rfc9904.original   rfc9904.txt 
Network Working Group W. Hardaker Internet Engineering Task Force (IETF) W. Hardaker
Internet-Draft USC/ISI Request for Comments: 9904 USC/ISI
Obsoletes: 8624 (if approved) W. Kumari Obsoletes: 8624 W. Kumari
Updates: 9157 (if approved) Google Updates: 9157 Google
Intended status: Standards Track 4 June 2025 Category: Standards Track October 2025
Expires: 6 December 2025 ISSN: 2070-1721
DNSSEC Cryptographic Algorithm Recommendation Update Process DNSSEC Cryptographic Algorithm Recommendation Update Process
draft-ietf-dnsop-rfc8624-bis-13
Abstract Abstract
The DNSSEC protocol makes use of various cryptographic algorithms to The DNSSEC protocol makes use of various cryptographic algorithms to
provide authentication of DNS data and proof of non-existence. To provide authentication of DNS data and proof of nonexistence. To
ensure interoperability between DNS resolvers and DNS authoritative ensure interoperability between DNS resolvers and DNS authoritative
servers, it is necessary to specify both a set of algorithm servers, it is necessary to specify both a set of algorithm
implementation requirements and usage guidelines to ensure that there implementation requirements and usage guidelines to ensure that there
is at least one algorithm that all implementations support. This is at least one algorithm that all implementations support. This
document replaces and obsoletes RFC8624 and moves the canonical document replaces and obsoletes RFC 8624 and moves the canonical
source of algorithm implementation requirements and usage guidance source of algorithm implementation requirements and usage guidance
for DNSSEC from RFC8624 to an IANA registry. This is done both to for DNSSEC from RFC 8624 to an IANA registry. This is done to allow
allow the list of requirements to be more easily updated, and to the list of requirements to be more easily updated and referenced.
allow the list to be more easily referenced. Future extensions to Future extensions to this registry can be made under new, incremental
this registry can be made under new, incremental update RFCs. This update RFCs. This document also updates RFC 9157 and incorporates
document also incorporates the revised IANA DNSSEC considerations the revised IANA DNSSEC considerations from that RFC.
from RFC9157.
The document does not change the status (MUST, MAY, RECOMMENDED, This document does not change the status (MUST, MAY, RECOMMENDED,
etc.) of the algorithms listed in RFC8624; that is the work of future etc.) of the algorithms listed in RFC 8624; that is the work of
documents. future documents.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 6 December 2025. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9904.
Copyright Notice Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
1.1. Document Audience . . . . . . . . . . . . . . . . . . . . 3 1.1. Document Audience
1.2. Updating Algorithm Requirement Levels . . . . . . . . . . 4 1.2. Updating Algorithm Requirement Levels
1.3. Requirements notation . . . . . . . . . . . . . . . . . . 5 1.3. Requirements Notation
2. Adding usage and implementation recommendations to the IANA 2. Adding Usage and Implementation Recommendations to the IANA
DNSSEC registries . . . . . . . . . . . . . . . . . . . . 5 DNSSEC Algorithm Registries
2.1. Column Descriptions . . . . . . . . . . . . . . . . . . . 5 2.1. Column Descriptions
2.2. Adding and Changing Values . . . . . . . . . . . . . . . 6 2.2. Adding and Changing Values
3. DNS System Algorithm Numbers Column Values . . . . . . . . . 7 3. DNS Security Algorithm Numbers Registry Column Values
4. DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest 4. Digest Algorithms Registry Column Values
Algorithms Column Values . . . . . . . . . . . . . . . . 9 5. Security Considerations
5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. Operational Considerations
6. Operational Considerations . . . . . . . . . . . . . . . . . 10 7. IANA Considerations
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 7.1. Update to the DNS Security Algorithm Numbers Registry
7.1. Update to the "DNS Security Algorithm Numbers" 7.2. Update to the Digest Algorithms Registry
registry . . . . . . . . . . . . . . . . . . . . . . . . 10 8. References
7.2. Update to the "Digest Algorithms" registry . . . . . . . 11 8.1. Normative References
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 8.2. Informative References
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 Acknowledgments
9.1. Normative References . . . . . . . . . . . . . . . . . . 12 Authors' Addresses
9.2. Informative References . . . . . . . . . . . . . . . . . 12
Appendix A. ChangeLog . . . . . . . . . . . . . . . . . . . . . 14
A.1. Changes from ietf-10 to ietf-11: . . . . . . . . . . . . 14
A.2. Changes from ietf-09 to ietf-10: . . . . . . . . . . . . 14
A.3. Changes from ietf-08 to ietf-09 . . . . . . . . . . . . . 14
A.4. Changes from ietf-07 to ietf-08 . . . . . . . . . . . . . 14
A.5. Changes from ietf-06 to ietf-07 . . . . . . . . . . . . . 14
A.6. Changes from ietf-05 to ietf-06 . . . . . . . . . . . . . 14
A.7. Changes from ietf-03 to ietf-05 . . . . . . . . . . . . . 14
A.8. Changes from ietf-02 to ietf-03 . . . . . . . . . . . . . 14
A.9. Changes from ietf-01 to ietf-02 . . . . . . . . . . . . . 15
A.10. Changes from ietf-00 to ietf-01 . . . . . . . . . . . . . 15
A.11. Changes from hardaker-04 to ietf-00 . . . . . . . . . . . 15
A.12. Changes from -03 to -04 . . . . . . . . . . . . . . . . . 15
A.13. Changes since RFC8624 . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
DNS Security Extensions (DNSSEC) [RFC9364] is used to provide "DNS Security Extensions (DNSSEC)" [RFC9364] is used to provide
authentication of DNS data. The DNSSEC signing algorithms are authentication of DNS data. The DNSSEC signing algorithms are
defined by various RFCs, including [RFC4034], [RFC4509], [RFC5155], defined by various RFCs, including [RFC4034], [RFC4509], [RFC5155],
[RFC5702], [RFC5933], [RFC6605], [RFC8080]. [RFC5702], [RFC5933], [RFC6605], and [RFC8080].
