Diff: draft-ietf-dnsop-algorithm-update-09.txt - draft-ietf-dnsop-algorithm-update-10.txt

	draft-ietf-dnsop-algorithm-update-09.txt	draft-ietf-dnsop-algorithm-update-10.txt

	dnsop P. Wouters	dnsop P. Wouters
	Internet-Draft Red Hat	Internet-Draft Red Hat
	Obsoletes: 6944 (if approved) O. Sury	Obsoletes: 6944 (if approved) O. Sury
	Intended status: Standards Track Internet Systems Consortium	Intended status: Standards Track Internet Systems Consortium

	Expires: October 12, 2019 April 10, 2019	Expires: October 22, 2019 April 20, 2019

	Algorithm Implementation Requirements and Usage Guidance for DNSSEC	Algorithm Implementation Requirements and Usage Guidance for DNSSEC

	draft-ietf-dnsop-algorithm-update-09	draft-ietf-dnsop-algorithm-update-10

	Abstract	Abstract

	The DNSSEC protocol makes use of various cryptographic algorithms in	The DNSSEC protocol makes use of various cryptographic algorithms in
	order to provide authentication of DNS data and proof of non-	order to provide authentication of DNS data and proof of non-
	existence. To ensure interoperability between DNS resolvers and DNS	existence. To ensure interoperability between DNS resolvers and DNS
	authoritative servers, it is necessary to specify a set of algorithm	authoritative servers, it is necessary to specify a set of algorithm
	implementation requirements and usage guidelines to ensure that there	implementation requirements and usage guidelines to ensure that there
	is at least one algorithm that all implementations support. This	is at least one algorithm that all implementations support. This
	document defines the current algorithm implementation requirements	document defines the current algorithm implementation requirements

	skipping to change at page 1, line 38 ¶	skipping to change at page 1, line 38 ¶
	Internet-Drafts are working documents of the Internet Engineering	Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute	Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-	working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.	Drafts is at https://datatracker.ietf.org/drafts/current/.

	Internet-Drafts are draft documents valid for a maximum of six months	Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any	and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference	time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."	material or to cite them other than as "work in progress."


	This Internet-Draft will expire on October 12, 2019.	This Internet-Draft will expire on October 22, 2019.

	Copyright Notice	Copyright Notice

	Copyright (c) 2019 IETF Trust and the persons identified as the	Copyright (c) 2019 IETF Trust and the persons identified as the
	document authors. All rights reserved.	document authors. All rights reserved.

	This document is subject to BCP 78 and the IETF Trust's Legal	This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents	Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info) in effect on the date of	(https://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents	publication of this document. Please review these documents

	skipping to change at page 2, line 30 ¶	skipping to change at page 2, line 30 ¶
	3.3. DS and CDS Algorithms . . . . . . . . . . . . . . . . . . 6	3.3. DS and CDS Algorithms . . . . . . . . . . . . . . . . . . 6
	3.4. DS and CDS Algorithm Recommendation . . . . . . . . . . . 7	3.4. DS and CDS Algorithm Recommendation . . . . . . . . . . . 7
	4. Implementation Status . . . . . . . . . . . . . . . . . . . . 7	4. Implementation Status . . . . . . . . . . . . . . . . . . . . 7
	4.1. DNSKEY Algorithms . . . . . . . . . . . . . . . . . . . . 7	4.1. DNSKEY Algorithms . . . . . . . . . . . . . . . . . . . . 7
	5. Security Considerations . . . . . . . . . . . . . . . . . . . 8	5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
	6. Operational Considerations . . . . . . . . . . . . . . . . . 8	6. Operational Considerations . . . . . . . . . . . . . . . . . 8
	7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9	7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
	8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9	8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
	9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9	9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
	9.1. Normative References . . . . . . . . . . . . . . . . . . 9	9.1. Normative References . . . . . . . . . . . . . . . . . . 9

	9.2. Informative References . . . . . . . . . . . . . . . . . 9	9.2. Informative References . . . . . . . . . . . . . . . . . 10
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11

	1. Introduction	1. Introduction

	The DNSSEC signing algorithms are defined by various RFCs, including	The DNSSEC signing algorithms are defined by various RFCs, including
	[RFC4034], [RFC5155], [RFC5702], [RFC5933], [RFC6605], [RFC8080].	[RFC4034], [RFC5155], [RFC5702], [RFC5933], [RFC6605], [RFC8080].
	DNSSEC is used to provide authentication of data. To ensure	DNSSEC is used to provide authentication of data. To ensure
	interoperability, a set of "mandatory-to-implement" DNSKEY algorithms	interoperability, a set of "mandatory-to-implement" DNSKEY algorithms
	are defined. This document obsoletes [RFC6944].	are defined. This document obsoletes [RFC6944].


