Internet DRAFT - draft-hardaker-dnsop-rfc8624-bis
draft-hardaker-dnsop-rfc8624-bis
Network Working Group W. Hardaker
Internet-Draft USC/ISI
Intended status: Informational W. Kumari
Expires: 30 August 2024 Google
27 February 2024
DNSSEC Cryptographic Algorithms
draft-hardaker-dnsop-rfc8624-bis-02
Abstract
[EDITOR NOTE: This document does not change the status (MUST, MAY,
RECOMMENDED, etc) of any of the algorithms listed in [RFC8624]; that
is the work of future documents. Instead, this document moves the
canonical list of algorithms from [RFC8624] to an IANA registry.
This is done for two reasons: 1) to allow the list to be updated more
easily, and, much more importantly, 2) to allow the list to be more
easily referenced.]
The DNSSEC protocol makes use of various cryptographic algorithms to
provide authentication of DNS data and proof of non-existence. To
ensure interoperability between DNS resolvers and DNS authoritative
servers, it is necessary to specify both a set of algorithm
implementation requirements and usage guidelines to ensure that there
is at least one algorithm that all implementations support. This
document updates [RFC8624] by moving the canonical source of
algorithm implementation requirements and usage guidance for DNSSEC
from [RFC8624] to an IANA registry. Future extensions to this
registry can be made under new, incremental update RFCs.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 30 August 2024.
Hardaker & Kumari Expires 30 August 2024 [Page 1]
Internet-Draft title February 2024
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Document Audience . . . . . . . . . . . . . . . . . . . . 3
1.2. Updating Algorithm Implementation Requirements and Usage
Guidance . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3. Updating Algorithm Requirement Levels . . . . . . . . . . 3
1.4. Requirements notation . . . . . . . . . . . . . . . . . . 4
2. Adding "Recommended" Columns to existing IANA tables . . . . 4
3. DNS System Algorithm Numbers Column Values . . . . . . . . . 5
4. DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest
Algorithms Column Values . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
6. Operational Considerations . . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
9.1. Normative References . . . . . . . . . . . . . . . . . . 8
9.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. ChangeLog . . . . . . . . . . . . . . . . . . . . . 10
A.1. Changes since RFC8624 . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
DNS Security Extensions (DNSSEC) [RFC4034] is used to provide
authentication of DNS data. The DNSSEC signing algorithms are
defined by various RFCs, including [RFC4034], [RFC5155], [RFC5702],
[RFC5933], [RFC6605], [RFC8080]. To ensure interoperability, a set
of "mandatory-to-implement" DNSKEY algorithms are defined in
[RFC8624]. To make the current status of the algorithms more easily
accessible and understandable, this document moves the canonical
status of the algorithms from [RFC8624] to the IANA DNSSEC algorithm
registries. [ Editor: This is similar to the process used for the
Hardaker & Kumari Expires 30 August 2024 [Page 2]
Internet-Draft title February 2024
[TLS-ciphersuites] registry, where the canonical list of ciphersuites
is in the IANA registry, and the RFCs reference the IANA registry. ]
This document simply moves the canonical list of algorithms from
[RFC8624] to the IANA registry, and defines the registry policies for
updating the registry. It does not change the status of any of the
algorithms listed in [RFC8624]; this is left to future documents.
1.1. Document Audience
The recommendations of this document mostly target DNSSEC
implementers, as implementations need to meet both high security
expectations as well as high interoperability between various vendors
and with different versions. Interoperability requires a smooth
transition to more secure algorithms. This perspective may differ
from that of a user who wishes to deploy and configure DNSSEC with
only the safest algorithm. On the other hand, the comments and
recommendations in this document are also expected to be useful for
such users.
1.2. Updating Algorithm Implementation Requirements and Usage Guidance
The field of cryptography evolves continuously. New, stronger
algorithms appear, and existing algorithms may be found to be less
secure then originally thought. Therefore, algorithm implementation
requirements and usage guidance need to be updated from time to time
in order to reflect the new reality. Cryptographic algorithm choices
implemented in and required by software must be conservative to
minimize the risk of algorithm compromise.
1.3. Updating Algorithm Requirement Levels
By the time a DNSSEC cryptographic algorithm is made mandatory-to-
implement, it should already be available in most implementations.
