<?xmlversion="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.29 (Ruby 3.4.2) -->version='1.0' encoding='UTF-8'?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?rfc docmapping="yes"?><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-dnsop-rfc8624-bis-13" number="9904" category="std" consensus="true" submissionType="IETF" obsoletes="8624" updates="9157" tocInclude="true" sortRefs="true"symRefs="true">symRefs="true" xml:lang="en" version="3"> <front> <title abbrev="DNSSEC Algorithms Update Process">DNSSEC Cryptographic Algorithm Recommendation Update Process</title> <seriesInfo name="RFC" value="9904"/> <author initials="W." surname="Hardaker" fullname="Wes Hardaker"> <organization>USC/ISI</organization> <address> <email>ietf@hardakers.net</email> </address> </author> <author initials="W." surname="Kumari" fullname="Warren Kumari"> <organization>Google</organization> <address> <email>warren@kumari.net</email> </address> </author> <date year="2025"month="June" day="04"/>month="October"/> <area>OPS</area> <workgroup>dnsop</workgroup> <!-- [rfced] Please insert any keywords (beyond those that appear in the title) for use on https://www.rfc-editor.org/search. --> <abstract><?line 60?><t>The DNSSEC protocol makes use of various cryptographic algorithms to provide authentication of DNS data and proof ofnon-existence.nonexistence. To ensure interoperability between DNS resolvers and DNS authoritative servers, it is necessary to specify both a set of algorithm implementation requirements and usage guidelines to ensure that there is at least one algorithm that all implementations support. <!--[rfced] In the first sentence, should "an IANA registry" be updated to "the IANA DNSSEC algorithm registries"? In the second sentence, should "this registry" be updated to "these registries"? If not, should the registry name be included for clarity? Also, please clarify "incremental update RFCs". Is the intended meaning that future extensions can be made under new, incremental RFCs that update this document? Current: This document replaces and obsoletes RFC 8624 and moves the canonical source of algorithm implementation requirements and usage guidance for DNSSEC from RFC 8624 to an IANA registry. Future extensions to this registry can be made under new, incremental update RFCs. Perhaps: This document replaces and obsoletes RFC 8624 and moves the canonical source of algorithm implementation requirements and usage guidance for DNSSEC from RFC 8624 to the IANA DNSSEC algorithm registries. Future extensions to these registries can be made under new, incremental RFCs that update this document. --> This document replaces and obsoletesRFC8624RFC 8624 and moves the canonical source of algorithm implementation requirements and usage guidance for DNSSEC fromRFC8624RFC 8624 to an IANA registry. <!--[rfced] We assume that the second instance of "the list" is "the list of requirements"; therefore, we have updated this sentence for clarity as shown below. Please let us know if this is incorrect. Original: This is done both to allow the list of requirements to be more easily updated, and to allow the list to be more easily referenced. Current: This is done to allow the list of requirements to be more easily updated and referenced. --> This is done to allow the list of requirements to be more easily updated and referenced. <!--[rfced] FYI: We added that this document "updates RFC 9157" in the Abstract as shown below. Original: This document also incorporates the revised IANA DNSSEC considerations from RFC9157. Current: This document also updates RFC 9157 and incorporates the revised IANA DNSSEC considerations from that RFC. --> Future extensions to this registry can be made under new, incremental update RFCs. This document also updates RFC 9157 and incorporates the revised IANA DNSSEC considerations fromRFC9157.</t> <t>Thethat RFC.</t> <!--[rfced] Should "MUST", "MAY", and "RECOMMENDED" be referred to as the "recommendation status" or the "DNSSEC delegation, signing, or validation status" rather than "status" for clarity? Original: The document does not change the status (MUST, MAY, RECOMMENDED, etc.) of the algorithms listed in RFC8624; that is the work of future documents. Perhaps: This document does not change the recommendation status (MUST, MAY, RECOMMENDED, etc.) of the algorithms listed in RFC 8624; that is the work of future documents. --> <t>This document does not change the status (<bcp14>MUST</bcp14>, <bcp14>MAY</bcp14>, <bcp14>RECOMMENDED</bcp14>, etc.) of the algorithms listed in RFC 8624; that is the work of future documents.</t> </abstract> </front> <middle><?line 78?><sectionanchor="introduction"><name>Introduction</name> <t>DNSanchor="introduction"> <name>Introduction</name> <t>"DNS Security Extensions(DNSSEC)(DNSSEC)" <xreftarget="RFC9364"></xref>target="RFC9364"/> is used to provide authentication of DNS data. The DNSSEC signing algorithms are defined by various RFCs, including <xreftarget="RFC4034"></xref>,target="RFC4034"/>, <xreftarget="RFC4509"></xref>,target="RFC4509"/>, <xreftarget="RFC5155"></xref>,target="RFC5155"/>, <xreftarget="RFC5702"></xref>,target="RFC5702"/>, <xreftarget="RFC5933"></xref>,target="RFC5933"/>, <xreftarget="RFC6605"></xref>,target="RFC6605"/>, and <xreftarget="RFC8080"></xref>.</t>target="RFC8080"/>.</t> <t>To ensure interoperability, a set of"mandatory to implement" DNSKEY"mandatory-to-implement" DNS Public Key (DNSKEY) algorithms are defined in <xreftarget="RFC8624"></xref>.target="RFC8624"/>. To make the current status of the algorithms more easily accessible and understandable, and to make future changes to these recommendations easier to publish, this document moves the canonical status of the algorithms from <xreftarget="RFC8624"></xref>target="RFC8624"/> to the IANA DNSSEC algorithm registries. Additionally, as advice to operators, it adds recommendations for deploying andthe usage ofusing these algorithms.</t> <t>This is similar to the process used for the "TLS Cipher Suites" registry <xreftarget="TLS-ciphersuites"></xref> registry,target="TLS-ciphersuites"/>, where the canonical list ofciphersuitescipher suites is in the IANA registry, andtheRFCs reference the IANA registry.</t> <sectionanchor="document-audience"><name>Documentanchor="document-audience"> <name>Document Audience</name><t>The<!--[rfced] FYI: We updated the second IANA registry listed below to reflect the registry name rather than the registry group for clarity and consistency. Original: The columns added to the IANA<xref target="DNSKEY-IANA">"DNS"DNS Security AlgorithmNumbers"</xref>Numbers" [DNSKEY-IANA] and<xref target="DS-IANA">"DNSSEC"DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms" [DS-IANA] registries target DNSSEC operators and implementers. Current: The columns added to the IANA "DNS Security Algorithm Numbers" [DNSKEY-IANA] and "Digest Algorithms" [DS-IANA] registries target DNSSEC operators and implementers. --> <t>The columns added to the IANA <xref target="DNSKEY-IANA">"DNS Security Algorithm Numbers"</xref> and <xref target="DS-IANA">"Digest Algorithms"</xref> registries target DNSSEC operators and implementers.