Internet Engineering Task Force (IETF) S. Rose
Request for Comments: 6725 NIST
Category: Standards Track August 2012
ISSN: 2070-1721
Internet Engineering Task Force (IETF) S. Rose
Request for Comments: 6725 NIST
Category: Standards Track August 2012
ISSN: 2070-1721
DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates
DNS安全(DNSSEC)DNSKEY算法IANA注册表更新
Abstract
摘要
The DNS Security Extensions (DNSSEC) require the use of cryptographic algorithm suites for generating digital signatures over DNS data. The algorithms specified for use with DNSSEC are reflected in an IANA-maintained registry. This document presents a set of changes for some entries of the registry.
DNS安全扩展(DNSSEC)要求使用加密算法套件在DNS数据上生成数字签名。指定用于DNSSEC的算法反映在IANA维护的注册表中。本文档为注册表的某些条目提供了一组更改。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6725.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6725.
Copyright Notice
版权公告
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2012 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................2
2. The DNS Security Algorithm Numbers Sub-Registry .................2
2.1. Updates and Additions ......................................2
2.2. DNS Security Algorithm Numbers Sub-Registry Table ..........3
3. IANA Considerations .............................................4
4. Security Considerations .........................................4
5. Informative References ..........................................4
1. Introduction ....................................................2
2. The DNS Security Algorithm Numbers Sub-Registry .................2
2.1. Updates and Additions ......................................2
2.2. DNS Security Algorithm Numbers Sub-Registry Table ..........3
3. IANA Considerations .............................................4
4. Security Considerations .........................................4
5. Informative References ..........................................4
The Domain Name System (DNS) Security Extensions (DNSSEC, defined by [RFC4033], [RFC4034], [RFC4035], [RFC4509], [RFC5155], and [RFC5702]) use digital signatures over DNS data to provide source authentication and integrity protection. DNSSEC uses an IANA registry to list codes for digital signature algorithms (consisting of an asymmetric cryptographic algorithm and a one-way hash function).
域名系统(DNS)安全扩展(DNSSEC,由[RFC4033]、[RFC4034]、[RFC4035]、[RFC4509]、[RFC5155]和[RFC5702]定义)使用DNS数据上的数字签名来提供源身份验证和完整性保护。DNSSEC使用IANA注册表列出数字签名算法的代码(由非对称加密算法和单向哈希函数组成)。
This document updates a set of entries in the IANA registry titled "DNS Security (DNSSEC) Algorithm Numbers". These updated entries are given in Section 2.2 below. This list includes changes to selected entries originally set aside for future algorithm specification that did not occur. These three entries are changed to "Reserved" to avoid potential conflicts with older implementations. This document also brings the list of references for entries up to date.
本文档更新IANA注册表中标题为“DNS安全(DNSSEC)算法编号”的一组条目。下文第2.2节给出了这些更新的条目。此列表包括对最初为未来算法规范预留的未发生的选定条目的更改。这三个条目更改为“保留”,以避免与旧的实现发生潜在冲突。本文件还提供了最新的条目参考列表。
There are auxiliary sub-registries related to the DNS Security (DNSSEC) Algorithm Numbers registry that deal with various Diffie-Hellman parameters used with DNSSEC. These registry tables are not altered by this document.
有一些与DNS安全(DNSSEC)算法编号注册表相关的辅助子注册表,它们处理DNSSEC使用的各种Diffie-Hellman参数。本文档不会更改这些注册表表。
The DNS Security Algorithm Numbers sub-registry (part of the Domain Name System Security (DNSSEC) Algorithm Numbers registry) contains a set of entries that contain errors. There are additional differences to entries that are described in Section 2.1, and the complete list of changed registry entries is in Section 2.2.
DNS安全算法编号子注册表(域名系统安全(DNSSEC)算法编号注册表的一部分)包含一组包含错误的条目。第2.1节中描述的条目还有其他差异,第2.2节中列出了更改的注册表条目的完整列表。
This document updates three entries in the Domain Name System Security (DNSSEC) Algorithm Numbers registry:
本文档更新域名系统安全(DNSSEC)算法编号注册表中的三个条目:
The description for assignment number 4 is changed to "Reserved".
分配编号4的说明更改为“保留”。
The description for assignment number 9 is changed to "Reserved".
作业编号9的说明更改为“保留”。
The description for assignment number 11 is changed to "Reserved".
分配编号11的说明更改为“保留”。
The above entries are changed to "Reserved" because they were placeholders for algorithms that were not fully specified for use with DNSSEC. Older implementations may still have these algorithm codes assigned, so these codes are reserved to prevent potential incompatibilities.
