Internet-Draft title February 2024
Hardaker & Kumari Expires 30 August 2024 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-hardaker-dnsop-rfc8624-bis-02
Published:
Intended Status:
Informational
Expires:
Authors:
W. Hardaker
USC/ISI
W. Kumari
Google

DNSSEC Cryptographic Algorithms

Abstract

[EDITOR NOTE: This document does not change the status (MUST, MAY, RECOMMENDED, etc) of any of the algorithms listed in [RFC8624]; that is the work of future documents. Instead, this document moves the canonical list of algorithms from [RFC8624] to an IANA registry. This is done for two reasons: 1) to allow the list to be updated more easily, and, much more importantly, 2) to allow the list to be more easily referenced.]

The DNSSEC protocol makes use of various cryptographic algorithms to provide authentication of DNS data and proof of non-existence. To ensure interoperability between DNS resolvers and DNS authoritative servers, it is necessary to specify both a set of algorithm implementation requirements and usage guidelines to ensure that there is at least one algorithm that all implementations support. This document updates [RFC8624] by moving the canonical source of algorithm implementation requirements and usage guidance for DNSSEC from [RFC8624] to an IANA registry. Future extensions to this registry can be made under new, incremental update RFCs.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 30 August 2024.

Table of Contents

1. Introduction

DNS Security Extensions (DNSSEC) [RFC4034] is used to provide authentication of DNS data. The DNSSEC signing algorithms are defined by various RFCs, including [RFC4034], [RFC5155], [RFC5702], [RFC5933], [RFC6605], [RFC8080]. To ensure interoperability, a set of "mandatory-to-implement" DNSKEY algorithms are defined in [RFC8624]. To make the current status of the algorithms more easily accessible and understandable, this document moves the canonical status of the algorithms from [RFC8624] to the IANA DNSSEC algorithm registries. [ Editor: This is similar to the process used for the [TLS-ciphersuites] registry, where the canonical list of ciphersuites is in the IANA registry, and the RFCs reference the IANA registry. ]

This document simply moves the canonical list of algorithms from [RFC8624] to the IANA registry, and defines the registry policies for updating the registry. It does not change the status of any of the algorithms listed in [RFC8624]; this is left to future documents.

1.1. Document Audience

The recommendations of this document mostly target DNSSEC implementers, as implementations need to meet both high security expectations as well as high interoperability between various vendors and with different versions. Interoperability requires a smooth transition to more secure algorithms. This perspective may differ from that of a user who wishes to deploy and configure DNSSEC with only the safest algorithm. On the other hand, the comments and recommendations in this document are also expected to be useful for such users.

1.2. Updating Algorithm Implementation Requirements and Usage Guidance

The field of cryptography evolves continuously. New, stronger algorithms appear, and existing algorithms may be found to be less secure then originally thought. Therefore, algorithm implementation requirements and usage guidance need to be updated from time to time in order to reflect the new reality. Cryptographic algorithm choices implemented in and required by software must be conservative to minimize the risk of algorithm compromise.

1.3. Updating Algorithm Requirement Levels

By the time a DNSSEC cryptographic algorithm is made mandatory-to-implement, it should already be available in most implementations. This document attempts to identify and introduce those algorithms for future mandatory-to-implement status. There is no guarantee that algorithms in use today will become mandatory to implement in the future. Published algorithms are continuously subjected to cryptographic attack and may become too weak, or even be completely broken, before this document is updated.

It is expected that the deprecation of an algorithm will be performed gradually. This provides time for implementations to update their implemented algorithms while remaining interoperable. Unless there are strong security reasons, an algorithm is expected to be downgraded from MUST to NOT RECOMMENDED or MAY, instead of directly from MUST to MUST NOT. Similarly, an algorithm that has not been mentioned as mandatory-to-implement is expected to be first introduced as RECOMMENDED instead of a MUST.

Since the effect of using an unknown DNSKEY algorithm is that the zone is treated as insecure, it is recommended that algorithms downgraded to NOT RECOMMENDED or lower not be used by authoritative nameservers and DNSSEC signers to create new DNSKEY's. This will allow for deprecated algorithms to become used less and less over time. Once an algorithm has reached a sufficiently low level of deployment, it can be marked as MUST NOT, so that recursive resolvers can remove support for validating it.

Validating recursive resolvers are encouraged to retain support for all algorithms not marked as MUST NOT.

1.4. Requirements notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

[RFC2119] considers the term SHOULD equivalent to RECOMMENDED, and SHOULD NOT equivalent to NOT RECOMMENDED. The authors of this document have chosen to use the terms RECOMMENDED and NOT RECOMMENDED, as this more clearly expresses the recommendations to implementers.

3. DNS System Algorithm Numbers Column Values

Initial recommendation columns of implementation recommendations for the "Domain Name System Security (DNSSEC) Algorithm Numbers" are show in Table 1.

