rfc9904xml2.original.xml   rfc9904.xml 
<?xml version="1.0" encoding="UTF-8"?> <?xml version='1.0' encoding='utf-8'?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" ipr="trust200902" do
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.29 (Ruby 3. cName="draft-ietf-dnsop-rfc8624-bis-13" number="9904" category="std" consensus="
4.2) --> true" submissionType="IETF" obsoletes="8624" updates="9157" tocInclude="true" so
rtRefs="true" symRefs="true" xml:lang="en" prepTime="2025-11-30T15:58:15" indexI
<!DOCTYPE rfc [ nclude="true" scripts="Common,Latin" tocDepth="3">
<!ENTITY nbsp "&#160;"> <link href="https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8624-bis-13"
<!ENTITY zwsp "&#8203;"> rel="prev"/>
<!ENTITY nbhy "&#8209;"> <link href="https://dx.doi.org/10.17487/rfc9904" rel="alternate"/>
<!ENTITY wj "&#8288;"> <link href="urn:issn:2070-1721" rel="alternate"/>
]>
<?rfc docmapping="yes"?>
<rfc ipr="trust200902" docName="draft-ietf-dnsop-rfc8624-bis-13" category="std"
consensus="true" submissionType="IETF" obsoletes="8624" updates="9157" tocInclud
e="true" sortRefs="true" symRefs="true">
<front> <front>
<title abbrev="DNSSEC Algorithms Update Process">DNSSEC Cryptographic Algori thm Recommendation Update Process</title> <title abbrev="DNSSEC Algorithms Update Process">DNSSEC Cryptographic Algori thm Recommendation Update Process</title>
<seriesInfo name="RFC" value="9904" stream="IETF"/>
<author initials="W." surname="Hardaker" fullname="Wes Hardaker"> <author initials="W." surname="Hardaker" fullname="Wes Hardaker">
<organization>USC/ISI</organization> <organization showOnFrontPage="true">USC/ISI</organization>
<address> <address>
<email>ietf@hardakers.net</email> <email>ietf@hardakers.net</email>
</address> </address>
</author> </author>
<author initials="W." surname="Kumari" fullname="Warren Kumari"> <author initials="W." surname="Kumari" fullname="Warren Kumari">
<organization>Google</organization> <organization showOnFrontPage="true">Google</organization>
<address> <address>
<email>warren@kumari.net</email> <email>warren@kumari.net</email>
</address> </address>
</author> </author>
<date month="11" year="2025"/>
<date year="2025" month="June" day="04"/> <area>OPS</area>
<workgroup>dnsop</workgroup>
<abstract> <abstract pn="section-abstract">
<t indent="0" pn="section-abstract-1">The DNSSEC protocol makes use of var
<?line 60?> ious cryptographic algorithms to provide
authentication of DNS data and proof of nonexistence. To ensure
<t>The DNSSEC protocol makes use of various cryptographic algorithms to provide
authentication of DNS data and proof of non-existence. To ensure
interoperability between DNS resolvers and DNS authoritative servers, it is interoperability between DNS resolvers and DNS authoritative servers, it is
necessary to specify both a set of algorithm implementation requirements and necessary to specify both a set of algorithm implementation requirements and
usage guidelines to ensure that there is at least one algorithm that all usage guidelines to ensure that there is at least one algorithm that all
implementations support. This document replaces and obsoletes RFC8624 and mo ves the implementations support. This document replaces and obsoletes RFC 8624 and mo ves the
canonical source of algorithm implementation requirements and usage guidance canonical source of algorithm implementation requirements and usage guidance
for DNSSEC from RFC8624 to an IANA registry. This is done both to allow for DNSSEC from RFC 8624 to the IANA DNSSEC algorithm registries. This is don
the list of requirements to be more easily updated, and to allow the list to e to allow
be more easily the list of requirements to be more easily updated and referenced.
referenced. Future extensions to this registry can be made under new, Extensions to these registries can be made in future RFCs.
incremental update RFCs. This document also incorporates the revised This document also updates RFC 9157 and incorporates the revised
IANA DNSSEC considerations from RFC9157.</t> IANA DNSSEC considerations from that RFC.</t>
<t indent="0" pn="section-abstract-2">This document does not change the re
<t>The document does not change the status (MUST, MAY, RECOMMENDED, etc.) commendation status (<bcp14>MUST</bcp14>, <bcp14>MAY</bcp14>, <bcp14>RECOMMENDED
of the algorithms listed in RFC8624; that is the work of future documents.</t </bcp14>, etc.)
> of the algorithms listed in RFC 8624; that is the work of future documents.</
t>
</abstract> </abstract>
<boilerplate>
<section anchor="status-of-memo" numbered="false" removeInRFC="false" toc=
"exclude" pn="section-boilerplate.1">
<name slugifiedName="name-status-of-this-memo">Status of This Memo</name
>
<t indent="0" pn="section-boilerplate.1-1">
This is an Internet Standards Track document.
</t>
<t indent="0" pn="section-boilerplate.1-2">
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
</t>
<t indent="0" pn="section-boilerplate.1-3">
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
<eref target="https://www.rfc-editor.org/info/rfc9904" brackets="non
e"/>.
</t>
</section>
<section anchor="copyright" numbered="false" removeInRFC="false" toc="excl
ude" pn="section-boilerplate.2">
<name slugifiedName="name-copyright-notice">Copyright Notice</name>
<t indent="0" pn="section-boilerplate.2-1">
Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved.
</t>
<t indent="0" pn="section-boilerplate.2-2">
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<eref target="https://trustee.ietf.org/license-info" brackets="none
"/>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.
</t>
</section>
</boilerplate>
<toc>
<section anchor="toc" numbered="false" removeInRFC="false" toc="exclude" p
n="section-toc.1">
<name slugifiedName="name-table-of-contents">Table of Contents</name>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="section-to
c.1-1">
<li pn="section-toc.1-1.1">
<t indent="0" pn="section-toc.1-1.1.1"><xref derivedContent="1" form
at="counter" sectionFormat="of" target="section-1"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-introduction">Introduction</xref><
/t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.1.2">
<li pn="section-toc.1-1.1.2.1">
<t indent="0" keepWithNext="true" pn="section-toc.1-1.1.2.1.1"><
xref derivedContent="1.1" format="counter" sectionFormat="of" target="section-1.
1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-do
cument-audience">Document Audience</xref></t>
</li>
<li pn="section-toc.1-1.1.2.2">
<t indent="0" keepWithNext="true" pn="section-toc.1-1.1.2.2.1"><
xref derivedContent="1.2" format="counter" sectionFormat="of" target="section-1.
2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-up
dating-algorithm-requirem">Updating Algorithm Requirement Levels</xref></t>
</li>
<li pn="section-toc.1-1.1.2.3">
<t indent="0" keepWithNext="true" pn="section-toc.1-1.1.2.3.1"><
xref derivedContent="1.3" format="counter" sectionFormat="of" target="section-1.
3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-re
quirements-notation">Requirements Notation</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.2">
<t indent="0" pn="section-toc.1-1.2.1"><xref derivedContent="2" form
at="counter" sectionFormat="of" target="section-2"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-adding-usage-and-implementa">Addin
g Usage and Implementation Recommendations to the IANA DNSSEC Algorithm Registri
es</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.2.2">
<li pn="section-toc.1-1.2.2.1">
<t indent="0" pn="section-toc.1-1.2.2.1.1"><xref derivedContent=
"2.1" format="counter" sectionFormat="of" target="section-2.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-column-descriptions">C
olumn Descriptions</xref></t>
</li>
<li pn="section-toc.1-1.2.2.2">
<t indent="0" pn="section-toc.1-1.2.2.2.1"><xref derivedContent=
"2.2" format="counter" sectionFormat="of" target="section-2.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-adding-and-changing-va
lues">Adding and Changing Values</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.3">
<t indent="0" pn="section-toc.1-1.3.1"><xref derivedContent="3" form
at="counter" sectionFormat="of" target="section-3"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-dns-security-algorithm-numb">DNS S
ecurity Algorithm Numbers Registry Column Values</xref></t>
</li>
<li pn="section-toc.1-1.4">
<t indent="0" pn="section-toc.1-1.4.1"><xref derivedContent="4" form
at="counter" sectionFormat="of" target="section-4"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-digest-algorithms-registry-">Diges
t Algorithms Registry Column Values</xref></t>
</li>
<li pn="section-toc.1-1.5">
<t indent="0" pn="section-toc.1-1.5.1"><xref derivedContent="5" form
at="counter" sectionFormat="of" target="section-5"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-security-considerations">Security
Considerations</xref></t>
</li>
<li pn="section-toc.1-1.6">
<t indent="0" pn="section-toc.1-1.6.1"><xref derivedContent="6" form
at="counter" sectionFormat="of" target="section-6"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-operational-considerations">Operat
ional Considerations</xref></t>
</li>
<li pn="section-toc.1-1.7">
<t indent="0" pn="section-toc.1-1.7.1"><xref derivedContent="7" form
at="counter" sectionFormat="of" target="section-7"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-iana-considerations">IANA Consider
ations</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.7.2">
<li pn="section-toc.1-1.7.2.1">
<t indent="0" pn="section-toc.1-1.7.2.1.1"><xref derivedContent=
"7.1" format="counter" sectionFormat="of" target="section-7.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-update-to-the-dns-secu
rity-">Update to the DNS Security Algorithm Numbers Registry</xref></t>
</li>
<li pn="section-toc.1-1.7.2.2">
<t indent="0" pn="section-toc.1-1.7.2.2.1"><xref derivedContent=
"7.2" format="counter" sectionFormat="of" target="section-7.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-update-to-the-digest-a
lgori">Update to the Digest Algorithms Registry</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.8">
<t indent="0" pn="section-toc.1-1.8.1"><xref derivedContent="8" form
at="counter" sectionFormat="of" target="section-8"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-references">References</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.8.2">
<li pn="section-toc.1-1.8.2.1">
<t indent="0" pn="section-toc.1-1.8.2.1.1"><xref derivedContent=
"8.1" format="counter" sectionFormat="of" target="section-8.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-normative-references">
Normative References</xref></t>
</li>
<li pn="section-toc.1-1.8.2.2">
<t indent="0" pn="section-toc.1-1.8.2.2.1"><xref derivedContent=
"8.2" format="counter" sectionFormat="of" target="section-8.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-informative-references
">Informative References</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.9">
<t indent="0" pn="section-toc.1-1.9.1"><xref derivedContent="" forma
t="none" sectionFormat="of" target="section-appendix.a"/><xref derivedContent=""
format="title" sectionFormat="of" target="name-acknowledgments">Acknowledgments
</xref></t>
</li>
<li pn="section-toc.1-1.10">
<t indent="0" pn="section-toc.1-1.10.1"><xref derivedContent="" form
at="none" sectionFormat="of" target="section-appendix.b"/><xref derivedContent="
" format="title" sectionFormat="of" target="name-authors-addresses">Authors' Add
resses</xref></t>
</li>
</ul>
</section>
</toc>
</front> </front>
<middle> <middle>
<section anchor="introduction" numbered="true" removeInRFC="false" toc="incl
<?line 78?> ude" pn="section-1">
<name slugifiedName="name-introduction">Introduction</name>
<section anchor="introduction"><name>Introduction</name> <t indent="0" pn="section-1-1">"DNS Security Extensions (DNSSEC)" <xref ta
rget="RFC9364" format="default" sectionFormat="of" derivedContent="RFC9364"/> is
<t>DNS Security Extensions (DNSSEC) <xref target="RFC9364"></xref> is used to pr used to provide
ovide
authentication of DNS data. The DNSSEC signing algorithms are authentication of DNS data. The DNSSEC signing algorithms are
defined by various RFCs, including <xref target="RFC4034"></xref>, <xref targ defined by various RFCs, including <xref target="RFC4034" format="default" se
et="RFC4509"></xref>, <xref target="RFC5155"></xref>, ctionFormat="of" derivedContent="RFC4034"/>, <xref target="RFC4509" format="defa
<xref target="RFC5702"></xref>, <xref target="RFC5933"></xref>, <xref target= ult" sectionFormat="of" derivedContent="RFC4509"/>, <xref target="RFC5155" forma
"RFC6605"></xref>, <xref target="RFC8080"></xref>.</t> t="default" sectionFormat="of" derivedContent="RFC5155"/>,
<xref target="RFC5702" format="default" sectionFormat="of" derivedContent="RF
<t>To ensure interoperability, a set of "mandatory to implement" C5702"/>, <xref target="RFC5933" format="default" sectionFormat="of" derivedCont
DNSKEY algorithms are defined in <xref target="RFC8624"></xref>. To make the ent="RFC5933"/>, <xref target="RFC6605" format="default" sectionFormat="of" deri
current vedContent="RFC6605"/>, and <xref target="RFC8080" format="default" sectionForma
t="of" derivedContent="RFC8080"/>.</t>
<t indent="0" pn="section-1-2">To ensure interoperability, a set of "manda
tory-to-implement"
DNS Public Key (DNSKEY) algorithms are defined in <xref target="RFC8624" form
at="default" sectionFormat="of" derivedContent="RFC8624"/>. To make the current
status of the algorithms more easily accessible and understandable, status of the algorithms more easily accessible and understandable,
and to make future changes to these recommendations easier to and to make future changes to these recommendations easier to
publish, this document moves the canonical status of the algorithms publish, this document moves the canonical status of the algorithms
from <xref target="RFC8624"></xref> to the IANA DNSSEC algorithm registries. from <xref target="RFC8624" format="default" sectionFormat="of" derivedConten
t="RFC8624"/> to the IANA DNSSEC algorithm registries.
This document also incorporates
the revised IANA DNSSEC considerations from <xref target="RFC9157" format="de
fault" sectionFormat="of" derivedContent="RFC9157"/>.
