idnits 2.17.00 (12 Aug 2021) /tmp/idnits31039/draft-ietf-dnsop-dnssec-iana-cons-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC5155, updated by this document, for RFC5378 checks: 2005-01-27) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (16 September 2021) is 246 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'DNSKEY-IANA' is mentioned on line 120, but not defined == Missing Reference: 'DS-IANA' is mentioned on line 120, but not defined -- Obsolete informational reference (is this intentional?): RFC 3658 (Obsoleted by RFC 4033, RFC 4034, RFC 4035) Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Hoffman 3 Internet-Draft ICANN 4 Updates: 5155, 6014, 8624 (if approved) 16 September 2021 5 Intended status: Standards Track 6 Expires: 20 March 2022 8 Revised IANA Considerations for DNSSEC 9 draft-ietf-dnsop-dnssec-iana-cons-04 11 Abstract 13 This document changes the review requirements needed to get DNSSEC 14 algorithms and resource records added to IANA registries. It updates 15 RFC 6014 to include hash algorithms for DS records and NSEC3 16 parameters. It also updates RFC 5155 and RFC 6014, which have 17 requirements for DNSSEC algorithms, and updates RFC 8624 to say that 18 algorithms that are described in RFCs that are not on standards track 19 are only at the "MAY" level of implementation recommendation. The 20 rationale for these changes is to bring the requirements for DS 21 records and for the hash algorithms used in NSEC3 in line with the 22 requirements for all other DNSSEC algorithms. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on 20 March 2022. 41 Copyright Notice 43 Copyright (c) 2021 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 48 license-info) in effect on the date of publication of this document. 49 Please review these documents carefully, as they describe your rights 50 and restrictions with respect to this document. Code Components 51 extracted from this document must include Simplified BSD License text 52 as described in Section 4.e of the Trust Legal Provisions and are 53 provided without warranty as described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 2. Update to RFC 6014 . . . . . . . . . . . . . . . . . . . . . 3 59 3. Update to RFC 8624 . . . . . . . . . . . . . . . . . . . . . 3 60 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 61 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 62 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 63 6.1. Normative References . . . . . . . . . . . . . . . . . . 4 64 6.2. Informative References . . . . . . . . . . . . . . . . . 5 65 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 5 66 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5 68 1. Introduction 70 DNSSEC is primarily described in [RFC4033], [RFC4034], and [RFC4035]. 71 DNSSEC commonly uses two resource records beyond those defined in RFC 72 4034: DS [RFC3658] (which was obsoleted by RFC 4034) and NSEC3 73 [RFC5155]. 75 [RFC6014] updated the requirements for how DNSSEC cryptographic 76 algorithm identifiers in the IANA registries are assigned, reducing 77 the requirements from being "Standards Action" to "RFC Required". 78 However, the IANA registry requirements for hash algorithms for DS 79 records [RFC3658] and for the hash algorithms used in NSEC3 [RFC5155] 80 are still "Standards Action". This document updates those IANA 81 registry requirements. (For reference on how IANA registries can be 82 updated in general, see [RFC8126].) 84 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 85 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 86 "OPTIONAL" in this document are to be interpreted as described in BCP 87 14 [RFC2119] [RFC8174] when, and only when, they appear in all 88 capitals, as shown here. 90 2. Update to RFC 6014 92 Section 4 updates RFC 6014 to bring the requirements for DS records 93 and NSEC3 hash algorithms in line with the rest of the DNSSEC 94 cryptographic algorithms by allowing any DS or NSEC3 hash algorithms 95 that are fully described in an RFC to have identifiers assigned in 96 the IANA registries. This is an addition to the IANA considerations 97 in RFC 6014. 99 3. Update to RFC 8624 101 This document updates [RFC8624] for all DNSKEY and DS algorithms that 102 are not on standards track. 