To ensure interoperability, a set of "mandatory to implement" DNSKEY To ensure interoperability, a set of "mandatory-to-implement" DNS
algorithms are defined in [RFC8624]. To make the current status of Public Key (DNSKEY) algorithms are defined in [RFC8624]. To make the
the algorithms more easily accessible and understandable, and to make current status of the algorithms more easily accessible and
future changes to these recommendations easier to publish, this understandable, and to make future changes to these recommendations
document moves the canonical status of the algorithms from [RFC8624] easier to publish, this document moves the canonical status of the
to the IANA DNSSEC algorithm registries. Additionally, as advice to algorithms from [RFC8624] to the IANA DNSSEC algorithm registries.
operators, it adds recommendations for deploying and the usage of Additionally, as advice to operators, it adds recommendations for
these algorithms. deploying and using these algorithms.
This is similar to the process used for the [TLS-ciphersuites] This is similar to the process used for the "TLS Cipher Suites"
registry, where the canonical list of ciphersuites is in the IANA registry [TLS-ciphersuites], where the canonical list of cipher
registry, and the RFCs reference the IANA registry. suites is in the IANA registry, and RFCs reference the IANA registry.
1.1. Document Audience 1.1. Document Audience
The columns added to the IANA "DNS Security Algorithm Numbers" The columns added to the IANA "DNS Security Algorithm Numbers"
[DNSKEY-IANA] and "DNSSEC Delegation Signer (DS) Resource Record (RR) [DNSKEY-IANA] and "Digest Algorithms" [DS-IANA] registries target
Type Digest Algorithms" [DS-IANA] registries target DNSSEC operators DNSSEC operators and implementers.
and implementers.
Implementations need to meet both high security expectations as well Implementations need to meet high security expectations as well as
as provide interoperability between various implementations and with provide interoperability between various implementations and with
different versions. different versions.
The field of cryptography evolves continuously. New, stronger The field of cryptography evolves continuously. New, stronger
algorithms appear, and existing algorithms may be found to be less algorithms appear, and existing algorithms may be found to be less
secure than originally thought. Therefore, algorithm implementation secure than originally thought. Therefore, algorithm implementation
requirements and usage guidance need to be updated from time to time requirements and usage guidance need to be updated from time to time
in order to reflect the new reality, and to allow for a smooth in order to reflect the new reality and to allow for a smooth
transition to more secure algorithms, as well as deprecation of transition to more secure algorithms as well as the deprecation of
algorithms deemed to no longer be secure. algorithms deemed to no longer be secure.
Implementations need to be conservative in the selection of Implementations need to be conservative in the selection of
algorithms they implement in order to minimize both code complexity algorithms they implement in order to minimize both code complexity
and the attack surface. and the attack surface.
The perspective of implementers may differ from that of an operator The perspective of implementers may differ from that of an operator
who wishes to deploy and configure DNSSEC with only the safest who wishes to deploy and configure DNSSEC with only the safest
algorithm. As such this document also adds new recommendations about algorithm. As such, this document also adds new recommendations
which algorithms should be deployed regardless of implementation about which algorithms should be deployed regardless of
status. In general, it is expected that deployment of aging implementation status. In general, it is expected that deployment of
algorithms should generally be reduced before implementations stop aging algorithms should generally be reduced before implementations
supporting them. stop supporting them.
1.2. Updating Algorithm Requirement Levels 1.2. Updating Algorithm Requirement Levels
By the time a DNSSEC cryptographic algorithm is made mandatory to By the time a DNSSEC cryptographic algorithm is made mandatory to
implement, it should already be available in most implementations. implement, it should already be available in most implementations.
This document defines an IANA registration modification to allow This document defines an IANA registration modification to allow
future documents to specify the implementation recommendations for future documents to specify the implementation recommendations for
each algorithm, as the recommendation status of each DNSSEC each algorithm, as the recommendation status of each DNSSEC
cryptographic algorithm is expected to change over time. For cryptographic algorithm is expected to change over time. For
example, there is no guarantee that newly introduced algorithms will example, there is no guarantee that newly introduced algorithms will
skipping to change at page 4, line 37 skipping to change at line 157
It is expected that the deprecation of an algorithm will be performed It is expected that the deprecation of an algorithm will be performed
gradually. This provides time for implementations to update their gradually. This provides time for implementations to update their
implemented algorithms while remaining interoperable. Unless there implemented algorithms while remaining interoperable. Unless there
are strong security reasons, an algorithm is expected to be are strong security reasons, an algorithm is expected to be
downgraded from MUST to NOT RECOMMENDED or MAY, instead of directly downgraded from MUST to NOT RECOMMENDED or MAY, instead of directly
from MUST to MUST NOT. Similarly, an algorithm that has not been from MUST to MUST NOT. Similarly, an algorithm that has not been
mentioned as mandatory to implement is expected to be first mentioned as mandatory to implement is expected to be first
introduced as RECOMMENDED instead of a MUST. introduced as RECOMMENDED instead of a MUST.
Since the effect of using an unknown DNSKEY algorithm is that the Since the effect of using an unknown DNSKEY algorithm is that the
zone is treated as insecure, it is recommended that algorithms which zone is treated as insecure, it is recommended that algorithms that
have been downgraded to NOT RECOMMENDED or lower not be used by have been downgraded to NOT RECOMMENDED or lower not be used by
authoritative nameservers and DNSSEC signers to create new DNSKEY's. authoritative nameservers and DNSSEC signers to create new DNSKEYs.
