1

2

3

4

5Internet Engineering Task Force (IETF) P. Hoffman

6Request for Comments: 9157 ICANN

7Updates: 5155, 6014, 8624 November 2021

8Category: Standards Track

9ISSN: 2070-1721

10

11

12 Revised IANA Considerations for DNSSEC

13

14Abstract

15

16 This document changes the review requirements needed to get DNSSEC

17 algorithms and resource records added to IANA registries. It updates

18 RFC 6014 to include hash algorithms for Delegation Signer (DS)

19 records and NextSECure version 3 (NSEC3) parameters (for Hashed

20 Authenticated Denial of Existence). It also updates RFCs 5155 and

21 6014, which have requirements for DNSSEC algorithms, and updates RFC

22 8624 to clarify the implementation recommendation related to the

23 algorithms described in RFCs that are not on the standards track.

24 The rationale for these changes is to bring the requirements for DS

25 records and hash algorithms used in NSEC3 in line with the

26 requirements for all other DNSSEC algorithms.

27

28Status of This Memo

29

30 This is an Internet Standards Track document.

31

32 This document is a product of the Internet Engineering Task Force

33 (IETF). It represents the consensus of the IETF community. It has

34 received public review and has been approved for publication by the

35 Internet Engineering Steering Group (IESG). Further information on

36 Internet Standards is available in Section 2 of RFC 7841.

37

38 Information about the current status of this document, any errata,

39 and how to provide feedback on it may be obtained at

40 https://www.rfc-editor.org/info/rfc9157.

41

42Copyright Notice

43

44 Copyright (c) 2021 IETF Trust and the persons identified as the

45 document authors. All rights reserved.

46

47 This document is subject to BCP 78 and the IETF Trust's Legal

48 Provisions Relating to IETF Documents

49 (https://trustee.ietf.org/license-info) in effect on the date of

50 publication of this document. Please review these documents

51 carefully, as they describe your rights and restrictions with respect

52 to this document. Code Components extracted from this document must

53 include Revised BSD License text as described in Section 4.e of the

54 Trust Legal Provisions and are provided without warranty as described

55 in the Revised BSD License.

56

57Table of Contents

58

59 1. Introduction

60 1.1. Requirements Language

61 2. Update to RFC 6014

62 3. Update to RFC 8624

63 4. IANA Considerations

64 5. Security Considerations

65 6. References

66 6.1. Normative References

67 6.2. Informative References

68 Acknowledgements

69 Author's Address

70

711. Introduction

72

73 DNSSEC is primarily described in [RFC4033], [RFC4034], and [RFC4035].

74 DNSSEC commonly uses another resource record beyond those defined in

75 [RFC4034]: NSEC3 [RFC5155]. DS resource records were originally

76 defined in [RFC3658], and that definition was obsoleted by [RFC4034].

77

78 [RFC6014] updates the requirements for how DNSSEC cryptographic

79 algorithm identifiers in the IANA registries are assigned, reducing

80 the requirements from "Standards Action" to "RFC Required". However,

81 the IANA registry requirements for hash algorithms for DS records

82 [RFC3658] and for the hash algorithms used in NSEC3 records [RFC5155]

83 are still "Standards Action". This document updates those IANA

84 registry requirements. (For a reference on how IANA registries can

85 be updated in general, see [RFC8126].)

86

871.1. Requirements Language

88

89 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",

90 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and

91 "OPTIONAL" in this document are to be interpreted as described in

92 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all

93 capitals, as shown here.

94

952. Update to RFC 6014

96

97 Section 4 updates [RFC6014] to bring the requirements for DS records

98 and NSEC3 hash algorithms in line with the rest of the DNSSEC

99 cryptographic algorithms by allowing any DS hash algorithms, NSEC3

100 hash algorithms, NSEC3 parameters, and NSEC3 flags that are fully

101 described in an RFC to have identifiers assigned in the IANA

102 registries. This is an addition to the IANA considerations in

103 [RFC6014].

104

1053. Update to RFC 8624

106

107 This document updates [RFC8624] for all DNSKEY and DS algorithms that

108 are not on the standards track.

109

110 The second paragraph of Section 1.2 of [RFC8624] currently says:

111

112 | This document only provides recommendations with respect to

113 | mandatory-to-implement algorithms or algorithms so weak that they

114 | cannot be recommended. Any algorithm listed in the [DNSKEY-IANA]

115 | and [DS-IANA] registries that are not mentioned in this document

116 | MAY be implemented. For clarification and consistency, an

117 | algorithm will be specified as MAY in this document only when it

118 | has been downgraded from a MUST or a RECOMMENDED to a MAY.