104 The second paragraph of Section 1.2 of RFC 8624 currently says: 106 This document only provides recommendations with respect to 107 mandatory-to-implement algorithms or algorithms so weak that they 108 cannot be recommended. Any algorithm listed in the [DNSKEY-IANA] 109 and [DS-IANA] registries that are not mentioned in this document 110 MAY be implemented. For clarification and consistency, an 111 algorithm will be specified as MAY in this document only when it 112 has been downgraded from a MUST or a RECOMMENDED to a MAY. 114 That paragraph is now replaced with the following: 116 This document provides recommendations with respect to 117 mandatory-to-implement algorithms, algorithms so weak that they 118 cannot be recommended, and algorithms that are defined in RFCs 119 that are not on standards track. Any algorithm listed in the 120 [DNSKEY-IANA] and [DS-IANA] registries that are not mentioned in 121 this document MAY be implemented. For clarification and 122 consistency, an algorithm will be specified as MAY in this 123 document only when it has been downgraded from a MUST or a 124 RECOMMENDED to a MAY. 126 This update is also reflected in the IANA considerations in 127 Section 4. 129 4. IANA Considerations 131 In the "Domain Name System Security (DNSSEC) NextSECure3 (NSEC3) 132 Parameters" registry, the registration procedure for "DNSSEC NSEC3 133 Flags", "DNSSEC NSEC3 Hash Algorithms", and "DNSSEC NSEC3PARAM Flags" 134 are changed from "Standards Action" to "RFC Required". 136 In the "Delegation Signer (DS) Resource Record (RR) Type Digest 137 Algorithms" registry, the registration procedure for "Digest 138 Algorithms" is changed from "Standards Action" to "RFC Required". 140 5. Security Considerations 142 Changing the requirements for getting security algorithms added to 143 IANA registries as described in this document will make it easier to 144 get good algorithms added to the registries, and will make it easier 145 to get bad algorithms added to the registries. It is impossible to 146 weigh the security impact of those two changes. 148 Administrators of DNSSEC-signed zones, and of validating resolvers, 149 may have been making security decisions based on the contents of the 150 IANA registries. This was a bad idea in the past, and now is an even 151 worse idea because there will be more algorithms in those registries 152 that may not have gone through IETF review. Security decisions about 153 which algorithms are safe and not safe should be made by reading the 154 security literature, not by looking in IANA registries. 156 6. References 158 6.1. Normative References 160 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 161 Requirement Levels", BCP 14, RFC 2119, 162 DOI 10.17487/RFC2119, March 1997, 163 . 165 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 166 Rose, "DNS Security Introduction and Requirements", 167 RFC 4033, DOI 10.17487/RFC4033, March 2005, 168 . 170 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 171 Rose, "Resource Records for the DNS Security Extensions", 172 RFC 4034, DOI 10.17487/RFC4034, March 2005, 173 . 175 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 176 Rose, "Protocol Modifications for the DNS Security 177 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, 178 . 180 [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS 181 Security (DNSSEC) Hashed Authenticated Denial of 182 Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, 183 . 185 [RFC6014] Hoffman, P., "Cryptographic Algorithm Identifier 186 Allocation for DNSSEC", RFC 6014, DOI 10.17487/RFC6014, 187 November 2010, . 189 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 190 Writing an IANA Considerations Section in RFCs", BCP 26, 191 RFC 8126, DOI 10.17487/RFC8126, June 2017, 192 . 194 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 195 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 196 May 2017, . 198 [RFC8624] Wouters, P. and O. Sury, "Algorithm Implementation 199 Requirements and Usage Guidance for DNSSEC", RFC 8624, 200 DOI 10.17487/RFC8624, June 2019, 201 . 203 6.2. Informative References 205 [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record 206 (RR)", RFC 3658, DOI 10.17487/RFC3658, December 2003, 207 . 209 Appendix A. Acknowledgements 211 Donald Eastlake, Murray Kucherawy, and Dan Harkins contributed to 212 this document. 214 Author's Address 216 Paul Hoffman 217 ICANN 219 Email: paul.hoffman@icann.org