This document attempts to identify and introduce those algorithms for
future mandatory-to-implement status. There is no guarantee that
algorithms in use today will become mandatory to implement in the
future. Published algorithms are continuously subjected to
cryptographic attack and may become too weak, or even be completely
broken, before this document is updated.
Hardaker & Kumari Expires 30 August 2024 [Page 3]
Internet-Draft title February 2024
It is expected that the deprecation of an algorithm will be performed
gradually. This provides time for implementations to update their
implemented algorithms while remaining interoperable. Unless there
are strong security reasons, an algorithm is expected to be
downgraded from MUST to NOT RECOMMENDED or MAY, instead of directly
from MUST to MUST NOT. Similarly, an algorithm that has not been
mentioned as mandatory-to-implement is expected to be first
introduced as RECOMMENDED instead of a MUST.
Since the effect of using an unknown DNSKEY algorithm is that the
zone is treated as insecure, it is recommended that algorithms
downgraded to NOT RECOMMENDED or lower not be used by authoritative
nameservers and DNSSEC signers to create new DNSKEY's. This will
allow for deprecated algorithms to become used less and less over
time. Once an algorithm has reached a sufficiently low level of
deployment, it can be marked as MUST NOT, so that recursive resolvers
can remove support for validating it.
Validating recursive resolvers are encouraged to retain support for
all algorithms not marked as MUST NOT.
1.4. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
[RFC2119] considers the term SHOULD equivalent to RECOMMENDED, and
SHOULD NOT equivalent to NOT RECOMMENDED. The authors of this
document have chosen to use the terms RECOMMENDED and NOT
RECOMMENDED, as this more clearly expresses the recommendations to
implementers.
2. Adding "Recommended" Columns to existing IANA tables
Per this document, the following "Recommended" columns have been
added to the following DNSSEC algorithm tables registered with IANA:
Hardaker & Kumari Expires 30 August 2024 [Page 4]
Internet-Draft title February 2024
+===================================+====================+
| Table | Column added |
+===================================+====================+
| Domain Security Algorithm Numbers | Recommended for |
| | DNSSSEC Signing |
+-----------------------------------+--------------------+
| Domain sSecurity Algorithm | Recommended for |
| Numbers | DNSSSEC Validation |
+-----------------------------------+--------------------+
| Digest Algorithms | |
+-----------------------------------+--------------------+
Table 1
Adding a new entry to the "DNS System Algorithm Numbers" registry
with a recommended value of MAY in both the "Recommended for DNSSSEC
Signing" and "Recommended for DNSSSEC Validation" columns requires
RFC publication. Adding a new entry to, or changing existing values
in the "DNS System Algorithm Numbers" registry with a value in the
"Recommended for DNSSSEC Signing" or "Recommended for DNSSSEC
Validation" columns other than MAY requires a Standards Action.
Adding a new entry to the "Digest Algorithms" registry with a
recommended value of MAY in the "Recommended" column requires RFC
publication. Adding a new entry to the "Digest Algorithms" registry
with a value in the "Recommended" column other than MAY requires a
Standards Action.
If an item is not marked as "RECOMMENDED", it does not necessarily
mean that it is flawed; rather, it indicates that the item either has
not been through the IETF consensus process, has limited
applicability, or is intended only for specific use cases.
The following sections state the initial values to be populated into
these rows, with values transcribed from [RFC8624].
3. DNS System Algorithm Numbers Column Values
Initial recommendation columns of implementation recommendations for
the "Domain Name System Security (DNSSEC) Algorithm Numbers" are show
in Table 1.