	skipping to change at page 9, line 36 ¶	skipping to change at page 9, line 36 ¶

	9. References	9. References

	9.1. Normative References	9.1. Normative References

	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
	Requirement Levels", BCP 14, RFC 2119,	Requirement Levels", BCP 14, RFC 2119,
	DOI 10.17487/RFC2119, March 1997,	DOI 10.17487/RFC2119, March 1997,
	<https://www.rfc-editor.org/info/rfc2119>.	<https://www.rfc-editor.org/info/rfc2119>.


	[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
	2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
	May 2017, <https://www.rfc-editor.org/info/rfc8174>.

	9.2. Informative References

	[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.	[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
	Rose, "Resource Records for the DNS Security Extensions",	Rose, "Resource Records for the DNS Security Extensions",
	RFC 4034, DOI 10.17487/RFC4034, March 2005,	RFC 4034, DOI 10.17487/RFC4034, March 2005,
	<https://www.rfc-editor.org/info/rfc4034>.	<https://www.rfc-editor.org/info/rfc4034>.

	[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS	[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
	Security (DNSSEC) Hashed Authenticated Denial of	Security (DNSSEC) Hashed Authenticated Denial of
	Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,	Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,
	<https://www.rfc-editor.org/info/rfc5155>.	<https://www.rfc-editor.org/info/rfc5155>.

	[RFC5702] Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY	[RFC5702] Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY
	and RRSIG Resource Records for DNSSEC", RFC 5702,	and RRSIG Resource Records for DNSSEC", RFC 5702,
	DOI 10.17487/RFC5702, October 2009,	DOI 10.17487/RFC5702, October 2009,
	<https://www.rfc-editor.org/info/rfc5702>.	<https://www.rfc-editor.org/info/rfc5702>.


	[RFC5933] Dolmatov, V., Ed., Chuprina, A., and I. Ustinov, "Use of
	GOST Signature Algorithms in DNSKEY and RRSIG Resource
	Records for DNSSEC", RFC 5933, DOI 10.17487/RFC5933, July
	2010, <https://www.rfc-editor.org/info/rfc5933>.

	[RFC6605] Hoffman, P. and W. Wijngaards, "Elliptic Curve Digital	[RFC6605] Hoffman, P. and W. Wijngaards, "Elliptic Curve Digital
	Signature Algorithm (DSA) for DNSSEC", RFC 6605,	Signature Algorithm (DSA) for DNSSEC", RFC 6605,
	DOI 10.17487/RFC6605, April 2012,	DOI 10.17487/RFC6605, April 2012,
	<https://www.rfc-editor.org/info/rfc6605>.	<https://www.rfc-editor.org/info/rfc6605>.


	[RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
	Operational Practices, Version 2", RFC 6781,
	DOI 10.17487/RFC6781, December 2012,
	<https://www.rfc-editor.org/info/rfc6781>.

	[RFC6944] Rose, S., "Applicability Statement: DNS Security (DNSSEC)
	DNSKEY Algorithm Implementation Status", RFC 6944,
	DOI 10.17487/RFC6944, April 2013,
	<https://www.rfc-editor.org/info/rfc6944>.

	[RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature	[RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature
	Algorithm (DSA) and Elliptic Curve Digital Signature	Algorithm (DSA) and Elliptic Curve Digital Signature
	Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August	Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
	2013, <https://www.rfc-editor.org/info/rfc6979>.	2013, <https://www.rfc-editor.org/info/rfc6979>.

	[RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:	[RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
	Hash Function", RFC 6986, DOI 10.17487/RFC6986, August	Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
	2013, <https://www.rfc-editor.org/info/rfc6986>.	2013, <https://www.rfc-editor.org/info/rfc6986>.


	[RFC7091] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
	Digital Signature Algorithm", RFC 7091,
	DOI 10.17487/RFC7091, December 2013,
	<https://www.rfc-editor.org/info/rfc7091>.

