Algorithm Implementation Requirements and Usage Guidance for DNSSEC
RFC 8624

Document Type: RFC - Proposed Standard (June 2019; No errata)
Obsoletes: RFC 6944
Last updated: 2019-06-11
Replaces: draft-wouters-sury-dnsop-algorithm-update
Stream: IETF
WG state: Submitted to IESG for Publication
Document shepherd: Tim Wicinski
Shepherd write-up: last changed 2019-02-08
IESG state: RFC 8624 (Proposed Standard)
Consensus Boilerplate: Yes
Responsible AD: Warren Kumari
Send notices to: Tim Wicinski <tjw.ietf@gmail.com>
IANA review state: IANA OK - No Actions Needed
IANA action state: No IANA Actions

Internet Engineering Task Force (IETF)                        P. Wouters
Request for Comments: 8624                                       Red Hat
Obsoletes: 6944                                                  O. Sury
Category: Standards Track                    Internet Systems Consortium
ISSN: 2070-1721                                                June 2019

  Algorithm Implementation Requirements and Usage Guidance for DNSSEC

Abstract

   The DNSSEC protocol makes use of various cryptographic algorithms in
   order to provide authentication of DNS data and proof of
   nonexistence.  To ensure interoperability between DNS resolvers and
   DNS authoritative servers, it is necessary to specify a set of
   algorithm implementation requirements and usage guidelines to ensure
   that there is at least one algorithm that all implementations
   support.  This document defines the current algorithm implementation
   requirements and usage guidance for DNSSEC.  This document obsoletes
   RFC 6944.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8624.

Wouters & Sury               Standards Track                    [Page 1]
RFC 8624             DNSSEC Cryptographic Algorithms           June 2019

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Updating Algorithm Implementation Requirements and Usage
           Guidance  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Updating Algorithm Requirement Levels . . . . . . . . . .   3
     1.3.  Document Audience . . . . . . . . . . . . . . . . . . . .   4
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   4
   3.  Algorithm Selection . . . . . . . . . . . . . . . . . . . . .   5
     3.1.  DNSKEY Algorithms . . . . . . . . . . . . . . . . . . . .   5
     3.2.  DNSKEY Algorithm Recommendation . . . . . . . . . . . . .   6
     3.3.  DS and CDS Algorithms . . . . . . . . . . . . . . . . . .   7
     3.4.  DS and CDS Algorithm Recommendation . . . . . . . . . . .   7
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   5.  Operational Considerations  . . . . . . . . . . . . . . . . .   8
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  10
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  11
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11


1.  Introduction

   The DNSSEC signing algorithms are defined by various RFCs, including
   [RFC4034], [RFC5155], [RFC5702], [RFC5933], [RFC6605], and [RFC8080].
   DNSSEC is used to provide authentication of data.  To ensure
   interoperability, a set of "mandatory-to-implement" DNSKEY algorithms
   are defined.  This document obsoletes [RFC6944].

1.1.  Updating Algorithm Implementation Requirements and Usage Guidance

   The field of cryptography evolves continuously.  New, stronger
   algorithms appear, and existing algorithms are found to be less
   secure than originally thought.  Attacks previously thought to be
   computationally infeasible become more accessible as the available
   computational resources increase.  Therefore, algorithm
   implementation requirements and usage guidance need to be updated
   from time to time to reflect the new reality.  The choices for
   algorithms must be conservative to minimize the risk of algorithm
   compromise.