Additionally, as advice to operators, it adds recommendations for Additionally, as advice to operators, it adds recommendations for
deploying and the usage of these algorithms.</t> deploying and using these algorithms.</t>
<t indent="0" pn="section-1-3">This is similar to the process used for the
<t>This is similar to the process used for the <xref target="TLS-ciphersuites">< "TLS Cipher Suites" registry <xref target="TLS-ciphersuites" format="default" s
/xref> registry, ectionFormat="of" derivedContent="TLS-ciphersuites"/>,
where the canonical list of ciphersuites is in the IANA registry, and the where the canonical list of cipher suites is in the IANA registry, and
RFCs reference the IANA registry.</t> RFCs reference the IANA registry.</t>
<section anchor="document-audience" numbered="true" removeInRFC="false" to
<section anchor="document-audience"><name>Document Audience</name> c="include" pn="section-1.1">
<name slugifiedName="name-document-audience">Document Audience</name>
<t>The columns added to the IANA <xref target="DNSKEY-IANA">"DNS Security Algori <t indent="0" pn="section-1.1-1">The columns added to the IANA <xref tar
thm Numbers"</xref> get="DNSKEY-IANA" format="default" sectionFormat="of" derivedContent="DNSKEY-IAN
and <xref target="DS-IANA">"DNSSEC Delegation Signer (DS) Resource Record (RR A">"DNS Security Algorithm Numbers"</xref>
) Type Digest and <xref target="DS-IANA" format="default" sectionFormat="of" derivedContent
Algorithms"</xref> registries target DNSSEC operators and implementers.</t> ="DS-IANA">"Digest Algorithms"</xref> registries target DNSSEC operators and imp
lementers.</t>
<t>Implementations need to meet both high security expectations as <t indent="0" pn="section-1.1-2">Implementations need to meet high secur
ity expectations as
well as provide interoperability between various implementations and with well as provide interoperability between various implementations and with
different versions.</t> different versions.</t>
<t indent="0" pn="section-1.1-3">The field of cryptography evolves conti
<t>The field of cryptography evolves continuously. New, stronger algorithms nuously. New, stronger algorithms
appear, and existing algorithms may be found to be less secure than appear, and existing algorithms may be found to be less secure than
originally thought. Therefore, algorithm implementation requirements and originally thought. Therefore, algorithm implementation requirements and
usage guidance need to be updated from time to time in order to reflect the usage guidance need to be updated from time to time in order to reflect the
new reality, and to allow for a smooth transition to more secure algorithms, new reality and to allow for a smooth transition to more secure algorithms
as well as deprecation of algorithms deemed to no longer be secure.</t> as well as the deprecation of algorithms deemed to no longer be secure.</t>
<t indent="0" pn="section-1.1-4">Implementations need to be conservative
<t>Implementations need to be conservative in the selection of in the selection of
algorithms they implement in order to minimize both code complexity algorithms they implement in order to minimize both code complexity
and the attack surface.</t> and the attack surface.</t>
<t indent="0" pn="section-1.1-5">The perspective of implementers may dif
<t>The perspective of implementers may differ from that of an operator fer from that of an operator
who wishes to deploy and configure DNSSEC with only the safest who wishes to deploy and configure DNSSEC with only the safest
algorithm. As such this document also adds new recommendations algorithm. As such, this document also adds new recommendations
about which algorithms should be deployed regardless of about which algorithms should be deployed regardless of
implementation status. In general, it is expected that deployment implementation status. In general, it is expected that deployment
of aging algorithms should generally be reduced before of aging algorithms should generally be reduced before
implementations stop supporting them.</t> implementations stop supporting them.</t>
</section>
</section> <section anchor="updating-algorithm-requirement-levels" numbered="true" re
<section anchor="updating-algorithm-requirement-levels"><name>Updating Algorithm moveInRFC="false" toc="include" pn="section-1.2">
Requirement Levels</name> <name slugifiedName="name-updating-algorithm-requirem">Updating Algorith
m Requirement Levels</name>
<t>By the time a DNSSEC cryptographic algorithm is made <t indent="0" pn="section-1.2-1">By the time a DNSSEC cryptographic algo
rithm is made
mandatory to implement, it should already be available in most mandatory to implement, it should already be available in most
implementations. This document defines an IANA registration implementations. This document defines an IANA registration
modification to allow future documents to specify the modification to allow future documents to specify the
implementation recommendations for each algorithm, as the implementation recommendations for each algorithm, as the
recommendation status of each DNSSEC cryptographic algorithm is recommendation status of each DNSSEC cryptographic algorithm is
expected to change over time. For example, there is no guarantee expected to change over time. For example, there is no guarantee
that newly introduced algorithms will become mandatory to implement that newly introduced algorithms will become mandatory to implement
in the future. Likewise, published algorithms are continuously in the future. Likewise, published algorithms are continuously
subjected to cryptographic attack and may become too weak, or even subjected to cryptographic attack and may become too weak, or even
be completely broken, and will require deprecation in the future.</t> be completely broken, and will require deprecation in the future.</t>
<t indent="0" pn="section-1.2-2">It is expected that the deprecation of
<t>It is expected that the deprecation of an algorithm will be performed an algorithm will be performed
gradually. This provides time for implementations to update gradually. This provides time for implementations to update
their implemented algorithms while remaining interoperable. Unless their implemented algorithms while remaining interoperable. Unless
there are strong security reasons, an algorithm is expected to be there are strong security reasons, an algorithm is expected to be
downgraded from MUST to NOT RECOMMENDED or MAY, instead of directly downgraded from <bcp14>MUST</bcp14> to <bcp14>NOT RECOMMENDED</bcp14> or <bcp
from MUST to MUST NOT. Similarly, an algorithm that has not been 14>MAY</bcp14>, instead of directly
from <bcp14>MUST</bcp14> to <bcp14>MUST NOT</bcp14>. Similarly, an algorithm
that has not been
mentioned as mandatory to implement is expected to be first introduced mentioned as mandatory to implement is expected to be first introduced
as RECOMMENDED instead of a MUST.</t> as <bcp14>RECOMMENDED</bcp14> instead of a <bcp14>MUST</bcp14>.</t>
<t indent="0" pn="section-1.2-3">Since the effect of using an unknown DN
<t>Since the effect of using an unknown DNSKEY algorithm is that the SKEY algorithm is that the
zone is treated as insecure, it is recommended that algorithms zone is treated as insecure, it is recommended that algorithms
which have been downgraded to NOT RECOMMENDED or lower not be used that have been downgraded to <bcp14>NOT RECOMMENDED</bcp14> or lower not be u sed
by authoritative nameservers and DNSSEC signers to create new by authoritative nameservers and DNSSEC signers to create new
DNSKEY's. This ensures that the use of deprecated algorithms DNSKEYs. This ensures that the use of deprecated algorithms
decreases over time. Once an algorithm has reached a sufficiently decreases over time. Once an algorithm has reached a sufficiently
low level of deployment, it can be marked as MUST NOT, so that low level of deployment, it can be marked as <bcp14>MUST NOT</bcp14>, so that
recursive resolvers can remove support for validating it.</t> recursive resolvers can remove support for validating it.</t>
<t indent="0" pn="section-1.2-4">Validating recursive resolvers are enco
<t>Validating recursive resolvers are encouraged to retain support for all uraged to retain support for all
algorithms not marked as MUST NOT.</t> algorithms not marked as <bcp14>MUST NOT</bcp14>.</t>
</section>
</section> <section anchor="requirements-notation" numbered="true" removeInRFC="false
<section anchor="requirements-notation"><name>Requirements notation</name> " toc="include" pn="section-1.3">
<name slugifiedName="name-requirements-notation">Requirements Notation</
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", name>
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", <t indent="0" pn="section-1.3-1">
and "OPTIONAL" in this document are to be interpreted as described The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only wh IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOUL
en, they appear D</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>N
in all capitals, as shown here.</t> OT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
<t><xref target="RFC2119"></xref> considers the term SHOULD to be equivalent to be interpreted as
RECOMMENDED, and described in BCP 14 <xref target="RFC2119" format="default" sectionFormat="o
SHOULD NOT equivalent to NOT RECOMMENDED. This document has f" derivedContent="RFC2119"/> <xref target="RFC8174" format="default" sectionFor
chosen to use the terms RECOMMENDED and NOT RECOMMENDED, as this mat="of" derivedContent="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
<t indent="0" pn="section-1.3-2"><xref target="RFC2119" format="default"
sectionFormat="of" derivedContent="RFC2119"/> considers the term <bcp14>SHOULD<
/bcp14> to be equivalent to <bcp14>RECOMMENDED</bcp14>, and
<bcp14>SHOULD NOT</bcp14> equivalent to <bcp14>NOT RECOMMENDED</bcp14>. This
document has
chosen to use the terms <bcp14>RECOMMENDED</bcp14> and <bcp14>NOT RECOMMENDED
</bcp14>, as this
more clearly expresses the recommendations to implementers.</t> more clearly expresses the recommendations to implementers.</t>
</section>
</section> </section>
</section> <section anchor="adding-usage-and-implementation-recommendations-to-the-iana
<section anchor="adding-usage-and-implementation-recommendations-to-the-iana-dns -dnssec-registries" numbered="true" removeInRFC="false" toc="include" pn="sectio
sec-registries"><name>Adding usage and implementation recommendations to the IAN n-2">
A DNSSEC registries</name> <name slugifiedName="name-adding-usage-and-implementa">Adding Usage and Im
plementation Recommendations to the IANA DNSSEC Algorithm Registries</name>
<t>Per this document, the following columns are being added to the <t indent="0" pn="section-2-1">Per this document, the following columns ha
following DNSSEC algorithm registries maintained with IANA:</t> ve been added to the
corresponding DNSSEC algorithm registries maintained by IANA:</t>
<texttable title="Columns to add to existing DNSSEC algorithm registries" anchor <table anchor="columns" align="center" pn="table-1">
="columns"> <name slugifiedName="name-columns-added-to-existing-d">Columns Added to
<ttcol align='left'>Registry</ttcol> Existing DNSSEC Algorithm Registries</name>
<ttcol align='left'>Column added</ttcol> <thead>
<c>DNS Security Algorithm Numbers</c> <tr>
<c>Use for DNSSEC Signing</c> <th align="left" colspan="1" rowspan="1">Registry</th>
<c>DNS Security Algorithm Numbers</c> <th align="left" colspan="1" rowspan="1">Column Added</th>
<c>Use for DNSSEC Validation</c> </tr>
<c>DNS Security Algorithm Numbers</c> </thead>
<c>Implement for DNSSEC Signing</c> <tbody>
<c>DNS Security Algorithm Numbers</c> <tr>
<c>Implement for DNSSEC Validation</c> <td align="left" colspan="1" rowspan="1">DNS Security Algorithm Numb
<c>Digest Algorithm</c> ers</td>
<c>Use for DNSSEC Delegation</c> <td align="left" colspan="1" rowspan="1">Use for DNSSEC Signing</td>
<c>Digest Algorithm</c> </tr>
<c>Use for DNSSEC Validation</c> <tr>
<c>Digest Algorithm</c> <td align="left" colspan="1" rowspan="1">DNS Security Algorithm Numb
<c>Implement for DNSSEC Delegation</c> ers</td>
<c>Digest Algorithm</c> <td align="left" colspan="1" rowspan="1">Use for DNSSEC Validation</
<c>Implement for DNSSEC Validation</c> td>
</texttable> </tr>
<tr>
<section anchor="column-descriptions"><name>Column Descriptions</name> <td align="left" colspan="1" rowspan="1">DNS Security Algorithm Numb
ers</td>
<t>The intended usage of the four columns in the "DNS Security Algorithm <td align="left" colspan="1" rowspan="1">Implement for DNSSEC Signin
Numbers" table are:</t> g</td>
</tr>
<dl> <tr>
<dt>Use for DNSSEC Signing:</dt> <td align="left" colspan="1" rowspan="1">DNS Security Algorithm Numb
<dd> ers</td>
<t>Indicates the recommendation for using the algorithm within <td align="left" colspan="1" rowspan="1">Implement for DNSSEC Valida
tion</td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">Digest Algorithms</td>
<td align="left" colspan="1" rowspan="1">Use for DNSSEC Delegation</
td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">Digest Algorithms</td>
<td align="left" colspan="1" rowspan="1">Use for DNSSEC Validation</
td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">Digest Algorithms</td>
<td align="left" colspan="1" rowspan="1">Implement for DNSSEC Delega
tion</td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">Digest Algorithms</td>
<td align="left" colspan="1" rowspan="1">Implement for DNSSEC Valida
tion</td>
</tr>
</tbody>
</table>
<section anchor="column-descriptions" numbered="true" removeInRFC="false"
toc="include" pn="section-2.1">
<name slugifiedName="name-column-descriptions">Column Descriptions</name
>
<t indent="0" pn="section-2.1-1">The intended usage of the four columns
in the "DNS Security Algorithm
Numbers" registry is as follows:</t>
<dl indent="3" newline="false" spacing="normal" pn="section-2.1-2">
<dt pn="section-2.1-2.1">Use for DNSSEC Signing:</dt>
<dd pn="section-2.1-2.2">
<t indent="0" pn="section-2.1-2.2.1">Indicates the recommendation fo
r using the algorithm within
authoritative servers.</t> authoritative servers.</t>
</dd> </dd>
<dt>Use for DNSSEC Validation:</dt> <dt pn="section-2.1-2.3">Use for DNSSEC Validation:</dt>
<dd> <dd pn="section-2.1-2.4">
<t>Indicates the recommendation for using the algorithm in DNSSEC <t indent="0" pn="section-2.1-2.4.1">Indicates the recommendation fo
r using the algorithm in DNSSEC
validators.</t> validators.</t>
</dd> </dd>
<dt>Implement for DNSSEC Signing:</dt> <dt pn="section-2.1-2.5">Implement for DNSSEC Signing:</dt>
<dd> <dd pn="section-2.1-2.6">
<t>Indicates the recommendation for implementing the algorithm within <t indent="0" pn="section-2.1-2.6.1">Indicates the recommendation fo
r implementing the algorithm within
DNSSEC signing software.</t> DNSSEC signing software.</t>
</dd> </dd>
<dt>Implement for DNSSEC Validation:</dt> <dt pn="section-2.1-2.7">Implement for DNSSEC Validation:</dt>
<dd> <dd pn="section-2.1-2.8">
<t>Indicates the recommendation for implementing the algorithm within <t indent="0" pn="section-2.1-2.8.1">Indicates the recommendation fo
r implementing the algorithm within
DNSSEC validators.</t> DNSSEC validators.</t>
</dd> </dd>
</dl> </dl>
<t indent="0" pn="section-2.1-3">The intended usage of the four columns
<t>The intended usage of the four columns in the "Digest Algorithm" table are:</ in the "Digest Algorithms" registry is as follows:</t>
t> <dl indent="3" newline="false" spacing="normal" pn="section-2.1-4">
<dt pn="section-2.1-4.1">Use for DNSSEC Delegation:</dt>
<dl> <dd pn="section-2.1-4.2">
<dt>Use for DNSSEC Delegation:</dt> <t indent="0" pn="section-2.1-4.2.1">Indicates the recommendation fo
<dd> r using the algorithm within
<t>Indicates the recommendation for using the algorithm within
authoritative servers.</t> authoritative servers.</t>
</dd> </dd>
<dt>Use for DNSSEC Validation:</dt> <dt pn="section-2.1-4.3">Use for DNSSEC Validation:</dt>
<dd> <dd pn="section-2.1-4.4">
<t>Indicates the recommendation for using the algorithm in DNSSEC <t indent="0" pn="section-2.1-4.4.1">Indicates the recommendation fo
r using the algorithm in DNSSEC
validators.</t> validators.</t>
</dd> </dd>
<dt>Implement for DNSSEC Delegation:</dt> <dt pn="section-2.1-4.5">Implement for DNSSEC Delegation:</dt>
<dd> <dd pn="section-2.1-4.6">
<t>Indicates the recommendation for implementing the algorithm within <t indent="0" pn="section-2.1-4.6.1">Indicates the recommendation fo
r implementing the algorithm within
authoritative servers.</t> authoritative servers.</t>
</dd> </dd>
<dt>Implement for DNSSEC Validation:</dt> <dt pn="section-2.1-4.7">Implement for DNSSEC Validation:</dt>
<dd> <dd pn="section-2.1-4.8">
<t>Indicates the recommendation for implementing the algorithm within <t indent="0" pn="section-2.1-4.8.1">Indicates the recommendation fo
r implementing the algorithm within
validating resolvers.</t> validating resolvers.</t>
</dd> </dd>
</dl> </dl>
</section>
</section> <section anchor="adding-and-changing-values" numbered="true" removeInRFC="
<section anchor="adding-and-changing-values"><name>Adding and Changing Values</n false" toc="include" pn="section-2.2">
ame> <name slugifiedName="name-adding-and-changing-values">Adding and Changin
g Values</name>
<t>Adding a new entry to the "DNS System Algorithm Numbers" registry <t indent="0" pn="section-2.2-1">
with a recommended value of "MAY" in the "Use for DNSSEC Signing", The following note describing the procedures for adding and
changing values has been added to the "DNS Security Algorithm
Numbers" registry:
</t>
<blockquote pn="section-2.2-2">
<t indent="0" pn="section-2.2-2.1">Adding a new entry to the "DNS Secu
rity Algorithm Numbers" registry
with a recommended value of "<bcp14>MAY</bcp14>" in the "Use for DNSSEC Signi
ng",
"Use for DNSSEC Validation", "Implement for DNSSEC Signing", or "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or
"Implement for DNSSEC Validation" columns will subject to the "Implement for DNSSEC Validation" columns will be subject to the
"Specification Required" policy as defined in <xref target="RFC8126"></xref> Specification Required policy as defined in <xref target="RFC8126" format="de
in order to fault" sectionFormat="of" derivedContent="RFC8126"/> in order to
promote continued evolution of DNSSEC algorithms and DNSSEC promote continued evolution of DNSSEC algorithms and DNSSEC
agility. New entries added through the "Specification Required" agility. New entries added through the Specification Required
process will have the value of "MAY" for all columns. (Ed note (RFC process will have the value of "<bcp14>MAY</bcp14>" for all columns.
