idnits 2.17.00 (12 Aug 2021) /tmp/idnits29681/draft-ietf-dnsop-dnssec-iana-cons-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 104: '... MAY be implemented. For clarifi...' RFC 2119 keyword, line 105: '... be specified as MAY in this document ...' RFC 2119 keyword, line 106: '...owngraded from a MUST or a RECOMMENDED...' RFC 2119 keyword, line 115: '... this document MAY be implemented. F...' RFC 2119 keyword, line 116: '...rithm will be specified as MAY in this...' (2 more instances...) -- The draft header indicates that this document updates RFC3658, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC3658, updated by this document, for RFC5378 checks: 2001-05-30) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (23 August 2021) is 270 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'DNSKEY-IANA' is mentioned on line 114, but not defined == Missing Reference: 'DS-IANA' is mentioned on line 114, but not defined -- Obsolete informational reference (is this intentional?): RFC 3658 (Obsoleted by RFC 4033, RFC 4034, RFC 4035) Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Hoffman 3 Internet-Draft ICANN 4 Updates: 3658, 5155, 6014, 8624 (if approved) 23 August 2021 5 Intended status: Standards Track 6 Expires: 24 February 2022 8 Revised IANA Considerations for DNSSEC 9 draft-ietf-dnsop-dnssec-iana-cons-02 11 Abstract 13 This document changes the review requirements needed to get DNSSEC 14 algorithms and resource records added to IANA registries. It updates 15 RFC 6014 to include hash algorithms for DS records and NSEC3 16 parameters. It also updates RFC 5155 and RFC 6014, which have 17 requirements for DNSSEC algorithms, and updates RFC 8624 to say that 18 algorithms that are described in RFCs that are not on standards track 19 are only at the "MAY" level of implementation recommendation. The 20 rationale for these changes is to bring the requirements for DS 21 records and for the hash algorithms used in NSEC3 in line with the 22 requirements for all other DNSSEC algorithms. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on 24 February 2022. 41 Copyright Notice 43 Copyright (c) 2021 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 48 license-info) in effect on the date of publication of this document. 49 Please review these documents carefully, as they describe your rights 50 and restrictions with respect to this document. Code Components 51 extracted from this document must include Simplified BSD License text 52 as described in Section 4.e of the Trust Legal Provisions and are 53 provided without warranty as described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 2. Update to RFC 6014 . . . . . . . . . . . . . . . . . . . . . 2 59 3. Update to RFC 8624 . . . . . . . . . . . . . . . . . . . . . 2 60 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 61 5. Security Considerations . . . . . . . . . . . . . . . . . . . 3 62 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 3 63 6.1. Normative References . . . . . . . . . . . . . . . . . . 3 64 6.2. Informative References . . . . . . . . . . . . . . . . . 4 65 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 4 66 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 4 68 1. Introduction 70 DNSSEC is primarily described in [RFC4033], [RFC4034], and [RFC4035]. 71 DNSSEC commonly uses two resource records beyond those defined in RFC 72 4034: DS [RFC3658] and NSEC3 [RFC5155]. 74 [RFC8126] gives guidelines for listing in the myriad IANA registries. 76 [RFC6014] updated the requirements for how DNSSEC cryptographic 77 algorithm identifiers in the IANA registries are assigned, reducing 78 the requirements from being "Standards Action" to "RFC Required". 79 However, the IANA registry requirements for hash algorithms for DS 80 records [RFC3658] and for the hash algorithms used in NSEC3 [RFC5155] 81 are still "Standards Action". This document updates those IANA 82 registry requirements. 84 2. Update to RFC 6014 86 Section 4 updates RFC 6014 to bring the requirements for DS records 87 and NSEC3 hash algorithms in line with the rest of the DNSSEC 88 cryptographic algorithms by allowing any DS or NSEC3 hash algorithms 89 that are fully described in an RFC to have identifiers assigned in 90 the IANA registries. This is an addition to the IANA considerations 91 in RFC 6014. 93 3. Update to RFC 8624 95 This document updates [RFC8624] for all DNSKEY and DS algorithms that 96 are not on standards track. 98 The second paragraph of Section 1.2 of RFC 8624 currently says: 100 This document only provides recommendations with respect to 101 mandatory-to-implement algorithms or algorithms so weak that they 102 cannot be recommended. Any algorithm listed in the [DNSKEY-IANA] 103 and [DS-IANA] registries that are not mentioned in this document 104 MAY be implemented. For clarification and consistency, an 105 algorithm will be specified as MAY in this document only when it 106 has been downgraded from a MUST or a RECOMMENDED to a MAY. 108 That paragraph is now replaced with the following: 110 This document provides recommendations with respect to 111 mandatory-to-implement algorithms, algorithms so weak that they 112 cannot be recommended, and algorithms that are defined in RFCs 113 that are not on standards track. Any algorithm listed in the 114 [DNSKEY-IANA] and [DS-IANA] registries that are not mentioned in 115 this document MAY be implemented. For clarification and 116 consistency, an algorithm will be specified as MAY in this 117 document only when it has been downgraded from a MUST or a 118 RECOMMENDED to a MAY. 120 This update is also reflected in the IANA considerations in 121 Section 4. 123 4. IANA Considerations 125 In the "Domain Name System Security (DNSSEC) NextSECure3 (NSEC3) 126 Parameters" registry, the registration procedure for "DNSSEC NSEC3 127 Flags", "DNSSEC NSEC3 Hash Algorithms", and "DNSSEC NSEC3PARAM Flags" 128 are changed from "Standards Action" to "RFC Required". 130 In the "Delegation Signer (DS) Resource Record (RR) Type Digest 131 Algorithms" registry, the registration procedure for "Digest 132 Algorithms" is changed from "Standards Action" to "RFC Required". 134 5. Security Considerations 136 Changing the requirements for getting security algorithms added to 137 IANA registries as described in this document will make it easier to 138 get good algorithms added to the registries, and will make it easier 139 to get bad algorithms added to the registries. It is impossible to 140 weigh the security impact of those two changes. 142 6. References 144 6.1. Normative References 146 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 147 Rose, "DNS Security Introduction and Requirements", 148 RFC 4033, DOI 10.17487/RFC4033, March 2005, 149 . 151 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 152 Rose, "Resource Records for the DNS Security Extensions", 153 RFC 4034, DOI 10.17487/RFC4034, March 2005, 154 . 156 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 157 Rose, "Protocol Modifications for the DNS Security 158 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, 159 . 161 [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS 162 Security (DNSSEC) Hashed Authenticated Denial of 163 Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, 164 . 166 [RFC6014] Hoffman, P., "Cryptographic Algorithm Identifier 167 Allocation for DNSSEC", RFC 6014, DOI 10.17487/RFC6014, 168 November 2010, . 170 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 171 Writing an IANA Considerations Section in RFCs", BCP 26, 172 RFC 8126, DOI 10.17487/RFC8126, June 2017, 173 . 175 [RFC8624] Wouters, P. and O. Sury, "Algorithm Implementation 176 Requirements and Usage Guidance for DNSSEC", RFC 8624, 177 DOI 10.17487/RFC8624, June 2019, 178 . 180 6.2. Informative References 182 [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record 183 (RR)", RFC 3658, DOI 10.17487/RFC3658, December 2003, 184 . 186 Appendix A. Acknowledgements 188 Donald Eastlake and Murray Kucherawy contributed to this document. 190 Author's Address 191 Paul Hoffman 192 ICANN 194 Email: paul.hoffman@icann.org