This ensures that the use of deprecated algorithms decreases over This ensures that the use of deprecated algorithms decreases over
time. Once an algorithm has reached a sufficiently low level of time. Once an algorithm has reached a sufficiently low level of
deployment, it can be marked as MUST NOT, so that recursive resolvers deployment, it can be marked as MUST NOT, so that recursive resolvers
can remove support for validating it. can remove support for validating it.
Validating recursive resolvers are encouraged to retain support for Validating recursive resolvers are encouraged to retain support for
all algorithms not marked as MUST NOT. all algorithms not marked as MUST NOT.
1.3. Requirements notation 1.3. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
[RFC2119] considers the term SHOULD to be equivalent to RECOMMENDED, [RFC2119] considers the term SHOULD to be equivalent to RECOMMENDED,
and SHOULD NOT equivalent to NOT RECOMMENDED. This document has and SHOULD NOT equivalent to NOT RECOMMENDED. This document has
chosen to use the terms RECOMMENDED and NOT RECOMMENDED, as this more chosen to use the terms RECOMMENDED and NOT RECOMMENDED, as this more
clearly expresses the recommendations to implementers. clearly expresses the recommendations to implementers.
2. Adding usage and implementation recommendations to the IANA DNSSEC 2. Adding Usage and Implementation Recommendations to the IANA DNSSEC
registries Algorithm Registries
Per this document, the following columns are being added to the Per this document, the following columns have been added to the
following DNSSEC algorithm registries maintained with IANA: corresponding DNSSEC algorithm registries maintained by IANA:
+================================+=================================+ +================================+=================================+
| Registry | Column added | | Registry | Column Added |
+================================+=================================+ +================================+=================================+
| DNS Security Algorithm Numbers | Use for DNSSEC Signing | | DNS Security Algorithm Numbers | Use for DNSSEC Signing |
+--------------------------------+---------------------------------+ +--------------------------------+---------------------------------+
| DNS Security Algorithm Numbers | Use for DNSSEC Validation | | DNS Security Algorithm Numbers | Use for DNSSEC Validation |
+--------------------------------+---------------------------------+ +--------------------------------+---------------------------------+
| DNS Security Algorithm Numbers | Implement for DNSSEC Signing | | DNS Security Algorithm Numbers | Implement for DNSSEC Signing |
+--------------------------------+---------------------------------+ +--------------------------------+---------------------------------+
| DNS Security Algorithm Numbers | Implement for DNSSEC Validation | | DNS Security Algorithm Numbers | Implement for DNSSEC Validation |
+--------------------------------+---------------------------------+ +--------------------------------+---------------------------------+
| Digest Algorithm | Use for DNSSEC Delegation | | Digest Algorithms | Use for DNSSEC Delegation |
+--------------------------------+---------------------------------+ +--------------------------------+---------------------------------+
| Digest Algorithm | Use for DNSSEC Validation | | Digest Algorithms | Use for DNSSEC Validation |
+--------------------------------+---------------------------------+ +--------------------------------+---------------------------------+
| Digest Algorithm | Implement for DNSSEC Delegation | | Digest Algorithms | Implement for DNSSEC Delegation |
+--------------------------------+---------------------------------+ +--------------------------------+---------------------------------+
| Digest Algorithm | Implement for DNSSEC Validation | | Digest Algorithms | Implement for DNSSEC Validation |
+--------------------------------+---------------------------------+ +--------------------------------+---------------------------------+
Table 1: Columns to add to existing DNSSEC algorithm registries Table 1: Columns Added to Existing DNSSEC Algorithm Registries
2.1. Column Descriptions 2.1. Column Descriptions
The intended usage of the four columns in the "DNS Security Algorithm The intended usage of the four columns in the "DNS Security Algorithm
Numbers" table are: Numbers" registry is as follows:
Use for DNSSEC Signing: Indicates the recommendation for using the Use for DNSSEC Signing: Indicates the recommendation for using the
algorithm within authoritative servers. algorithm within authoritative servers.
Use for DNSSEC Validation: Indicates the recommendation for using Use for DNSSEC Validation: Indicates the recommendation for using
the algorithm in DNSSEC validators. the algorithm in DNSSEC validators.
Implement for DNSSEC Signing: Indicates the recommendation for Implement for DNSSEC Signing: Indicates the recommendation for
implementing the algorithm within DNSSEC signing software. implementing the algorithm within DNSSEC signing software.
Implement for DNSSEC Validation: Indicates the recommendation for Implement for DNSSEC Validation: Indicates the recommendation for
implementing the algorithm within DNSSEC validators. implementing the algorithm within DNSSEC validators.
The intended usage of the four columns in the "Digest Algorithm" The intended usage of the four columns in the "Digest Algorithms"
table are: registry is as follows:
Use for DNSSEC Delegation: Indicates the recommendation for using Use for DNSSEC Delegation: Indicates the recommendation for using
the algorithm within authoritative servers. the algorithm within authoritative servers.
Use for DNSSEC Validation: Indicates the recommendation for using Use for DNSSEC Validation: Indicates the recommendation for using
the algorithm in DNSSEC validators. the algorithm in DNSSEC validators.
Implement for DNSSEC Delegation: Indicates the recommendation for Implement for DNSSEC Delegation: Indicates the recommendation for
implementing the algorithm within authoritative servers. implementing the algorithm within authoritative servers.