	[RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating	[RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating
	DNSSEC Delegation Trust Maintenance", RFC 7344,	DNSSEC Delegation Trust Maintenance", RFC 7344,
	DOI 10.17487/RFC7344, September 2014,	DOI 10.17487/RFC7344, September 2014,
	<https://www.rfc-editor.org/info/rfc7344>.	<https://www.rfc-editor.org/info/rfc7344>.


	[RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking,
	"DNSSEC Key Rollover Timing Considerations", RFC 7583,
	DOI 10.17487/RFC7583, October 2015,
	<https://www.rfc-editor.org/info/rfc7583>.

	[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
	Code: The Implementation Status Section", BCP 205,
	RFC 7942, DOI 10.17487/RFC7942, July 2016,
	<https://www.rfc-editor.org/info/rfc7942>.

	[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital	[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
	Signature Algorithm (EdDSA)", RFC 8032,	Signature Algorithm (EdDSA)", RFC 8032,
	DOI 10.17487/RFC8032, January 2017,	DOI 10.17487/RFC8032, January 2017,
	<https://www.rfc-editor.org/info/rfc8032>.	<https://www.rfc-editor.org/info/rfc8032>.

	[RFC8078] Gudmundsson, O. and P. Wouters, "Managing DS Records from	[RFC8078] Gudmundsson, O. and P. Wouters, "Managing DS Records from
	the Parent via CDS/CDNSKEY", RFC 8078,	the Parent via CDS/CDNSKEY", RFC 8078,
	DOI 10.17487/RFC8078, March 2017,	DOI 10.17487/RFC8078, March 2017,
	<https://www.rfc-editor.org/info/rfc8078>.	<https://www.rfc-editor.org/info/rfc8078>.

	[RFC8080] Sury, O. and R. Edmonds, "Edwards-Curve Digital Security	[RFC8080] Sury, O. and R. Edmonds, "Edwards-Curve Digital Security
	Algorithm (EdDSA) for DNSSEC", RFC 8080,	Algorithm (EdDSA) for DNSSEC", RFC 8080,
	DOI 10.17487/RFC8080, February 2017,	DOI 10.17487/RFC8080, February 2017,
	<https://www.rfc-editor.org/info/rfc8080>.	<https://www.rfc-editor.org/info/rfc8080>.


		[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
		2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
		May 2017, <https://www.rfc-editor.org/info/rfc8174>.

		9.2. Informative References

		[RFC5933] Dolmatov, V., Ed., Chuprina, A., and I. Ustinov, "Use of
		GOST Signature Algorithms in DNSKEY and RRSIG Resource
		Records for DNSSEC", RFC 5933, DOI 10.17487/RFC5933, July
		2010, <https://www.rfc-editor.org/info/rfc5933>.

		[RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
		Operational Practices, Version 2", RFC 6781,
		DOI 10.17487/RFC6781, December 2012,
		<https://www.rfc-editor.org/info/rfc6781>.

		[RFC6944] Rose, S., "Applicability Statement: DNS Security (DNSSEC)
		DNSKEY Algorithm Implementation Status", RFC 6944,
		DOI 10.17487/RFC6944, April 2013,
		<https://www.rfc-editor.org/info/rfc6944>.

		[RFC7091] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
		Digital Signature Algorithm", RFC 7091,
		DOI 10.17487/RFC7091, December 2013,
		<https://www.rfc-editor.org/info/rfc7091>.

		[RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking,
		"DNSSEC Key Rollover Timing Considerations", RFC 7583,
		DOI 10.17487/RFC7583, October 2015,
		<https://www.rfc-editor.org/info/rfc7583>.

		[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
		Code: The Implementation Status Section", BCP 205,
		RFC 7942, DOI 10.17487/RFC7942, July 2016,
		<https://www.rfc-editor.org/info/rfc7942>.

	[DNSKEY-IANA]	[DNSKEY-IANA]
	"DNSKEY Algorithms", <http://www.iana.org/assignments/	"DNSKEY Algorithms", <http://www.iana.org/assignments/
	dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml>.	dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml>.

	[DS-IANA] "Delegation Signer Digest Algorithms",	[DS-IANA] "Delegation Signer Digest Algorithms",
	<http://www.iana.org/assignments/ds-rr-types/	<http://www.iana.org/assignments/ds-rr-types/
	ds-rr-types.xhtml>.	ds-rr-types.xhtml>.

	Authors' Addresses	Authors' Addresses


End of changes. 10 change blocks.
	40 lines changed or deleted	40 lines changed or added
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/