7Internet Engineering Task Force (IETF) P. Wouters
8Request for Comments: 8624 Red Hat
10Category: Standards Track Internet Systems Consortium
11ISSN: 2070-1721 June 2019
14 Algorithm Implementation Requirements and Usage Guidance for DNSSEC
18 The DNSSEC protocol makes use of various cryptographic algorithms in
19 order to provide authentication of DNS data and proof of
20 nonexistence. To ensure interoperability between DNS resolvers and
21 DNS authoritative servers, it is necessary to specify a set of
22 algorithm implementation requirements and usage guidelines to ensure
23 that there is at least one algorithm that all implementations
24 support. This document defines the current algorithm implementation
25 requirements and usage guidance for DNSSEC. This document obsoletes
30 This is an Internet Standards Track document.
32 This document is a product of the Internet Engineering Task Force
33 (IETF). It represents the consensus of the IETF community. It has
34 received public review and has been approved for publication by the
35 Internet Engineering Steering Group (IESG). Further information on
36 Internet Standards is available in Section 2 of RFC 7841.
38 Information about the current status of this document, any errata,
39 and how to provide feedback on it may be obtained at
40 https://www.rfc-editor.org/info/rfc8624.
58Wouters & Sury Standards Track [Page 1]
60RFC 8624 DNSSEC Cryptographic Algorithms June 2019
65 Copyright (c) 2019 IETF Trust and the persons identified as the
66 document authors. All rights reserved.
68 This document is subject to BCP 78 and the IETF Trust's Legal
69 Provisions Relating to IETF Documents
70 (https://trustee.ietf.org/license-info) in effect on the date of
71 publication of this document. Please review these documents
72 carefully, as they describe your rights and restrictions with respect
73 to this document. Code Components extracted from this document must
74 include Simplified BSD License text as described in Section 4.e of
75 the Trust Legal Provisions and are provided without warranty as
76 described in the Simplified BSD License.
80 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
81 1.1. Updating Algorithm Implementation Requirements and Usage
82 Guidance . . . . . . . . . . . . . . . . . . . . . . . . 3
83 1.2. Updating Algorithm Requirement Levels . . . . . . . . . . 3
84 1.3. Document Audience . . . . . . . . . . . . . . . . . . . . 4
85 2. Conventions Used in This Document . . . . . . . . . . . . . . 4
86 3. Algorithm Selection . . . . . . . . . . . . . . . . . . . . . 5
87 3.1. DNSKEY Algorithms . . . . . . . . . . . . . . . . . . . . 5
88 3.2. DNSKEY Algorithm Recommendation . . . . . . . . . . . . . 6
89 3.3. DS and CDS Algorithms . . . . . . . . . . . . . . . . . . 7
90 3.4. DS and CDS Algorithm Recommendation . . . . . . . . . . . 7
91 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8
92 5. Operational Considerations . . . . . . . . . . . . . . . . . 8
93 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
94 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
95 7.1. Normative References . . . . . . . . . . . . . . . . . . 9
96 7.2. Informative References . . . . . . . . . . . . . . . . . 10
97 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 11
98 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
114Wouters & Sury Standards Track [Page 2]
116RFC 8624 DNSSEC Cryptographic Algorithms June 2019
121 The DNSSEC signing algorithms are defined by various RFCs, including
122 [RFC4034], [RFC5155], [RFC5702], [RFC5933], [RFC6605], and [RFC8080].
123 DNSSEC is used to provide authentication of data. To ensure
124 interoperability, a set of "mandatory-to-implement" DNSKEY algorithms
125 are defined. This document obsoletes [RFC6944].
1271.1. Updating Algorithm Implementation Requirements and Usage Guidance
129 The field of cryptography evolves continuously. New, stronger
130 algorithms appear, and existing algorithms are found to be less
131 secure than originally thought. Attacks previously thought to be
132 computationally infeasible become more accessible as the available
133 computational resources increase. Therefore, algorithm
134 implementation requirements and usage guidance need to be updated
135 from time to time to reflect the new reality. The choices for
136 algorithms must be conservative to minimize the risk of algorithm
1391.2. Updating Algorithm Requirement Levels
141 The mandatory-to-implement algorithm of tomorrow should already be
142 available in most implementations of DNSSEC by the time it is made
143 mandatory. This document attempts to identify and introduce those
144 algorithms for future mandatory-to-implement status. There is no
145 guarantee that algorithms in use today will become mandatory in the
146 future. Published algorithms are continuously subjected to
147 cryptographic attack and may become too weak or even be completely
148 broken before this document is updated.
