Internet-Draft | More Private Algs | March 2022 |
Hoffman | Expires 25 September 2022 | [Page] |
RFC 4034 allocates one value in the IANA registry for DNSSEC algorithm numbers for private algorithms. That may be too few for experimentation where multiple yet-to-be-assigned algorithms are used. This document assigns seven more values for this use case.
This document is currently maintained at https://github.com/paulehoffman/draft-hoffman-more-private-algs. Issues and pull requests are welcomed. If the document is later adopted by a working group, a new repository will likely be created.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 25 September 2022.
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Section A.1 of [RFC4034] assigns value 253 as "Private [PRIVATEDNS]". Section A.1.1 describes this value:
Algorithm number 253 is reserved for private use and will never be assigned to a specific algorithm. The public key area in the DNSKEY RR and the signature area in the RRSIG RR begin with a wire encoded domain name, which MUST NOT be compressed. The domain name indicates the private algorithm to use, and the remainder of the public key area is determined by that algorithm. Entities should only use domain names they control to designate their private algorithms.
In the coming years, it is likely that there will be experimentation with new DNSSEC signing algorithms for post-quantum cryptography. At the time this document is written, it is possible that many such algorithms will be in experimental use at the same time. If that comes to pass, it would be useful to have a handful of private use algorithm numbers available at the same time, such as for experimenting with zones that are signed with multiple algorithms simultaneously.
This document updates [RFC4034] to add seven more private use algorithms. Unlike private use algorithm 253, there is no restriction on the public key area in the DNSKEY RR and the signature area in the RRSIG RR. Thus, there are no domain names embedded in the public key or signature like there are with private use algorithm 253. This update brings the total number of private use algorithms that use the same format to eight.
This document requests that IANA allocate seven additional values, 245 through 251, in the "DNS Security Algorithm Numbers" registry (https://www.iana.org/assignments/dns-sec-alg-numbers/).
Allocating private use values does not cause any significant security considerations.