y | N | Y | N | Y |
| RSASHA1 | Y | Y | Y | Y | Y |
| DSA-NSEC3-SHA1 | Y | N | Y | N | Y |
| RSASHA1-NSEC3-SHA1 | Y | Y | Y | Y | Y |
| RSASHA256 | Y | Y | Y | Y | Y |
| RSASHA512 | Y | Y | Y | Y | Y |
| ECC-GOST | N | N | Y | Y | Y |
| ECDSAP256SHA256 | Y | Y | Y | Y | Y |
| ECDSAP384SHA384 | Y | Y | Y | Y | Y |
| ED25519 | Y | Y | N | Y | Y |
| ED448 | N | N | N | Y | Y |
+--------------------+------+--------+---------+----------+---------+
7. IANA Considerations
This document makes no requests of IANA. This document makes no requests of IANA.
7. Acknowledgements 8. Acknowledgements
This document borrows text from RFC 4307 by Jeffrey I. Schiller of This document borrows text from RFC 4307 by Jeffrey I. Schiller of
the Massachusetts Institute of Technology (MIT) and the 4307bis the Massachusetts Institute of Technology (MIT) and the 4307bis
document by Yoav Nir, Tero Kivinen, Paul Wouters and Daniel Migault. document by Yoav Nir, Tero Kivinen, Paul Wouters and Daniel Migault.
Much of the original text has been copied verbatim. Much of the original text has been copied verbatim.
We wish to thank Michael Sinatra, Roland van Rijswijk-Deij, Olafur We wish to thank Michael Sinatra, Roland van Rijswijk-Deij, Olafur
Gudmundsson and Paul Hoffman for their imminent feedback. Gudmundsson, Paul Hoffman and Evan Hunt for their imminent feedback.
Kudos to Roy Arends for bringing the DS rollover issue to the Kudos to Roy Arends for bringing the DS rollover issue to the
daylight. daylight.
8. References 9. References
8.1. Normative References 9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
8.2. Informative References 9.2. Informative References
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005, RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/info/rfc4034>. <https://www.rfc-editor.org/info/rfc4034>.
[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
Security (DNSSEC) Hashed Authenticated Denial of Security (DNSSEC) Hashed Authenticated Denial of
Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,
<https://www.rfc-editor.org/info/rfc5155>. <https://www.rfc-editor.org/info/rfc5155>.
 End of changes. 39 change blocks. 
94 lines changed or deleted 124 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/