Implement for DNSSEC Validation: Indicates the recommendation for Implement for DNSSEC Validation: Indicates the recommendation for
implementing the algorithm within validating resolvers. implementing the algorithm within validating resolvers.
2.2. Adding and Changing Values 2.2. Adding and Changing Values
Adding a new entry to the "DNS System Algorithm Numbers" registry Adding a new entry to the "DNS System Algorithm Numbers" registry
with a recommended value of "MAY" in the "Use for DNSSEC Signing", with a recommended value of "MAY" in the "Use for DNSSEC Signing",
"Use for DNSSEC Validation", "Implement for DNSSEC Signing", or "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or
"Implement for DNSSEC Validation" columns will subject to the "Implement for DNSSEC Validation" columns will be subject to the
"Specification Required" policy as defined in [RFC8126] in order to Specification Required policy as defined in [RFC8126] in order to
promote continued evolution of DNSSEC algorithms and DNSSEC agility. promote continued evolution of DNSSEC algorithms and DNSSEC agility.
New entries added through the "Specification Required" process will New entries added through the Specification Required process will
have the value of "MAY" for all columns. (Ed note (RFC Editor - have the value of "MAY" for all columns.
please delete this before publication): As a reminder: the
"Specification Required" policy includes a requirement for a
designated expert to review the request.)
Adding a new entry to, or changing existing values in, the "DNS Adding a new entry to, or changing existing values in, the "DNS
System Algorithm Numbers" registry for the "Use for DNSSEC Signing", System Algorithm Numbers" registry for the "Use for DNSSEC Signing",
"Use for DNSSEC Validation", "Implement for DNSSEC Signing", or "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or
"Implement for DNSSEC Validation" columns to any other value than "Implement for DNSSEC Validation" columns to any other value than
"MAY" requires a Standards Action. "MAY" requires a Standards Action.
Adding a new entry to the "Digest Algorithms" registry with a Adding a new entry to the "Digest Algorithms" registry with a
recommended value of "MAY" in the "Use for DNSSEC Delegation", "Use recommended value of "MAY" in the "Use for DNSSEC Delegation", "Use
for DNSSEC Validation", "Implement for DNSSEC Delegation", or for DNSSEC Validation", "Implement for DNSSEC Delegation", or
"Implement for DNSSEC Validation" columns SHALL follow the "Implement for DNSSEC Validation" columns SHALL follow the
"Specification Required" policy as defined in [RFC8126]. Specification Required policy as defined in [RFC8126].
Adding a new entry to, or changing existing values in, the "DNS Adding a new entry to, or changing existing values in, the "Digest
System Algorithm Numbers" registry for the "Use for DNSSEC Algorithms" registry for the "Use for DNSSEC Delegation", "Use for
Delegation", "Use for DNSSEC Validation", "Implement for DNSSEC DNSSEC Validation", "Implement for DNSSEC Delegation", or "Implement
Delegation", or "Implement for DNSSEC Validation" columns to any for DNSSEC Validation" columns to any other value than "MAY" requires
other value than "MAY" requires a Standards Action. a Standards Action.
If an item is not marked as "RECOMMENDED", it does not necessarily If an item is not marked as "RECOMMENDED", it does not necessarily
mean that it is flawed; rather, it indicates that the item either has mean that it is flawed; rather, it indicates that the item either has
not been through the IETF consensus process, has limited not been through the IETF consensus process, has limited
applicability, or is intended only for specific use cases. applicability, or is intended only for specific use cases.
Only values of "MAY", "RECOMMENDED", "MUST NOT", and "NOT Only values of "MAY", "RECOMMENDED", "MUST NOT", and "NOT
RECOMMENDED" may be placed into the "Use for DNSSEC Signing" and "Use RECOMMENDED" may be placed into the "Use for DNSSEC Signing" and "Use
for DNSSEC Validation" columns. Only values of "MAY", "RECOMMENDED", for DNSSEC Validation" columns. Only values of "MAY", "RECOMMENDED",
"MUST", "MUST NOT", and "NOT RECOMMENDED" may be placed into the "MUST", "MUST NOT", and "NOT RECOMMENDED" may be placed into the
"Implement for DNSSEC Signing" and "Implement for DNSSEC Validation" "Implement for DNSSEC Signing" and "Implement for DNSSEC Validation"
columns. Note that a value of "MUST" is not an allowed value for the columns. Note that a value of "MUST" is not an allowed value for the
two "Use for" columns. two "Use for" columns.
The following sections state the initial values to be populated into The following sections state the initial values that have been
these rows. The "Implement for" column values are transcribed from populated into these columns. The values in the "Implement for"
[RFC8624]. The "Use for" columns are set to the same values as the columns are transcribed from [RFC8624]. The "Use for" columns are
"Implement for" values since the general interpretation to date set to the same values as those in the "Implement for" columns since
indicates they have been treated as values for both "implementation" the general interpretation to date indicates they have been treated
and "use". Note that the "Use for" columns values use "RECOMMENDED" as values for both "use" and "implementation". Note that the value
when the corresponding "Implement for" column is a "MUST" value. We in the "Use for" column is "RECOMMENDED" when the value in the
note that the values for "Implement for" and "Use for" may diverge in corresponding "Implement for" column is "MUST". We note that the
the future as implementations generally precede deployments. values for "Implement for" and "Use for" may diverge in the future as
implementations generally precede deployments.
3. DNS System Algorithm Numbers Column Values 3. DNS Security Algorithm Numbers Registry Column Values
Initial recommendation columns of use and implementation Initial recommendation columns of use and implementation
recommendations for the "Domain Name System Security (DNSSEC) recommendations for the "DNS Security Algorithm Numbers" registry
Algorithm Numbers" are shown in Table 2. under the "Domain Name System Security (DNSSEC) Algorithm Numbers"
registry group are shown in Table 2.