Table 2
    Recommended for Recommended for
Number Mnemonics DNSSEC Signing DNSSEC Validation
1 RSAMD5 MUST NOT MUST NOT
3 DSA MUST NOT MUST NOT
5 RSASHA1 MUST NOT SHOULD NOT
6 DSA-NSEC3-SHA1 MUST NOT MUST NOT
7 RSASHA1-NSEC3-SHA1 MUST NOT SHOULD NOT
8 RSASHA256 MUST MUST
10 RSASHA512 NOT MUST
    RECOMMENDED  
12 ECC-GOST MUST NOT MUST NOT
13 ECDSAP256SHA256 MUST MUST
14 ECDSAP384SHA384 MAY RECOMMENDED
15 ED25519 RECOMMENDED RECOMMENDED
16 ED448 MAY RECOMMENDED
                                Table 1

4. DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms Column Values

Initial recommendation columns of implementation recommendations for the "DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms" registry are shown in Table 2.

Table 3
Number Mnemonics DNSSEC Delegation DNSSEC Validation
0 NULL (CDS only) MUST NOT [*] MUST NOT [*]
1 SHA-1 MUST NOT MUST
2 SHA-256 MUST MUST
3 GOST R 34.11-94 MUST NOT MAY
4 SHA-384 MAY RECOMMENDED
                                Table 2

5. Security Considerations

The security of cryptographic systems depends on both the strength of the cryptographic algorithms chosen and the strength of the keys used with those algorithms. The security also depends on the engineering of the protocol used by the system to ensure that there are no non- cryptographic ways to bypass the security of the overall system.

This document concerns itself with the selection of cryptographic algorithms for the use of DNSSEC, specifically with the selection of "mandatory-to-implement" algorithms. The algorithms identified in this document as MUST or RECOMMENDED to implement are not known to be broken at the current time, and cryptographic research so far leads us to believe that they are likely to remain secure into the foreseeable future. However, this isn't necessarily forever, and it is expected that new revisions of this document will be issued from time to time to reflect the current best practices in this area.

Retiring an algorithm too soon would result in a zone signed with the retired algorithm being downgraded to the equivalent of an unsigned zone. Therefore, algorithm deprecation must be done very slowly and only after careful consideration and measurement of its use.

6. Operational Considerations

DNSKEY algorithm rollover in a live zone is a complex process. See [RFC6781] and [RFC7583] for guidelines on how to perform algorithm rollovers.

DS algorithm rollover in a live zone is also a complex process. Upgrading algorithm at the same time as rolling the new KSK key will lead to DNSSEC validation failures, and users MUST upgrade the DS algorithm first before rolling the Key Signing Key.

7. IANA Considerations

The IANA is requested to update the [DNSKEY-IANA] and [DS-IANA] registries as follows:

8. Acknowledgments

This document is based on, and extends, RFC 8624, which was authored by Paul Wouters, and Ondrej Sury.

9. References

9.1. Normative References

[DNSKEY-IANA]
IANA, "Domain Name System Security (DNSSEC) Algorithm Numbers", n.d., <https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml>.
[DS-IANA]
IANA, "Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms", n.d., <http://www.iana.org/assignments/ds-rr-types>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8624]
Wouters, P. and O. Sury, "Algorithm Implementation Requirements and Usage Guidance for DNSSEC", RFC 8624, DOI 10.17487/RFC8624, , <https://www.rfc-editor.org/rfc/rfc8624>.

9.2. Informative References

[RFC4034]
Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, , <https://www.rfc-editor.org/rfc/rfc4034>.
[RFC5155]
Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS Security (DNSSEC) Hashed Authenticated Denial of Existence", RFC 5155, DOI 10.17487/RFC5155, , <https://www.rfc-editor.org/rfc/rfc5155>.
[RFC5702]
Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC", RFC 5702, DOI 10.17487/RFC5702, , <https://www.rfc-editor.org/rfc/rfc5702>.
[RFC5933]
Dolmatov, V., Ed., Chuprina, A., and I. Ustinov, "Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC", RFC 5933, DOI 10.17487/RFC5933, , <https://www.rfc-editor.org/rfc/rfc5933>.
[RFC6605]
Hoffman, P. and W.C.A. Wijngaards, "Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC", RFC 6605, DOI 10.17487/RFC6605, , <https://www.rfc-editor.org/rfc/rfc6605>.
[RFC6781]
Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC Operational Practices, Version 2", RFC 6781, DOI 10.17487/RFC6781, , <https://www.rfc-editor.org/rfc/rfc6781>.
[RFC7583]
Morris, S., Ihren, J., Dickinson, J., and W. Mekking, "DNSSEC Key Rollover Timing Considerations", RFC 7583, DOI 10.17487/RFC7583, , <https://www.rfc-editor.org/rfc/rfc7583>.
[RFC8080]
Sury, O. and R. Edmonds, "Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC", RFC 8080, DOI 10.17487/RFC8080, , <https://www.rfc-editor.org/rfc/rfc8080>.
[TLS-ciphersuites]
IANA, "Transport Layer Security (TLS) Parameters", n.d., <https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4>.

Appendix A. ChangeLog

A.1. Changes since RFC8624

  • The primary purpose of this revision is to introduce the new columns to existing registries. It makes no changes to the previously defined values.

  • Merged in RFC9157 updates.

  • Set authors as Wes Hardaker, Warren Kumari.

Authors' Addresses

Wes Hardaker
USC/ISI
Warren Kumari
Google