DNS Security Algorithm Numbers registry (registration procedure: Standards Action or Specification Required)
Adding a new entry to the "DNS Security Algorithm Numbers" registry with a recommended value of "MAY" in the "Use for DNSSEC Signing", "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or "Implement for DNSSEC Validation" columns will be subject to the Specification Required policy as defined in [RFC8126] in order to promote continued evolution of DNSSEC algorithms and DNSSEC agility. New entries added through the Specification Required process will have the value of "MAY" for all columns.

Adding a new entry to, or changing an existing value in, the "DNS Security Algorithm Numbers" registry that has any value other than "MAY" in the "Use for DNSSEC Signing", "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or "Implement for DNSSEC Validation" columns requires Standards Action.

If an item is not marked as "RECOMMENDED", it does not necessarily mean that it is flawed; rather, it indicates that the item either has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases.
The KEY, SIG, DNSKEY, RRSIG, DS, and CERT RRs use an 8-bit number to identify the security algorithm being used. All algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. Only algorithms usable for zone signing may appear in DNSKEY, RRSIG, and DS RRs. Only those usable for SIG(0) and TSIG may appear in SIG and KEY RRs.

* There has been no determination of standardization of the use of this algorithm with Transaction Security.
| Number | Description | Mnemonic | Zone Signing | Trans. Sec. | Use for DNSSEC Signing | Use for DNSSEC Validation | Implement for DNSSEC Signing | Implement for DNSSEC Validation | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 0 | Delete DS | DELETE | N | N | | | | | [RFC4034][proposed standard], [RFC4398][proposed standard], [RFC8078][proposed standard] |
| 1 | RSA/MD5 (DEPRECATED, see 5) | RSAMD5 | N | Y | MUST NOT | MUST NOT | MUST NOT | MUST NOT | [RFC3110][proposed standard], [RFC4034][proposed standard] |
| 2 | Diffie-Hellman | DH | N | Y | | | | | [RFC2539][proposed standard] |
| 3 | DSA/SHA1 | DSA | Y | Y | MUST NOT | MUST NOT | MUST NOT | MUST NOT | [RFC3755][proposed standard], [RFC2536][proposed standard], [Federal Information Processing Standards Publication (FIPS PUB) 186, Digital Signature Standard, 18 May 1994.], [Federal Information Processing Standards Publication (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995. (Supersedes FIPS PUB 180 dated 11 May 1993.)] |
| 4 | Reserved | | | | | | | | [RFC6725][proposed standard] |
| 5 | RSA/SHA-1 | RSASHA1 | Y | Y | MUST NOT | RECOMMENDED | NOT RECOMMENDED | MUST | [RFC3110][proposed standard], [RFC4034][proposed standard], [RFC-ietf-dnsop-must-not-sha1-09] |
| 6 | DSA-NSEC3-SHA1 | DSA-NSEC3-SHA1 | Y | Y | MUST NOT | MUST NOT | MUST NOT | MUST NOT | [RFC5155][proposed standard] |
| 7 | RSASHA1-NSEC3-SHA1 | RSASHA1-NSEC3-SHA1 | Y | Y | MUST NOT | RECOMMENDED | NOT RECOMMENDED | MUST | [RFC5155][proposed standard], [RFC-ietf-dnsop-must-not-sha1-09] |
| 8 | RSA/SHA-256 | RSASHA256 | Y | * | RECOMMENDED | RECOMMENDED | MUST | MUST | [RFC5702][proposed standard] |
| 9 | Reserved | | | | | | | | [RFC6725][proposed standard] |
| 10 | RSA/SHA-512 | RSASHA512 | Y | * | NOT RECOMMENDED | RECOMMENDED | NOT RECOMMENDED | MUST | [RFC5702][proposed standard] |
| 11 | Reserved | | | | | | | | [RFC6725][proposed standard] |
| 12 | GOST R 34.10-2001 (DEPRECATED) | ECC-GOST | Y | * | MUST NOT | MUST NOT | MUST NOT | MUST NOT | [RFC5933][proposed standard], [Change the status of GOST Signature Algorithms in DNSSEC in the IETF stream to Historic], [RFC-ietf-dnsop-must-not-ecc-gost-07] |
| 13 | ECDSA Curve P-256 with SHA-256 | ECDSAP256SHA256 | Y | * | RECOMMENDED | RECOMMENDED | MUST | MUST | [RFC6605][proposed standard] |
| 14 | ECDSA Curve P-384 with SHA-384 | ECDSAP384SHA384 | Y | * | MAY | RECOMMENDED | MAY | RECOMMENDED | [RFC6605][proposed standard] |
| 15 | Ed25519 | ED25519 | Y | * | RECOMMENDED | RECOMMENDED | RECOMMENDED | RECOMMENDED | [RFC8080][proposed standard] |
| 16 | Ed448 | ED448 | Y | * | MAY | RECOMMENDED | MAY | RECOMMENDED | [RFC8080][proposed standard] |
| 17 | SM2 signing algorithm with SM3 hashing algorithm | SM2SM3 | Y | * | MAY | MAY | MAY | MAY | [RFC9563][informational] |
| 18-22 | Unassigned | | | | | | | | |
| 23 | GOST R 34.10-2012 | ECC-GOST12 | Y | * | MAY | MAY | MAY | MAY | [RFC9558][informational] |
| 24-122 | Unassigned | | | | | | | | |
| 123-251 | Reserved | | | | | | | | [RFC4034][proposed standard], [RFC6014][proposed standard] |
| 252 | Reserved for Indirect Keys | INDIRECT | N | N | | | | | [RFC4034][proposed standard] |
| 253 | private algorithm | PRIVATEDNS | Y | Y | MAY | MAY | MAY | MAY | [RFC4034][proposed standard] |
| 254 | private algorithm OID | PRIVATEOID | Y | Y | MAY | MAY | MAY | MAY | [RFC4034][proposed standard] |
| 255 | Reserved | | | | | | | | [RFC4034][proposed standard] |
DNS KEY Record Diffie-Hellman Prime Lengths registry (registration procedure: IETF Review)
| Value | Description | Reference |
|---|---|---|
| 0 | Unassigned | |
| 1 | index into well-known table | [RFC2539] |
| 2 | index into well-known table | [RFC2539] |
| 3-15 | Unassigned | |
DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs registry (registration procedures by range)

| Range | Registration Procedures |
|---|---|
| 0x0000-0x07ff | Standards Action |
| 0x0800-0xbfff | RFC Required |
| Value | Description | Reference |
|---|---|---|
| 0x0000 | Unassigned | |
| 0x0001 | Well-Known Group 1: A 768 bit prime | [RFC2539] |
| 0x0002 | Well-Known Group 2: A 1024 bit prime | [RFC2539] |
| 0x0003-0xbfff | Unassigned | |
| 0xc000-0xffff | Private Use | [RFC2539] |