150 This document only provides recommendations with respect to
151 mandatory-to-implement algorithms or algorithms so weak that they
152 cannot be recommended. Any algorithm listed in the [DNSKEY-IANA] and
153 [DS-IANA] registries that are not mentioned in this document MAY be
154 implemented. For clarification and consistency, an algorithm will be
155 specified as MAY in this document only when it has been downgraded
156 from a MUST or a RECOMMENDED to a MAY.
158 Although this document's primary purpose is to update algorithm
159 recommendations to keep DNSSEC authentication secure over time, it
160 also aims to do so in such a way that DNSSEC implementations remain
161 interoperable. DNSSEC interoperability is addressed by an
162 incremental introduction or deprecation of algorithms.
164 [RFC2119] considers the term SHOULD equivalent to RECOMMENDED, and
165 SHOULD NOT equivalent to NOT RECOMMENDED. The authors of this
166 document have chosen to use the terms RECOMMENDED and NOT
170Wouters & Sury Standards Track [Page 3]
172RFC 8624 DNSSEC Cryptographic Algorithms June 2019
175 RECOMMENDED, as this more clearly expresses the intent to
178 It is expected that deprecation of an algorithm will be performed
179 gradually in a series of updates to this document. This provides
180 time for various implementations to update their implemented
181 algorithms while remaining interoperable. Unless there are strong
182 security reasons, an algorithm is expected to be downgraded from MUST
183 to NOT RECOMMENDED or MAY, instead of to MUST NOT. Similarly, an
184 algorithm that has not been mentioned as mandatory-to-implement is
185 expected to be introduced with a RECOMMENDED instead of a MUST.
187 Since the effect of using an unknown DNSKEY algorithm is that the
188 zone is treated as insecure, it is recommended that algorithms
189 downgraded to NOT RECOMMENDED or lower not be used by authoritative
190 nameservers and DNSSEC signers to create new DNSKEYs. This will
191 allow for deprecated algorithms to become less and less common over
192 time. Once an algorithm has reached a sufficiently low level of
193 deployment, it can be marked as MUST NOT so that recursive resolvers
194 can remove support for validating it.
196 Recursive nameservers are encouraged to retain support for all
197 algorithms not marked as MUST NOT.
1991.3. Document Audience
201 The recommendations of this document mostly target DNSSEC
202 implementers, as implementations need to meet both high security
203 expectations as well as high interoperability between various vendors
204 and with different versions. Interoperability requires a smooth
205 transition to more secure algorithms. This perspective may differ
206 from that of a user who wishes to deploy and configure DNSSEC with
207 only the safest algorithm. On the other hand, the comments and
208 recommendations in this document are also expected to be useful for
2112. Conventions Used in This Document
213 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
214 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
215 "OPTIONAL" in this document are to be interpreted as described in
216 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
217 capitals, as shown here.
226Wouters & Sury Standards Track [Page 4]
228RFC 8624 DNSSEC Cryptographic Algorithms June 2019
2313. Algorithm Selection
2333.1. DNSKEY Algorithms
235 The following table lists the implementation recommendations for
236 DNSKEY algorithms [DNSKEY-IANA].
238 +--------+--------------------+-----------------+-------------------+
239 | Number | Mnemonics | DNSSEC Signing | DNSSEC Validation |
240 +--------+--------------------+-----------------+-------------------+
241 | 1 | RSAMD5 | MUST NOT | MUST NOT |
242 | 3 | DSA | MUST NOT | MUST NOT |
243 | 5 | RSASHA1 | NOT RECOMMENDED | MUST |
244 | 6 | DSA-NSEC3-SHA1 | MUST NOT | MUST NOT |
245 | 7 | RSASHA1-NSEC3-SHA1 | NOT RECOMMENDED | MUST |
246 | 8 | RSASHA256 | MUST | MUST |
247 | 10 | RSASHA512 | NOT RECOMMENDED | MUST |
248 | 12 | ECC-GOST | MUST NOT | MAY |
249 | 13 | ECDSAP256SHA256 | MUST | MUST |
250 | 14 | ECDSAP384SHA384 | MAY | RECOMMENDED |
251 | 15 | ED25519 | RECOMMENDED | RECOMMENDED |
252 | 16 | ED448 | MAY | RECOMMENDED |
253 +--------+--------------------+-----------------+-------------------+
255 RSAMD5 is not widely deployed, and there is an industry-wide trend to
258 RSASHA1 and RSASHA1-NSEC3-SHA1 are widely deployed, although the
259 zones deploying it are recommended to switch to ECDSAP256SHA256 as
260 there is an industry-wide trend to move to elliptic curve
261 cryptography. RSASHA1 does not support NSEC3. RSASHA1-NSEC3-SHA1
262 can be used with or without NSEC3.