Editor - please delete this before publication): As a reminder: the </t>
"Specification Required" policy includes a requirement for a <t indent="0" pn="section-2.2-2.2">Adding a new entry to, or changing
designated expert to review the request.)</t> an existing value in,
the "DNS Security Algorithm Numbers" registry that has any value other than "
<t>Adding a new entry to, or changing existing values in, <bcp14>MAY</bcp14>" in the "Use for
the "DNS System Algorithm Numbers" registry for the "Use for
DNSSEC Signing", "Use for DNSSEC Validation", "Implement for DNSSEC Signing", "Use for DNSSEC Validation", "Implement for
DNSSEC Signing", or "Implement for DNSSEC Validation" columns to DNSSEC Signing", or "Implement for DNSSEC Validation" columns requires Standa
any other value than "MAY" requires a Standards Action.</t> rds Action.</t>
<t indent="0" pn="section-2.2-2.3">If an item is not marked as "<bcp14
<t>Adding a new entry to the "Digest Algorithms" registry with a >RECOMMENDED</bcp14>", it does not necessarily
recommended value of "MAY" in the "Use for DNSSEC Delegation", mean that it is flawed; rather, it indicates that the item either
has not been through the IETF consensus process, has limited
applicability, or is intended only for specific use cases.</t>
</blockquote>
<t indent="0" pn="section-2.2-3">
The following note has been added to the "Digest Algorithms" registry:
</t>
<blockquote pn="section-2.2-4">
<t indent="0" pn="section-2.2-4.1">Adding a new entry to the "Digest A
lgorithms" registry with a
recommended value of "<bcp14>MAY</bcp14>" in the "Use for DNSSEC Delegation",
"Use for DNSSEC Validation", "Implement for DNSSEC Delegation", "Use for DNSSEC Validation", "Implement for DNSSEC Delegation",
or "Implement for DNSSEC Validation" columns SHALL follow the or "Implement for DNSSEC Validation" columns <bcp14>SHALL</bcp14> follow the
"Specification Required" policy as defined in <xref target="RFC8126"></xref>. Specification Required policy as defined in <xref target="RFC8126" format
</t> ="default" sectionFormat="of" derivedContent="RFC8126"/>.</t>
<t indent="0" pn="section-2.2-4.2">Adding a new entry to, or changing
<t>Adding a new entry to, or changing existing values in, an existing value in,
the "DNS System Algorithm Numbers" registry for the "Use for the "Digest Algorithms" registry that has any value other than "<bcp14>MAY</
DNSSEC Delegation", "Use for DNSSEC Validation", "Implement for bcp14>"
DNSSEC Delegation", or "Implement for DNSSEC Validation" columns in the "Use for DNSSEC Delegation", "Use for DNSSEC Validation", "Implement f
to any other value than "MAY" requires a Standards Action.</t> or
DNSSEC Delegation", or "Implement for DNSSEC Validation" columns requires
<t>If an item is not marked as "RECOMMENDED", it does not necessarily Standards Action.</t>
<t indent="0" pn="section-2.2-4.3">If an item is not marked as "<bcp14
>RECOMMENDED</bcp14>", it does not necessarily
mean that it is flawed; rather, it indicates that the item either mean that it is flawed; rather, it indicates that the item either
has not been through the IETF consensus process, has limited has not been through the IETF consensus process, has limited
applicability, or is intended only for specific use cases.</t> applicability, or is intended only for specific use cases.</t>
</blockquote>
<t>Only values of "MAY", "RECOMMENDED", "MUST NOT", and "NOT <t indent="0" pn="section-2.2-5">Only values of "<bcp14>MAY</bcp14>", "<
RECOMMENDED" may be placed into the "Use for DNSSEC Signing" and bcp14>RECOMMENDED</bcp14>", "<bcp14>MUST NOT</bcp14>", and "<bcp14>NOT RECOMMEND
"Use for DNSSEC Validation" columns. Only values of "MAY", ED</bcp14>" may be placed into the "Use for DNSSEC Signing" and
"RECOMMENDED", "MUST", "MUST NOT", and "NOT RECOMMENDED" may be "Use for DNSSEC Validation" columns. Only values of "<bcp14>MAY</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>
", and "<bcp14>NOT RECOMMENDED</bcp14>" may be
placed into the "Implement for DNSSEC Signing" and "Implement for placed into the "Implement for DNSSEC Signing" and "Implement for
DNSSEC Validation" columns. Note that a value of "MUST" is not an DNSSEC Validation" columns. Note that a value of "<bcp14>MUST</bcp14>" is no t an
allowed value for the two "Use for" columns.</t> allowed value for the two "Use for" columns.</t>
<t indent="0" pn="section-2.2-6">The following sections state the initia
<t>The following sections state the initial values to be populated l values that have been populated
into these rows. The "Implement for" column values are transcribed into these columns. The values in the "Implement for" columns are transcribed
from <xref target="RFC8624"></xref>. The "Use for" columns are set to the sam from <xref target="RFC8624" format="default" sectionFormat="of" derivedConten
e values as t="RFC8624"/>. The "Use for" columns are set to the same values as
the "Implement for" values since the general interpretation to date those in the "Implement for" columns since the general interpretation to date
indicates they have been treated as values for both indicates they have been treated as values for both
"implementation" and "use". Note that the "Use for" "use" and "implementation". Note that the value in the "Use for"
columns values use "RECOMMENDED" when the corresponding "Implement column is "<bcp14>RECOMMENDED</bcp14>" when the value in the corresponding "I
for" column is a "MUST" value. We note that the values for mplement
for" column is "<bcp14>MUST</bcp14>". We note that the values for
"Implement for" and "Use for" may diverge in the future as "Implement for" and "Use for" may diverge in the future as
implementations generally precede deployments.</t> implementations generally precede deployments.</t>
</section>
</section> </section>
</section> <section anchor="dns-system-algorithm-numbers-column-values" numbered="true"
<section anchor="dns-system-algorithm-numbers-column-values"><name>DNS System Al removeInRFC="false" toc="include" pn="section-3">
gorithm Numbers Column Values</name> <name slugifiedName="name-dns-security-algorithm-numb">DNS Security Algori
thm Numbers Registry Column Values</name>
<t>Initial recommendation columns of use and implementation <t indent="0" pn="section-3-1">Initial values for the use and implementati
recommendations for the "Domain Name System Security (DNSSEC) on
Algorithm Numbers" are shown in Table 2.</t> recommendation columns in the "DNS Security Algorithm Numbers" registry under
the "Domain Name System Security (DNSSEC) Algorithm Numbers" registry group are
<t>When there are multiple shown in <xref target="algtable" format="default" sectionFormat="of" derivedCon
RECOMMENDED algorithms in the "use" column, operators should choose tent="Table 2"/>.</t>
the best algorithm according to local policy.</t> <t indent="0" pn="section-3-2">When there are multiple
<bcp14>RECOMMENDED</bcp14> algorithms in the "Use for" columns, operators sho
<texttable title="Initial values for the DNS System Algorithm Numbers columns" a uld choose
nchor="algtable"> the best algorithm according to local policy.</t>
<ttcol align='left'>N</ttcol> <table anchor="algtable" align="center" pn="table-2">
<ttcol align='left'>Mnemonics</ttcol> <name slugifiedName="name-initial-values-for-the-dns-">Initial Values fo
<ttcol align='left'>Use for DNSSEC Signing</ttcol> r the DNS Security Algorithm Numbers Registry Columns</name>
<ttcol align='left'>Use for DNSSEC Validation</ttcol> <thead>
<ttcol align='left'>Implement for DNSSEC Signing</ttcol> <tr>
<ttcol align='left'>Implement for DNSSEC Validation</ttcol> <th align="left" colspan="1" rowspan="1">No.</th>
<c>1</c> <th align="left" colspan="1" rowspan="1">Mnemonics</th>
<c>RSAMD5</c> <th align="left" colspan="1" rowspan="1">Use for DNSSEC Signing</th>
<c>MUST NOT</c> <th align="left" colspan="1" rowspan="1">Use for DNSSEC Validation</
<c>MUST NOT</c> th>
<c>MUST NOT</c> <th align="left" colspan="1" rowspan="1">Implement for DNSSEC Signin
<c>MUST NOT</c> g</th>
<c>3</c> <th align="left" colspan="1" rowspan="1">Implement for DNSSEC Valida
<c>DSA</c> tion</th>
<c>MUST NOT</c> </tr>
<c>MUST NOT</c> </thead>
<c>MUST NOT</c> <tbody>
<c>MUST NOT</c> <tr>
<c>5</c> <td align="left" colspan="1" rowspan="1">1</td>
<c>RSASHA1</c> <td align="left" colspan="1" rowspan="1">RSAMD5</td>
<c>NOT RECOMMENDED</c> <td align="left" colspan="1" rowspan="1">
<c>RECOMMENDED</c> <bcp14>MUST NOT</bcp14></td>
<c>NOT RECOMMENDED</c> <td align="left" colspan="1" rowspan="1">
<c>MUST</c> <bcp14>MUST NOT</bcp14></td>
<c>6</c> <td align="left" colspan="1" rowspan="1">
<c>DSA-NSEC3-SHA1</c> <bcp14>MUST NOT</bcp14></td>
<c>MUST NOT</c> <td align="left" colspan="1" rowspan="1">
<c>MUST NOT</c> <bcp14>MUST NOT</bcp14></td>
<c>MUST NOT</c> </tr>
<c>MUST NOT</c> <tr>
<c>7</c> <td align="left" colspan="1" rowspan="1">3</td>
<c>RSASHA1-NSEC3- SHA1</c> <td align="left" colspan="1" rowspan="1">DSA</td>
<c>NOT RECOMMENDED</c> <td align="left" colspan="1" rowspan="1">
<c>RECOMMENDED</c> <bcp14>MUST NOT</bcp14></td>
<c>NOT RECOMMENDED</c> <td align="left" colspan="1" rowspan="1">
<c>MUST</c> <bcp14>MUST NOT</bcp14></td>
<c>8</c> <td align="left" colspan="1" rowspan="1">
<c>RSASHA256</c> <bcp14>MUST NOT</bcp14></td>
<c>RECOMMENDED</c> <td align="left" colspan="1" rowspan="1">
<c>RECOMMENDED</c> <bcp14>MUST NOT</bcp14></td>
<c>MUST</c> </tr>
<c>MUST</c> <tr>
<c>10</c> <td align="left" colspan="1" rowspan="1">5</td>
<c>RSASHA512</c> <td align="left" colspan="1" rowspan="1">RSASHA1</td>
<c>NOT RECOMMENDED</c> <td align="left" colspan="1" rowspan="1">
<c>RECOMMENDED</c> <bcp14>NOT RECOMMENDED</bcp14></td>
<c>NOT RECOMMENDED</c> <td align="left" colspan="1" rowspan="1">
<c>MUST</c> <bcp14>RECOMMENDED</bcp14></td>
<c>12</c> <td align="left" colspan="1" rowspan="1">
<c>ECC-GOST</c> <bcp14>NOT RECOMMENDED</bcp14></td>
<c>MUST NOT</c> <td align="left" colspan="1" rowspan="1">
<c>MAY</c> <bcp14>MUST</bcp14></td>
<c>MUST NOT</c> </tr>
<c>MAY</c> <tr>
<c>13</c> <td align="left" colspan="1" rowspan="1">6</td>
<c>ECDSAP256SHA256</c> <td align="left" colspan="1" rowspan="1">DSA-NSEC3-SHA1</td>
<c>RECOMMENDED</c> <td align="left" colspan="1" rowspan="1">
<c>RECOMMENDED</c> <bcp14>MUST NOT</bcp14></td>
<c>MUST</c> <td align="left" colspan="1" rowspan="1">
<c>MUST</c> <bcp14>MUST NOT</bcp14></td>
<c>14</c> <td align="left" colspan="1" rowspan="1">
<c>ECDSAP384SHA384</c> <bcp14>MUST NOT</bcp14></td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">
<c>RECOMMENDED</c> <bcp14>MUST NOT</bcp14></td>
<c>MAY</c> </tr>
<c>RECOMMENDED</c> <tr>
<c>15</c> <td align="left" colspan="1" rowspan="1">7</td>
<c>ED25519</c> <td align="left" colspan="1" rowspan="1">RSASHA1-NSEC3- SHA1</td>
<c>RECOMMENDED</c> <td align="left" colspan="1" rowspan="1">
<c>RECOMMENDED</c> <bcp14>NOT RECOMMENDED</bcp14></td>
<c>RECOMMENDED</c> <td align="left" colspan="1" rowspan="1">
<c>RECOMMENDED</c> <bcp14>RECOMMENDED</bcp14></td>
<c>16</c> <td align="left" colspan="1" rowspan="1">
<c>ED448</c> <bcp14>NOT RECOMMENDED</bcp14></td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">
<c>RECOMMENDED</c> <bcp14>MUST</bcp14></td>
<c>MAY</c> </tr>
<c>RECOMMENDED</c> <tr>
<c>17</c> <td align="left" colspan="1" rowspan="1">8</td>
<c>SM2/SM3</c> <td align="left" colspan="1" rowspan="1">RSASHA256</td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">
<c>MAY</c> <bcp14>RECOMMENDED</bcp14></td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">
<c>MAY</c> <bcp14>RECOMMENDED</bcp14></td>
<c>23</c> <td align="left" colspan="1" rowspan="1">
<c>GOST R 34.10-2012</c> <bcp14>MUST</bcp14></td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">
<c>MAY</c> <bcp14>MUST</bcp14></td>
<c>MAY</c> </tr>
<c>MAY</c> <tr>
<c>253</c> <td align="left" colspan="1" rowspan="1">10</td>
<c>private algorithm</c> <td align="left" colspan="1" rowspan="1">RSASHA512</td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">
<c>MAY</c> <bcp14>NOT RECOMMENDED</bcp14></td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">
<c>MAY</c> <bcp14>RECOMMENDED</bcp14></td>
<c>254</c> <td align="left" colspan="1" rowspan="1">
<c>private algorithm OID</c> <bcp14>NOT RECOMMENDED</bcp14></td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">
<c>MAY</c> <bcp14>MUST</bcp14></td>
<c>MAY</c> </tr>
<c>MAY</c> <tr>
</texttable> <td align="left" colspan="1" rowspan="1">12</td>
<td align="left" colspan="1" rowspan="1">ECC-GOST</td>
</section> <td align="left" colspan="1" rowspan="1">
<section anchor="dnssec-delegation-signer-ds-resource-record-rr-type-digest-algo <bcp14>MUST NOT</bcp14></td>
rithms-column-values"><name>DNSSEC Delegation Signer (DS) Resource Record (RR) T <td align="left" colspan="1" rowspan="1">
ype Digest Algorithms Column Values</name> <bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<t>Initial recommendation columns of use and implementation <bcp14>MUST NOT</bcp14></td>
recommendations for the "DNSSEC Delegation Signer (DS) Resource <td align="left" colspan="1" rowspan="1">
Record (RR) Type Digest Algorithms" registry are shown in Table 3.</t> <bcp14>MAY</bcp14></td>
</tr>
<t>When there are multiple RECOMMENDED algorithms in the "use" column, <tr>
<td align="left" colspan="1" rowspan="1">13</td>
<td align="left" colspan="1" rowspan="1">ECDSAP256SHA256</td>
<td align="left" colspan="1" rowspan="1">
<bcp14>RECOMMENDED</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>RECOMMENDED</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MUST</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MUST</bcp14></td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">14</td>
<td align="left" colspan="1" rowspan="1">ECDSAP384SHA384</td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>RECOMMENDED</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>RECOMMENDED</bcp14></td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">15</td>