</t> <t>Implementations need to meetbothhigh security expectations as well as provide interoperability between various implementations and with different versions.</t> <t>The field of cryptography evolves continuously. New, stronger algorithms appear, and existing algorithms may be found to be less secure than originally thought. Therefore, algorithm implementation requirements and usage guidance need to be updated from time to time in order to reflect the newreality,reality and to allow for a smooth transition to more securealgorithms,algorithms as well as the deprecation of algorithms deemed to no longer be secure.</t> <t>Implementations need to be conservative in the selection of algorithms they implement in order to minimize both code complexity and the attack surface.</t> <t>The perspective of implementers may differ from that of an operator who wishes to deploy and configure DNSSEC with only the safest algorithm. Assuchsuch, this document also adds new recommendations about which algorithms should be deployed regardless of implementation status. In general, it is expected that deployment of aging algorithms should generally be reduced before implementations stop supporting them.</t> </section> <sectionanchor="updating-algorithm-requirement-levels"><name>Updatinganchor="updating-algorithm-requirement-levels"> <name>Updating Algorithm Requirement Levels</name> <t>By the time a DNSSEC cryptographic algorithm is made mandatory to implement, it should already be available in most implementations. This document defines an IANA registration modification to allow future documents to specify the implementation recommendations for each algorithm, as the recommendation status of each DNSSEC cryptographic algorithm is expected to change over time. For example, there is no guarantee that newly introduced algorithms will become mandatory to implement in the future. Likewise, published algorithms are continuously subjected to cryptographic attack and may become too weak, or even be completely broken, and will require deprecation in the future.</t> <t>It is expected that the deprecation of an algorithm will be performed gradually. This provides time for implementations to update their implemented algorithms while remaining interoperable. Unless there are strong security reasons, an algorithm is expected to be downgraded fromMUST<bcp14>MUST</bcp14> toNOT RECOMMENDED<bcp14>NOT RECOMMENDED</bcp14> orMAY,<bcp14>MAY</bcp14>, instead of directly fromMUST<bcp14>MUST</bcp14> toMUST NOT.<bcp14>MUST NOT</bcp14>. Similarly, an algorithm that has not been mentioned as mandatory to implement is expected to be first introduced asRECOMMENDED<bcp14>RECOMMENDED</bcp14> instead of aMUST.</t><bcp14>MUST</bcp14>.</t> <t>Since the effect of using an unknown DNSKEY algorithm is that the zone is treated as insecure, it is recommended that algorithmswhichthat have been downgraded toNOT RECOMMENDED<bcp14>NOT RECOMMENDED</bcp14> or lower not be used by authoritative nameservers and DNSSEC signers to create newDNSKEY's.DNSKEYs. This ensures that the use of deprecated algorithms decreases over time. Once an algorithm has reached a sufficiently low level of deployment, it can be marked asMUST NOT,<bcp14>MUST NOT</bcp14>, so that recursive resolvers can remove support for validating it.</t> <t>Validating recursive resolvers are encouraged to retain support for all algorithms not marked asMUST NOT.</t><bcp14>MUST NOT</bcp14>.</t> </section> <sectionanchor="requirements-notation"><name>Requirements notation</name> <t>Theanchor="requirements-notation"> <name>Requirements Notation</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> <t><xreftarget="RFC2119"></xref>target="RFC2119"/> considers the termSHOULD<bcp14>SHOULD</bcp14> to be equivalent toRECOMMENDED,<bcp14>RECOMMENDED</bcp14>, andSHOULD NOT<bcp14>SHOULD NOT</bcp14> equivalent toNOT RECOMMENDED.<bcp14>NOT RECOMMENDED</bcp14>. This document has chosen to use the termsRECOMMENDED<bcp14>RECOMMENDED</bcp14> andNOT RECOMMENDED,<bcp14>NOT RECOMMENDED</bcp14>, as this more clearly expresses the recommendations to implementers.</t> </section> </section> <sectionanchor="adding-usage-and-implementation-recommendations-to-the-iana-dnssec-registries"><name>Adding usageanchor="adding-usage-and-implementation-recommendations-to-the-iana-dnssec-registries"> <name>Adding Usage andimplementation recommendationsImplementation Recommendations to the IANA DNSSECregistries</name>Algorithm Registries</name> <t>Per this document, the following columnsare beinghave been added to thefollowingcorresponding DNSSEC algorithm registries maintainedwithby IANA:</t><texttable title="Columns to add<table anchor="columns"> <name>Columns Added toexistingExisting DNSSECalgorithm registries" anchor="columns"> <ttcol align='left'>Registry</ttcol> <ttcol align='left'>Column added</ttcol> <c>DNSAlgorithm Registries</name> <thead> <tr> <th align="left">Registry</th> <th align="left">Column Added</th> </tr> </thead> <tbody> <tr> <td align="left">DNS Security AlgorithmNumbers</c> <c>UseNumbers</td> <td align="left">Use for DNSSECSigning</c> <c>DNSSigning</td> </tr> <tr> <td align="left">DNS Security AlgorithmNumbers</c> <c>UseNumbers</td> <td align="left">Use for DNSSECValidation</c> <c>DNSValidation</td> </tr> <tr> <td align="left">DNS Security AlgorithmNumbers</c> <c>ImplementNumbers</td> <td align="left">Implement for DNSSECSigning</c> <c>DNSSigning</td> </tr> <tr> <td align="left">DNS Security AlgorithmNumbers</c> <c>Implement for DNSSEC Validation</c> <c>Digest Algorithm</c> <c>Use for DNSSEC Delegation</c> <c>Digest Algorithm</c> <c>Use for DNSSEC Validation</c> <c>Digest Algorithm</c> <c>Implement for DNSSEC Delegation</c> <c>Digest Algorithm</c> <c>Implement for DNSSEC Validation</c> </texttable>Numbers</td> <td align="left">Implement for DNSSEC Validation</td> </tr> <tr> <td align="left">Digest Algorithms</td> <td align="left">Use for DNSSEC Delegation</td> </tr> <tr> <td align="left">Digest Algorithms</td> <td align="left">Use for DNSSEC Validation</td> </tr> <tr> <td align="left">Digest Algorithms</td> <td align="left">Implement for DNSSEC Delegation</td> </tr> <tr> <td align="left">Digest Algorithms</td> <td align="left">Implement for DNSSEC Validation</td> </tr> </tbody> </table> <sectionanchor="column-descriptions"><name>Columnanchor="column-descriptions"> <name>Column Descriptions</name> <t>The intended usage of the four columns in the "DNS Security Algorithm Numbers"table are:</t>registry is as follows:</t> <dl> <dt>Use for DNSSEC Signing:</dt> <dd> <t>Indicates the recommendation for using the algorithm within authoritative servers.</t> </dd> <dt>Use for DNSSEC Validation:</dt> <dd> <t>Indicates the recommendation for using the algorithm in DNSSEC validators.</t> </dd> <dt>Implement for DNSSEC Signing:</dt> <dd> <t>Indicates the recommendation for implementing the algorithm within DNSSEC signing software.</t> </dd> <dt>Implement for DNSSEC Validation:</dt> <dd> <t>Indicates the recommendation for implementing the algorithm within DNSSEC validators.