forked from oerdnj/draft-ietf-dnsop-algorithm-update
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdraft-ietf-dnsop-algorithm-update.xml
492 lines (439 loc) · 18.5 KB
/
draft-ietf-dnsop-algorithm-update.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
<?xml version="1.0"?>
<?xml-stylesheet type='text/xsl' href='./rfc2629.xslt' ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC4034 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4034.xml">
<!ENTITY RFC5155 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5155.xml">
<!ENTITY RFC5702 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5702.xml">
<!ENTITY RFC5933 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5933.xml">
<!ENTITY RFC6605 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6605.xml">
<!ENTITY RFC6781 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6781.xml">
<!ENTITY RFC6944 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6944.xml">
<!ENTITY RFC6979 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml">
<!ENTITY RFC6986 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6986.xml">
<!ENTITY RFC7344 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7344.xml">
<!ENTITY RFC7583 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7583.xml">
<!ENTITY RFC8032 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8032.xml">
<!ENTITY RFC8078 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8078.xml">
<!ENTITY RFC8080 PUBLIC "" "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8080.xml">
]>
<?rfc toc="yes"?>
<?rfc strict="yes" ?>
<?rfc linkmailto="yes" ?>
<?rfc symrefs="yes"?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc sortrefs="no" ?>
<?rfc rfcedstyle="yes"?>
<rfc ipr="trust200902" docName="draft-ietf-dnsop-algorithm-update-01" category="std" obsoletes="6944">
<front>
<title abbrev="DNSSEC Cryptographic Algorithms">Algorithm Implementation Requirements and Usage Guidance for DNSSEC</title>
<author fullname="Paul Wouters" initials="P." surname="Wouters">
<organization>Red Hat</organization>
<address>
<postal>
<street/>
<country>CA</country>
</postal>
<email>pwouters@redhat.com</email>
</address>
</author>
<author fullname="Ondrej Sury" initials="O." surname="Sury">
<organization>Internet Systems Consortium</organization>
<address>
<postal>
<street/>
<country>CZ</country>
</postal>
<email>ondrej@isc.org</email>
</address>
</author>
<date year="2018"/>
<area>Security</area>
<workgroup>dnsop</workgroup>
<keyword>Internet-Draft</keyword>
<abstract>
<t>
The DNSSEC protocol makes use of various cryptographic
algorithms in order to provide authentication of DNS data and
proof of non-existence. To ensure interoperability between
DNS resolvers and DNS authoritative servers, it is necessary
to specify a set of algorithm implementation requirements and
usage guidance to ensure that there is at least one algorithm
that all implementations support. This document defines the
current algorithm implementation requirements and usage
guidance for DNSSEC. This document obsoletes <xref target="RFC6944"/>.
</t>
</abstract>
</front>
<!-- ====================================================================== -->
<middle>
<section anchor="introduction" title="Introduction">
<t>
The DNSSEC signing algorithms are defined by various RFCs,
including <xref target="RFC4034"/>, <xref target="RFC5155"/>,
<xref target="RFC5702"/>, <xref target="RFC5933"/>, <xref
target="RFC6605"/>, <xref target="RFC8080"/>.
DNSSEC is used to provide authentication of data. To ensure interoperability,
a set of "mandatory-to-implement" DNSKEY algorithms are defined.
This document obsoletes <xref target="RFC6944"/>.
</t>
<section title="Updating Algorithm Implementation Requirements and Usage Guidance">
<t>
The field of cryptography evolves continuously. New stronger
algorithms appear and existing algorithms are found to be
less secure then originally thought. Therefore, algorithm
implementation requirements and usage guidance need to be
updated from time to time to reflect the new reality. The
choices for algorithms must be conservative to minimize the
risk of algorithm compromise.
</t>
</section>
<section title="Updating Algorithm Requirement Levels">
<t>
The mandatory-to-implement algorithm of tomorrow should
already be available in most implementations of DNSSEC by the
time it is made mandatory. This document attempts to
identify and introduce those algorithms for future
mandatory-to-implement status. There is no guarantee that
the algorithms in use today may become mandatory in the
future. Published algorithms are continuously subjected to
cryptographic attack and may become too weak or could become
completely broken before this document is updated.