<td align="left" colspan="1" rowspan="1">ED25519</td>
<td align="left" colspan="1" rowspan="1">
<bcp14>RECOMMENDED</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>RECOMMENDED</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>RECOMMENDED</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>RECOMMENDED</bcp14></td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">16</td>
<td align="left" colspan="1" rowspan="1">ED448</td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>RECOMMENDED</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>RECOMMENDED</bcp14></td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">17</td>
<td align="left" colspan="1" rowspan="1">SM2SM3</td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">23</td>
<td align="left" colspan="1" rowspan="1">ECC-GOST12</td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">253</td>
<td align="left" colspan="1" rowspan="1">PRIVATEDNS</td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">254</td>
<td align="left" colspan="1" rowspan="1">PRIVATEOID</td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
</tr>
</tbody>
</table>
</section>
<section anchor="dnssec-delegation-signer-ds-resource-record-rr-type-digest-
algorithms-column-values" numbered="true" removeInRFC="false" toc="include" pn="
section-4">
<name slugifiedName="name-digest-algorithms-registry-">Digest Algorithms R
egistry Column Values</name>
<t indent="0" pn="section-4-1">Initial values for the use and implementati
on
recommendation columns in the "Digest Algorithms" registry under the "DNSSEC
Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms" registry gro
up are shown in <xref target="dstable" format="default" sectionFormat="of" deriv
edContent="Table 3"/>.</t>
<t indent="0" pn="section-4-2">When there are multiple <bcp14>RECOMMENDED<
/bcp14> algorithms in the "Use for" columns,
operators should choose the best algorithm according to local operators should choose the best algorithm according to local
policy.</t> policy.</t>
<table anchor="dstable" align="center" pn="table-3">
<texttable title="Initial values for the DNSSEC Delegation Signer (DS) Resource <name slugifiedName="name-initial-values-for-the-dige">Initial Values fo
Record (RR) Type Digest Algorithms columns" anchor="dstable"> r the Digest Algorithms Registry Columns</name>
<ttcol align='left'>Number</ttcol> <thead>
<ttcol align='left'>Mnemonics</ttcol> <tr>
<ttcol align='left'>Use for DNSSEC Delegation</ttcol> <th align="left" colspan="1" rowspan="1">Value</th>
<ttcol align='left'>Use for DNSSEC Validation</ttcol> <th align="left" colspan="1" rowspan="1">Description</th>
<ttcol align='left'>Implement for DNSSEC Delegation</ttcol> <th align="left" colspan="1" rowspan="1">Use for DNSSEC Delegation</
<ttcol align='left'>Implement for DNSSEC Validation</ttcol> th>
<c>0</c> <th align="left" colspan="1" rowspan="1">Use for DNSSEC Validation</
<c>NULL (CDS only)</c> th>
<c>MUST NOT</c> <th align="left" colspan="1" rowspan="1">Implement for DNSSEC Delega
<c>MUST NOT</c> tion</th>
<c>MUST NOT</c> <th align="left" colspan="1" rowspan="1">Implement for DNSSEC Valida
<c>MUST NOT</c> tion</th>
<c>1</c> </tr>
<c>SHA-1</c> </thead>
<c>MUST NOT</c> <tbody>
<c>RECOMMENDED</c> <tr>
<c>MUST NOT</c> <td align="left" colspan="1" rowspan="1">0</td>
<c>MUST</c> <td align="left" colspan="1" rowspan="1">NULL (CDS only)</td>
<c>2</c> <td align="left" colspan="1" rowspan="1">
<c>SHA-256</c> <bcp14>MUST NOT</bcp14></td>
<c>RECOMMENDED</c> <td align="left" colspan="1" rowspan="1">
<c>RECOMMENDED</c> <bcp14>MUST NOT</bcp14></td>
<c>MUST</c> <td align="left" colspan="1" rowspan="1">
<c>MUST</c> <bcp14>MUST NOT</bcp14></td>
<c>3</c> <td align="left" colspan="1" rowspan="1">
<c>GOST R 34.11-94</c> <bcp14>MUST NOT</bcp14></td>
<c>MUST NOT</c> </tr>
<c>MAY</c> <tr>
<c>MUST NOT</c> <td align="left" colspan="1" rowspan="1">1</td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">SHA-1</td>
<c>4</c> <td align="left" colspan="1" rowspan="1">
<c>SHA-384</c> <bcp14>MUST NOT</bcp14></td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">
<c>RECOMMENDED</c> <bcp14>RECOMMENDED</bcp14></td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">
<c>RECOMMENDED</c> <bcp14>MUST NOT</bcp14></td>
<c>5</c> <td align="left" colspan="1" rowspan="1">
<c>GOST R 34.11-2012</c> <bcp14>MUST</bcp14></td>
<c>MAY</c> </tr>
<c>MAY</c> <tr>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">2</td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">SHA-256</td>
<c>6</c> <td align="left" colspan="1" rowspan="1">
<c>SM3</c> <bcp14>RECOMMENDED</bcp14></td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">
<c>MAY</c> <bcp14>RECOMMENDED</bcp14></td>
<c>MAY</c> <td align="left" colspan="1" rowspan="1">
<c>MAY</c> <bcp14>MUST</bcp14></td>
</texttable> <td align="left" colspan="1" rowspan="1">
<bcp14>MUST</bcp14></td>
</section> </tr>
<section anchor="security-considerations"><name>Security Considerations</name> <tr>
<td align="left" colspan="1" rowspan="1">3</td>
<t>The security of cryptographic systems depends on both the strength of <td align="left" colspan="1" rowspan="1">GOST R 34.11-94</td>
the cryptographic algorithms chosen and the strength of the keys used <td align="left" colspan="1" rowspan="1">
<bcp14>MUST NOT</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MUST NOT</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">4</td>
<td align="left" colspan="1" rowspan="1">SHA-384</td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>RECOMMENDED</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>RECOMMENDED</bcp14></td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">5</td>
<td align="left" colspan="1" rowspan="1">GOST R 34.11-2012</td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
</tr>
<tr>
<td align="left" colspan="1" rowspan="1">6</td>
<td align="left" colspan="1" rowspan="1">SM3</td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
<td align="left" colspan="1" rowspan="1">
<bcp14>MAY</bcp14></td>
</tr>
</tbody>
</table>
</section>
<section anchor="security-considerations" numbered="true" removeInRFC="false
" toc="include" pn="section-5">
<name slugifiedName="name-security-considerations">Security Considerations
</name>
<t indent="0" pn="section-5-1">The security of cryptographic systems depen
ds on the strength of
both the cryptographic algorithms chosen and the keys used
with those algorithms. The security also depends on the engineering with those algorithms. The security also depends on the engineering
of the protocol used by the system to ensure that there are no non- of the protocol used by the system to ensure that there are no non-
cryptographic ways to bypass the security of the overall system.</t> cryptographic ways to bypass the security of the overall system.</t>
<t indent="0" pn="section-5-2">This document concerns itself with the sele
<t>This document concerns itself with the selection of cryptographic algorithms ction of cryptographic algorithms
for the use of DNSSEC, specifically with the selection of for the use of DNSSEC, specifically with the selection of
"mandatory to implement" algorithms. The algorithms identified in this "mandatory-to-implement" algorithms. In this document, the algorithms identi
document as "MUST" or "RECOMMENDED" to implement are not known to be broken a fied as <bcp14>MUST</bcp14> or <bcp14>RECOMMENDED</bcp14> to implement are not k
t nown to be broken at
the current time, and cryptographic research so far leads us to believe that the current time, and cryptographic research so far leads us to believe that
they are likely to remain adequately secure unless significant and they are likely to remain adequately secure unless significant and
unexpected discovery is made. However, this isn't necessarily forever, and unexpected discovery is made. However, this isn't necessarily forever, and
it is expected that future documents will be issued from time to time to it is expected that future documents will be issued from time to time to
reflect the current best practices in this area.</t> reflect the current best practices in this area.</t>
<t indent="0" pn="section-5-3">Retiring an algorithm too soon would result
<t>Retiring an algorithm too soon would result in a zone signed with in a zone signed with
the retired algorithm being downgraded to the equivalent of an the retired algorithm being downgraded to the equivalent of an
unsigned zone. Therefore, algorithm deprecation must be done only unsigned zone. Therefore, algorithm deprecation must be done only
after careful consideration and ideally slowly when possible.</t> after careful consideration and ideally slowly when possible.</t>
</section>
</section> <section anchor="operational-considerations" numbered="true" removeInRFC="fa
<section anchor="operational-considerations"><name>Operational Considerations</n lse" toc="include" pn="section-6">
ame> <name slugifiedName="name-operational-considerations">Operational Consider
ations</name>
<t>DNSKEY algorithm rollover in a live zone is a complex process. See <t indent="0" pn="section-6-1">DNSKEY algorithm rollover in a live zone is
<xref target="RFC6781"></xref> and <xref target="RFC7583"></xref> for guideli a complex process. See
nes on how to perform algorithm <xref target="RFC6781" format="default" sectionFormat="of" derivedContent="RF
C6781"/> and <xref target="RFC7583" format="default" sectionFormat="of" derivedC
ontent="RFC7583"/> for guidelines on how to perform algorithm
rollovers.</t> rollovers.</t>
<t indent="0" pn="section-6-2">DS algorithm rollover in a live zone is als
<t>DS algorithm rollover in a live zone is also a complex process. o a complex process.
Upgrading algorithm at the same time as rolling to the new Key Upgrading an algorithm at the same time as rolling to the new Key
Signing Key (KSK) key will lead to DNSSEC validation failures, and Signing Key (KSK) key will lead to DNSSEC validation failures, and
users MUST upgrade the DS algorithm first before rolling to a new users <bcp14>MUST</bcp14> upgrade the DS algorithm first before rolling to a new
KSK.</t> KSK.</t>
</section>
</section> <section anchor="iana-considerations" numbered="true" removeInRFC="false" to
<section anchor="iana-considerations"><name>IANA Considerations</name> c="include" pn="section-7">
<name slugifiedName="name-iana-considerations">IANA Considerations</name>
<t>The IANA is requested to update the <xref target="DNSKEY-IANA"></xref> and <x <t indent="0" pn="section-7-1">IANA has updated the "DNS Security Algorith
ref target="DS-IANA"></xref> registries m Numbers" <xref target="DNSKEY-IANA" format="default" sectionFormat="of" derive
according to the following sections.</t> dContent="DNSKEY-IANA"/> and "Digest Algorithms" <xref target="DS-IANA" format="
default" sectionFormat="of" derivedContent="DS-IANA"/> registries
<section anchor="update-to-the-dns-security-algorithm-numbers-registry"><name>Up according to the sections that follow.</t>
date to the "DNS Security Algorithm Numbers" registry</name> <section anchor="update-to-the-dns-security-algorithm-numbers-registry" nu
mbered="true" removeInRFC="false" toc="include" pn="section-7.1">
<t>This document requests IANA update the "DNS Security Algorithm <name slugifiedName="name-update-to-the-dns-security-">Update to the DNS
Numbers" registry (<xref target="DNSKEY-IANA"></xref>) registry with the follo Security Algorithm Numbers Registry</name>
wing <t indent="0" pn="section-7.1-1">IANA has updated the "DNS Security Algo
additional columns:</t> rithm
Numbers" registry <xref target="DNSKEY-IANA" format="default" sectionFormat="o
<t><list style="symbols"> f" derivedContent="DNSKEY-IANA"/> with the following
<t>"Use for DNSSEC Signing"</t> columns and has populated these columns with the values from <xref target="alg
<t>"Use for DNSSEC Validation"</t> table" format="default" sectionFormat="of" derivedContent="Table 2"/> of this do
<t>"Implement for DNSSEC Signing"</t> cument:</t>
<t>"Implement for DNSSEC Validation"</t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-7
</list></t> .1-2">
<li pn="section-7.1-2.1">
<t>These values must be populated using values from Table 2 of this <t indent="0" pn="section-7.1-2.1.1">"Use for DNSSEC Signing"</t>
document.</t> </li>
<li pn="section-7.1-2.2">
<t>Additionally, the registration policy for the <xref target="DNSKEY-IANA"></xr <t indent="0" pn="section-7.1-2.2.1">"Use for DNSSEC Validation"</t>
ef> registry </li>
should match the text describing the requirements in this document, <li pn="section-7.1-2.3">
and Section 2's note concerning values not marked as "RECOMMENDED" <t indent="0" pn="section-7.1-2.3.1">"Implement for DNSSEC Signing"<
should be added to the registry.</t> /t>
</li>
<t>This document should be listed as a reference to the "DNS Security <li pn="section-7.1-2.4">
Algorithm Numbers" registry.</t> <t indent="0" pn="section-7.1-2.4.1">"Implement for DNSSEC Validatio
n"</t>
</section> </li>
<section anchor="update-to-the-digest-algorithms-registry"><name>Update to the " </ul>
Digest Algorithms" registry</name> <t indent="0" pn="section-7.1-3">Additionally, IANA has completed the fo
llowing actions for the "DNS Security
<t>This document requests IANA update the "Digest Algorithms" registry Algorithm Numbers" registry <xref target="DNSKEY-IANA" format="default" secti
(<xref target="DS-IANA"></xref>) registry with the following additional column onFormat="of" derivedContent="DNSKEY-IANA"/>:</t>
s:</t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-7
.1-4">
<t><list style="symbols"> <li pn="section-7.1-4.1">Changed the registration procedure to Standar
<t>"Use for DNSSEC Delegation"</t> ds Action or
<t>"Use for DNSSEC Validation"</t> Specification Required.