Hardaker & Kumari Expires 30 August 2024 [Page 5]
Internet-Draft title February 2024
+========+====================+=================+===================+
| | | Recommended for | Recommended for |
+========+====================+=================+===================+
| Number | Mnemonics | DNSSEC Signing | DNSSEC |
| | | | Validation |
+--------+--------------------+-----------------+-------------------+
| 1 | RSAMD5 | MUST NOT | MUST NOT |
+--------+--------------------+-----------------+-------------------+
| 3 | DSA | MUST NOT | MUST NOT |
+--------+--------------------+-----------------+-------------------+
| 5 | RSASHA1 | MUST NOT | SHOULD NOT |
+--------+--------------------+-----------------+-------------------+
| 6 | DSA-NSEC3-SHA1 | MUST NOT | MUST NOT |
+--------+--------------------+-----------------+-------------------+
| 7 | RSASHA1-NSEC3-SHA1 | MUST NOT | SHOULD NOT |
+--------+--------------------+-----------------+-------------------+
| 8 | RSASHA256 | MUST | MUST |
+--------+--------------------+-----------------+-------------------+
| 10 | RSASHA512 | NOT | MUST |
+--------+--------------------+-----------------+-------------------+
| | | RECOMMENDED | |
+--------+--------------------+-----------------+-------------------+
| 12 | ECC-GOST | MUST NOT | MUST NOT |
+--------+--------------------+-----------------+-------------------+
| 13 | ECDSAP256SHA256 | MUST | MUST |
+--------+--------------------+-----------------+-------------------+
| 14 | ECDSAP384SHA384 | MAY | RECOMMENDED |
+--------+--------------------+-----------------+-------------------+
| 15 | ED25519 | RECOMMENDED | RECOMMENDED |
+--------+--------------------+-----------------+-------------------+
| 16 | ED448 | MAY | RECOMMENDED |
+--------+--------------------+-----------------+-------------------+
Table 2
Table 1
4. DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest
Algorithms Column Values
Initial recommendation columns of implementation recommendations for
the "DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest
Algorithms" registry are shown in Table 2.
Hardaker & Kumari Expires 30 August 2024 [Page 6]
Internet-Draft title February 2024
+========+=================+===================+===================+
| Number | Mnemonics | DNSSEC Delegation | DNSSEC Validation |
+========+=================+===================+===================+
| 0 | NULL (CDS only) | MUST NOT [*] | MUST NOT [*] |
+--------+-----------------+-------------------+-------------------+
| 1 | SHA-1 | MUST NOT | MUST |
+--------+-----------------+-------------------+-------------------+
| 2 | SHA-256 | MUST | MUST |
+--------+-----------------+-------------------+-------------------+
| 3 | GOST R 34.11-94 | MUST NOT | MAY |
+--------+-----------------+-------------------+-------------------+
| 4 | SHA-384 | MAY | RECOMMENDED |
+--------+-----------------+-------------------+-------------------+
Table 3
Table 2
5. Security Considerations
The security of cryptographic systems depends on both the strength of
the cryptographic algorithms chosen and the strength of the keys used
with those algorithms. The security also depends on the engineering
of the protocol used by the system to ensure that there are no non-
cryptographic ways to bypass the security of the overall system.
This document concerns itself with the selection of cryptographic
algorithms for the use of DNSSEC, specifically with the selection of
"mandatory-to-implement" algorithms. The algorithms identified in
this document as MUST or RECOMMENDED to implement are not known to be
broken at the current time, and cryptographic research so far leads
us to believe that they are likely to remain secure into the
foreseeable future. However, this isn't necessarily forever, and it
is expected that new revisions of this document will be issued from
time to time to reflect the current best practices in this area.
Retiring an algorithm too soon would result in a zone signed with the
retired algorithm being downgraded to the equivalent of an unsigned
zone. Therefore, algorithm deprecation must be done very slowly and
only after careful consideration and measurement of its use.
6. Operational Considerations
DNSKEY algorithm rollover in a live zone is a complex process. See
[RFC6781] and [RFC7583] for guidelines on how to perform algorithm
rollovers.
Hardaker & Kumari Expires 30 August 2024 [Page 7]
Internet-Draft title February 2024
DS algorithm rollover in a live zone is also a complex process.
Upgrading algorithm at the same time as rolling the new KSK key will
lead to DNSSEC validation failures, and users MUST upgrade the DS
algorithm first before rolling the Key Signing Key.
7. IANA Considerations
The IANA is requested to update the [DNSKEY-IANA] and [DS-IANA]
registries as follows:
* Add "Recommended for DNSSSEC Signing" and "Recommended for DNSSSEC
Validation" columns to the "DNS Security Algorithm Numbers"
registry ([DNSKEY-IANA]) and populate these columens with the
values from Table 1.
* Add a "Recommended" column to the "Digest Algorithms" registry
([DS-IANA]) and populate this column with the values from Table 2.
* Update the registration policy for the [DNSKEY-IANA] registry to
match the text describing update requirements above.