</t>
<t>
This document only provides recommendations for the
mandatory-to-implement algorithms or algorithms too weak that
are recommended not to be implemented. As a result, any
algorithm listed at the <xref target="DNSKEY-IANA"/> and
<xref target="DS-IANA"/> registries not mentioned in this
document MAY be implemented. For clarification and consistency,
an algorithm will be set to MAY only when it has been downgraded.
</t>
<t>
Although this document updates the algorithms to keep the
DNSSEC authentication secure over time, it also aims at
providing recommendations so that DNSSEC implementations
remain interoperable. DNSSEC interoperability is addressed
by an incremental introduction or deprecation of algorithms.
</t>
<t>
While <xref target="RFC2119"/> consider term SHOULD
equivalent to RECOMMENDED, and term SHOULD NOT to NOT
RECOMMENDED, the authors of this document has chosen to use
terms RECOMMENDED and NOT RECOMMENDED, as it better reflects
the recommendations for implementations.
</t>
<t>
It is expected that deprecation of an algorithm is performed
gradually. This provides time for various implementations
to update their implemented algorithms while remaining
interoperable. Unless there are strong security reasons, an
algorithm is expected to be downgraded from MUST to NOT
RECOMMENDED or MAY, instead of MUST NOT. Similarly, an
algorithm that has not been mentioned as
mandatory-to-implement is expected to be introduced with a
RECOMMENDED instead of a MUST.
</t>
<t>
Since the effects of using an unknown DNSKEY algorithm is
for the zone to be treated as insecure, it is recommended
that algorithms downgraded to NOT RECOMMENDED or below are
no longer used by authoritative nameservers and DNSSEC
signers to create new DNSKEY's. This will allow for
algorithms to slowly become more unused over time. Once
deployment has reached a sufficiently low point these
algorithms can finally be marked as MUST NOT so that
recursive nameservers can remove support for these
algorithms.
</t>
<t>
Recursive nameservers are encouraged to keep support for all
algorithms not marked as MUST NOT.
</t>
</section>
<section title="Document Audience">
<t>
The recommendations of this document mostly target DNSSEC
implementers as implementations need to meet both high
security expectations as well as high interoperability
between various vendors and with different versions.
Interoperability requires a smooth move to more secure
algorithms. This may differ from a user point of view that
may deploy and configure DNSSEC with only the safest
algorithm. On the other hand, comments and recommendations
from this document are also expected to be useful for such
users.
</t>
</section>
</section>
<section anchor="mustshouldmay" title="Conventions Used in This Document">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in <xref target="RFC2119"/>.
</t>
</section>
<section anchor="algs" title="Algorithm Selection">
<section anchor="algs_dnskey" title="DNSKEY Algorithms">
<t>
Implementation recommendations for DNSKEY algorithms <xref target="DNSKEY-IANA"/>.
</t>
<texttable anchor="tbl_dnskey" suppress-title="true">
<ttcol align="left">Number</ttcol>
<ttcol align="left">Mnemonics</ttcol>
<ttcol align="left">DNSSEC Signing</ttcol>
<ttcol align="left">DNSSEC Validation</ttcol>
<c>1</c><c>RSAMD5</c><c>MUST NOT</c><c>MUST NOT</c>
<c>3</c><c>DSA</c><c>MUST NOT</c><c>MUST NOT</c>
<c>5</c><c>RSASHA1</c><c>NOT RECOMMENDED</c><c>MUST</c>
<c>6</c><c>DSA-NSEC3-SHA1</c><c>MUST NOT</c><c>MUST NOT</c>
<c>7</c><c>RSASHA1-NSEC3-SHA1</c><c>NOT RECOMMENDED</c><c>MUST</c>
<c>8</c><c>RSASHA256</c><c>MUST</c><c>MUST</c>
<c>10</c><c>RSASHA512</c><c>NOT RECOMMENDED</c><c>MUST</c>
<c>12</c><c>ECC-GOST</c><c>MUST NOT</c><c>MAY</c>
<c>13</c><c>ECDSAP256SHA256</c><c>MUST</c><c>MUST</c>
<c>14</c><c>ECDSAP384SHA384</c><c>MAY</c><c>RECOMMENDED</c>
<c>15</c><c>ED25519</c><c>RECOMMENDED</c><c>RECOMMENDED</c>
<c>16</c><c>ED448</c><c>MAY</c><c>RECOMMENDED</c>
</texttable>
<t>
RSAMD5 is not widely deployed and there is an industry-wide
trend to deprecate MD5 usage.