<t>"Implement for DNSSEC Delegation"</t> </li>
<t>"Implement for DNSSEC Validation"</t> <li pn="section-7.1-4.2">Added a note to the registry that describes t
</list></t> he values not marked as
"<bcp14>RECOMMENDED</bcp14>" per <xref target="adding-and-changing-values"
<t>These values must be populated using values from Table 3 of this format="default" sectionFormat="of" derivedContent="Section 2.2"/>.
document.</t> </li>
<li pn="section-7.1-4.3">Listed this document as an additional referen
<t><list style="symbols"> ce for the registry.
<t>Update the registration policy for the <xref target="DS-IANA"></xref> regis </li>
try to </ul>
match the text describing update requirements above</t> </section>
<t>Mark values 128 - 252 as "Reserved"</t> <section anchor="update-to-the-digest-algorithms-registry" numbered="true"
<t>Mark values 253 and 254 as "Reserved for Private Use"</t> removeInRFC="false" toc="include" pn="section-7.2">
<t>Delete the (now superfluous) column "Status" from the registry</t> <name slugifiedName="name-update-to-the-digest-algori">Update to the Dig
</list></t> est Algorithms Registry</name>
<t indent="0" pn="section-7.2-1">IANA has updated the "Digest Algorithms
<t>Section 2's note concerning values not marked as "RECOMMENDED" " registry
should be added to the registry.</t> <xref target="DS-IANA" format="default" sectionFormat="of" derivedContent="DS-
IANA"/> with the following columns and has populated these columns with the valu
<t>This document should be listed as a reference to the "Digest Algorithms" regi es from <xref target="dstable" format="default" sectionFormat="of" derivedConten
stry.</t> t="Table 3"/> of this document:</t>
<ul spacing="normal" bare="false" empty="false" indent="3" pn="section-7
</section> .2-2">
</section> <li pn="section-7.2-2.1">
<section anchor="acknowledgments"><name>Acknowledgments</name> <t indent="0" pn="section-7.2-2.1.1">"Use for DNSSEC Delegation"</t>
</li>
<t>This document is based on, and extends, RFC 8624, which was authored by Paul <li pn="section-7.2-2.2">
Wouters and Ondrej Sury.</t> <t indent="0" pn="section-7.2-2.2.1">"Use for DNSSEC Validation"</t>
</li>
<t>The content of this document was heavily discussed by participants <li pn="section-7.2-2.3">
of the DNSOP working group. The authors appreciate the <t indent="0" pn="section-7.2-2.3.1">"Implement for DNSSEC Delegatio
thoughtfulness of the many opinions expressed by working group n"</t>
participants that all helped shaped this document. We thank Paul </li>
Hoffman and Paul Wouters for their contributed text, and also <li pn="section-7.2-2.4">
Nabeel Cocker, Shumon Huque, Nicolai Leymann, S Moonesamy, Magnus Nyström, <t indent="0" pn="section-7.2-2.4.1">"Implement for DNSSEC Validatio
Peter Thomassen, Stefan Ubbink, and Loganaden Velvindron for n"</t>
their reviews and comments.</t> </li>
</ul>
</section> <t indent="0" pn="section-7.2-3">Additionally, IANA has completed the fo
llowing actions for the "Digest Algorithms" registry <xref target="DS-IANA" form
at="default" sectionFormat="of" derivedContent="DS-IANA"/>:
</t>
<ul spacing="normal" bare="false" empty="false" indent="3" pn="section-7
.2-4">
<li pn="section-7.2-4.1">
<t indent="0" pn="section-7.2-4.1.1">Changed the registration proced
ure to Standards Action or Specification Required.</t>
</li>
<li pn="section-7.2-4.2">Added a note to the registry that describes t
he values not marked as
"<bcp14>RECOMMENDED</bcp14>" per <xref target="adding-and-changing-values"
format="default" sectionFormat="of" derivedContent="Section 2.2"/>.
</li>
<li pn="section-7.2-4.3">Listed this document as an additional referen
ce for the registry.
</li>
<li pn="section-7.2-4.4">
<t indent="0" pn="section-7.2-4.4.1">Marked values 128-252 as "Reser
ved".</t>
</li>
<li pn="section-7.2-4.5">
<t indent="0" pn="section-7.2-4.5.1">Marked values 253 and 254 as "R
eserved for Private Use".</t>
</li>
<li pn="section-7.2-4.6">
<t indent="0" pn="section-7.2-4.6.1">Deleted the (now superfluous) c
olumn "Status" from the registry.</t>
</li>
</ul>
</section>
</section>
</middle> </middle>
<back> <back>
<references anchor="sec-combined-references" pn="section-8">
<references title='References' anchor="sec-combined-references"> <name slugifiedName="name-references">References</name>
<references anchor="sec-normative-references" pn="section-8.1">
<references title='Normative References' anchor="sec-normative-references"> <name slugifiedName="name-normative-references">Normative References</na
me>
<reference anchor="RFC2119"> <reference anchor="DNSKEY-IANA" target="https://www.iana.org/assignments
<front> /dns-sec-alg-numbers" quoteTitle="true" derivedAnchor="DNSKEY-IANA">
<title>Key words for use in RFCs to Indicate Requirement Levels</title> <front>
<author fullname="S. Bradner" initials="S." surname="Bradner"/> <title>DNS Security Algorithm Numbers</title>
<date month="March" year="1997"/> <author>
<abstract> <organization showOnFrontPage="true">IANA</organization>
<t>In many standards track documents several words are used to signify the </author>
requirements in the specification. These words are often capitalized. This docu </front>
ment defines these words as they should be interpreted in IETF documents. This d </reference>
ocument specifies an Internet Best Current Practices for the Internet Community, <reference anchor="DS-IANA" target="http://www.iana.org/assignments/ds-r
and requests discussion and suggestions for improvements.</t> r-types" quoteTitle="true" derivedAnchor="DS-IANA">
</abstract> <front>
</front> <title>Digest Algorithms</title>
<seriesInfo name="BCP" value="14"/> <author>
<seriesInfo name="RFC" value="2119"/> <organization showOnFrontPage="true">IANA</organization>
<seriesInfo name="DOI" value="10.17487/RFC2119"/> </author>
</reference> </front>
<reference anchor="RFC8126"> </reference>
<front> <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2
<title>Guidelines for Writing an IANA Considerations Section in RFCs</title> 119" quoteTitle="true" derivedAnchor="RFC2119">
<author fullname="M. Cotton" initials="M." surname="Cotton"/> <front>
<author fullname="B. Leiba" initials="B." surname="Leiba"/> <title>Key words for use in RFCs to Indicate Requirement Levels</tit
<author fullname="T. Narten" initials="T." surname="Narten"/> le>
<date month="June" year="2017"/> <author fullname="S. Bradner" initials="S." surname="Bradner"/>
<abstract> <date month="March" year="1997"/>
<t>Many protocols make use of points of extensibility that use constants t <abstract>
o identify various protocol parameters. To ensure that the values in these field <t indent="0">In many standards track documents several words are
s do not have conflicting uses and to promote interoperability, their allocation used to signify the requirements in the specification. These words are often cap
s are often coordinated by a central record keeper. For IETF protocols, that rol italized. This document defines these words as they should be interpreted in IET
e is filled by the Internet Assigned Numbers Authority (IANA).</t> F documents. This document specifies an Internet Best Current Practices for the
<t>To make assignments in a given registry prudently, guidance describing Internet Community, and requests discussion and suggestions for improvements.</t
the conditions under which new values should be assigned, as well as when and ho >
w modifications to existing values can be made, is needed. This document defines </abstract>
a framework for the documentation of these guidelines by specification authors, </front>
in order to assure that the provided guidance for the IANA Considerations is cl <seriesInfo name="BCP" value="14"/>
ear and addresses the various issues that are likely in the operation of a regis <seriesInfo name="RFC" value="2119"/>
try.</t> <seriesInfo name="DOI" value="10.17487/RFC2119"/>
<t>This is the third edition of this document; it obsoletes RFC 5226.</t> </reference>
</abstract> <reference anchor="RFC8126" target="https://www.rfc-editor.org/info/rfc8
</front> 126" quoteTitle="true" derivedAnchor="RFC8126">
<seriesInfo name="BCP" value="26"/> <front>
<seriesInfo name="RFC" value="8126"/> <title>Guidelines for Writing an IANA Considerations Section in RFCs
<seriesInfo name="DOI" value="10.17487/RFC8126"/> </title>
</reference> <author fullname="M. Cotton" initials="M." surname="Cotton"/>
<reference anchor="RFC8174"> <author fullname="B. Leiba" initials="B." surname="Leiba"/>
<front> <author fullname="T. Narten" initials="T." surname="Narten"/>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <date month="June" year="2017"/>
<author fullname="B. Leiba" initials="B." surname="Leiba"/> <abstract>
<date month="May" year="2017"/> <t indent="0">Many protocols make use of points of extensibility t
<abstract> hat use constants to identify various protocol parameters. To ensure that the va
<t>RFC 2119 specifies common key words that may be used in protocol specif lues in these fields do not have conflicting uses and to promote interoperabilit
ications. This document aims to reduce the ambiguity by clarifying that only UPP y, their allocations are often coordinated by a central record keeper. For IETF
ERCASE usage of the key words have the defined special meanings.</t> protocols, that role is filled by the Internet Assigned Numbers Authority (IANA)
</abstract> .</t>
</front> <t indent="0">To make assignments in a given registry prudently, g
<seriesInfo name="BCP" value="14"/> uidance describing the conditions under which new values should be assigned, as
<seriesInfo name="RFC" value="8174"/> well as when and how modifications to existing values can be made, is needed. Th
<seriesInfo name="DOI" value="10.17487/RFC8174"/> is document defines a framework for the documentation of these guidelines by spe
</reference> cification authors, in order to assure that the provided guidance for the IANA C
<reference anchor="RFC9157"> onsiderations is clear and addresses the various issues that are likely in the o
<front> peration of a registry.</t>
<title>Revised IANA Considerations for DNSSEC</title> <t indent="0">This is the third edition of this document; it obsol
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/> etes RFC 5226.</t>
<date month="December" year="2021"/> </abstract>
<abstract> </front>
<t>This document changes the review requirements needed to get DNSSEC algo <seriesInfo name="BCP" value="26"/>
rithms and resource records added to IANA registries. It updates RFC 6014 to inc <seriesInfo name="RFC" value="8126"/>
lude hash algorithms for Delegation Signer (DS) records and NextSECure version 3 <seriesInfo name="DOI" value="10.17487/RFC8126"/>
(NSEC3) parameters (for Hashed Authenticated Denial of Existence). It also upda </reference>
tes RFCs 5155 and 6014, which have requirements for DNSSEC algorithms, and updat <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8
es RFC 8624 to clarify the implementation recommendation related to the algorith 174" quoteTitle="true" derivedAnchor="RFC8174">
ms described in RFCs that are not on the standards track. The rationale for thes <front>
e changes is to bring the requirements for DS records and hash algorithms used i <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
n NSEC3 in line with the requirements for all other DNSSEC algorithms.</t> tle>
</abstract> <author fullname="B. Leiba" initials="B." surname="Leiba"/>
</front> <date month="May" year="2017"/>
<seriesInfo name="RFC" value="9157"/> <abstract>
<seriesInfo name="DOI" value="10.17487/RFC9157"/> <t indent="0">RFC 2119 specifies common key words that may be used
</reference> in protocol specifications. This document aims to reduce the ambiguity by clari
fying that only UPPERCASE usage of the key words have the defined special meanin
<reference anchor="DNSKEY-IANA" target="https://www.iana.org/assignments/dns-sec gs.</t>
-alg-numbers/dns-sec-alg-numbers.xml#dns-sec-alg-numbers-1"> </abstract>
<front> </front>
<title>DNS Security Algorithm Numbers</title> <seriesInfo name="BCP" value="14"/>
<author initials="" surname="IANA" fullname="IANA"> <seriesInfo name="RFC" value="8174"/>
<organization></organization> <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</author> </reference>
<date year="n.d."/> <reference anchor="RFC9157" target="https://www.rfc-editor.org/info/rfc9
</front> 157" quoteTitle="true" derivedAnchor="RFC9157">
</reference> <front>
<reference anchor="DS-IANA" target="http://www.iana.org/assignments/ds-rr-types" <title>Revised IANA Considerations for DNSSEC</title>
> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
<front> <date month="December" year="2021"/>
<title>Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms</t <abstract>
itle> <t indent="0">This document changes the review requirements needed
<author initials="" surname="IANA" fullname="IANA"> to get DNSSEC algorithms and resource records added to IANA registries. It upda
<organization></organization> tes RFC 6014 to include hash algorithms for Delegation Signer (DS) records and N
</author> extSECure version 3 (NSEC3) parameters (for Hashed Authenticated Denial of Exist
<date year="n.d."/> ence). It also updates RFCs 5155 and 6014, which have requirements for DNSSEC al
</front> gorithms, and updates RFC 8624 to clarify the implementation recommendation rela
</reference> ted to the algorithms described in RFCs that are not on the standards track. The
rationale for these changes is to bring the requirements for DS records and has
</references> h algorithms used in NSEC3 in line with the requirements for all other DNSSEC al
gorithms.</t>
<references title='Informative References' anchor="sec-informative-reference </abstract>
s"> </front>
<seriesInfo name="RFC" value="9157"/>
<reference anchor="RFC4034"> <seriesInfo name="DOI" value="10.17487/RFC9157"/>
<front> </reference>
<title>Resource Records for the DNS Security Extensions</title> </references>
<author fullname="R. Arends" initials="R." surname="Arends"/> <references anchor="sec-informative-references" pn="section-8.2">
<author fullname="R. Austein" initials="R." surname="Austein"/> <name slugifiedName="name-informative-references">Informative References
<author fullname="M. Larson" initials="M." surname="Larson"/> </name>
<author fullname="D. Massey" initials="D." surname="Massey"/> <reference anchor="RFC4034" target="https://www.rfc-editor.org/info/rfc4
<author fullname="S. Rose" initials="S." surname="Rose"/> 034" quoteTitle="true" derivedAnchor="RFC4034">
<date month="March" year="2005"/> <front>
<abstract> <title>Resource Records for the DNS Security Extensions</title>
<t>This document is part of a family of documents that describe the DNS Se <author fullname="R. Arends" initials="R." surname="Arends"/>
curity Extensions (DNSSEC). The DNS Security Extensions are a collection of reso <author fullname="R. Austein" initials="R." surname="Austein"/>
urce records and protocol modifications that provide source authentication for t <author fullname="M. Larson" initials="M." surname="Larson"/>
he DNS. This document defines the public key (DNSKEY), delegation signer (DS), r <author fullname="D. Massey" initials="D." surname="Massey"/>
esource record digital signature (RRSIG), and authenticated denial of existence <author fullname="S. Rose" initials="S." surname="Rose"/>
(NSEC) resource records. The purpose and format of each resource record is descr <date month="March" year="2005"/>
ibed in detail, and an example of each resource record is given.</t> <abstract>
<t>This document obsoletes RFC 2535 and incorporates changes from all upda <t indent="0">This document is part of a family of documents that
tes to RFC 2535. [STANDARDS-TRACK]</t> describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a
</abstract> collection of resource records and protocol modifications that provide source a
</front> uthentication for the DNS. This document defines the public key (DNSKEY), delega
<seriesInfo name="RFC" value="4034"/> tion signer (DS), resource record digital signature (RRSIG), and authenticated d
<seriesInfo name="DOI" value="10.17487/RFC4034"/> enial of existence (NSEC) resource records. The purpose and format of each resou
</reference> rce record is described in detail, and an example of each resource record is giv
<reference anchor="RFC4509"> en.</t>
<front> <t indent="0">This document obsoletes RFC 2535 and incorporates ch
<title>Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs anges from all updates to RFC 2535. [STANDARDS-TRACK]</t>
)</title> </abstract>
<author fullname="W. Hardaker" initials="W." surname="Hardaker"/> </front>
<date month="May" year="2006"/> <seriesInfo name="RFC" value="4034"/>
<abstract> <seriesInfo name="DOI" value="10.17487/RFC4034"/>
<t>This document specifies how to use the SHA-256 digest type in DNS Deleg </reference>
ation Signer (DS) Resource Records (RRs). DS records, when stored in a parent zo <reference anchor="RFC4509" target="https://www.rfc-editor.org/info/rfc4
ne, point to DNSKEYs in a child zone. [STANDARDS-TRACK]</t> 509" quoteTitle="true" derivedAnchor="RFC4509">
</abstract> <front>
</front> <title>Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Reco
<seriesInfo name="RFC" value="4509"/> rds (RRs)</title>
<seriesInfo name="DOI" value="10.17487/RFC4509"/> <author fullname="W. Hardaker" initials="W." surname="Hardaker"/>
</reference> <date month="May" year="2006"/>
<reference anchor="RFC5155"> <abstract>
<front> <t indent="0">This document specifies how to use the SHA-256 diges
<title>DNS Security (DNSSEC) Hashed Authenticated Denial of Existence</title t type in DNS Delegation Signer (DS) Resource Records (RRs). DS records, when st
> ored in a parent zone, point to DNSKEYs in a child zone. [STANDARDS-TRACK]</t>
<author fullname="B. Laurie" initials="B." surname="Laurie"/> </abstract>
<author fullname="G. Sisson" initials="G." surname="Sisson"/> </front>
<author fullname="R. Arends" initials="R." surname="Arends"/> <seriesInfo name="RFC" value="4509"/>
<author fullname="D. Blacka" initials="D." surname="Blacka"/> <seriesInfo name="DOI" value="10.17487/RFC4509"/>
<date month="March" year="2008"/> </reference>
<abstract> <reference anchor="RFC5155" target="https://www.rfc-editor.org/info/rfc5
<t>The Domain Name System Security (DNSSEC) Extensions introduced the NSEC 155" quoteTitle="true" derivedAnchor="RFC5155">
resource record (RR) for authenticated denial of existence. This document intro <front>
duces an alternative resource record, NSEC3, which similarly provides authentica <title>DNS Security (DNSSEC) Hashed Authenticated Denial of Existenc
ted denial of existence. However, it also provides measures against zone enumera e</title>
tion and permits gradual expansion of delegation-centric zones. [STANDARDS-TRACK <author fullname="B. Laurie" initials="B." surname="Laurie"/>
]</t> <author fullname="G. Sisson" initials="G." surname="Sisson"/>
</abstract> <author fullname="R. Arends" initials="R." surname="Arends"/>
</front> <author fullname="D. Blacka" initials="D." surname="Blacka"/>
<seriesInfo name="RFC" value="5155"/> <date month="March" year="2008"/>
<seriesInfo name="DOI" value="10.17487/RFC5155"/> <abstract>
</reference> <t indent="0">The Domain Name System Security (DNSSEC) Extensions
<reference anchor="RFC5702"> introduced the NSEC resource record (RR) for authenticated denial of existence.