</t> </dd> </dl> <t>The intended usage of the four columns in the "DigestAlgorithm" table are:</t>Algorithms" registry is as follows:</t> <dl> <dt>Use for DNSSEC Delegation:</dt> <dd> <t>Indicates the recommendation for using the algorithm within authoritative servers.</t> </dd> <dt>Use for DNSSEC Validation:</dt> <dd> <t>Indicates the recommendation for using the algorithm in DNSSEC validators.</t> </dd> <dt>Implement for DNSSEC Delegation:</dt> <dd> <t>Indicates the recommendation for implementing the algorithm within authoritative servers.</t> </dd> <dt>Implement for DNSSEC Validation:</dt> <dd> <t>Indicates the recommendation for implementing the algorithm within validating resolvers.</t> </dd> </dl> </section> <sectionanchor="adding-and-changing-values"><name>Addinganchor="adding-and-changing-values"> <name>Adding and Changing Values</name> <t>Adding a new entry to the "DNS System Algorithm Numbers" registry with a recommended value of"MAY""<bcp14>MAY</bcp14>" in the "Use for DNSSEC Signing", "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or "Implement for DNSSEC Validation" columns will be subject to the"Specification Required"Specification Required policy as defined in <xreftarget="RFC8126"></xref>target="RFC8126"/> in order to promote continued evolution of DNSSEC algorithms and DNSSEC agility. New entries added through the"Specification Required"Specification Required process will have the value of"MAY""<bcp14>MAY</bcp14>" for all columns.(Ed note (RFC Editor -</t> <!--[rfced] Questions about Section 2.2 a) In this section, may we put the notes that appear in the IANA registry within <blockquote>? Should lead-in sentences be added for clarity? If so, pleasedeleteprovide the desired text. Perhaps: The following note describing the procedures for adding and changing values has been added to the "DNS Security Algorithm Numbers" registry: Note: ... The following note has been added to the "Digest Algorithms" registry: Note: ... b) May we update the phrasing of these two paragraphs for ease of reading as shown below (i.e., make "existing values" singular for consistency and move the '"any value other than "May"' phrasing up)? If agreeable, we will ask IANA to make the same updates to the notes in the corresponding registries. c) In the first example below, should the "DNS System Algorithm Numbers" registry be updated to the "DNS Security Algorithm Numbers" registry? Note that thisbefore publication): Asregistry name also appears in the first paragraph in Section 2.2. d) Note: Per IANA's note, we have updated the "DNS System Algorithm Numbers" registry to the "Digest Algorithms" registry in the second example shown below. Original: Adding areminder:new entry to, or changing existing values in, the"Specification Required" policy includes"DNS System Algorithm Numbers" registry for the "Use for DNSSEC Signing", "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or "Implement for DNSSEC Validation" columns to any other value than "MAY" requires a Standards Action. Perhaps: Adding arequirementnew entry to, or changing an existing value in, the "DNS Security Algorithm Numbers" registry that has any value other than "MAY" in the "Use for DNSSEC Signing", "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or "Implement for DNSSEC Validation" columns requires Standards Action. ... Original: Adding adesignated expertnew entry to, or changing existing values in, the "DNS System Algorithm Numbers" registry for the "Use for DNSSEC Delegation", "Use for DNSSEC Validation", "Implement for DNSSEC Delegation", or "Implement for DNSSEC Validation" columns toreviewany other value than "MAY" requires a Standards Action. Perhaps: Adding a new entry to, or changing an existing value in, the "Digest Algorithm Numbers" registry that has any value other than "MAY" in therequest.)</t>"Use for DNSSEC Delegation", "Use for DNSSEC Validation", "Implement for DNSSEC Delegation", or "Implement for DNSSEC Validation" columns requires Standards Action. --> <t>Adding a new entry to, or changing existing values in, the "DNS System Algorithm Numbers" registry for the "Use for DNSSEC Signing", "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or "Implement for DNSSEC Validation" columns to any other value than"MAY""<bcp14>MAY</bcp14>" requires a Standards Action.</t> <!--Note for RFC Editor: Ask IANA to remove the quote marks around the Specification Required policy in the notes in both registries. --> <t>Adding a new entry to the "Digest Algorithms" registry with a recommended value of"MAY""<bcp14>MAY</bcp14>" in the "Use for DNSSEC Delegation", "Use for DNSSEC Validation", "Implement for DNSSEC Delegation", or "Implement for DNSSEC Validation" columnsSHALL<bcp14>SHALL</bcp14> follow the"Specification Required"Specification Required policy as defined in <xreftarget="RFC8126"></xref>.</t>target="RFC8126"/>.</t> <t>Adding a new entry to, or changing existing values in, the"DNS System Algorithm Numbers""Digest Algorithms" registry for the "Use for DNSSEC Delegation", "Use for DNSSEC Validation", "Implement for DNSSEC Delegation", or "Implement for DNSSEC Validation" columns to any other value than"MAY""<bcp14>MAY</bcp14>" requires a Standards Action.</t> <t>If an item is not marked as"RECOMMENDED","<bcp14>RECOMMENDED</bcp14>", it does not necessarily mean that it is flawed; rather, it indicates that the item either has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases.</t> <t>Only values of"MAY", "RECOMMENDED", "MUST NOT","<bcp14>MAY</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>MUST NOT</bcp14>", and"NOT RECOMMENDED""<bcp14>NOT RECOMMENDED</bcp14>" may be placed into the "Use for DNSSEC Signing" and "Use for DNSSEC Validation" columns. Only values of"MAY", "RECOMMENDED", "MUST", "MUST NOT","<bcp14>MAY</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", and"NOT RECOMMENDED""<bcp14>NOT RECOMMENDED</bcp14>" may be placed into the "Implement for DNSSEC Signing" and "Implement for DNSSEC Validation" columns. Note that a value of"MUST""<bcp14>MUST</bcp14>" is not an allowed value for the two "Use for" columns.</t> <t>The following sections state the initial valuesto bethat have been populated into theserows.columns. The values in the "Implement for"column valuescolumns are transcribed from <xreftarget="RFC8624"></xref>.target="RFC8624"/>. The "Use for" columns are set to the same values as those in the "Implement for"valuescolumns since the general interpretation to date indicates they have been treated as values for both"implementation""use" and"use"."implementation". Note that the value in the "Use for"columns values use "RECOMMENDED"column is "<bcp14>RECOMMENDED</bcp14>" when the value in the corresponding "Implement for" column isa "MUST" value."<bcp14>MUST</bcp14>". We note that the values for "Implement for" and "Use for" may diverge in the future as implementations generally precede deployments.</t> </section> </section> <sectionanchor="dns-system-algorithm-numbers-column-values"><name>DNS Systemanchor="dns-system-algorithm-numbers-column-values"> <name>DNS Security Algorithm Numbers Registry Column Values</name><t>Initial<!