idnits 2.17.00 (12 Aug 2021) /tmp/idnits29997/draft-ietf-dnsop-dnssec-iana-cons-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC5155, updated by this document, for RFC5378 checks: 2005-01-27) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (16 September 2021) is 246 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'DNSKEY-IANA' is mentioned on line 122, but not defined == Missing Reference: 'DS-IANA' is mentioned on line 122, but not defined -- Obsolete informational reference (is this intentional?): RFC 3658 (Obsoleted by RFC 4033, RFC 4034, RFC 4035) Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Hoffman 3 Internet-Draft ICANN 4 Updates: 5155, 6014, 8624 (if approved) 16 September 2021 5 Intended status: Standards Track 6 Expires: 20 March 2022 8 Revised IANA Considerations for DNSSEC 9 draft-ietf-dnsop-dnssec-iana-cons-03 11 Abstract 13 This document changes the review requirements needed to get DNSSEC 14 algorithms and resource records added to IANA registries. It updates 15 RFC 6014 to include hash algorithms for DS records and NSEC3 16 parameters. It also updates RFC 5155 and RFC 6014, which have 17 requirements for DNSSEC algorithms, and updates RFC 8624 to say that 18 algorithms that are described in RFCs that are not on standards track 19 are only at the "MAY" level of implementation recommendation. The 20 rationale for these changes is to bring the requirements for DS 21 records and for the hash algorithms used in NSEC3 in line with the 22 requirements for all other DNSSEC algorithms. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on 20 March 2022. 41 Copyright Notice 43 Copyright (c) 2021 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 48 license-info) in effect on the date of publication of this document. 49 Please review these documents carefully, as they describe your rights 50 and restrictions with respect to this document. Code Components 51 extracted from this document must include Simplified BSD License text 52 as described in Section 4.e of the Trust Legal Provisions and are 53 provided without warranty as described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 2. Update to RFC 6014 . . . . . . . . . . . . . . . . . . . . . 3 59 3. Update to RFC 8624 . . . . . . . . . . . . . . . . . . . . . 3 60 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 61 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 62 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 63 6.1. Normative References . . . . . . . . . . . . . . . . . . 4 64 6.2. Informative References . . . . . . . . . . . . . . . . . 5 65 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 5 66 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5 68 1. Introduction 70 DNSSEC is primarily described in [RFC4033], [RFC4034], and [RFC4035]. 71 DNSSEC commonly uses two resource records beyond those defined in RFC 72 4034: DS [RFC3658] (which was obsoleted by RFC 4034) and NSEC3 73 [RFC5155]. 75 [RFC8126] gives guidelines for listing in the myriad IANA registries. 77 [RFC6014] updated the requirements for how DNSSEC cryptographic 78 algorithm identifiers in the IANA registries are assigned, reducing 79 the requirements from being "Standards Action" to "RFC Required". 80 However, the IANA registry requirements for hash algorithms for DS 81 records [RFC3658] and for the hash algorithms used in NSEC3 [RFC5155] 82 are still "Standards Action". This document updates those IANA 83 registry requirements. (For reference on how IANA registries can be 84 updated in general, see [RFC8126].) 86 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 87 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 88 "OPTIONAL" in this document are to be interpreted as described in BCP 89 14 [RFC2119] [RFC8174] when, and only when, they appear in all 90 capitals, as shown here. 92 2. Update to RFC 6014 94 Section 4 updates RFC 6014 to bring the requirements for DS records 95 and NSEC3 hash algorithms in line with the rest of the DNSSEC 96 cryptographic algorithms by allowing any DS or NSEC3 hash algorithms 97 that are fully described in an RFC to have identifiers assigned in 98 the IANA registries. This is an addition to the IANA considerations 99 in RFC 6014. 101 3. Update to RFC 8624 103 This document updates [RFC8624] for all DNSKEY and DS algorithms that 104 are not on standards track. 