上述条目更改为“保留”,因为它们是未完全指定用于DNSSEC的算法的占位符。较旧的实现可能仍然分配了这些算法代码,因此保留这些代码以防止潜在的不兼容。
The list of DNS Security Algorithm Numbers sub-registry entry changes is given below. All other existing entries in the sub-registry table are unchanged by this document and are not shown. The other two sub-registries in the Domain Name System Security (DNSSEC) Algorithm Numbers registry (DNS KEY Record Diffie-Hellman Prime Lengths and DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs) are not changed in any way by this document.
DNS安全算法编号子注册表项更改列表如下所示。sub registry表中的所有其他现有条目均未受本文档的影响,因此不会显示。域名系统安全性(DNSSEC)算法编号注册表中的其他两个子注册表(DNS密钥记录Diffie-Hellman素数长度和DNS密钥记录Diffie-Hellman著名素数/生成器对)不受本文档的任何更改。
Zone Trans.
Number Description Mnemonic Signing Sec. Reference
------ ----------- -------- ------- --------- ---------
0 Reserved [RFC4034],
[RFC4398]
Zone Trans.
Number Description Mnemonic Signing Sec. Reference
------ ----------- -------- ------- --------- ---------
0 Reserved [RFC4034],
[RFC4398]
1 RSA/MD5 RSAMD5 N Y [RFC3110], (deprecated; [RFC4034] see 5)
1 RSA/MD5 RSAMD5 N Y[RFC3110],(已弃用;[RFC4034]参见第5节)
4 Reserved [RFC6725]
4保留[RFC6725]
5 RSA/SHA-1 RSASHA1 Y Y [RFC3110], [RFC4034]
5 RSA/SHA-1 RSASHA1 Y[RFC3110],[RFC4034]
9 Reserved [RFC6725]
9保留[RFC6725]
11 Reserved [RFC6725]
11保留[RFC6725]
15-122 Unassigned
15-122未分配
123-251 Reserved [RFC4034], [RFC6014]
123-251保留[RFC4034],[RFC6014]
253 private PRIVATEDNS Y Y [RFC4034] algorithm
253私有私有DNS Y[RFC4034]算法
254 private PRIVATEOID Y Y [RFC4034] algorithm OID
254私有私有OID Y[RFC4034]算法OID
This document updates a set of DNS Security Algorithm Numbers sub-registry entries as given in Section 2.2. The changes include moving three registry entries to "Reserved" and updating the reference list for entries.
本文档更新了第2.2节中给出的一组DNS安全算法编号子注册表项。更改包括将三个注册表项移动到“保留”并更新条目的引用列表。
This document updates the Domain Name System Security (DNSSEC) Algorithm Numbers registry. It is not meant to be a discussion on algorithm superiority. No new security considerations are raised in this document.
本文档更新域名系统安全(DNSSEC)算法编号注册表。这并不是要讨论算法的优越性。本文档中没有提出新的安全注意事项。
[RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)", RFC 3110, May 2001.
[RFC3110]Eastlake,D.,“域名系统(DNS)中的RSA/SHA-1 SIGs和RSA密钥”,RFC 3110,2001年5月。
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005.
[RFC4033]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全介绍和要求”,RFC 4033,2005年3月。
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.
[RFC4034]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的资源记录”,RFC 40342005年3月。
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005.
[RFC4035]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的协议修改”,RFC 4035,2005年3月。
[RFC4398] Josefsson, S., "Storing Certificates in the Domain Name System (DNS)", RFC 4398, March 2006.
[RFC4398]Josefsson,S.,“在域名系统(DNS)中存储证书”,RFC 4398,2006年3月。
[RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)", RFC 4509, May 2006.
[RFC4509]Hardaker,W.“SHA-256在DNSSEC委托签署人(DS)资源记录(RRs)中的使用”,RFC 4509,2006年5月。
[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS Security (DNSSEC) Hashed Authenticated Denial of Existence", RFC 5155, March 2008.
[RFC5155]Laurie,B.,Sisson,G.,Arends,R.,和D.Blacka,“DNS安全(DNSSEC)哈希认证拒绝存在”,RFC 51552008年3月。
[RFC5702] Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC", RFC 5702, October 2009.
[RFC5702]Jansen,J.,“在DNSSEC的DNSKEY和RRSIG资源记录中使用带有RSA的SHA-2算法”,RFC 5702,2009年10月。
[RFC6014] Hoffman, P., "Cryptographic Algorithm Identifier Allocation for DNSSEC", RFC 6014, November 2010.
[RFC6014]Hoffman,P.,“DNSSEC的密码算法标识符分配”,RFC6014010年11月。
Author's Address
作者地址
Scott Rose NIST 100 Bureau Dr. Gaithersburg, MD 20899 USA
斯科特·罗斯NIST 100局盖瑟斯堡博士,美国马里兰州20899
Phone: +1-301-975-8439
EMail: scottr.nist@gmail.com
Phone: +1-301-975-8439
EMail: scottr.nist@gmail.com