DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates
NIST, 100 Bureau Dr., Gaithersburg, MD 20899, USA
+1-301-975-8439
scottr.nist@gmail.com
Internet Area
DNS Extensions Working Group
DNS, DNSSEC
The DNS Security Extensions (DNSSEC) require the use of
cryptographic algorithm suites for generating digital signatures over DNS data. The algorithms specified for
use with DNSSEC are reflected in an IANA-maintained registry. This document presents a set of changes for
some entries of the registry and presents a new registry table.
The Domain Name System (DNS) Security Extensions (DNSSEC) use digital signatures over DNS data
to provide source authentication and integrity protection. DNSSEC uses an IANA registry
to list codes for digital signature algorithms (consisting of a cryptographic
algorithm and one-way hash function).
This document replaces the current IANA registry for Domain Name
System Security (DNSSEC) Algorithm Numbers with a newly defined registry table. This new table (Section 2.2 below)
contains a collection of changes to selected entries originally set aside for future algorithm specification that did
not occur. These entries are changed to "Reserved" to avoid potential conflicts with older implementations. This
document also brings the list of references for entries up to date.
The DNS Security Algorithm Number sub-registry (part of the Domain Name
System (DNS) Security Number registry) will be replaced with the table below.
There are additional differences to entries that are described in sub-section 2.1 and
the overall new registry table is in sub-section 2.2.
This document updates three entries in the Domain Name System Security (DNSSEC)
Algorithm Registry. They are:
The description for assignment number 4 is changed to "Reserved".
The description for assignment number 9 is changed to "Reserved".
The description for assignment number 11 is changed to "Reserved".
The above values are changed to "Reserved" because they were placeholders for algorithms that
were not fully specified for use with DNSSEC. Older implementations may still have these algorithm
codes assigned, so these codes are reserved to prevent potential incompatibilities.
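An added example (not part of the original document): a Python check that scans zone-file records for the three algorithm numbers changed to "Reserved" above. The sample zone, the function name and the one-record-per-line layout are constructed assumptions; the algorithm field positions follow the DNSKEY, DS and RRSIG presentation formats.

```python
# Added example: flag records that use algorithm numbers this document marks "Reserved".
RESERVED_ALGORITHMS = {4, 9, 11}  # the three entries listed above

# Index of the algorithm field within the RDATA of each record type.
ALGORITHM_FIELD = {"DNSKEY": 2, "RRSIG": 1, "DS": 1}

# Constructed sample zone data (keys and signatures are truncated placeholders).
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 8 AwEAAc...placeholder
example.test. 3600 IN DNSKEY 256 3 9 AwEAAd...placeholder
child.example.test. IN DS 12345 11 1 0123abcd
example.test. 3600 IN RRSIG A 4 2 3600 20300101000000 20290101000000 12345 example.test. c2ln...
www.example.test. 3600 IN A 192.0.2.1
; comment line
"""

def find_reserved_algorithms(zone_text):
    """Return (line, owner, type, algorithm) for records using a reserved code.

    Assumes one record per line with an explicit owner name. Algorithm fields
    written as mnemonics rather than numbers are skipped.
    """
    findings = []
    for lineno, raw in enumerate(zone_text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        # TTL and class are optional, so search for the type token after the owner.
        for pos, token in enumerate(fields[1:], start=1):
            rtype = token.upper()
            if rtype in ALGORITHM_FIELD:
                break
        else:
            continue  # not a DNSSEC record type carrying an algorithm number
        rdata = fields[pos + 1:]
        idx = ALGORITHM_FIELD[rtype]
        if len(rdata) <= idx or not rdata[idx].isdigit():
            continue  # truncated RDATA or mnemonic form
        algorithm = int(rdata[idx])
        if algorithm in RESERVED_ALGORITHMS:
            findings.append((lineno, fields[0], rtype, algorithm))
    return findings

if __name__ == "__main__":
    for finding in find_reserved_algorithms(SAMPLE_ZONE):
        print("line %d: %s %s uses reserved algorithm %d" % finding)
```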
This document replaces the Domain Name System (DNS) Security Algorithm Numbers registry
with the new registry table in Section 2.2. The changes include moving three registry entries to "Reserved" and updating the reference list for entries.
The original Domain
Name System (DNS) Security Algorithm Number registry is
available at http://www.iana.org/assignments/dns-sec-alg-numbers.
This document replaces the Domain Name System (DNS) Security Algorithm Numbers registry with an updated table.
It is not meant
to be a discussion on algorithm superiority. No new security considerations are
raised in this document.