--[rfced] Section 3. Since there are multiple registries under the "Domain Name System Security (DNSSEC) Algorithm Numbers" registry group, we added the registry name for clarity as shown below. Also, to avoid using "recommendation" twice, do you prefer option A, which matches the title of Table 2, or option B? Note that there is similar text in Section 4 that we would also apply this update to. Original: Initial recommendation columns of use and implementation recommendations for the "Domain Name System Security (DNSSEC) Algorithm Numbers" are shown in Table2.</t> <t>When2. Perhaps A: Initial values for the use and implementation recommendation columns in the "DNS Security Algorithm Numbers" registry under the "Domain Name System Security (DNSSEC) Algorithm Numbers" registry group are shown in Table 2. or Perhaps B: Initial use and implementation recommendation columns in the "DNS Security Algorithm Numbers" registry under the "Domain Name System Security (DNSSEC) Algorithm Numbers" registry group are shown in Table 2. --> <t>Initial recommendation columns of use and implementation recommendations for the "DNS Security Algorithm Numbers" registry under the "Domain Name System Security (DNSSEC) Algorithm Numbers" registry group are shown in <xref target="algtable"/>.</t> <!--[rfced] Should "use" be "Use for" and "column" be "columns"? If not, please clarify which "use" column this is referring to. Note that this sentence occurs in Sections 3 and 4. Original: When there are multiple RECOMMENDED algorithms in the "use" column, operators should choose the best algorithm according to local policy. Perhaps: When there are multiple RECOMMENDED algorithms in the "Use for" columns, operators should choose the best algorithm according to local policy. --> <t>When there are multiple <bcp14>RECOMMENDED</bcp14> algorithms in the "use" column, operators should choose the best algorithm according to local policy.</t><texttable title="Initial<!--[rfced] Questions about Table 2 a) In Table 2, some of the values in the "Use for" and "Implement for" columns are different than what is listed in "DNS Security Algorithm Numbers" registry (specifically, see numbers 5, 7, and 12). Should Table 2 be updated to match the IANA registry as shown below, or should the IANA registry be updated to match Table 2? b) In Table 2, numbers 17, 23, 253, and 254 use terms from the Description column in the registry whereas the rest of the numbers use terms from the Mnemonic column. Should these numbers be updated to use the mnemonic terms for consistency as shown below, or do you prefer otherwise? Registry URL: <https://www.iana.org/assignments/dns-sec-alg-numbers/> Original: 5 RSASHA1 NOT RECOMMENDED|RECOMMENDED|NOT RECOMMENDED|MUST 7 RSASHA1-NSEC3-SHA1 NOT RECOMMENDED|RECOMMENDED|NOT RECOMMENDED|MUST 12 ECC-GOST MUST NOT | MAY |MUST NOT |MAY 17 SM2/SM3 ... 23 GOST R 34.10-2012 253 private algorithm 254 private algorithm OID Perhaps (to match the IANA registry): 5 RSASHA1 MUST NOT |RECOMMENDED |NOT RECOMMENDED |MUST 7 RSASHA1-NSEC3-SHA1 MUST NOT |RECOMMENDED |NOT RECOMMENDED |MUST 12 ECC-GOST MUST NOT |MUST NOT |MUST NOT |MUST NOT 17 SM2SM3 ... 23 ECC-GOST12 253 PRIVATEDNS 254 PRIVATEOID --> <table anchor="algtable"> <name>Initial Values for the DNSSystemSecurity Algorithm Numberscolumns" anchor="algtable"> <ttcol align='left'>N</ttcol> <ttcol align='left'>Mnemonics</ttcol> <ttcol align='left'>Use for DNSSEC Signing</ttcol> <ttcol align='left'>Use for DNSSEC Validation</ttcol> <ttcol align='left'>Implement for DNSSEC Signing</ttcol> <ttcol align='left'>Implement for DNSSEC Validation</ttcol> <c>1</c> <c>RSAMD5</c> <c>MUST NOT</c> <c>MUST NOT</c> <c>MUST NOT</c> <c>MUST NOT</c> <c>3</c> <c>DSA</c> <c>MUST NOT</c> <c>MUST NOT</c> <c>MUST NOT</c> <c>MUST NOT</c> <c>5</c> <c>RSASHA1</c> <c>NOT RECOMMENDED</c> <c>RECOMMENDED</c> <c>NOT RECOMMENDED</c> <c>MUST</c> <c>6</c> <c>DSA-NSEC3-SHA1</c> <c>MUST NOT</c> <c>MUST NOT</c> <c>MUST NOT</c> <c>MUST NOT</c> <c>7</c> <c>RSASHA1-NSEC3- SHA1</c> <c>NOT RECOMMENDED</c> <c>RECOMMENDED</c> <c>NOT RECOMMENDED</c> <c>MUST</c> <c>8</c> <c>RSASHA256</c> <c>RECOMMENDED</c> <c>RECOMMENDED</c> <c>MUST</c> <c>MUST</c> <c>10</c> <c>RSASHA512</c> <c>NOT RECOMMENDED</c> <c>RECOMMENDED</c> <c>NOT RECOMMENDED</c> <c>MUST</c> <c>12</c> <c>ECC-GOST</c> <c>MUST NOT</c> <c>MAY</c> <c>MUST NOT</c> <c>MAY</c> <c>13</c> <c>ECDSAP256SHA256</c> <c>RECOMMENDED</c> <c>RECOMMENDED</c> <c>MUST</c> <c>MUST</c> <c>14</c> <c>ECDSAP384SHA384</c> <c>MAY</c> <c>RECOMMENDED</c> <c>MAY</c> <c>RECOMMENDED</c> <c>15</c> <c>ED25519</c> <c>RECOMMENDED</c> <c>RECOMMENDED</c> <c>RECOMMENDED</c> <c>RECOMMENDED</c> <c>16</c> <c>ED448</c> <c>MAY</c> <c>RECOMMENDED</c> <c>MAY</c> <c>RECOMMENDED</c> <c>17</c> <c>SM2/SM3</c> <c>MAY</c> <c>MAY</c> <c>MAY</c> <c>MAY</c> <c>23</c> <c>GOSTRegistry Columns</name> <thead> <tr> <th align="left">No.</th> <th align="left">Mnemonics</th> <th align="left">Use for DNSSEC Signing</th> <th align="left">Use for DNSSEC Validation</th> <th align="left">Implement for DNSSEC Signing</th> <th align="left">Implement for DNSSEC Validation</th> </tr> </thead> <tbody> <tr> <td align="left">1</td> <td align="left">RSAMD5</td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> </tr> <tr> <td align="left">3</td> <td align="left">DSA</td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> </tr> <tr> <td align="left">5</td> <td align="left">RSASHA1</td> <td align="left"><bcp14>NOT RECOMMENDED</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>NOT RECOMMENDED</bcp14></td> <td align="left"><bcp14>MUST</bcp14></td> </tr> <tr> <td align="left">6</td> <td align="left">DSA-NSEC3-SHA1</td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> </tr> <tr> <td align="left">7</td> <td align="left">RSASHA1-NSEC3- SHA1</td> <td align="left"><bcp14>NOT RECOMMENDED</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>NOT RECOMMENDED</bcp14></td> <td align="left"><bcp14>MUST</bcp14></td> </tr> <tr> <td align="left">8</td> <td align="left">RSASHA256</td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>MUST</bcp14></td> <td align="left"><bcp14>MUST</bcp14></td> </tr> <tr> <td align="left">10</td> <td align="left">RSASHA512</td> <td align="left"><bcp14>NOT RECOMMENDED</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>NOT RECOMMENDED</bcp14></td> <td align="left"><bcp14>MUST</bcp14></td> </tr> <tr> <td align="left">12</td> <td align="left">ECC-GOST</td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> <tr> <td align="left">13</td> <td align="left">ECDSAP256SHA256</td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>MUST</bcp14></td> <td align="left"><bcp14>MUST</bcp14></td> </tr> <tr> <td align="left">14</td> <td align="left">ECDSAP384SHA384</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> </tr> <tr> <td align="left">15</td> <td align="left">ED25519</td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> </tr> <tr> <td align="left">16</td> <td align="left">ED448</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> </tr> <tr> <td align="left">17</td> <td align="left">SM2/SM3</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> <tr> <td align="left">23</td> <td align="left">GOST R34.10-2012</c> <c>MAY</c> <c>MAY</c> <c>MAY</c> <c>MAY</c> <c>253</c> <c>private algorithm</c> <c>MAY</c> <c>MAY</c> <c>MAY</c> <c>MAY</c> <c>254</c> <c>private34.10-2012</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> <tr> <td align="left">253</td> <td align="left">private algorithm</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> <tr> <td align="left">254</td> <td align="left">private algorithmOID</c> <c>MAY</c> <c>MAY</c> <c>MAY</c> <c>MAY</c> </texttable>OID</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> </tbody> </table> </section> <sectionanchor="dnssec-delegation-signer-ds-resource-record-rr-type-digest-algorithms-column-values"><name>DNSSECanchor="dnssec-delegation-signer-ds-resource-record-rr-type-digest-algorithms-column-values"> <!