<front> This document introduces an alternative resource record, NSEC3, which similarly
<title>Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records provides authenticated denial of existence. However, it also provides measures a
for DNSSEC</title> gainst zone enumeration and permits gradual expansion of delegation-centric zone
<author fullname="J. Jansen" initials="J." surname="Jansen"/> s. [STANDARDS-TRACK]</t>
<date month="October" year="2009"/> </abstract>
<abstract> </front>
<t>This document describes how to produce RSA/SHA-256 and RSA/SHA-512 DNSK <seriesInfo name="RFC" value="5155"/>
EY and RRSIG resource records for use in the Domain Name System Security Extensi <seriesInfo name="DOI" value="10.17487/RFC5155"/>
ons (RFC 4033, RFC 4034, and RFC 4035). [STANDARDS TRACK]</t> </reference>
</abstract> <reference anchor="RFC5702" target="https://www.rfc-editor.org/info/rfc5
</front> 702" quoteTitle="true" derivedAnchor="RFC5702">
<seriesInfo name="RFC" value="5702"/> <front>
<seriesInfo name="DOI" value="10.17487/RFC5702"/> <title>Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource
</reference> Records for DNSSEC</title>
<reference anchor="RFC5933"> <author fullname="J. Jansen" initials="J." surname="Jansen"/>
<front> <date month="October" year="2009"/>
<title>Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records <abstract>
for DNSSEC</title> <t indent="0">This document describes how to produce RSA/SHA-256 a
<author fullname="V. Dolmatov" initials="V." role="editor" surname="Dolmatov nd RSA/SHA-512 DNSKEY and RRSIG resource records for use in the Domain Name Syst
"/> em Security Extensions (RFC 4033, RFC 4034, and RFC 4035). [STANDARDS TRACK]</t>
<author fullname="A. Chuprina" initials="A." surname="Chuprina"/> </abstract>
<author fullname="I. Ustinov" initials="I." surname="Ustinov"/> </front>
<date month="July" year="2010"/> <seriesInfo name="RFC" value="5702"/>
<abstract> <seriesInfo name="DOI" value="10.17487/RFC5702"/>
<t>This document describes how to produce digital signatures and hash func </reference>
tions using the GOST R 34.10-2001 and GOST R 34.11-94 algorithms for DNSKEY, RRS <reference anchor="RFC5933" target="https://www.rfc-editor.org/info/rfc5
IG, and DS resource records, for use in the Domain Name System Security Extensio 933" quoteTitle="true" derivedAnchor="RFC5933">
ns (DNSSEC).</t> <front>
</abstract> <title>Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource
</front> Records for DNSSEC</title>
<seriesInfo name="RFC" value="5933"/> <author fullname="V. Dolmatov" initials="V." role="editor" surname="
<seriesInfo name="DOI" value="10.17487/RFC5933"/> Dolmatov"/>
</reference> <author fullname="A. Chuprina" initials="A." surname="Chuprina"/>
<reference anchor="RFC6605"> <author fullname="I. Ustinov" initials="I." surname="Ustinov"/>
<front> <date month="July" year="2010"/>
<title>Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC</title> <abstract>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/> <t indent="0">This document describes how to produce digital signa
<author fullname="W.C.A. Wijngaards" initials="W.C.A." surname="Wijngaards"/ tures and hash functions using the GOST R 34.10-2001 and GOST R 34.11-94 algorit
> hms for DNSKEY, RRSIG, and DS resource records, for use in the Domain Name Syste
<date month="April" year="2012"/> m Security Extensions (DNSSEC).</t>
<abstract> </abstract>
<t>This document describes how to specify Elliptic Curve Digital Signature </front>
Algorithm (DSA) keys and signatures in DNS Security (DNSSEC). It lists curves o <seriesInfo name="RFC" value="5933"/>
f different sizes and uses the SHA-2 family of hashes for signatures. [STANDARDS <seriesInfo name="DOI" value="10.17487/RFC5933"/>
-TRACK]</t> </reference>
</abstract> <reference anchor="RFC6605" target="https://www.rfc-editor.org/info/rfc6
</front> 605" quoteTitle="true" derivedAnchor="RFC6605">
<seriesInfo name="RFC" value="6605"/> <front>
<seriesInfo name="DOI" value="10.17487/RFC6605"/> <title>Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC</
</reference> title>
<reference anchor="RFC6781"> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
<front> <author fullname="W.C.A. Wijngaards" initials="W.C.A." surname="Wijn
<title>DNSSEC Operational Practices, Version 2</title> gaards"/>
<author fullname="O. Kolkman" initials="O." surname="Kolkman"/> <date month="April" year="2012"/>
<author fullname="W. Mekking" initials="W." surname="Mekking"/> <abstract>
<author fullname="R. Gieben" initials="R." surname="Gieben"/> <t indent="0">This document describes how to specify Elliptic Curv
<date month="December" year="2012"/> e Digital Signature Algorithm (DSA) keys and signatures in DNS Security (DNSSEC)
<abstract> . It lists curves of different sizes and uses the SHA-2 family of hashes for sig
<t>This document describes a set of practices for operating the DNS with s natures. [STANDARDS-TRACK]</t>
ecurity extensions (DNSSEC). The target audience is zone administrators deployin </abstract>
g DNSSEC.</t> </front>
<t>The document discusses operational aspects of using keys and signatures <seriesInfo name="RFC" value="6605"/>
in the DNS. It discusses issues of key generation, key storage, signature gener <seriesInfo name="DOI" value="10.17487/RFC6605"/>
ation, key rollover, and related policies.</t> </reference>
<t>This document obsoletes RFC 4641, as it covers more operational ground <reference anchor="RFC6781" target="https://www.rfc-editor.org/info/rfc6
and gives more up-to-date requirements with respect to key sizes and the DNSSEC 781" quoteTitle="true" derivedAnchor="RFC6781">
operations.</t> <front>
</abstract> <title>DNSSEC Operational Practices, Version 2</title>
</front> <author fullname="O. Kolkman" initials="O." surname="Kolkman"/>
<seriesInfo name="RFC" value="6781"/> <author fullname="W. Mekking" initials="W." surname="Mekking"/>
<seriesInfo name="DOI" value="10.17487/RFC6781"/> <author fullname="R. Gieben" initials="R." surname="Gieben"/>
</reference> <date month="December" year="2012"/>
<reference anchor="RFC7583"> <abstract>
<front> <t indent="0">This document describes a set of practices for opera
<title>DNSSEC Key Rollover Timing Considerations</title> ting the DNS with security extensions (DNSSEC). The target audience is zone admi
<author fullname="S. Morris" initials="S." surname="Morris"/> nistrators deploying DNSSEC.</t>
<author fullname="J. Ihren" initials="J." surname="Ihren"/> <t indent="0">The document discusses operational aspects of using
<author fullname="J. Dickinson" initials="J." surname="Dickinson"/> keys and signatures in the DNS. It discusses issues of key generation, key stora
<author fullname="W. Mekking" initials="W." surname="Mekking"/> ge, signature generation, key rollover, and related policies.</t>
<date month="October" year="2015"/> <t indent="0">This document obsoletes RFC 4641, as it covers more
<abstract> operational ground and gives more up-to-date requirements with respect to key si
<t>This document describes the issues surrounding the timing of events in zes and the DNSSEC operations.</t>
the rolling of a key in a DNSSEC-secured zone. It presents timelines for the key </abstract>
rollover and explicitly identifies the relationships between the various parame </front>
ters affecting the process.</t> <seriesInfo name="RFC" value="6781"/>
</abstract> <seriesInfo name="DOI" value="10.17487/RFC6781"/>
</front> </reference>
<seriesInfo name="RFC" value="7583"/> <reference anchor="RFC7583" target="https://www.rfc-editor.org/info/rfc7
<seriesInfo name="DOI" value="10.17487/RFC7583"/> 583" quoteTitle="true" derivedAnchor="RFC7583">
</reference> <front>
<reference anchor="RFC8080"> <title>DNSSEC Key Rollover Timing Considerations</title>
<front> <author fullname="S. Morris" initials="S." surname="Morris"/>
<title>Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC</title> <author fullname="J. Ihren" initials="J." surname="Ihren"/>
<author fullname="O. Sury" initials="O." surname="Sury"/> <author fullname="J. Dickinson" initials="J." surname="Dickinson"/>
<author fullname="R. Edmonds" initials="R." surname="Edmonds"/> <author fullname="W. Mekking" initials="W." surname="Mekking"/>
<date month="February" year="2017"/> <date month="October" year="2015"/>
<abstract> <abstract>
<t>This document describes how to specify Edwards-curve Digital Security A <t indent="0">This document describes the issues surrounding the t
lgorithm (EdDSA) keys and signatures in DNS Security (DNSSEC). It uses EdDSA wit iming of events in the rolling of a key in a DNSSEC-secured zone. It presents ti
h the choice of two curves: Ed25519 and Ed448.</t> melines for the key rollover and explicitly identifies the relationships between
</abstract> the various parameters affecting the process.</t>
</front> </abstract>
<seriesInfo name="RFC" value="8080"/> </front>
<seriesInfo name="DOI" value="10.17487/RFC8080"/> <seriesInfo name="RFC" value="7583"/>
</reference> <seriesInfo name="DOI" value="10.17487/RFC7583"/>
<reference anchor="RFC8624"> </reference>
<front> <reference anchor="RFC8080" target="https://www.rfc-editor.org/info/rfc8
<title>Algorithm Implementation Requirements and Usage Guidance for DNSSEC</ 080" quoteTitle="true" derivedAnchor="RFC8080">
title> <front>
<author fullname="P. Wouters" initials="P." surname="Wouters"/> <title>Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC</
<author fullname="O. Sury" initials="O." surname="Sury"/> title>
<date month="June" year="2019"/> <author fullname="O. Sury" initials="O." surname="Sury"/>
<abstract> <author fullname="R. Edmonds" initials="R." surname="Edmonds"/>
<t>The DNSSEC protocol makes use of various cryptographic algorithms in or <date month="February" year="2017"/>
der to provide authentication of DNS data and proof of nonexistence. To ensure i <abstract>
nteroperability between DNS resolvers and DNS authoritative servers, it is neces <t indent="0">This document describes how to specify Edwards-curve
sary to specify a set of algorithm implementation requirements and usage guideli Digital Security Algorithm (EdDSA) keys and signatures in DNS Security (DNSSEC)
nes to ensure that there is at least one algorithm that all implementations supp . It uses EdDSA with the choice of two curves: Ed25519 and Ed448.</t>
ort. This document defines the current algorithm implementation requirements and </abstract>
usage guidance for DNSSEC. This document obsoletes RFC 6944.</t> </front>
</abstract> <seriesInfo name="RFC" value="8080"/>
</front> <seriesInfo name="DOI" value="10.17487/RFC8080"/>
<seriesInfo name="RFC" value="8624"/> </reference>
<seriesInfo name="DOI" value="10.17487/RFC8624"/> <reference anchor="RFC8624" target="https://www.rfc-editor.org/info/rfc8
</reference> 624" quoteTitle="true" derivedAnchor="RFC8624">
<reference anchor="RFC9364"> <front>
<front> <title>Algorithm Implementation Requirements and Usage Guidance for
<title>DNS Security Extensions (DNSSEC)</title> DNSSEC</title>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/> <author fullname="P. Wouters" initials="P." surname="Wouters"/>
<date month="February" year="2023"/> <author fullname="O. Sury" initials="O." surname="Sury"/>
<abstract> <date month="June" year="2019"/>
<t>This document describes the DNS Security Extensions (commonly called "D <abstract>
NSSEC") that are specified in RFCs 4033, 4034, and 4035, as well as a handful of <t indent="0">The DNSSEC protocol makes use of various cryptograph
others. One purpose is to introduce all of the RFCs in one place so that the re ic algorithms in order to provide authentication of DNS data and proof of nonexi
ader can understand the many aspects of DNSSEC. This document does not update an stence. To ensure interoperability between DNS resolvers and DNS authoritative s
y of those RFCs. A second purpose is to state that using DNSSEC for origin authe ervers, it is necessary to specify a set of algorithm implementation requirement
ntication of DNS data is the best current practice. A third purpose is to provid s and usage guidelines to ensure that there is at least one algorithm that all i
e a single reference for other documents that want to refer to DNSSEC.</t> mplementations support. This document defines the current algorithm implementati
</abstract> on requirements and usage guidance for DNSSEC. This document obsoletes RFC 6944.