When there are multiple RECOMMENDED algorithms in the "use" column, When there are multiple RECOMMENDED algorithms in the "use" column,
operators should choose the best algorithm according to local policy. operators should choose the best algorithm according to local policy.
+===+===============+===========+===========+===========+===========+ +===+===============+===========+===========+===========+===========+
|N |Mnemonics |Use for |Use for |Implement |Implement | |No.|Mnemonics |Use for |Use for |Implement |Implement |
| | |DNSSEC |DNSSEC |for DNSSEC |for DNSSEC | | | |DNSSEC |DNSSEC |for DNSSEC |for DNSSEC |
| | |Signing |Validation |Signing |Validation | | | |Signing |Validation |Signing |Validation |
+===+===============+===========+===========+===========+===========+ +===+===============+===========+===========+===========+===========+
|1 |RSAMD5 |MUST NOT |MUST NOT |MUST NOT |MUST NOT | |1 |RSAMD5 |MUST NOT |MUST NOT |MUST NOT |MUST NOT |
+---+---------------+-----------+-----------+-----------+-----------+ +---+---------------+-----------+-----------+-----------+-----------+
|3 |DSA |MUST NOT |MUST NOT |MUST NOT |MUST NOT | |3 |DSA |MUST NOT |MUST NOT |MUST NOT |MUST NOT |
+---+---------------+-----------+-----------+-----------+-----------+ +---+---------------+-----------+-----------+-----------+-----------+
|5 |RSASHA1 |NOT |RECOMMENDED|NOT |MUST | |5 |RSASHA1 |NOT |RECOMMENDED|NOT |MUST |
| | |RECOMMENDED| |RECOMMENDED| | | | |RECOMMENDED| |RECOMMENDED| |
+---+---------------+-----------+-----------+-----------+-----------+ +---+---------------+-----------+-----------+-----------+-----------+
skipping to change at page 8, line 49 skipping to change at line 348
|23 |GOST R |MAY |MAY |MAY |MAY | |23 |GOST R |MAY |MAY |MAY |MAY |
| |34.10-2012 | | | | | | |34.10-2012 | | | | |
+---+---------------+-----------+-----------+-----------+-----------+ +---+---------------+-----------+-----------+-----------+-----------+
|253|private |MAY |MAY |MAY |MAY | |253|private |MAY |MAY |MAY |MAY |
| |algorithm | | | | | | |algorithm | | | | |
+---+---------------+-----------+-----------+-----------+-----------+ +---+---------------+-----------+-----------+-----------+-----------+
|254|private |MAY |MAY |MAY |MAY | |254|private |MAY |MAY |MAY |MAY |
| |algorithm OID | | | | | | |algorithm OID | | | | |
+---+---------------+-----------+-----------+-----------+-----------+ +---+---------------+-----------+-----------+-----------+-----------+
Table 2: Initial values for the DNS System Algorithm Numbers columns Table 2: Initial Values for the DNS Security Algorithm Numbers
Registry Columns
4. DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest 4. Digest Algorithms Registry Column Values
Algorithms Column Values
Initial recommendation columns of use and implementation Initial recommendation columns of use and implementation
recommendations for the "DNSSEC Delegation Signer (DS) Resource recommendations for the "Digest Algorithms" registry under the
Record (RR) Type Digest Algorithms" registry are shown in Table 3. "DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest
Algorithms" registry group are shown in Table 3.
When there are multiple RECOMMENDED algorithms in the "use" column, When there are multiple RECOMMENDED algorithms in the "use" column,
operators should choose the best algorithm according to local policy. operators should choose the best algorithm according to local policy.
+======+==========+===========+===========+==========+=============+ +=====+===========+===========+===========+==========+=============+
|Number|Mnemonics |Use for |Use for |Implement | Implement | |Value|Description|Use for |Use for |Implement | Implement |
| | |DNSSEC |DNSSEC |for DNSSEC| for DNSSEC | | | |DNSSEC |DNSSEC |for DNSSEC| for DNSSEC |
| | |Delegation |Validation |Delegation| Validation | | | |Delegation |Validation |Delegation| Validation |
+======+==========+===========+===========+==========+=============+ +=====+===========+===========+===========+==========+=============+
|0 |NULL (CDS |MUST NOT |MUST NOT |MUST NOT | MUST NOT | |0 |NULL (CDS |MUST NOT |MUST NOT |MUST NOT | MUST NOT |
| |only) | | | | | | |only) | | | | |
+------+----------+-----------+-----------+----------+-------------+ +-----+-----------+-----------+-----------+----------+-------------+
|1 |SHA-1 |MUST NOT |RECOMMENDED|MUST NOT | MUST | |1 |SHA-1 |MUST NOT |RECOMMENDED|MUST NOT | MUST |
+------+----------+-----------+-----------+----------+-------------+ +-----+-----------+-----------+-----------+----------+-------------+
|2 |SHA-256 |RECOMMENDED|RECOMMENDED|MUST | MUST | |2 |SHA-256 |RECOMMENDED|RECOMMENDED|MUST | MUST |
+------+----------+-----------+-----------+----------+-------------+ +-----+-----------+-----------+-----------+----------+-------------+
|3 |GOST R |MUST NOT |MAY |MUST NOT | MAY | |3 |GOST R |MUST NOT |MAY |MUST NOT | MAY |
| |34.11-94 | | | | | | |34.11-94 | | | | |
+------+----------+-----------+-----------+----------+-------------+ +-----+-----------+-----------+-----------+----------+-------------+
|4 |SHA-384 |MAY |RECOMMENDED|MAY | RECOMMENDED | |4 |SHA-384 |MAY |RECOMMENDED|MAY | RECOMMENDED |
+------+----------+-----------+-----------+----------+-------------+ +-----+-----------+-----------+-----------+----------+-------------+
|5 |GOST R |MAY |MAY |MAY | MAY | |5 |GOST R |MAY |MAY |MAY | MAY |
| |34.11-2012| | | | | | |34.11-2012 | | | | |
+------+----------+-----------+-----------+----------+-------------+ +-----+-----------+-----------+-----------+----------+-------------+
|6 |SM3 |MAY |MAY |MAY | MAY | |6 |SM3 |MAY |MAY |MAY | MAY |
+------+----------+-----------+-----------+----------+-------------+ +-----+-----------+-----------+-----------+----------+-------------+
Table 3: Initial values for the DNSSEC Delegation Signer (DS) Table 3: Initial Values for the Digest Algorithms Registry Columns
Resource Record (RR) Type Digest Algorithms columns
5. Security Considerations 5. Security Considerations
The security of cryptographic systems depends on both the strength of The security of cryptographic systems depends on the strength of both
the cryptographic algorithms chosen and the strength of the keys used the cryptographic algorithms chosen and the keys used with those
with those algorithms. The security also depends on the engineering algorithms. The security also depends on the engineering of the
of the protocol used by the system to ensure that there are no non- protocol used by the system to ensure that there are no non-
cryptographic ways to bypass the security of the overall system. cryptographic ways to bypass the security of the overall system.