--[rfced] FYI: We updated the titles of Section 4 and Table 3 to reflect the registry name rather than the registry group name for clarity and consistency as shown below. Original (Section 4): 4. DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms Column Values Current: 4. Digest Algorithms Registry Column Values ... Original (Table 3 title): Initial values for the DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms columns Current: Initial Values for the Digest Algorithms Registry Columns --> <name>Digest Algorithms Registry Column Values</name> <t>Initial recommendation columns of use and implementation recommendations for the "Digest Algorithms" registry under the "DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms" registry group are shown inTable 3.</t><xref target="dstable"/>.</t> <t>When there are multipleRECOMMENDED<bcp14>RECOMMENDED</bcp14> algorithms in the "use" column, operators should choose the best algorithm according to local policy.</t><texttable title="Initial<table anchor="dstable"> <!--[rfced] We note differences between Table 3 and the "Digest Algorithms" registry. Should this document be updated to match the registry as shown below, or should the registry be updated to match this document? We also note that this document is listed as a reference for values 128-252 and 253-254. Should this document be listed as a reference for any other values in the registry? Registry URL: <https://www.iana.org/assignments/ds-rr-types/> Original: 0 NULL (CDS only) MUST NOT | MUST NOT | MUST NOT | MUST NOT 3 GOST R 34.11-94 MUST NOT | MAY | MUST NOT | MAY Perhaps (to match the IANA registry): 0 Reserved MUST NOT | MUST NOT | MUST NOT | MUST NOT 3 GOST R 34.11-94 MUST NOT | MUST NOT | MUST NOT | MUST NOT --> <name>Initial Values for theDNSSEC Delegation Signer (DS) Resource Record (RR) TypeDigest Algorithmscolumns" anchor="dstable"> <ttcol align='left'>Number</ttcol> <ttcol align='left'>Mnemonics</ttcol> <ttcol align='left'>Use for DNSSEC Delegation</ttcol> <ttcol align='left'>Use for DNSSEC Validation</ttcol> <ttcol align='left'>Implement for DNSSEC Delegation</ttcol> <ttcol align='left'>Implement for DNSSEC Validation</ttcol> <c>0</c> <c>NULLRegistry Columns</name> <thead> <tr> <th align="left">Value</th> <th align="left">Description</th> <th align="left">Use for DNSSEC Delegation</th> <th align="left">Use for DNSSEC Validation</th> <th align="left">Implement for DNSSEC Delegation</th> <th align="left">Implement for DNSSEC Validation</th> </tr> </thead> <tbody> <tr> <td align="left">0</td> <td align="left">NULL (CDSonly)</c> <c>MUST NOT</c> <c>MUST NOT</c> <c>MUST NOT</c> <c>MUST NOT</c> <c>1</c> <c>SHA-1</c> <c>MUST NOT</c> <c>RECOMMENDED</c> <c>MUST NOT</c> <c>MUST</c> <c>2</c> <c>SHA-256</c> <c>RECOMMENDED</c> <c>RECOMMENDED</c> <c>MUST</c> <c>MUST</c> <c>3</c> <c>GOSTonly)</td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> </tr> <tr> <td align="left">1</td> <td align="left">SHA-1</td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MUST</bcp14></td> </tr> <tr> <td align="left">2</td> <td align="left">SHA-256</td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>MUST</bcp14></td> <td align="left"><bcp14>MUST</bcp14></td> </tr> <tr> <td align="left">3</td> <td align="left">GOST R34.11-94</c> <c>MUST NOT</c> <c>MAY</c> <c>MUST NOT</c> <c>MAY</c> <c>4</c> <c>SHA-384</c> <c>MAY</c> <c>RECOMMENDED</c> <c>MAY</c> <c>RECOMMENDED</c> <c>5</c> <c>GOST34.11-94</td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> <tr> <td align="left">4</td> <td align="left">SHA-384</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> </tr> <tr> <td align="left">5</td> <td align="left">GOST R34.11-2012</c> <c>MAY</c> <c>MAY</c> <c>MAY</c> <c>MAY</c> <c>6</c> <c>SM3</c> <c>MAY</c> <c>MAY</c> <c>MAY</c> <c>MAY</c> </texttable>34.11-2012</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> <tr> <td align="left">6</td> <td align="left">SM3</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> </tbody> </table> </section> <sectionanchor="security-considerations"><name>Securityanchor="security-considerations"> <name>Security Considerations</name> <t>The security of cryptographic systems depends onboththe strength of both the cryptographic algorithms chosen and thestrength of thekeys used with those algorithms. The security also depends on the engineering of the protocol used by the system to ensure that there are no non- cryptographic ways to bypass the security of the overall system.</t> <t>This document concerns itself with the selection of cryptographic algorithms for the use of DNSSEC, specifically with the selection of"mandatory to implement""mandatory-to-implement" algorithms.TheIn this document, the algorithms identifiedin this documentas"MUST"<bcp14>MUST</bcp14> or"RECOMMENDED"<bcp14>RECOMMENDED</bcp14> to implement are not known to be broken at the current time, and cryptographic research so far leads us to believe that they are likely to remain adequately secure unless significant and unexpected discovery is made. However, this isn't necessarily forever, and it is expected that future documents will be issued from time to time to reflect the current best practices in this area.</t> <t>Retiring an algorithm too soon would result in a zone signed with the retired algorithm being downgraded to the equivalent of an unsigned zone. Therefore, algorithm deprecation must be done only after careful consideration and ideally slowly when possible.</t> </section> <sectionanchor="operational-considerations"><name>Operationalanchor="operational-considerations"> <name>Operational Considerations</name> <t>DNSKEY algorithm rollover in a live zone is a complex process. See <xreftarget="RFC6781"></xref>target="RFC6781"/> and <xreftarget="RFC7583"></xref>target="RFC7583"/> for guidelines on how to perform algorithm rollovers.</t> <t>DS algorithm rollover in a live zone is also a complex process. Upgrading an algorithm at the same time as rolling to the new Key Signing Key (KSK) key will lead to DNSSEC validation failures, and usersMUST<bcp14>MUST</bcp14> upgrade the DS algorithm first before rolling to a new KSK.</t> </section> <sectionanchor="iana-considerations"><name>IANAanchor="iana-considerations"> <name>IANA Considerations</name><t>The IANA is requested to update<t>IANA has updated the "DNS Security Algorithm Numbers" <xreftarget="DNSKEY-IANA"></xref>target="DNSKEY-IANA"/> and "Digest Algorithms" <xreftarget="DS-IANA"></xref>target="DS-IANA"/> registries according to thefollowing sections.