106 The second paragraph of Section 1.2 of RFC 8624 currently says: 108 This document only provides recommendations with respect to 109 mandatory-to-implement algorithms or algorithms so weak that they 110 cannot be recommended. Any algorithm listed in the [DNSKEY-IANA] 111 and [DS-IANA] registries that are not mentioned in this document 112 MAY be implemented. For clarification and consistency, an 113 algorithm will be specified as MAY in this document only when it 114 has been downgraded from a MUST or a RECOMMENDED to a MAY. 116 That paragraph is now replaced with the following: 118 This document provides recommendations with respect to 119 mandatory-to-implement algorithms, algorithms so weak that they 120 cannot be recommended, and algorithms that are defined in RFCs 121 that are not on standards track. Any algorithm listed in the 122 [DNSKEY-IANA] and [DS-IANA] registries that are not mentioned in 123 this document MAY be implemented. For clarification and 124 consistency, an algorithm will be specified as MAY in this 125 document only when it has been downgraded from a MUST or a 126 RECOMMENDED to a MAY. 128 This update is also reflected in the IANA considerations in 129 Section 4. 131 4. IANA Considerations 133 In the "Domain Name System Security (DNSSEC) NextSECure3 (NSEC3) 134 Parameters" registry, the registration procedure for "DNSSEC NSEC3 135 Flags", "DNSSEC NSEC3 Hash Algorithms", and "DNSSEC NSEC3PARAM Flags" 136 are changed from "Standards Action" to "RFC Required". 138 In the "Delegation Signer (DS) Resource Record (RR) Type Digest 139 Algorithms" registry, the registration procedure for "Digest 140 Algorithms" is changed from "Standards Action" to "RFC Required". 142 5. Security Considerations 144 Changing the requirements for getting security algorithms added to 145 IANA registries as described in this document will make it easier to 146 get good algorithms added to the registries, and will make it easier 147 to get bad algorithms added to the registries. It is impossible to 148 weigh the security impact of those two changes. 150 Administrators of DNSSEC-signed zones, and of validating resolvers, 151 may have been making security decisions based on the contents of the 152 IANA registries. This was a bad idea in the past, and now is an even 153 worse idea because there will be more algorithms in those registries 154 that may not have gone through IETF review. Security decisions about 155 which algorithms are safe and not safe should be made by reading the 156 security literature, not by looking in IANA registries. 158 6. References 160 6.1. Normative References 162 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 163 Requirement Levels", BCP 14, RFC 2119, 164 DOI 10.17487/RFC2119, March 1997, 165 . 167 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 168 Rose, "DNS Security Introduction and Requirements", 169 RFC 4033, DOI 10.17487/RFC4033, March 2005, 170 . 172 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 173 Rose, "Resource Records for the DNS Security Extensions", 174 RFC 4034, DOI 10.17487/RFC4034, March 2005, 175 . 177 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 178 Rose, "Protocol Modifications for the DNS Security 179 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, 180 . 182 [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS 183 Security (DNSSEC) Hashed Authenticated Denial of 184 Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, 185 . 187 [RFC6014] Hoffman, P., "Cryptographic Algorithm Identifier 188 Allocation for DNSSEC", RFC 6014, DOI 10.17487/RFC6014, 189 November 2010, . 191 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 192 Writing an IANA Considerations Section in RFCs", BCP 26, 193 RFC 8126, DOI 10.17487/RFC8126, June 2017, 194 . 196 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 197 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 198 May 2017, . 200 [RFC8624] Wouters, P. and O. Sury, "Algorithm Implementation 201 Requirements and Usage Guidance for DNSSEC", RFC 8624, 202 DOI 10.17487/RFC8624, June 2019, 203 . 205 6.2. Informative References 207 [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record 208 (RR)", RFC 3658, DOI 10.17487/RFC3658, December 2003, 209 . 211 Appendix A. Acknowledgements 213 Donald Eastlake, Murray Kucherawy, and Dan Harkins contributed to 214 this document. 216 Author's Address 218 Paul Hoffman 219 ICANN 221 Email: paul.hoffman@icann.org