</front> </t>
<seriesInfo name="BCP" value="237"/> </abstract>
<seriesInfo name="RFC" value="9364"/> </front>
<seriesInfo name="DOI" value="10.17487/RFC9364"/> <seriesInfo name="RFC" value="8624"/>
</reference> <seriesInfo name="DOI" value="10.17487/RFC8624"/>
</reference>
<reference anchor="TLS-ciphersuites" target="https://www.iana.org/assignments/tl <reference anchor="RFC9364" target="https://www.rfc-editor.org/info/rfc9
s-parameters/tls-parameters.xhtml#tls-parameters-4"> 364" quoteTitle="true" derivedAnchor="RFC9364">
<front> <front>
<title>Transport Layer Security (TLS) Parameters</title> <title>DNS Security Extensions (DNSSEC)</title>
<author initials="" surname="IANA" fullname="IANA"> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
<organization></organization> <date month="February" year="2023"/>
</author> <abstract>
<date year="n.d."/> <t indent="0">This document describes the DNS Security Extensions
</front> (commonly called "DNSSEC") that are specified in RFCs 4033, 4034, and 4035, as w
</reference> ell as a handful of others. One purpose is to introduce all of the RFCs in one p
lace so that the reader can understand the many aspects of DNSSEC. This document
does not update any of those RFCs. A second purpose is to state that using DNSS
EC for origin authentication of DNS data is the best current practice. A third p
urpose is to provide a single reference for other documents that want to refer t
o DNSSEC.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="237"/>
<seriesInfo name="RFC" value="9364"/>
<seriesInfo name="DOI" value="10.17487/RFC9364"/>
</reference>
<reference anchor="TLS-ciphersuites" target="https://www.iana.org/assign
ments/tls-parameters" quoteTitle="true" derivedAnchor="TLS-ciphersuites">
<front>
<title>Transport Layer Security (TLS) Parameters</title>
<author>
<organization showOnFrontPage="true">IANA</organization>
</author>
</front>
</reference>
</references>
</references> </references>
<section anchor="acknowledgments" numbered="false" removeInRFC="false" toc="
</references> include" pn="section-appendix.a">
<name slugifiedName="name-acknowledgments">Acknowledgments</name>
<?line 480?> <t indent="0" pn="section-appendix.a-1">This document is based on, and ext
ends, RFC 8624, which was authored
<section anchor="changelog"><name>ChangeLog</name> by <contact fullname="Paul Wouters"/> and <contact fullname="Ondrej
Sury"/>.</t>
<t>(RFC Editor: please remove this ChangeLog section upon publication.)</t> <t indent="0" pn="section-appendix.a-2">The content of this document was h
eavily discussed by participants of
<section anchor="changes-from-ietf-10-to-ietf-11"><name>Changes from ietf-10 to the DNSOP Working Group. The authors appreciate the thoughtfulness of
ietf-11:</name> the many opinions expressed by working group participants that all
helped shaped this document. We thank <contact fullname="Paul Hoffman"/>
<figure><artwork><![CDATA[ and <contact fullname="Paul Wouters"/> for their contributed text and
* Many more comments to address IESG reviews also <contact fullname="Nabeel Cocker"/>, <contact fullname="Shumon
]]></artwork></figure> Huque"/>, <contact fullname="Nicolai Leymann"/>, <contact fullname="S. Moo
nesamy"/>, <contact fullname="Magnus Nyström"/>, <contact fullname="Peter Thomas
</section> sen"/>, <contact fullname="Stefan Ubbink"/>, and
<section anchor="changes-from-ietf-09-to-ietf-10"><name>Changes from ietf-09 to <contact fullname="Loganaden Velvindron"/> for their reviews and
ietf-10:</name> comments.</t>
</section>
<figure><artwork><![CDATA[ <section anchor="authors-addresses" numbered="false" removeInRFC="false" toc
* Many comments addressed from IESG reviews ="include" pn="section-appendix.b">
]]></artwork></figure> <name slugifiedName="name-authors-addresses">Authors' Addresses</name>
<author initials="W." surname="Hardaker" fullname="Wes Hardaker">
</section> <organization showOnFrontPage="true">USC/ISI</organization>
<section anchor="changes-from-ietf-08-to-ietf-09"><name>Changes from ietf-08 to <address>
ietf-09</name> <email>ietf@hardakers.net</email>
</address>
<figure><artwork><![CDATA[ </author>
* Added missing alogirthms (SM2/SM3 and GOST R 34.10-2012) <author initials="W." surname="Kumari" fullname="Warren Kumari">
]]></artwork></figure> <organization showOnFrontPage="true">Google</organization>
<address>
</section> <email>warren@kumari.net</email>
<section anchor="changes-from-ietf-07-to-ietf-08"><name>Changes from ietf-07 to </address>
ietf-08</name> </author>
</section>
<figure><artwork><![CDATA[
* Handle issues raised during IETF last call:
* updates 9157
* other nit fixes
]]></artwork></figure>
</section>
<section anchor="changes-from-ietf-06-to-ietf-07"><name>Changes from ietf-06 to
ietf-07</name>
<figure><artwork><![CDATA[
* changed to a standards track document
]]></artwork></figure>
</section>
<section anchor="changes-from-ietf-05-to-ietf-06"><name>Changes from ietf-05 to
ietf-06</name>
<figure><artwork><![CDATA[
* Address Eric Vyncke (RAD!) AD review comments.
]]></artwork></figure>
</section>
<section anchor="changes-from-ietf-03-to-ietf-05"><name>Changes from ietf-03 to
ietf-05</name>
<figure><artwork><![CDATA[
* Updated "entry requirements" to be "Specification Required".
* Marked values 128 - 252 as "Reserved" in "Digest Algorithms" as
break-glass mechanism in case we get a flood of these. To align with the
"DNS Security Algorithm Numbers" registry (that reserves 123 - ...)
* Marked values 253 and 254 as "Reserved for Private Use" in "Digest
Algorithms"
* Deleted the (now superfluous) column "Status" from the "Digest
]]></artwork></figure>
</section>
<section anchor="changes-from-ietf-02-to-ietf-03"><name>Changes from ietf-02 to
ietf-03</name>
<t><list style="symbols">
<t>Fixed the reference in the Abstract (no links in Abstracts)</t>
<t>Added Updates: to the header.</t>
</list></t>
</section>
<section anchor="changes-from-ietf-01-to-ietf-02"><name>Changes from ietf-01 to
ietf-02</name>
<t><list style="symbols">
<t>Changed the MUST values in the tables for the Use columns to
RECOMMENDED based on discussions on the dnsop mailing list.</t>
<t>Other minor wording and formatting changes</t>
</list></t>
</section>
<section anchor="changes-from-ietf-00-to-ietf-01"><name>Changes from ietf-00 to
ietf-01</name>
<t><list style="symbols">
<t>Only NIT fixing</t>
</list></t>
</section>
<section anchor="changes-from-hardaker-04-to-ietf-00"><name>Changes from hardake
r-04 to ietf-00</name>
<t><list style="symbols">
<t>Just a draft name and number change.</t>
</list></t>
</section>
<section anchor="changes-from-03-to-04"><name>Changes from -03 to -04</name>
<t><list style="symbols">
<t>Changed the columns being added from 2 per table to 4, based on
discussion within the dnsop working group mailing list. This was
a fairly major set of changes.</t>
</list></t>
</section>
<section anchor="changes-since-rfc8624"><name>Changes since RFC8624</name>
<t><list style="symbols">
<t>The primary purpose of this revision is to introduce the new
columns to existing registries. It makes no changes to the
previously defined values.</t>
<t>Merged in RFC9157 updates.</t>
<t>Set authors as Wes Hardaker, Warren Kumari.</t>
</list></t>
</section>
</section>
</back> </back>
<!-- ##markdown-source:
H4sIAAAAAAAAA+09a3MbOY7f9St4zoeNtySN33G8dVXrsz0bXxw7FzkzNZVy
XVHdkMR1N9lDsqVod+Zv3R+4P3YFgOyHXn7M4zI7k6rdabe6QQAEQAAE0b1e
r+OVz+BEbJ1fDwYXZ+LMzgtvxlYWE5WI02xsrPKTXHyAxOQ56FR6ZbT4WKTS
g3hvTQLObXXkcGhhWoOpXnRLj6Ym0TKHE5FaOfI9BX7US7UzRc+OkuOjvYPe
ULne7n4nkR7Gxs5PhPNpRxX2RHhbOr+3s/N6Z6/jvAWZn4jLi9uvOyUN4k7E
693DVx0zdCYD+hsBdjrOS53+t8yMhhMxB9cp1In45E3SFc5Yb2HkusLNc75I
TZLLolB6fNfpyNJPjD3pCNHrCCGE0u5EfNsXb6RN5T1YuskEfQuufdvY8Yn4
ODj76nJwSTcglyo7EUjzXyfhSdfX4JfAvy1zaVUTuLQWdPM+Qf+bMeMMmsBn
9OBf7+lBgt3RxubSqykgGR++Ptvb3X0dLo93946qy1cH4RK5iJfn14O3F9/1
Lk+vT09ojJobNWb4K93w0o7Bn4itifeFO/nqq9ls1ldSy76x46+kc2qsc9De
fZVq13OQ9GQ27ukyH4Jdea//Oc9erLjf293iAVl2z68HYgBJaZWfN0T2mh9G
MgbPImEjBa5nbc/PC3BtXCCDMevIQI01WPHyfLAtPoAzpU2A9Mim4uWHD9vi
dl6AOFdjcL6hMJ2O0qOFCTvY2Y9Tc3C4E+fucPfwMF6+2tmLl6/398Pl0dFO
fODo1fFuuHx1eBwfON453omXR3vV7O8f0eXt1aCXqGIC1pUKtennFAGfuV4h
rczB4+y3/+x/nvg8e9G+2TtocfrWSu0KY724knOwtQS8vL0abIv31XudTq/X
E3LovJWJ7yCM2wmIYKkKa7xJTCZyeQ9OlA6EGYmptMqUTiQtcyhrq+YNvjlV
Keke8gS0VwnPvBmRTKbSSyF1ik+aEd7VRvfgs3IedAJ9IW6NAO1KS0CU9mBN