</t>sections that follow.</t> <sectionanchor="update-to-the-dns-security-algorithm-numbers-registry"><name>Updateanchor="update-to-the-dns-security-algorithm-numbers-registry"> <name>Update to the"DNSDNS Security AlgorithmNumbers" registry</name> <t>This document requests IANA updateNumbers Registry</name> <t>IANA has updated the "DNS Security Algorithm Numbers" registry(<xref target="DNSKEY-IANA"></xref>) registry<xref target="DNSKEY-IANA"/> with the followingadditional columns:</t> <t><list style="symbols">columns and has populated these columns with the values from <xref target="algtable"/> of this document:</t> <ul spacing="normal"> <li> <t>"Use for DNSSEC Signing"</t> </li> <li> <t>"Use for DNSSEC Validation"</t> </li> <li> <t>"Implement for DNSSEC Signing"</t> </li> <li> <t>"Implement for DNSSEC Validation"</t></list></t> <t>These values must be populated using values from Table 2</li> </ul> <!--[rfced] In Section 7.1, we made the following text into a bulleted list to match Section 7.2. We also updated "Section 2" to "Section 2.2" in both sections. Please let us know ofthis document.</t> <t>Additionally,any objection to these changes. Original: Additionally, the registration policy for the<xref target="DNSKEY-IANA"></xref>[DNSKEY-IANA] registry should match the text describing the requirements in this document, and Section 2's note concerning values not marked as "RECOMMENDED" should be added to theregistry.</t> <t>Thisregistry. This document should be listed as a reference to the "DNS Security Algorithm Numbers" registry. Current: Additionally, IANA has completed the following actions for the "DNS Security Algorithm Numbers" registry [DNSKEY-IANA]: * Changed the registration procedure to Standards Action or Specification Required. * Added a note to the registry that describes the values not marked as "RECOMMENDED" per Section 2.2. * Listed this document as an additional reference for the registry. --> <t>Additionally, IANA has completed the following actions for the "DNS Security Algorithm Numbers" registry <xref target="DNSKEY-IANA"/>:</t> <ul spacing="normal"> <li>Changed the registration procedure to Standards Action or Specification Required. </li> <li>Added a note to the registry that describes the values not marked as "<bcp14>RECOMMENDED</bcp14>" per <xref target="adding-and-changing-values"/>. </li> <li>Listed this document as an additional reference for the registry. </li> </ul> <!-- <t>Additionally, the registration policy for the "DNS Security Algorithm Numbers" registry <xref target="DNSKEY-IANA"/> should match the text describing the requirements in this document, and <xref target="adding-usage-and-implementation-recommendations-to-the-iana-dnssec-registries"/>'s note concerning values not marked as "<bcp14>RECOMMENDED</bcp14>" should be added to the registry.</t> <t>This document has been listed as a reference for the "DNS Security Algorithm Numbers" registry.</t> --> </section> <sectionanchor="update-to-the-digest-algorithms-registry"><name>Updateanchor="update-to-the-digest-algorithms-registry"> <name>Update to the"Digest Algorithms" registry</name> <t>This document requests IANA updateDigest Algorithms Registry</name> <t>IANA has updated the "Digest Algorithms" registry(<xref target="DS-IANA"></xref>) registry<xref target="DS-IANA"/> with the followingadditional columns:</t> <t><list style="symbols">columns and has populated these columns with the values from <xref target="dstable"/> of this document:</t> <ul spacing="normal"> <li> <t>"Use for DNSSEC Delegation"</t> </li> <li> <t>"Use for DNSSEC Validation"</t> </li> <li> <t>"Implement for DNSSEC Delegation"</t> </li> <li> <t>"Implement for DNSSEC Validation"</t></list></t> <t>These values must be populated using values from Table 3 of this document.</t> <t><list style="symbols"> <t>Update</li> </ul> <t>Additionally, IANA has completed theregistration policyfollowing actions for the<xref target="DS-IANA"></xref>"Digest Algorithms" registry <xref target="DS-IANA"/>: </t> <ul spacing="normal"> <li> <t>Changed the registration procedure to Standards Action or Specification Required.</t> </li> <li>Added a note tomatchthetext describing update requirements above</t> <t>Markregistry that describes the values not marked as "<bcp14>RECOMMENDED</bcp14>" per <xref target="adding-and-changing-values"/>. </li> <li>Listed this document as an additional reference for the registry. </li> <li> <t>Marked values128 - 252128-252 as"Reserved"</t> <t>Mark"Reserved".</t> </li> <li> <t>Marked values 253 and 254 as "Reserved for PrivateUse"</t> <t>DeleteUse".</t> </li> <li> <t>Deleted the (now superfluous) column "Status" from theregistry</t> </list></t> <t>Section 2'sregistry.</t> </li> </ul> <!-- <t><xref target="adding-usage-and-implementation-recommendations-to-the-iana-dnssec-registries"/>'s note concerning values not marked as"RECOMMENDED""<bcp14>RECOMMENDED</bcp14>" should be added to the registry.</t> <t>This document should be listed as a reference to the "Digest Algorithms"registry.</t>registry.</t>--> </section> </section> </middle> <back> <references anchor="sec-combined-references"> <name>References</name> <references anchor="sec-normative-references"> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9157.xml"/> <reference anchor="DNSKEY-IANA" target="https://www.iana.org/assignments/dns-sec-alg-numbers"> <front> <title>DNS Security Algorithm Numbers</title> <author> <organization>IANA</organization> </author> </front> </reference> <reference anchor="DS-IANA" target="http://www.iana.org/assignments/ds-rr-types"> <front> <title>DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms</title> <author> <organization>IANA</organization> </author> </front> </reference> </references> <references anchor="sec-informative-references"> <name>Informative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4034.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4509.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5155.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5702.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5933.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6605.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6781.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7583.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8080.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8624.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9364.xml"/> <reference anchor="TLS-ciphersuites" target="https://www.iana.org/assignments/tls-parameters"> <front> <title>Transport Layer Security (TLS) Parameters</title> <author> <organization>IANA</organization> </author> </front> </reference> </references> </references> <sectionanchor="acknowledgments"><name>Acknowledgments</name>anchor="acknowledgments" numbered="false"> <name>Acknowledgments</name> <t>This document is based on, and extends, RFC 8624, which was authored byPaul Wouters and Ondrej Sury.</t><contact fullname="Paul Wouters"/> and <contact fullname="Ondrej Sury"/>.