[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00

DNSOP                                                          R. Arends
Internet-Draft                                                     ICANN
Intended status: Standards Track                             J. Schlyter
Expires: September 13, 2017                                     Kirei AB
                                                               M. Larson
                                                                   ICANN
                                                          March 12, 2017


      DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates
             draft-arends-dnsop-dnssec-algorithm-update-00

Abstract

   The DNS Security Extensions (DNSSEC) require the use of cryptographic
   algorithm suites for generating digital signatures and cryptographic
   hashes over DNS data.  The algorithms specified for use with DNSSEC
   are reflected in IANA registries.  This document updates some entries
   in these registries.  The main reason for these updates is to retire
   the use of SHA1.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 13, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect



Arends, et al.         Expires September 13, 2017               [Page 1]


Internet-Draft          DNSSEC Algorithm Updates              March 2017


   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Reserved Words  . . . . . . . . . . . . . . . . . . . . .   2
   2.  The DNS Security Algorithm Implementation Status Lists  . . .   2
     2.1.  Status Definitions  . . . . . . . . . . . . . . . . . . .   2
     2.2.  Algorithm Implementation Status Assignment Rationale  . .   3
     2.3.  DNSSEC Implementation Status Table  . . . . . . . . . . .   3
     2.4.  Specifying New Algorithms and Updating the Status of
           Existing Entries  . . . . . . . . . . . . . . . . . . . .   4
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     5.2.  Informative References  . . . . . . . . . . . . . . . . .   5
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   The Domain Name System (DNS) Security Extensions (DNSSEC, defined by
   [RFC4033], [RFC4034], [RFC4035], [RFC4509], [RFC5155], and [RFC5702])
   use digital signatures over DNS data to provide source authentication
   and integrity protection.  DNSSEC uses IANA registries to list codes
   for digital signature algorithms and hash functions.

   This document updates a set of entries in the IANA registries titled
   "DNS Security (DNSSEC) Algorithm Numbers" and "Delegation Signer (DS)
   Resource Record (RR) Type Digest Algorithms".

1.1.  Reserved Words

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  The DNS Security Algorithm Implementation Status Lists

2.1.  Status Definitions

   Must Implement: The algorithm MUST be implemented to interoperate
   with other implementations of this specification.





Arends, et al.         Expires September 13, 2017               [Page 2]


Internet-Draft          DNSSEC Algorithm Updates              March 2017


   Must Not Implement: The algorithm MUST NOT be implemented.  An
   algorithm with this status has known weaknesses.

   Recommended to Implement: The algorithm SHOULD be implemented.
   Utility and interoperability with other implementations will be
   improved when an algorithm with this status is implemented, though
   there might be occasions where it is reasonable not to implement the
   algorithm.  An implementer must understand and weigh the full
   implications of choosing not to implement this particular algorithm.

   Optional: The algorithm MAY be implemented, but all implementations
   MUST be prepared to interoperate with implementations that do or do
   not implement this algorithm.

2.2.  Algorithm Implementation Status Assignment Rationale

   RSASHA1 had an implementation status of "Must Implement", consistent
   with [RFC4034].  The status of RSASHA1 is set to "Recommended to
   Implement" consistent with RSASHA1-NSEC3-SHA1.  The shift from "Must
   Implement" to "Recommended to Implement" is due to a perceived
   weakness in SHA1.

   The status of RSASHA256 is set to "Must Implement" as major
   deployments, such as the root zone [RZDPS], use these algorithms.  It
   is believed that RSA/SHA-256 or RSA/SHA-512 algorithms will replace
   older algorithms (e.g., RSA/SHA-1) that have a perceived weakness.

   All other algorithms used in DNSSEC specified without an
   implementation status are currently set to "Optional".

2.3.  DNSSEC Implementation Status Table

   The DNSSEC algorithm implementation status table is listed below.
   Only the algorithms already specified for use with DNSSEC at the time
   of writing are listed.

   +-----------+-----------+--------------------+----------------------+
   | Must      | Must Not  | Recommended        | Optional             |
   | Implement | Implement |                    |                      |
   +-----------+-----------+--------------------+----------------------+
   | RSASHA256 | RSAMD5    | RSASHA1            | Any registered       |
   |           |           |                    | algorithm not listed |
   |           |           |                    | in this table        |
   |           |           | RSASHA1-NSEC3-SHA1 |                      |
   |           |           | RSASHA512          |                      |
   |           |           | ECDSAP256SHA256    |                      |
   |           |           | ECDSAP384SHA384    |                      |
   +-----------+-----------+--------------------+----------------------+



Arends, et al.         Expires September 13, 2017               [Page 3]


Internet-Draft          DNSSEC Algorithm Updates              March 2017


   This table does not list the Reserved values in the IANA registry
   table or the values for INDIRECT (252), PRIVATE (253), and PRIVATEOID
   (254).  These values may relate to more than one algorithm and are
   therefore up to the implementer's discretion.  As noted, any
   algorithm not listed in the table is "Optional".