AVYOVYaEDMHPADTBsuBMNgXrCCDe4XlQnuREOLD4a1coLxTKvNCA9lbaOeLq
CkjUaC6Gxk+EFA48olPRI1ReZIATwwRY+L5Ulm7QgAivdHIMYlyqFDKlgVjA
yAs/kV74CVgQygnpRQbSeWE0NIagh2SWEamt4ZxwZYEziRyZKIcGuMRfhYUi
kwkw0ZVVj+JKd3MzRVwmxMJEaqNVIjMR1O0pRDYolDoheCNjo5yMrMmrgb0R
UpPUCwtj5byd9xl1wl4DMxofyzIzQ1B+AiJTjvjeGtkbMQSRGwsCpFPZXPBi
lnYJqQijBrD0AoK3MAKLUpX2xdelx1mBzx60I/56IzxiF5FFRhEQmYIodQpW
aJh1WQoTxkxmARGk2i1NjcycwYeNLYzFtZcQtDBVDlKBkIg9gXuJ0U6lYMN8
R2biOtOvNLKCnRpwQhsvkonUYyDIzktfOvHy3cfBbVe8O/2uKz5cnN28e3dx
fX5x3hXgk/42jWtG9EJDWZFtkAql4wT+haVRMdIzY+/xrRHzLaLh+mw5cpWm
GXQ6L8Sl9takZYJEENatleei5vdLJntbfArm9A7HKpEzjzUc/aaRQrOp9LhJ
k2SjkcJIaUjFcF7ZLJyuLk5NVqb40qewgNx1+fJw53W4xAXkjmb9U1hD4g+v
9/fDJa4h4RJXi7swXZXuL1qtbm1etnKJ/qJhE1Rp31bg3NuL7xYIqqhRmgc8
2ju4YzOJ1pkmKynRvUGHKYrE8nw3lUkmaAbVMAPWcRR2cgflMAOiPWgZjRBE
gOUu6A04lOum++sIOFjhDQIoymGm3KTLOlZJcWWZmmZpDcpkbFApKrLD2C0t
qk1ZUGQFro+vnqapQsRkluEEOCHTqUoAYdDUeBOWBpmmbomYkbEsSkVm5iRm
yJEJBIPIyLomuiQE0d45latM2ohwwY4+SzsaULz5adGXuKtsEc7BjNaONqui
sWy+hcMpXfOlghFRZgfG1eZw+dl+p/PihRDncZpOy1Thk5UZSkxW5hp5mLK+
ViA+bW12NbfuPjU85rsoXJ9iVPRM55BmuOI9DsL+7F1DDILnFSWlmnVCoFI9
dK2IzsuFBVgDk5oDeF67Jmo8ES6SCp8LSOLDksR1BlmGohas2Xr3JdqlxUUf
MZspPyHZUyOaMC/Qi8Gf62VhpCBLSRJqZ2wuYIr+kMOVxStdmtJl874Q1zDr
Cuet0WOwCwomiwKkZVkhL2zBpOYSkRYjU7JFGILIUJKJC+TlaFpfrBorUjXh
J6YcT9hvAQsjY6H7XK8KfY5qHoYQvQA2C17lpM30X6WFsSmZHxT0DBIfHSAN
M2FBBkPcdB9QE6VwuSHHBH1nshg06WguA5E1O9g2umqeUygs1OtUg28pQM5o
ayMy5vwwQtwsb0Mg1wDslN3YoNwOkCgeidBoON4TmNeMbfEiV1rl6h/B+UpM
isDxyc/KzytLPwEhpPcyuReutCOZQC1qBVj0lAkVM2rpDUkHi2mYEvQgkBG6
0jZSi4kRM+UmvHqwTaWBE6NHaow8DjqKsi+MJjEC4eQoqHpFbF+IU/SNk8nC
ykK+F5lynu+WOScQQ1N6MZuoZNLknZuYMkuR6YwXpGhBpE1JzJnVCzLLC1Zf
XGoxBg1WZiHECCYBpxEZwQDzsDIjW8YL2hUGD1AyUjULaZmg90KqszIy8KaI
4QEC9BPIgwWnxBLea2apKg0TVzCFzNHU/gezmJRHVi7p6tAOSUO3GN9b7b8Q
AwI1MrMgU6JFTqXK0KlAmcwNz+UCOUteNDs8bjGaoKcJA5OqUfQOa11ecFSb
EV4wBEumZ2nJFyCb0kFuQ3i5/XTDaaFXHuQfgqilw0Qv3kxRTVWOge/XOP5n
iUh268hRGzEupZXaA3DMJD2KeDbH1YVcb0ibMjVTWSaGiC2smSwOaWj6mWt9
Ia7UPcyUg2703NpA0RFtrirkapbDv9f0tClnW0KxKC0ghI03RsxA3ncFUjoF
ms1hNEgeUP6tuQfdDetglsX1oWVp27izLV2hfvjMooHWjUkJjEIDh7kloLVn
bGVaoipGsQxLuWNNQRlZVEdvwroUQlrVeGRhaiYqQwXPpaLQpeEeZDgJHzUa
nQAGFx5cg2jdrr0OC9IZ7bptWlrE4xJCDoSZaaQnLpgYJuKv1ze3zTgRZ4Ni
R6WdB0luRaosJJ7nufUu/ff65rYvxIB9XPKu9WJSYyI5Wh0CTzMyQxmMY6Rb
I5bLRIiRss435Dwsv03kG0hLwo4FYqCiowujEToDZiRKx468KPW9NjO9FHBx
8Csrz+EfmLXAexbI7ZDoafMSHi1+ZRai1LXdK15uJnIKxInmlKyeiMzMMPFA
nKNwgXRkvpDZwgxjyG7F3FcMifEW6SOijIaijiz/VNlajlNrYmOKL6pLS2w5
DkKADlzLYt0gj1tzj9Nu0SIiBOHK0UglCnSQJLTTGS5BYaywOhIvq+yLvWdO
R0nD7QhCNFjh0jpkQZ38wzctYGQZF0VS06nMVFgMlWeh+Ka+tQoQqhvoxJRW
jnmCLHipdAtsyNY1tBonaxltXpA/NN1bbdhkVK7VPcwx0ZI6sYWvbXX5v/g6
Xn+4+K+Plx8uzvF68Ob06qq64CcQzNbgzc3Hq/AIXtUvV3KFfy6IGg11+t1W
Fexv3by/vby5Pr3aYvPacq0sBH0kg1VYCMqQgkusGrKQKi3+4+y92D0Q//xn
2E/58Ue+xl2UH3/EiDaYdvLw+E/yXTkKCVBklolEFsrLzNEK7CaorGgReRo/
BfB3VQqNUwoebC4CFxhf5P5UZkiEN+3cWIg1aqYtPLzAsCUvZcIRXzIxDsgN
QRWKWLRNFFK8AC54FuwXUKyRZIC2FC2gBeeq3GHbR2naSw5cX1CiQ49D1NQK
bVf7OSuSKHXMTAx+jyrepLbLC65BTwvHqtIBFu0aWdVGYoCzxPHZDXkagQsh
ahhw1Ct4Rwrf/6H38L9HPPMDwRIfYo537b8fxBnRFAhZ+cjPj9fm1Anj9dFB
M+c+CGnPLwytaFqN/v9Fqwqq1/DsS0KrwbNfAq2FTdRVMr8wiY1c3C83iU9H
61eRrUegtXISGzz7ktD6xWTrnyfiRTT/tOv871tn8U9KwNAeaMwkbjD+Wz+S
hxTM7jm5EgVnazroHKGvQW51M+OOiUhbLT8hEFyTge7EDLTwlIKQFk46ndXm
9KRzIi51ilmFlSsvvcLxQ2uTgpYthRHOyq3n/tJ49bw8e0ilA7COiE6uoaE2
2b5HjVY5DhvoXNh9c2bkZ5I8swfk8OfGoEX6kyVmQa82ykit4v+6YvJEGh8z
T+tI/bXkZNqM9kKMh6JCZic4zegun2EqDv/4RmYlONGJu4f4O2WTQXvOVdTW
Zu485Ct2u6otNYr+FVWWNHMEUxyDNoIx/KrkcbVVCiHeWtnAKG6T0m9hpo1A
PMDzrUpBKCkWMnsNd35rQKnUmHUNYW26JQqTqWTOwWB7n3p37+iuuRVBu8LW
5MZXqURIacuqbOzzt1aLZnKDAtUx7aLxlhbNCgYRIfSYWNx3YnauwTagQFux
RCglZvCNhWkJgX7kSl+8vEgxfAfx8sPXhMpFqryxoicKrOvBRCNmMDlq4sw9
J1IZhe0T3LVAScgVbrafPJavXLEA/G6dxyf8OC+DhpgSNpg6s56zFlMFs6A6
35fgfH97vVBTNjaJOlCt3FNWBqW7sVLnkYJf7W9HuQ0JqLZcPkGoV75v7BOE
moVP6rkwmFgNs417l2G+A2+RzQOqg8CczCnttvUfNAeLxYoNVrABaG0fPNoG
1Bb52WZgEcSTmMaJJo7jf6IZ2MDDX1P6mux4pgC2QDyFnUSG+UkyeEn7FwoZ
oBazjgvpPtWoF4s1j6EoLgepQ6UXJbBHmZxB+hdhJaLFae3G6hvywzQqKHwE
gTSz+y3Li4XnvHutXemise3SC5nKlQ85/KJA0xiro3BBd7X7RtlBZKcL0ka5
tQTTz1TZg/+7wWeClERNWs56NrKplOS8vrnFl5tPxQoHKqpEsY16vWZJjonD
DfJTLxur0aTXV2C6BuNV6NJKtojxRleAwa2T69XYXxsfClll02ghqlEEufyD
tmAryxZV0M9MxaYabF3DUqUIHRc2ONpV5QVZaeWVzCLvOJ1bmKLMpI/55roS
zcwc1wa2CYyDRiiUyMYyjzpr3S4wC0AWceaNOIgOkXAyhwqmqyzUwtjhAVft
RIVt/jqLXm1hx93DpubBvLFv1NiBCmCRyVjTQcLUzviGuS4dbPUbc9iUanKF
InUBIipZSywpQ88VaMZacIXRZMFrQjnTW/MZK52jgBDUvhDfAntOFQ41Acuu
aUC9mgAuMJmCHUN72xc5sao2oi6lwJ0sSKGxz8TpcrFpIYnpCA4F2OwGSVyI
QiLzaF9xVd59uWjA1YvTucHUt7hGQQq41LX6oVC20yxxq1c6kkXaEVFa3FLU
usdK9W2YrrBznJeZVwUfhGltR9TudXQ9UFQCRd1GnVwo6Egmxri4uy2G6O3U
4ZZMsD6PwjAsdMIqRXYG+nUef3ViaW26aVMe6oEc1cMprJBYu8b/e6chx8pK
tyn7GJPHm9KSD+Sdn5Kj+wJ5tUtbKIPTd+eHi7nHuFwtJSXX/PDAbw//3Mr+
foG82qes7eD08XT9fnl1GORq8OZ0d4GuxcqI6ocVNx96qcWrDf++aF4dBbnq
XQ8uzvZ7Ncv+kKslXr1qyFXglyCG/SFXS7w6rnm1d3jUomsNyZt5tZEZv3Fe
7e5UvDrc3XuMiPx+5Wp3T/wgLs7Oen+7aVOxyV6dfrdZcDbYq7Wv/hZ4tU+8
Oh+cvt87PGpo4h86uMyrg4pX+8cHgzen+8cHm2XgAV5tEpxNr/4WeHWIvDrf
Ozzcff04ujbzaiMzfuu8OiJeHRwcP1ZEfsdy9Ur8IAbv9r4avNt/LK822vbN
vPpN2/Y9tO20Bn4Q+wf93Z3e3g75Dn/waplXh8iswqopZoHrFNMfvFrFq4OV
vLq5PP+DXS12YcGazMZc3xMq1i7buwsxLbsxMxwSvlS2tmI/8LmtbX61jPOj
EKZc8YM4N7ZbV2Sj9zdmo5+SiqY969XZ6MelommbbDEbvU5wniuHjxDCh58I
WWmStZWZ6U3Fus9ITbfefloF6RfKu53Ip+uPV1fi5dn5gDaSt39CKuwRebAn
ZMrWUfMF8K7KJQ7enPYWc7Gb+PNgGPow7zb8+03wbq/Ju0fm0H5aCP+vw7v9
SE3DQ97tvT54WC+fmyp6oiuzjpovgHcHkRqUu5gFeQx/nh22PjFyXUfNF8C7
w0hNS+4oMnuuj/wY3v1LyN1RpGYx+n8+f34PvMMwJHWPiUJ+xtiiilkEBS1V
iclZq/VcVZFVNRloNxZSiXAUFVHDG9CpE0aHbn7Uhc6CHmPfllGsEVnbIjIc
l41NZxqv0t/3MHfVqXcqnvX4QrPL1gKm1PalgRWd+MdiUgCr9LhT976rmlpS
E65h6DDD0d7Kto0YtWhD/SmpWqpF00zOuSptXkjnQoOemnv4N56UxyJyHiPW
vTXPECdGJ2DxWIp3kI0ixe1eP2uZGYqvmuf3WXK6VeEkFUKthEqlV2t60S2z
uxmnpXjqYqS4xDceYa7Pisez7FQd26oma/V6YOZ6wY0YuLyPm38IPunf6GtH
7Qa4HrLNCwsOpE0m2CFgJC222ExRfhhepmAKVecAPmdusV/kPXYaoTp5KsKS
KXxfSmo/Eho+lZp7XGH5DnIR8Q2tqXTVoSJVLsEpnsfuOH3xxsxgikW0ntvA
6T+1ym9xtvj3AG1V06ClPjaxTYlyrlzZ+oqr2xtNryq+UXxcYIdXlYCrDvZL
C5LF8QN4ZUNTjEYDD2OEM0aLGQXcFlyZUVcpyR0xqM1E3aeMzxl4LARvAOFj
4e1+F6Sc9Sl7asjCXA0gEfy6xmHNVi556ahBBrUVxSiPilBHHqxIpIVRmbW7
a3KyJAXSB5eZWWg/IArDfRC5MvCmCM/LbJWJXGoXYrGCFfthEG8yPOYUW4bI
2GYr1kBjwxSg/Mqn0Hr4jhvhhe7Dd6TLjVayRosJVt6b2KCmHpjmO4wdCmrP
B4/Ei9pkLSGHID4WOFOtDlUilGxSwSu3inIEPSRZ8Des5n8LNAOx3u0tzMXL
t4O329zhAgUYVRPfaB/eo+NcUmXYjKRbt3/DdBt58SWhxMmeFoXcGCYctGkg
JGPHk7eDtzyn1OZgeTJvYwcE6uFCh2RYRkN/V2rQ2GxcyJO1ossgnnRrJp78
ytJmbgcS+r63TpKt75xYnyXrLDcBJpQd09DAed1ZWLHiqMTLFoHbC8dWWnQg
kVU/zehWUKeGP6+tlF/5Y6PQnH/fWLS+4ZEmIJ5PV5UWR/NQ1YuHA5LR0UIT
GipnebGmRSwylxSq3T2UTVzdhiyed6laebYkpXEEMOQsc+mTSegO8tnHvinx
7GKrB+Ji9xVMgqLoDcLSvfcnx/XUwXlo0LXhSEiNCnZlazbxrFuA0sGKtpjV
74R2wZJPolWNRFcIcmdl1XK70+iiHqxPMD9J9DeAESjtg0dI+uPlvHEW6CeI
+hKUX1Da99dJ+5+rGXlQ0BcM4Dy4HxtEPExRu9Pn0EyBBn4n7X1EdXfvWPTE
3uEeyy+3uEq3lp7DjULUCdwEaz5JaL4Pe2IfHfCb5/FoJoiX2sywmxPYUYaN
7LbjwYWtAfXz24ptLKElgL+87j1f89bLPK9/pwm62BmkY+L88kh4YFU6OnYV
28DiOSzXxa7B9K2QbmhjNkMc6FA3B1DvZYk7LN+a0sdGZDc6tfB3MSgroviw
b3D32n2lEN4E5BRdY/SmSxcis0JarxJVSES4CuDOrwc376kxOfJ9bE1ZxPCE
kHJ4rMxCooIgd0TsRTsqM83dPAlQTqfwCqW5bXVouEQjt6B3RAuTqlu/mEBW
QCrcRBbktjeI6uN5FzzVdx/Z88aMRrlkFxRvVfwKOqUscciqYUkuCHz2PA/k
quHCLYcA6JAm9xg7DCZlbrR4U35fQldcq8RkUokrmOdS664YiHfGaHAyn3fF
OznWpRPXc+ft//5P3kVw7/EDEOJ2YnLpHHbgGngYSS0+DodK3/PQV2YstUxB
i28gmyqdWj5334kNDvmIsQtNXPN4uoabww9lco+yRwfr4cqMOx08Nh3OTJ/E
I9OhZxuxr3o0OkyiLND61Eeo8QjziwgzWDX6Ts7uDkWWdLnLzaPIXOh5aKwV
0AvtSXCuxeXF4G+RhjVgd17XYHfaYCuIAVyMyh4D9biCuvM6Aj0lm5Arx/0J
MzNWlmLtl7HIBtm8VESyjiE7r+oxjuMYb6ROsxBEOmElfZEgLSn4o0ObGX6d
AhMG8Ssm+Fb4hBB/Qai+zSdYtfJipD6TByzEOmSOamReRWS4+Sk3YhauOuyK
3yK5rzRpHcDDGuBRg4M0rxdWJeKbuU7u8aT+6fm/bYvT83geviGnqyHv15AP
I+SPoeP0Fh9Ybi5iWyFtse5QdL+SGVoWNq9x6PetMuZ8vFAMLcj73jjDXFMO
yD/lqMUHnooVMzxbiIc0R5kxadWcvo8fCZCZGuvKzyFgj447xEsyeZaRRNz3
RU/0+/3tlaQ9elluEEuAGgQHwLxmp09dtCPQNRO8V0/wPk3wn8XX6nMYpl5b
QynCafg6DiIgMqXvyTmPd912p6G8H+O3tsK6PAGZgl0rabs1InsBkbOoExPg
2Lc6As9OFTpwdY4YXc12d4P2Gb+4osd1lVa6kB6lD4th6z0KmtG96Accbkiv
c6WNpb6UsUMKf3qJDuaHr0CsI6y2xTu7ESgegb6+vEVbgZHk0pvxo1+9nYP6
7Z3w9n+icyv5u2jU9pQQ4m9eBWRWcDnocm/nYAV3I9+ajQvprT3MtIRGQN6I
g27FRmZwzcvQZKbBzpbj0GZucLhmQZVRTaXCVo+5/DsecucPgwTGtonhs8Ph
dHIghXqyW5XjV4yK0hbGQeVa0admqEUyt4qMjXNjooYRqAWnbrjQ+HgGdVPm
Lz9ps/DZDwZQ4DjUB7pq98DSGgXpHR7YjR+XwcUjriTxgQGaq+i1udZX4rrt
z7r1O/8HgJHb15JvAAA=
</rfc> </rfc>
 End of changes. 56 change blocks. 
1153 lines changed or deleted 1371 lines changed or added

This html diff was produced by rfcdiff 1.48.