264 DSA and DSA-NSEC3-SHA1 are not widely deployed and are vulnerable to
265 private key compromise when generating signatures using a weak or
266 compromised random number generator.
268 RSASHA256 is widely used and considered strong. It has been the
269 default algorithm for a number of years and is now slowly being
270 replaced with ECDSAP256SHA256 due to its shorter key and signature
271 size, resulting in smaller DNS packets.
273 RSASHA512 is NOT RECOMMENDED for DNSSEC signing because it has not
274 seen wide deployment, but there are some deployments; hence, DNSSEC
275 validation MUST implement RSASHA512 to ensure interoperability.
276 There is no significant difference in cryptographic strength between
277 RSASHA512 and RSASHA256; therefore, use of RSASHA512 is discouraged
282Wouters & Sury Standards Track [Page 5]
284RFC 8624 DNSSEC Cryptographic Algorithms June 2019
287 as it will only make deprecation of older algorithms harder. People
288 who wish to use a cryptographically stronger algorithm should switch
289 to elliptic curve cryptography algorithms.
291 ECC-GOST (GOST R 34.10-2001) has been superseded by GOST R 34.10-2012
292 in [RFC7091]. GOST R 34.10-2012 hasn't been standardized for use in
295 ECDSAP256SHA256 provides more cryptographic strength with a shorter
296 signature length than either RSASHA256 or RSASHA512. ECDSAP256SHA256
297 has been widely deployed; therefore, it is now at MUST level for both
298 validation and signing. It is RECOMMENDED to use the deterministic
299 digital signature generation procedure of the Elliptic Curve Digital
300 Signature Algorithm (ECDSA), specified in [RFC6979], when
301 implementing ECDSAP256SHA256 (and ECDSAP384SHA384).
303 ECDSAP384SHA384 shares the same properties as ECDSAP256SHA256 but
304 offers a modest security advantage over ECDSAP256SHA256 (192 bits of
305 strength versus 128 bits). For most DNSSEC applications,
306 ECDSAP256SHA256 should be satisfactory and robust for the foreseeable
307 future and is therefore recommended for signing. While it is
308 unlikely for a DNSSEC use case requiring 192-bit security strength to
309 arise, ECDSA384SHA384 is provided for such applications, and it MAY
310 be used for signing in these cases.
312 ED25519 and ED448 use the Edwards-curve Digital Security Algorithm
313 (EdDSA). There are three main advantages of EdDSA: it does not
314 require the use of a unique random number for each signature, there
315 are no padding or truncation issues as with ECDSA, and it is more
316 resilient to side-channel attacks. Furthermore, EdDSA cryptography
317 is less prone to implementation errors ([RFC8032], [RFC8080]). It is
318 expected that ED25519 will become the future RECOMMENDED default
319 algorithm once there's enough support for this algorithm in the
320 deployed DNSSEC validators.
3223.2. DNSKEY Algorithm Recommendation
324 Due to the industry-wide trend towards elliptic curve cryptography,
325 ECDSAP256SHA256 is the RECOMMENDED DNSKEY algorithm for use by new
326 DNSSEC deployments, and users of RSA-based algorithms SHOULD upgrade
338Wouters & Sury Standards Track [Page 6]
340RFC 8624 DNSSEC Cryptographic Algorithms June 2019
3433.3. DS and CDS Algorithms
345 The following table lists the recommendations for Delegation Signer
346 Digest Algorithms [DS-IANA]. These recommendations also apply to the
347 Child Delegation Signer (CDS) RRTYPE as specified in [RFC7344].
349 +--------+-----------------+-------------------+-------------------+
350 | Number | Mnemonics | DNSSEC Delegation | DNSSEC Validation |
351 +--------+-----------------+-------------------+-------------------+
352 | 0 | NULL (CDS only) | MUST NOT [*] | MUST NOT [*] |
353 | 1 | SHA-1 | MUST NOT | MUST |
354 | 2 | SHA-256 | MUST | MUST |
355 | 3 | GOST R 34.11-94 | MUST NOT | MAY |
356 | 4 | SHA-384 | MAY | RECOMMENDED |
357 +--------+-----------------+-------------------+-------------------+
359 [*] - This is a special type of CDS record signaling removal of DS at
360 the parent in [RFC8078].