This document concerns itself with the selection of cryptographic This document concerns itself with the selection of cryptographic
algorithms for the use of DNSSEC, specifically with the selection of algorithms for the use of DNSSEC, specifically with the selection of
"mandatory to implement" algorithms. The algorithms identified in "mandatory-to-implement" algorithms. In this document, the
this document as "MUST" or "RECOMMENDED" to implement are not known algorithms identified as MUST or RECOMMENDED to implement are not
to be broken at the current time, and cryptographic research so far known to be broken at the current time, and cryptographic research so
leads us to believe that they are likely to remain adequately secure far leads us to believe that they are likely to remain adequately
unless significant and unexpected discovery is made. However, this secure unless significant and unexpected discovery is made. However,
isn't necessarily forever, and it is expected that future documents this isn't necessarily forever, and it is expected that future
will be issued from time to time to reflect the current best documents will be issued from time to time to reflect the current
practices in this area. best practices in this area.
Retiring an algorithm too soon would result in a zone signed with the Retiring an algorithm too soon would result in a zone signed with the
retired algorithm being downgraded to the equivalent of an unsigned retired algorithm being downgraded to the equivalent of an unsigned
zone. Therefore, algorithm deprecation must be done only after zone. Therefore, algorithm deprecation must be done only after
careful consideration and ideally slowly when possible. careful consideration and ideally slowly when possible.
6. Operational Considerations 6. Operational Considerations
DNSKEY algorithm rollover in a live zone is a complex process. See DNSKEY algorithm rollover in a live zone is a complex process. See
[RFC6781] and [RFC7583] for guidelines on how to perform algorithm [RFC6781] and [RFC7583] for guidelines on how to perform algorithm
rollovers. rollovers.
DS algorithm rollover in a live zone is also a complex process. DS algorithm rollover in a live zone is also a complex process.
Upgrading algorithm at the same time as rolling to the new Key Upgrading an algorithm at the same time as rolling to the new Key
Signing Key (KSK) key will lead to DNSSEC validation failures, and Signing Key (KSK) key will lead to DNSSEC validation failures, and
users MUST upgrade the DS algorithm first before rolling to a new users MUST upgrade the DS algorithm first before rolling to a new
KSK. KSK.
7. IANA Considerations 7. IANA Considerations
The IANA is requested to update the [DNSKEY-IANA] and [DS-IANA] IANA has updated the "DNS Security Algorithm Numbers" [DNSKEY-IANA]
registries according to the following sections. and "Digest Algorithms" [DS-IANA] registries according to the
sections that follow.
7.1. Update to the "DNS Security Algorithm Numbers" registry 7.1. Update to the DNS Security Algorithm Numbers Registry
This document requests IANA update the "DNS Security Algorithm IANA has updated the "DNS Security Algorithm Numbers" registry
Numbers" registry ([DNSKEY-IANA]) registry with the following [DNSKEY-IANA] with the following columns and has populated these
additional columns: columns with the values from Table 2 of this document:
* "Use for DNSSEC Signing" * "Use for DNSSEC Signing"
* "Use for DNSSEC Validation" * "Use for DNSSEC Validation"
* "Implement for DNSSEC Signing" * "Implement for DNSSEC Signing"
* "Implement for DNSSEC Validation" * "Implement for DNSSEC Validation"
These values must be populated using values from Table 2 of this Additionally, IANA has completed the following actions for the "DNS
document. Security Algorithm Numbers" registry [DNSKEY-IANA]:
Additionally, the registration policy for the [DNSKEY-IANA] registry * Changed the registration procedure to Standards Action or
should match the text describing the requirements in this document, Specification Required.
and Section 2's note concerning values not marked as "RECOMMENDED"
should be added to the registry.
This document should be listed as a reference to the "DNS Security * Added a note to the registry that describes the values not marked
Algorithm Numbers" registry. as "RECOMMENDED" per Section 2.2.