</t>
<t>
RSASHA1 and RSASHA1-NSEC3-SHA1 are widely deployed, although
zones deploying it are recommended to switch to
ECDSAP256SHA256 as there is an industry-wide trend to move
to elliptic curve cryptography. RSASHA1 does not support
NSEC3. RSASHA1-NSEC3-SHA1 can be used with or without
NSEC3.
</t>
<t>
DSA and DSA-NSEC3-SHA1 are not widely deployed and
vulnerable to private key compromise when generating
signatures using a weak or compromised random number
generator.
</t>
<t>
RSASHA256 is in wide use and considered strong.
</t>
<t>
RSASHA512 is NOT RECOMMENDED for DNSSEC Signing because it
has not seen wide deployment, but there are some deployments
hence DNSSEC Validation MUST implement RSASHA512 to ensure
interoperability. There's isn't significant difference in
cryptographics strength between RSASHA512 and RSASHA256,
therefore it is discouraged to use RSASHA512, as it will
only make deprecation of older algorithms harder. People
that want to use cryptographically stronger algorithm should
switch to elliptic curve cryptography algorithms.
</t>
<t>
ECC-GOST (GOST R 34.11-94) has been superseded by GOST R
34.11-2012 in <xref target="RFC6986"/>. The GOST R
34.11-2012 hasn't been standardized for use in DNSSEC.
</t>
<t>
ECDSAP256SHA256 provide more strength for signature size
than RSASHA256 and RSASHA512 variants. ECDSAP256SHA256 has
been widely deployed and therefore it is now at MUST level
for both validation and signing. It is RECOMMENDED to use
deterministic digital signature generation procedure of the
ECDSA (<xref target="RFC6979"/>) when implementing
ECDSAP256SHA256 (and ECDSAP384SHA384).
</t>
<t>
ECDSAP384SHA384 share the same properties as
ECDSAP256SHA256, but offers a modest security advantage over
ECDSAP256SHA256 (192-bits of strength versus 128-bits). For
most applications of DNSSEC, ECDSAP256SHA256 should be
satisfactory and robust for the foreseeable future, and is
therefore recommended for signing. While it is unlikely for
a DNSSEC use case which requires 192-bit security strength
to arise, ECDSA384SHA384 is provided for such applications
and it MAY be used for signing in these cases.
</t>
<t>
ED25519 and ED448 uses Edwards-curve Digital Security
Algorithm (EdDSA). There are three main advantages of the
EdDSA algorithm: It does not require the use of a unique
random number for each signature, there are no padding or
truncation issues as with ECDSA, and it is more resilient to
side-channel attacks. Furthermore, EdDSA cryptography is
less prone to implementation errors (<xref
target="RFC8032"/>, <xref target="RFC8080"/>). It is
expected that ED25519 will become the future RECOMMENDED
default algorithm once there's enough support for this
algorithm in the deployed DNSSEC validators.
</t>
</section>
<section anchor="algs_dnskey_recommendation" title="DNSKEY Algorithm Recommendation">
<t>
Operation recommendation for new and existing deployments.
</t>
<t>
Due to industry-wide trend to move to elliptic curve
cryptography, the ECDSAP256SHA256 is RECOMMENDED to be used
by new DNSSEC deployments, and users of RSA based algorithms
SHOULD upgrade to ECDSAP256SHA256.
</t>
</section>
<section anchor="algs_ds" title="DS and CDS Algorithms">
<t>
Recommendations for Delegation Signer Digest Algorithms
<xref target="DNSKEY-IANA"/> These also apply to the CDS
RRTYPE as specified in <xref target="RFC7344"/>
</t>
<texttable anchor="tbl_ds" suppress-title="true">
<ttcol align="left">Number</ttcol>
<ttcol align="left">Mnemonics</ttcol>
<ttcol align="left">DNSSEC Delegation</ttcol>
<ttcol align="left">DNSSEC Validation</ttcol>
<c>0</c><c>NULL (CDS only)</c><c>MUST NOT [*]</c><c>MUST NOT [*]</c>
<c>1</c><c>SHA-1</c><c>MUST NOT</c><c>MUST</c>
<c>2</c><c>SHA-256</c><c>MUST</c><c>MUST</c>
<c>3</c><c>GOST R 34.11-94</c><c>MUST NOT</c><c>MAY</c>
<c>4</c><c>SHA-384</c><c>MAY</c><c>RECOMMENDED</c>
<postamble>
[*] - This is a special type of CDS record signaling removal of
DS at the parent in <xref target="RFC8078"/>
</postamble>
</texttable>
<t>
NULL is a special case, see <xref target="RFC8078"/>
</t>
<t>
SHA-1 is still in wide use for DS records, so validators
MUST implement the validation, but it is disallowed to use
SHA-1 to generate new DS records. (See Operational
Considerations for caveats when upgrading from SHA-1 to
SHA-256 DS Algorithm.)