362 NULL is a special case; see [RFC8078].
364 SHA-1 is still widely used for Delegation Signer (DS) records, so
365 validators MUST implement validation, but it MUST NOT be used to
366 generate new DS and CDS records (see "Operational Considerations" for
367 caveats when upgrading from the SHA-1 to SHA-256 DS algorithm.)
369 SHA-256 is widely used and considered strong.
371 GOST R 34.11-94 has been superseded by GOST R 34.11-2012 in
372 [RFC6986]. GOST R 34.11-2012 has not been standardized for use in
375 SHA-384 shares the same properties as SHA-256 but offers a modest
376 security advantage over SHA-256 (384 bits of strength versus 256
377 bits). For most applications of DNSSEC, SHA-256 should be
378 satisfactory and robust for the foreseeable future and is therefore
379 recommended for DS and CDS records. While it is unlikely for a
380 DNSSEC use case requiring 384-bit security strength to arise, SHA-384
381 is provided for such applications, and it MAY be used for generating
382 DS and CDS records in these cases.
3843.4. DS and CDS Algorithm Recommendation
386 An operational recommendation for new and existing deployments:
387 SHA-256 is the RECOMMENDED DS and CDS algorithm.
394Wouters & Sury Standards Track [Page 7]
396RFC 8624 DNSSEC Cryptographic Algorithms June 2019
3994. Security Considerations
401 The security of cryptographic systems depends on both the strength of
402 the cryptographic algorithms chosen and the strength of the keys used
403 with those algorithms. The security also depends on the engineering
404 of the protocol used by the system to ensure that there are no non-
405 cryptographic ways to bypass the security of the overall system.
407 This document concerns itself with the selection of cryptographic
408 algorithms for use in DNSSEC, specifically with the selection of
409 "mandatory-to-implement" algorithms. The algorithms identified in
410 this document as MUST or RECOMMENDED to implement are not known to be
411 broken (in the cryptographic sense) at the current time, and
412 cryptographic research so far leads us to believe that they are
413 likely to remain secure into the foreseeable future. However, this
414 isn't necessarily forever, and it is expected that new revisions of
415 this document will be issued from time to time to reflect the current
416 best practices in this area.
418 Retiring an algorithm too soon would result in a zone (signed with a
419 retired algorithm) being downgraded to the equivalent of an unsigned
420 zone. Therefore, algorithm deprecation must be done very slowly and
421 only after careful consideration and measurement of its use.
4235. Operational Considerations
425 DNSKEY algorithm rollover in a live zone is a complex process. See
426 [RFC6781] and [RFC7583] for guidelines on how to perform algorithm
429 DS algorithm rollover in a live zone is also a complex process.
430 Upgrading an algorithm at the same time as rolling a new Key Signing
431 Key (KSK) will lead to DNSSEC validation failures. Administrators
432 MUST complete the process of the DS algorithm upgrade before starting
433 a rollover process for a new KSK.
4356. IANA Considerations
437 This document has no IANA actions.
450Wouters & Sury Standards Track [Page 8]
452RFC 8624 DNSSEC Cryptographic Algorithms June 2019
4577.1. Normative References
459 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
460 Requirement Levels", BCP 14, RFC 2119,
461 DOI 10.17487/RFC2119, March 1997,
462 <https://www.rfc-editor.org/info/rfc2119>.
464 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
465 Rose, "Resource Records for the DNS Security Extensions",
466 RFC 4034, DOI 10.17487/RFC4034, March 2005,
467 <https://www.rfc-editor.org/info/rfc4034>.
469 [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
470 Security (DNSSEC) Hashed Authenticated Denial of
471 Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,
472 <https://www.rfc-editor.org/info/rfc5155>.
474 [RFC5702] Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY
475 and RRSIG Resource Records for DNSSEC", RFC 5702,
476 DOI 10.17487/RFC5702, October 2009,
477 <https://www.rfc-editor.org/info/rfc5702>.
