draft-ietf-dnsop-algorithm-update-05.txt   draft-ietf-dnsop-algorithm-update-06.txt 
dnsop P. Wouters dnsop P. Wouters
Internet-Draft Red Hat Internet-Draft Red Hat
Obsoletes: 6944 (if approved) O. Sury Obsoletes: 6944 (if approved) O. Sury
Intended status: Standards Track Internet Systems Consortium Intended status: Standards Track Internet Systems Consortium
Expires: August 16, 2019 February 12, 2019 Expires: August 21, 2019 February 17, 2019
Algorithm Implementation Requirements and Usage Guidance for DNSSEC Algorithm Implementation Requirements and Usage Guidance for DNSSEC
draft-ietf-dnsop-algorithm-update-05 draft-ietf-dnsop-algorithm-update-06
Abstract Abstract
The DNSSEC protocol makes use of various cryptographic algorithms in The DNSSEC protocol makes use of various cryptographic algorithms in
order to provide authentication of DNS data and proof of non- order to provide authentication of DNS data and proof of non-
existence. To ensure interoperability between DNS resolvers and DNS existence. To ensure interoperability between DNS resolvers and DNS
authoritative servers, it is necessary to specify a set of algorithm authoritative servers, it is necessary to specify a set of algorithm
implementation requirements and usage guidelines to ensure that there implementation requirements and usage guidelines to ensure that there
is at least one algorithm that all implementations support. This is at least one algorithm that all implementations support. This
document defines the current algorithm implementation requirements document defines the current algorithm implementation requirements
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 16, 2019. This Internet-Draft will expire on August 21, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 6, line 37 skipping to change at page 6, line 37
| 3 | GOST R 34.11-94 | MUST NOT | MAY | | 3 | GOST R 34.11-94 | MUST NOT | MAY |
| 4 | SHA-384 | MAY | RECOMMENDED | | 4 | SHA-384 | MAY | RECOMMENDED |
+--------+-----------------+-------------------+-------------------+ +--------+-----------------+-------------------+-------------------+
[*] - This is a special type of CDS record signaling removal of DS at [*] - This is a special type of CDS record signaling removal of DS at
the parent in [RFC8078] the parent in [RFC8078]
NULL is a special case, see [RFC8078] NULL is a special case, see [RFC8078]
SHA-1 is still in wide use for DS records, so validators MUST SHA-1 is still in wide use for DS records, so validators MUST
implement validation, but it is NOT RECOMMENDED for use in generating implement validation, but it MUST NOT be used to generate new DS and
new DS and CDS records. (See Operational Considerations for caveats CDS records. (See Operational Considerations for caveats when
when upgrading from SHA-1 to SHA-256 DS Algorithm.) upgrading from SHA-1 to SHA-256 DS Algorithm.)
SHA-256 is in wide use and considered strong. SHA-256 is in wide use and considered strong.
GOST R 34.11-94 has been superseded by GOST R 34.11-2012 in GOST R 34.11-94 has been superseded by GOST R 34.11-2012 in
[RFC6986]. The GOST R 34.11-2012 hasn't been standardized for use in [RFC6986]. The GOST R 34.11-2012 hasn't been standardized for use in
DNSSEC. DNSSEC.
SHA-384 shares the same properties as SHA-256, but offers a modest SHA-384 shares the same properties as SHA-256, but offers a modest
security advantage over SHA-384 (384-bits of strength versus security advantage over SHA-384 (384-bits of strength versus
256-bits). For most applications of DNSSEC, SHA-256 should be 256-bits). For most applications of DNSSEC, SHA-256 should be
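Review bot: The SHA-1 paragraph in -06 now reads "it MUST NOT be used to generate new DS and CDS records", but the SHA-1 row of the table is not part of this hunk, so check that its entry for generating DS/CDS records was changed from NOT RECOMMENDED to MUST NOT as well; otherwise the table and the prose give implementers two different requirement levels. Separately, the unchanged context at the end of the hunk says SHA-384 "offers a modest security advantage over SHA-384" on both sides of the diff, which compares the algorithm with itself; given the "384-bits of strength versus 256-bits" that follows, it should read "over SHA-256".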
 End of changes. 4 change blocks. 
6 lines changed or deleted 6 lines changed or added