7.2. Update to the "Digest Algorithms" registry * Listed this document as an additional reference for the registry.
This document requests IANA update the "Digest Algorithms" registry 7.2. Update to the Digest Algorithms Registry
([DS-IANA]) registry with the following additional columns:
IANA has updated the "Digest Algorithms" registry [DS-IANA] with the
following columns and has populated these columns with the values
from Table 3 of this document:
* "Use for DNSSEC Delegation" * "Use for DNSSEC Delegation"
* "Use for DNSSEC Validation" * "Use for DNSSEC Validation"
* "Implement for DNSSEC Delegation" * "Implement for DNSSEC Delegation"
* "Implement for DNSSEC Validation" * "Implement for DNSSEC Validation"
These values must be populated using values from Table 3 of this Additionally, IANA has completed the following actions for the
document. "Digest Algorithms" registry [DS-IANA]:
* Update the registration policy for the [DS-IANA] registry to match
the text describing update requirements above
* Mark values 128 - 252 as "Reserved"
* Mark values 253 and 254 as "Reserved for Private Use"
* Delete the (now superfluous) column "Status" from the registry * Changed the registration procedure to Standards Action or
Specification Required.
Section 2's note concerning values not marked as "RECOMMENDED" should * Added a note to the registry that describes the values not marked
be added to the registry. as "RECOMMENDED" per Section 2.2.
This document should be listed as a reference to the "Digest * Listed this document as an additional reference for the registry.
Algorithms" registry.
8. Acknowledgments * Marked values 128-252 as "Reserved".
This document is based on, and extends, RFC 8624, which was authored * Marked values 253 and 254 as "Reserved for Private Use".
by Paul Wouters and Ondrej Sury.
The content of this document was heavily discussed by participants of * Deleted the (now superfluous) column "Status" from the registry.
the DNSOP working group. The authors appreciate the thoughtfulness
of the many opinions expressed by working group participants that all
helped shaped this document. We thank Paul Hoffman and Paul Wouters
for their contributed text, and also Nabeel Cocker, Shumon Huque,
Nicolai Leymann, S Moonesamy, Magnus Nyström, Peter Thomassen, Stefan
Ubbink, and Loganaden Velvindron for their reviews and comments.
9. References 8. References
9.1. Normative References 8.1. Normative References
[DNSKEY-IANA] [DNSKEY-IANA]
IANA, "DNS Security Algorithm Numbers", n.d., IANA, "DNS Security Algorithm Numbers",
<https://www.iana.org/assignments/dns-sec-alg-numbers/dns- <https://www.iana.org/assignments/dns-sec-alg-numbers>.
sec-alg-numbers.xml#dns-sec-alg-numbers-1>.
[DS-IANA] IANA, "Delegation Signer (DS) Resource Record (RR) Type [DS-IANA] IANA, "DNSSEC Delegation Signer (DS) Resource Record (RR)
Digest Algorithms", n.d., Type Digest Algorithms",
<http://www.iana.org/assignments/ds-rr-types>. <http://www.iana.org/assignments/ds-rr-types>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/rfc/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC9157] Hoffman, P., "Revised IANA Considerations for DNSSEC", [RFC9157] Hoffman, P., "Revised IANA Considerations for DNSSEC",
RFC 9157, DOI 10.17487/RFC9157, December 2021, RFC 9157, DOI 10.17487/RFC9157, December 2021,
<https://www.rfc-editor.org/rfc/rfc9157>. <https://www.rfc-editor.org/info/rfc9157>.
9.2. Informative References 8.2. Informative References
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005, RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/rfc/rfc4034>. <https://www.rfc-editor.org/info/rfc4034>.
[RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer [RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
(DS) Resource Records (RRs)", RFC 4509, (DS) Resource Records (RRs)", RFC 4509,
DOI 10.17487/RFC4509, May 2006, DOI 10.17487/RFC4509, May 2006,
<https://www.rfc-editor.org/rfc/rfc4509>. <https://www.rfc-editor.org/info/rfc4509>.
[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
Security (DNSSEC) Hashed Authenticated Denial of Security (DNSSEC) Hashed Authenticated Denial of
Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,
<https://www.rfc-editor.org/rfc/rfc5155>. <https://www.rfc-editor.org/info/rfc5155>.
[RFC5702] Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY [RFC5702] Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY
and RRSIG Resource Records for DNSSEC", RFC 5702, and RRSIG Resource Records for DNSSEC", RFC 5702,
DOI 10.17487/RFC5702, October 2009, DOI 10.17487/RFC5702, October 2009,
<https://www.rfc-editor.org/rfc/rfc5702>. <https://www.rfc-editor.org/info/rfc5702>.
[RFC5933] Dolmatov, V., Ed., Chuprina, A., and I. Ustinov, "Use of [RFC5933] Dolmatov, V., Ed., Chuprina, A., and I. Ustinov, "Use of
GOST Signature Algorithms in DNSKEY and RRSIG Resource GOST Signature Algorithms in DNSKEY and RRSIG Resource
Records for DNSSEC", RFC 5933, DOI 10.17487/RFC5933, July Records for DNSSEC", RFC 5933, DOI 10.17487/RFC5933, July
2010, <https://www.rfc-editor.org/rfc/rfc5933>. 2010, <https://www.rfc-editor.org/info/rfc5933>.
[RFC6605] Hoffman, P. and W.C.A. Wijngaards, "Elliptic Curve Digital [RFC6605] Hoffman, P. and W.C.A. Wijngaards, "Elliptic Curve Digital
Signature Algorithm (DSA) for DNSSEC", RFC 6605, Signature Algorithm (DSA) for DNSSEC", RFC 6605,
DOI 10.17487/RFC6605, April 2012, DOI 10.17487/RFC6605, April 2012,
<https://www.rfc-editor.org/rfc/rfc6605>. <https://www.rfc-editor.org/info/rfc6605>.
[RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
Operational Practices, Version 2", RFC 6781, Operational Practices, Version 2", RFC 6781,
DOI 10.17487/RFC6781, December 2012, DOI 10.17487/RFC6781, December 2012,
<https://www.rfc-editor.org/rfc/rfc6781>. <https://www.rfc-editor.org/info/rfc6781>.
[RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking, [RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking,
"DNSSEC Key Rollover Timing Considerations", RFC 7583, "DNSSEC Key Rollover Timing Considerations", RFC 7583,
DOI 10.17487/RFC7583, October 2015, DOI 10.17487/RFC7583, October 2015,
<https://www.rfc-editor.org/rfc/rfc7583>. <https://www.rfc-editor.org/info/rfc7583>.
[RFC8080] Sury, O. and R. Edmonds, "Edwards-Curve Digital Security [RFC8080] Sury, O. and R. Edmonds, "Edwards-Curve Digital Security
Algorithm (EdDSA) for DNSSEC", RFC 8080, Algorithm (EdDSA) for DNSSEC", RFC 8080,
DOI 10.17487/RFC8080, February 2017, DOI 10.17487/RFC8080, February 2017,
<https://www.rfc-editor.org/rfc/rfc8080>. <https://www.rfc-editor.org/info/rfc8080>.
[RFC8624] Wouters, P. and O. Sury, "Algorithm Implementation [RFC8624] Wouters, P. and O. Sury, "Algorithm Implementation
Requirements and Usage Guidance for DNSSEC", RFC 8624, Requirements and Usage Guidance for DNSSEC", RFC 8624,
DOI 10.17487/RFC8624, June 2019, DOI 10.17487/RFC8624, June 2019,
<https://www.rfc-editor.org/rfc/rfc8624>. <https://www.rfc-editor.org/info/rfc8624>.
[RFC9364] Hoffman, P., "DNS Security Extensions (DNSSEC)", BCP 237, [RFC9364] Hoffman, P., "DNS Security Extensions (DNSSEC)", BCP 237,
RFC 9364, DOI 10.17487/RFC9364, February 2023, RFC 9364, DOI 10.17487/RFC9364, February 2023,
<https://www.rfc-editor.org/rfc/rfc9364>. <https://www.rfc-editor.org/info/rfc9364>.
[TLS-ciphersuites] [TLS-ciphersuites]
IANA, "Transport Layer Security (TLS) Parameters", n.d., IANA, "Transport Layer Security (TLS) Parameters",
<https://www.iana.org/assignments/tls-parameters/tls- <https://www.iana.org/assignments/tls-parameters>.
parameters.xhtml#tls-parameters-4>.
Appendix A. ChangeLog
(RFC Editor: please remove this ChangeLog section upon publication.)
A.1. Changes from ietf-10 to ietf-11:
* Many more comments to address IESG reviews
A.2. Changes from ietf-09 to ietf-10:
* Many comments addressed from IESG reviews
A.3. Changes from ietf-08 to ietf-09
* Added missing alogirthms (SM2/SM3 and GOST R 34.10-2012)
A.4. Changes from ietf-07 to ietf-08
* Handle issues raised during IETF last call:
* updates 9157
* other nit fixes
A.5. Changes from ietf-06 to ietf-07
* changed to a standards track document
A.6. Changes from ietf-05 to ietf-06
* Address Eric Vyncke (RAD!) AD review comments.
A.7. Changes from ietf-03 to ietf-05
* Updated "entry requirements" to be "Specification Required".
* Marked values 128 - 252 as "Reserved" in "Digest Algorithms" as
break-glass mechanism in case we get a flood of these. To align with the
"DNS Security Algorithm Numbers" registry (that reserves 123 - ...)
* Marked values 253 and 254 as "Reserved for Private Use" in "Digest
Algorithms"
* Deleted the (now superfluous) column "Status" from the "Digest
A.8. Changes from ietf-02 to ietf-03
* Fixed the reference in the Abstract (no links in Abstracts)
* Added Updates: to the header.
A.9. Changes from ietf-01 to ietf-02
* Changed the MUST values in the tables for the Use columns to
RECOMMENDED based on discussions on the dnsop mailing list.
* Other minor wording and formatting changes
A.10. Changes from ietf-00 to ietf-01
* Only NIT fixing
A.11. Changes from hardaker-04 to ietf-00
* Just a draft name and number change.
A.12. Changes from -03 to -04
* Changed the columns being added from 2 per table to 4, based on
discussion within the dnsop working group mailing list. This was
a fairly major set of changes.
A.13. Changes since RFC8624
* The primary purpose of this revision is to introduce the new Acknowledgments
columns to existing registries. It makes no changes to the
previously defined values.
* Merged in RFC9157 updates. This document is based on, and extends, RFC 8624, which was authored
by Paul Wouters and Ondrej Sury.
* Set authors as Wes Hardaker, Warren Kumari. The content of this document was heavily discussed by participants of
the DNSOP Working Group. The authors appreciate the thoughtfulness
of the many opinions expressed by working group participants that all
helped shaped this document. We thank Paul Hoffman and Paul Wouters
for their contributed text and also Nabeel Cocker, Shumon Huque,
Nicolai Leymann, S. Moonesamy, Magnus Nyström, Peter Thomassen,
Stefan Ubbink, and Loganaden Velvindron for their reviews and
comments.
Authors' Addresses Authors' Addresses
Wes Hardaker Wes Hardaker
USC/ISI USC/ISI
Email: ietf@hardakers.net Email: ietf@hardakers.net
Warren Kumari Warren Kumari
Google Google
Email: warren@kumari.net Email: warren@kumari.net
 End of changes. 88 change blocks. 
325 lines changed or deleted 226 lines changed or added

This html diff was produced by rfcdiff 1.48.