{Ed: We're not sure if this is the right policy, and this requires
a good discussion with the WG. The purpose of much of this
document is so that we can introduce TheNextBestAlgorithm by
documenting TheNextBestAlgorithm in a new RFC and having it
updating the IANA registry, instead of having to update RFC8624-
bis-bis-bis-bis. We also, obviously, don't want someone to do
something silly and mark an algorithm as "Recommended" without a
good reason. This implies Standards Track. On the other hand we
want to allow the ISE to add new algorithms (like the latest GOST
algorithm), and, rightly or wrongly, the ISE doesn't publishes Std
Track RFCs. Standards Action or IESG Approval seems like a
reasonable compromise, but I'm not sure if it's the right one. We
hope to present this to the WG at IEFT119 and get feedback.}
8. Acknowledgments
This document is based on, and extends, RFC 8624, which was authored
by Paul Wouters, and Ondrej Sury.
9. References
9.1. Normative References
[DNSKEY-IANA]
IANA, "Domain Name System Security (DNSSEC) Algorithm
Numbers", n.d., <https://www.iana.org/assignments/dns-sec-
alg-numbers/dns-sec-alg-numbers.xhtml>.
Hardaker & Kumari Expires 30 August 2024 [Page 8]
Internet-Draft title February 2024
[DS-IANA] IANA, "Delegation Signer (DS) Resource Record (RR) Type
Digest Algorithms", n.d.,
<http://www.iana.org/assignments/ds-rr-types>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8624] Wouters, P. and O. Sury, "Algorithm Implementation
Requirements and Usage Guidance for DNSSEC", RFC 8624,
DOI 10.17487/RFC8624, June 2019,
<https://www.rfc-editor.org/rfc/rfc8624>.
9.2. Informative References
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/rfc/rfc4034>.
[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
Security (DNSSEC) Hashed Authenticated Denial of
Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,
<https://www.rfc-editor.org/rfc/rfc5155>.
[RFC5702] Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY
and RRSIG Resource Records for DNSSEC", RFC 5702,
DOI 10.17487/RFC5702, October 2009,
<https://www.rfc-editor.org/rfc/rfc5702>.
[RFC5933] Dolmatov, V., Ed., Chuprina, A., and I. Ustinov, "Use of
GOST Signature Algorithms in DNSKEY and RRSIG Resource
Records for DNSSEC", RFC 5933, DOI 10.17487/RFC5933, July
2010, <https://www.rfc-editor.org/rfc/rfc5933>.
[RFC6605] Hoffman, P. and W.C.A. Wijngaards, "Elliptic Curve Digital
Signature Algorithm (DSA) for DNSSEC", RFC 6605,
DOI 10.17487/RFC6605, April 2012,
<https://www.rfc-editor.org/rfc/rfc6605>.
Hardaker & Kumari Expires 30 August 2024 [Page 9]
Internet-Draft title February 2024
[RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
Operational Practices, Version 2", RFC 6781,
DOI 10.17487/RFC6781, December 2012,
<https://www.rfc-editor.org/rfc/rfc6781>.
[RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking,
"DNSSEC Key Rollover Timing Considerations", RFC 7583,
DOI 10.17487/RFC7583, October 2015,
<https://www.rfc-editor.org/rfc/rfc7583>.
[RFC8080] Sury, O. and R. Edmonds, "Edwards-Curve Digital Security
Algorithm (EdDSA) for DNSSEC", RFC 8080,
DOI 10.17487/RFC8080, February 2017,
<https://www.rfc-editor.org/rfc/rfc8080>.
[TLS-ciphersuites]
IANA, "Transport Layer Security (TLS) Parameters", n.d.,
<https://www.iana.org/assignments/tls-parameters/tls-
parameters.xhtml#tls-parameters-4>.
Appendix A. ChangeLog
A.1. Changes since RFC8624
* The primary purpose of this revision is to introduce the new
columns to existing registries. It makes no changes to the
previously defined values.
* Merged in RFC9157 updates.
* Set authors as Wes Hardaker, Warren Kumari.
Authors' Addresses
Wes Hardaker
USC/ISI
Email: ietf@hardakers.net
Warren Kumari
Google
Email: warren@kumari.net
Hardaker & Kumari Expires 30 August 2024 [Page 10]