119

120 That paragraph is now replaced with the following:

121

122 | This document provides recommendations with respect to mandatory-

123 | to-implement algorithms, algorithms so weak that they cannot be

124 | recommended, and algorithms defined in RFCs that are not on the

125 | standards track. Any algorithm listed in the [DNSKEY-IANA] and

126 | [DS-IANA] registries that are not mentioned in this document MAY

127 | be implemented. For clarification and consistency, an algorithm

128 | will be specified as MAY in this document only when it has been

129 | downgraded from a MUST or a RECOMMENDED to a MAY.

130

131 This update is also reflected in the IANA considerations in

132 Section 4.

133

1344. IANA Considerations

135

136 In the "Domain Name System Security (DNSSEC) NextSECure3 (NSEC3)

137 Parameters" registry, the registration procedure for "DNSSEC NSEC3

138 Flags", "DNSSEC NSEC3 Hash Algorithms", and "DNSSEC NSEC3PARAM Flags"

139 has been changed from "Standards Action" to "RFC Required", and this

140 document has been added as a reference.

141

142 In the "DNSSEC Delegation Signer (DS) Resource Record (RR) Type

143 Digest Algorithms" registry, the registration procedure for "Digest

144 Algorithms" has been changed from "Standards Action" to "RFC

145 Required", and this document has been added as a reference.

146

1475. Security Considerations

148

149 Changing the requirements for adding security algorithms to IANA

150 registries as described in this document will make it easier to add

151 both good and bad algorithms to the registries. It is impossible to

152 weigh the security impact of those two changes.

153

154 Administrators of DNSSEC-signed zones and validating resolvers may

155 have been making security decisions based on the contents of the IANA

156 registries. This was a bad idea in the past, and now it is an even

157 worse idea because there will be more algorithms in those registries

158 that may not have gone through IETF review. Security decisions about

159 which algorithms are safe and not safe should be made by reading the

160 security literature, not by looking in IANA registries.

161

1626. References

163

1646.1. Normative References

165

166 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate

167 Requirement Levels", BCP 14, RFC 2119,

168 DOI 10.17487/RFC2119, March 1997,

169 <https://www.rfc-editor.org/info/rfc2119>.

170

171 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.

172 Rose, "DNS Security Introduction and Requirements",

173 RFC 4033, DOI 10.17487/RFC4033, March 2005,

174 <https://www.rfc-editor.org/info/rfc4033>.

175

176 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.

177 Rose, "Resource Records for the DNS Security Extensions",

178 RFC 4034, DOI 10.17487/RFC4034, March 2005,

179 <https://www.rfc-editor.org/info/rfc4034>.

180

181 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.

182 Rose, "Protocol Modifications for the DNS Security

183 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,

184 <https://www.rfc-editor.org/info/rfc4035>.

185

186 [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS

187 Security (DNSSEC) Hashed Authenticated Denial of

188 Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,

189 <https://www.rfc-editor.org/info/rfc5155>.

190

191 [RFC6014] Hoffman, P., "Cryptographic Algorithm Identifier

192 Allocation for DNSSEC", RFC 6014, DOI 10.17487/RFC6014,

193 November 2010, <https://www.rfc-editor.org/info/rfc6014>.

194

195 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for

196 Writing an IANA Considerations Section in RFCs", BCP 26,

197 RFC 8126, DOI 10.17487/RFC8126, June 2017,

198 <https://www.rfc-editor.org/info/rfc8126>.

199

200 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC

201 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,

202 May 2017, <https://www.rfc-editor.org/info/rfc8174>.

203

204 [RFC8624] Wouters, P. and O. Sury, "Algorithm Implementation

205 Requirements and Usage Guidance for DNSSEC", RFC 8624,

206 DOI 10.17487/RFC8624, June 2019,

207 <https://www.rfc-editor.org/info/rfc8624>.

208

2096.2. Informative References

210

211 [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record

212 (RR)", RFC 3658, DOI 10.17487/RFC3658, December 2003,

213 <https://www.rfc-editor.org/info/rfc3658>.

214

215Acknowledgements

216

217 Donald Eastlake, Murray Kucherawy, Dan Harkins, Martin Duke, and

218 Benjamin Kaduk contributed to this document.

219

220Author's Address

221

222 Paul Hoffman

223 ICANN

224

225 Email: paul.hoffman@icann.org

226