</t>
<t>
SHA-256 is in wide use and considered strong.
</t>
<t>
GOST R 34.11-94 has been deprecated by <xref target="RFC6986"/>.
</t>
<t>
SHA-384 share the same properties as SHA-256, but offers a
modest security advantage over SHA-384 (384-bits of strength
versus 256-bits). For most applications of DNSSEC, SHA-256
should be satisfactory and robust for the foreseeable
future, and is therefore recommended for DS/CDS records.
While it is unlikely for a DNSSEC use case which requires
384-bit security strength to arise, SHA-384 is provided for
such applications and it MAY be used for generating DS/CDS
records in these cases.
</t>
</section>
</section>
<section anchor="security" title="Security Considerations">
<t>
The security of cryptographic-based systems depends on both
the strength of the cryptographic algorithms chosen and the
strength of the keys used with those algorithms. The security
also depends on the engineering of the protocol used by the
system to ensure that there are no non-cryptographic ways to
bypass the security of the overall system.
</t>
<t>
This document concerns itself with the selection of
cryptographic algorithms for the use of DNSSEC, specifically
with the selection of "mandatory-to-implement" algorithms.
The algorithms identified in this document as MUST or
RECOMMENDED to implement are not known to be broken at the
current time, and cryptographic research so far leads us to
believe that they will likely remain secure into the
foreseeable future. However, this isn't necessarily forever
and it is expected that new revisions of this document will be
issued from time to time to reflect the current best practice
in this area.
</t>
<t>
Retiring an algorithm too soon would result in a signed zone
with such an algorithm to be downgraded to the equivalent of
an unsigned zone. Therefore, algorithm deprecation must be
done very slowly and only after careful consideration and
measurements of its use.
</t>
</section>
<section anchor="operation" title="Operational Considerations">
<t>
DNSKEY algorithm rollover in a live zone is a complex
process. See <xref target="RFC6781"/> and <xref target="RFC7583"/>
for guidelines on how to perform algorithm rollovers.
</t>
<t>
DS algorithm rollover in a live zone is also a complex
process. Upgrading algorithm at the same time as rolling the
new KSK key will lead to DNSSEC validation failures, and users
MUST upgrade the DS algorithm first before rolling the Key
Signing Key.
</t>
</section>
<section anchor="iana" title="IANA Considerations">
<t>This document makes no requests of IANA.</t>
</section>
<section anchor="ack" title="Acknowledgements">
<t>
This document borrows text from RFC 4307 by Jeffrey I.
Schiller of the Massachusetts Institute of Technology (MIT)
and the 4307bis document by Yoav Nir, Tero Kivinen, Paul
Wouters and Daniel Migault. Much of the original text has
been copied verbatim.
</t>
<t>
We wish to thank Michael Sinatra, Roland van Rijswijk-Deij,
Olafur Gudmundsson and Paul Hoffman for their imminent
feedback.
</t>
<t>
Kudos to Roy Arends for bringing the DS rollover issue to the daylight.
</t>
</section>
</middle>
<!-- ====================================================================== -->
<back>
<references title="Normative References">
&RFC2119;
</references>
<references title="Informative References">
&RFC4034;
&RFC5155;
&RFC5702;
&RFC5933;
&RFC6605;
&RFC6781;
&RFC6944;
&RFC6979;
&RFC6986;
&RFC7344;
&RFC7583;
&RFC8032;
&RFC8078;
&RFC8080;
<reference anchor="DNSKEY-IANA" target="http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml">
<front>
<title>DNSKEY Algorithms</title>
<author initials="" surname="" fullname="">
<organization />
</author>
<date />
</front>
</reference>
<reference anchor="DS-IANA" target="http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml">
<front>
<title>Delegation Signer Digest Algorithms</title>
<author initials="" surname="" fullname="">
<organization />
</author>
<date />
</front>
</reference>
</references>
<!-- ====================================================================== -->
</back>
</rfc>