2.4.  Specifying New Algorithms and Updating the Status of Existing
      Entries

   [RFC6014] establishes a parallel procedure for adding a registry
   entry for a new algorithm other than a standards track document.
   Because any algorithm not listed in the foregoing table is
   "Optional", algorithms entered into the registry using the [RFC6014]
   procedure are automatically "Optional".

   It has turned out to be useful for implementations to refer to a
   single document that specifies the implementation status of every
   algorithm.  Accordingly, when a new algorithm is to be registered
   with a status other than "Optional", this document shall be made
   obsolete by a new document that adds the new algorithm to the table
   in Section 2.3.  Similarly, if the status of any algorithm in the
   table in Section 2.3 changes, a new document shall make this document
   obsolete; that document shall include a replacement of the table in
   Section 2.3.  This way, the goal of having one authoritative document
   to specify all the status values is achieved.

   This document cannot be updated, only made obsolete and replaced by a
   successor document.

3.  IANA Considerations

   This document lists the implementation status of cryptographic
   algorithms used with DNSSEC.  These algorithms are maintained in an
   IANA registry at <http://www.iana.org/assignments/dns-sec-alg-
   numbers>.  Because this document establishes the implementation
   status of every algorithm, it has been listed as a reference for the
   registry itself.

4.  Security Considerations

   This document lists, and in some cases assigns, the implementation
   status of cryptographic algorithms used with DNSSEC.  It is not meant
   to be a discussion on algorithm superiority.

   Since the status of two algorithms have changed, it is important to
   consider the long term effect of these changes in implementations.





Arends, et al.         Expires September 13, 2017               [Page 4]


Internet-Draft          DNSSEC Algorithm Updates              March 2017


   An implementation may have provided a default algorithm to use when
   generating a DNSKEY.  An implementation may select a default
   algorithm to sign DNSSEC records.  It is recommended that
   implementations that provide a default algorithm use an algorithm
   with the status "Must Implement".

5.  References

5.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

5.2.  Informative References

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, DOI 10.17487/RFC4033, March 2005,
              <http://www.rfc-editor.org/info/rfc4033>.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, DOI 10.17487/RFC4034, March 2005,
              <http://www.rfc-editor.org/info/rfc4034>.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
              <http://www.rfc-editor.org/info/rfc4035>.

   [RFC4509]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
              (DS) Resource Records (RRs)", RFC 4509,
              DOI 10.17487/RFC4509, May 2006,
              <http://www.rfc-editor.org/info/rfc4509>.

   [RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
              Security (DNSSEC) Hashed Authenticated Denial of
              Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,
              <http://www.rfc-editor.org/info/rfc5155>.

   [RFC5702]  Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY
              and RRSIG Resource Records for DNSSEC", RFC 5702,
              DOI 10.17487/RFC5702, October 2009,
              <http://www.rfc-editor.org/info/rfc5702>.





Arends, et al.         Expires September 13, 2017               [Page 5]


Internet-Draft          DNSSEC Algorithm Updates              March 2017


   [RFC6014]  Hoffman, P., "Cryptographic Algorithm Identifier
              Allocation for DNSSEC", RFC 6014, DOI 10.17487/RFC6014,
              November 2010, <http://www.rfc-editor.org/info/rfc6014>.

   [RZDPS]    Ljunggren, F., Okubo, T., Lamb, R., and J. Schlyter,
              "DNSSEC Practice Statement for the Root Zone KSK
              Operator", October 2010, <https://www.iana.org/dnssec/
              icann-dps.txt>.

Authors' Addresses

   Roy Arends
   ICANN

   Email: roy.arends@icann.org


   Jakob Schlyter
   Kirei AB

   Email: jakob@kirei.se


   Matt Larson
   ICANN

   Email: matt.larson@icann.org
























Arends, et al.         Expires September 13, 2017               [Page 6]


Html markup produced by rfcmarkup 1.123, available from https://tools.ietf.org/tools/rfcmarkup/