479 [RFC6605] Hoffman, P. and W. Wijngaards, "Elliptic Curve Digital
480 Signature Algorithm (DSA) for DNSSEC", RFC 6605,
481 DOI 10.17487/RFC6605, April 2012,
482 <https://www.rfc-editor.org/info/rfc6605>.
484 [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature
485 Algorithm (DSA) and Elliptic Curve Digital Signature
486 Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
487 2013, <https://www.rfc-editor.org/info/rfc6979>.
489 [RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
490 Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
491 2013, <https://www.rfc-editor.org/info/rfc6986>.
493 [RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating
494 DNSSEC Delegation Trust Maintenance", RFC 7344,
495 DOI 10.17487/RFC7344, September 2014,
496 <https://www.rfc-editor.org/info/rfc7344>.
498 [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
499 Signature Algorithm (EdDSA)", RFC 8032,
500 DOI 10.17487/RFC8032, January 2017,
501 <https://www.rfc-editor.org/info/rfc8032>.
506Wouters & Sury Standards Track [Page 9]
508RFC 8624 DNSSEC Cryptographic Algorithms June 2019
511 [RFC8078] Gudmundsson, O. and P. Wouters, "Managing DS Records from
512 the Parent via CDS/CDNSKEY", RFC 8078,
513 DOI 10.17487/RFC8078, March 2017,
514 <https://www.rfc-editor.org/info/rfc8078>.
516 [RFC8080] Sury, O. and R. Edmonds, "Edwards-Curve Digital Security
517 Algorithm (EdDSA) for DNSSEC", RFC 8080,
518 DOI 10.17487/RFC8080, February 2017,
519 <https://www.rfc-editor.org/info/rfc8080>.
521 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
522 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
523 May 2017, <https://www.rfc-editor.org/info/rfc8174>.
5257.2. Informative References
527 [RFC5933] Dolmatov, V., Ed., Chuprina, A., and I. Ustinov, "Use of
528 GOST Signature Algorithms in DNSKEY and RRSIG Resource
529 Records for DNSSEC", RFC 5933, DOI 10.17487/RFC5933, July
530 2010, <https://www.rfc-editor.org/info/rfc5933>.
532 [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
533 Operational Practices, Version 2", RFC 6781,
534 DOI 10.17487/RFC6781, December 2012,
535 <https://www.rfc-editor.org/info/rfc6781>.
537 [RFC6944] Rose, S., "Applicability Statement: DNS Security (DNSSEC)
538 DNSKEY Algorithm Implementation Status", RFC 6944,
539 DOI 10.17487/RFC6944, April 2013,
540 <https://www.rfc-editor.org/info/rfc6944>.
542 [RFC7091] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
543 Digital Signature Algorithm", RFC 7091,
544 DOI 10.17487/RFC7091, December 2013,
545 <https://www.rfc-editor.org/info/rfc7091>.
547 [RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking,
548 "DNSSEC Key Rollover Timing Considerations", RFC 7583,
549 DOI 10.17487/RFC7583, October 2015,
550 <https://www.rfc-editor.org/info/rfc7583>.
553 IANA, "Domain Name System Security (DNSSEC) Algorithm
555 <http://www.iana.org/assignments/dns-sec-alg-numbers>.
562Wouters & Sury Standards Track [Page 10]
564RFC 8624 DNSSEC Cryptographic Algorithms June 2019
567 [DS-IANA] IANA, "Delegation Signer (DS) Resource Record (RR) Type
569 <http://www.iana.org/assignments/ds-rr-types>.
573 This document borrows text from RFC 4307 by Jeffrey I. Schiller of
574 the Massachusetts Institute of Technology (MIT) and RFC 8247 by Yoav
575 Nir, Tero Kivinen, Paul Wouters, and Daniel Migault. Much of the
576 original text has been copied verbatim.
578 We wish to thank Michael Sinatra, Roland van Rijswijk-Deij, Olafur
579 Gudmundsson, Paul Hoffman, Evan Hunt, and Peter Yee for their
582 Kudos to Roy Arends for bringing the DS rollover issue to light.
590 Email: pwouters@redhat.com
594 Internet Systems Consortium
597 Email: ondrej@isc.org
618Wouters & Sury Standards Track [Page 11]