</t> <t>The content of this document was heavily discussed by participants of the DNSOPworking group.Working Group. The authors appreciate the thoughtfulness of the many opinions expressed by working group participants that all helped shaped this document. We thankPaul Hoffman and Paul Wouters<contact fullname="Paul Hoffman"/> and <contact fullname="Paul Wouters"/> for their contributedtext,text and alsoNabeel Cocker, Shumon Huque, Nicolai Leymann, S Moonesamy, Magnus Nyström, Peter Thomassen, Stefan Ubbink, and Loganaden Velvindron<contact fullname="Nabeel Cocker"/>, <contact fullname="Shumon Huque"/>, <contact fullname="Nicolai Leymann"/>, <contact fullname="S. Moonesamy"/>, <contact fullname="Magnus Nyström"/>, <contact fullname="Peter Thomassen"/>, <contact fullname="Stefan Ubbink"/>, and <contact fullname="Loganaden Velvindron"/> for their reviews and comments.</t> </section></middle> <back> <references title='References' anchor="sec-combined-references"> <references title='Normative References' anchor="sec-normative-references"> <reference anchor="RFC2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author fullname="S. Bradner" initials="S." surname="Bradner"/> <date month="March" year="1997"/> <abstract> <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference> <reference anchor="RFC8126"> <front> <title>Guidelines for Writing an IANA Considerations Section in RFCs</title> <author fullname="M. Cotton" initials="M." surname="Cotton"/> <author fullname="B. Leiba" initials="B." surname="Leiba"/> <author fullname="T. Narten" initials="T." surname="Narten"/> <date month="June" year="2017"/> <abstract> <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not</back> <!--[rfced] Terminology FYI: We haveconflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t> <t>To make assignments in a given registry prudently, guidance describingupdated theconditions under which new values should be assigned, as well as when and how modificationsfollowing terms toexisting values can be made, is needed. This document defines a framework forthedocumentation of these guidelines by specification authors, in order to assure thatform on theprovided guidanceright forthe IANA Considerations is clear and addresses the various issues that are likely in the operationconsistency. Please let us know ofa registry.</t> <t>This isany objection. ciphersuite -> cipher suite (to match thethird edition of this document; it obsoletes"TLS Cipher Suites" registry) non-existence -> nonexistence (per RFC5226.</t> </abstract> </front> <seriesInfo name="BCP" value="26"/> <seriesInfo name="RFC" value="8126"/> <seriesInfo name="DOI" value="10.17487/RFC8126"/> </reference> <reference anchor="RFC8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author fullname="B. Leiba" initials="B." surname="Leiba"/> <date month="May" year="2017"/> <abstract> <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words8624) --> <!-- [rfced] FYI: We havethe defined special meanings.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference> <reference anchor="RFC9157"> <front> <title>Revised IANA Considerations for DNSSEC</title> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/> <date month="December" year="2021"/> <abstract> <t>This document changes the review requirements needed to get DNSSEC algorithms and resource recordsaddedto IANA registries. It updates RFC 6014 to include hash algorithms for Delegation Signer (DS) records and NextSECure version 3 (NSEC3) parameters (for Hashed Authenticated Denial of Existence). It also updates RFCs 5155 and 6014, which have requirements for DNSSEC algorithms, and updates RFC 8624 to clarify the implementation recommendation related to the algorithms described in RFCs that are not on the standards track. The rationale for these changes is to bring the requirements for DS records and hash algorithms used in NSEC3 in line with the requirements for all other DNSSEC algorithms.</t> </abstract> </front> <seriesInfo name="RFC" value="9157"/> <seriesInfo name="DOI" value="10.17487/RFC9157"/> </reference> <reference anchor="DNSKEY-IANA" target="https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml#dns-sec-alg-numbers-1"> <front> <title>DNS Security Algorithm Numbers</title> <author initials="" surname="IANA" fullname="IANA"> <organization></organization> </author> <date year="n.d."/> </front> </reference> <reference anchor="DS-IANA" target="http://www.iana.org/assignments/ds-rr-types"> <front> <title>Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms</title> <author initials="" surname="IANA" fullname="IANA"> <organization></organization> </author> <date year="n.d."/> </front> </reference> </references> <references title='Informative References' anchor="sec-informative-references"> <reference anchor="RFC4034"> <front> <title>Resource Records for the DNS Security Extensions</title> <author fullname="R. Arends" initials="R." surname="Arends"/> <author fullname="R. Austein" initials="R." surname="Austein"/> <author fullname="M. Larson" initials="M." surname="Larson"/> <author fullname="D. Massey" initials="D." surname="Massey"/> <author fullname="S. Rose" initials="S." surname="Rose"/> <date month="March" year="2005"/> <abstract> <t>This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given.</t> <t>This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4034"/> <seriesInfo name="DOI" value="10.17487/RFC4034"/> </reference> <reference anchor="RFC4509"> <front> <title>Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)</title> <author fullname="W. Hardaker" initials="W." surname="Hardaker"/> <date month="May" year="2006"/> <abstract> <t>This document specifies how to use the SHA-256 digest type in DNS Delegation Signer (DS) Resource Records (RRs). DS records, when stored in a parent zone, point to DNSKEYs in a child zone. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4509"/> <seriesInfo name="DOI" value="10.17487/RFC4509"/> </reference> <reference anchor="RFC5155"> <front> <title>DNS Security (DNSSEC) Hashed Authenticated Denial of Existence</title> <author fullname="B. Laurie" initials="B." surname="Laurie"/> <author fullname="G. Sisson" initials="G." surname="Sisson"/> <author fullname="R. Arends" initials="R." surname="Arends"/> <author fullname="D. Blacka" initials="D." surname="Blacka"/> <date month="March" year="2008"/> <abstract> <t>The Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record (RR) for authenticated denial of existence. This document introducesanalternative resource record, NSEC3, which similarly provides authenticated denial of existence. However, it also provides measures against zone enumeration and permits gradualexpansionof delegation-centric zones. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5155"/> <seriesInfo name="DOI" value="10.17487/RFC5155"/> </reference> <reference anchor="RFC5702"> <front> <title>Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC</title> <author fullname="J. Jansen" initials="J." surname="Jansen"/> <date month="October" year="2009"/> <abstract> <t>This document describes how to produce RSA/SHA-256 and RSA/SHA-512 DNSKEY and RRSIG resource recordsforuse intheDomain Name System Security Extensions (RFC 4033, RFC 4034, and RFC 4035). [STANDARDS TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5702"/> <seriesInfo name="DOI" value="10.17487/RFC5702"/> </reference> <reference anchor="RFC5933"> <front> <title>Usefollowing abbreviation per Section 3.6 ofGOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC</title> <author fullname="V. Dolmatov" initials="V." role="editor" surname="Dolmatov"/> <author fullname="A. Chuprina" initials="A." surname="Chuprina"/> <author fullname="I. Ustinov" initials="I." surname="Ustinov"/> <date month="July" year="2010"/> <abstract> <t>This document describes how to produce digital signatures and hash functions using the GOST R 34.10-2001 and GOST R 34.11-94 algorithms for DNSKEY, RRSIG,RFC 7322 ("RFC Style Guide"). Please review this andDS resource records, for useeach expansion in theDomain Name System Security Extensions (DNSSEC).</t> </abstract> </front> <seriesInfo name="RFC" value="5933"/> <seriesInfo name="DOI" value="10.17487/RFC5933"/> </reference> <reference anchor="RFC6605"> <front> <title>Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC</title> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/> <author fullname="W.C.A. Wijngaards" initials="W.C.A." surname="Wijngaards"/> <date month="April" year="2012"/> <abstract> <t>Thisdocumentdescribes howcarefully tospecify Elliptic Curve Digital Signature Algorithm (DSA) keys and signatures in DNS Security (DNSSEC). It lists curves of different sizes and uses the SHA-2 family of hashes for signatures. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6605"/> <seriesInfo name="DOI" value="10.17487/RFC6605"/> </reference> <reference anchor="RFC6781"> <front> <title>DNSSEC Operational Practices, Version 2</title> <author fullname="O. Kolkman" initials="O." surname="Kolkman"/> <author fullname="W. Mekking" initials="W." surname="Mekking"/> <author fullname="R. Gieben" initials="R." surname="Gieben"/> <date month="December" year="2012"/> <abstract> <t>This document describes a set of practices for operating theensure correctness. DNSwith security extensions (DNSSEC). The target audience is zone administrators deploying DNSSEC.</t> <t>The document discusses operational aspects of using keys and signatures in the DNS. It discusses issues of key generation, key storage, signature generation, key rollover, and related policies.</t> <t>This document obsoletes RFC 4641, as it covers more operational ground and gives more up-to-date requirements with respect to key sizes and the DNSSEC operations.</t> </abstract> </front> <seriesInfo name="RFC" value="6781"/> <seriesInfo name="DOI" value="10.17487/RFC6781"/> </reference> <reference anchor="RFC7583"> <front> <title>DNSSECPublic KeyRollover Timing Considerations</title> <author fullname="S. Morris" initials="S." surname="Morris"/> <author fullname="J. Ihren" initials="J." surname="Ihren"/> <author fullname="J. Dickinson" initials="J." surname="Dickinson"/> <author fullname="W. Mekking" initials="W." surname="Mekking"/> <date month="October" year="2015"/> <abstract> <t>This document describes the issues surrounding(DNSKEY) --> <!-- [rfced] Please review thetiming"Inclusive Language" portion ofevents intherolling of a key in a DNSSEC-secured zone. It presents timelines for the key rollover and explicitly identifies the relationships between the various parameters affecting the process.</t> </abstract> </front> <seriesInfo name="RFC" value="7583"/> <seriesInfo name="DOI" value="10.17487/RFC7583"/> </reference> <reference anchor="RFC8080"> <front> <title>Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC</title> <author fullname="O. Sury" initials="O." surname="Sury"/> <author fullname="R. Edmonds" initials="R." surname="Edmonds"/> <date month="February" year="2017"/> <abstract> <t>This document describes how to specify Edwards-curve Digital Security Algorithm (EdDSA) keys and signatures in DNS Security (DNSSEC). It uses EdDSA with the choice of two curves: Ed25519online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> andEd448.</t> </abstract> </front> <seriesInfo name="RFC" value="8080"/> <seriesInfo name="DOI" value="10.17487/RFC8080"/> </reference> <reference anchor="RFC8624"> <front> <title>Algorithm Implementation Requirements and Usage Guidance for DNSSEC</title> <author fullname="P. Wouters" initials="P." surname="Wouters"/> <author fullname="O. Sury" initials="O." surname="Sury"/> <date month="June" year="2019"/> <abstract> <t>The DNSSEC protocol makes uselet us know if any changes are needed. Updates ofvarious cryptographic algorithmsthis nature typically result inorder to provide authentication of DNS data and proof of nonexistence. To ensure interoperability between DNS resolvers and DNS authoritative servers, it is necessary to specify a set of algorithm implementation requirements and usage guidelines to ensure that theremore precise language, which isat least one algorithm that all implementations support. This document defines the current algorithm implementation requirements and usage guidancehelpful forDNSSEC. This document obsoletes RFC 6944.</t> </abstract> </front> <seriesInfo name="RFC" value="8624"/> <seriesInfo name="DOI" value="10.17487/RFC8624"/> </reference> <reference anchor="RFC9364"> <front> <title>DNS Security Extensions (DNSSEC)</title> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/> <date month="February" year="2023"/> <abstract> <t>This document describes the DNS Security Extensions (commonly called "DNSSEC") that are specified in RFCs 4033, 4034, and 4035, as well as a handful of others. One purpose is to introduce all of the RFCs in one place soreaders. Note thatthe reader can understand the many aspects of DNSSEC. This document doesour script did notupdateflag anyof those RFCs. A second purpose is to state that using DNSSEC for origin authentication of DNS data is the best current practice. A third purpose is to provide a single reference for other documents that want to refer to DNSSEC.</t> </abstract> </front> <seriesInfo name="BCP" value="237"/> <seriesInfo name="RFC" value="9364"/> <seriesInfo name="DOI" value="10.17487/RFC9364"/> </reference> <reference anchor="TLS-ciphersuites" target="https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4"> <front> <title>Transport Layer Security (TLS) Parameters</title> <author initials="" surname="IANA" fullname="IANA"> <organization></organization> </author> <date year="n.d."/> </front> </reference> </references> </references> <?line 480?> <section anchor="changelog"><name>ChangeLog</name> <t>(RFC Editor: please removewords in particular, but thisChangeLog section upon publication.)</t> <section anchor="changes-from-ietf-10-to-ietf-11"><name>Changes from ietf-10 to ietf-11:</name> <figure><artwork><![CDATA[ * Many more comments to address IESG reviews ]]></artwork></figure> </section> <section anchor="changes-from-ietf-09-to-ietf-10"><name>Changes from ietf-09 to ietf-10:</name> <figure><artwork><![CDATA[ * Many comments addressed from IESG reviews ]]></artwork></figure> </section> <section anchor="changes-from-ietf-08-to-ietf-09"><name>Changes from ietf-08 to ietf-09</name> <figure><artwork><![CDATA[ * Added missing alogirthms (SM2/SM3 and GOST R 34.10-2012) ]]></artwork></figure> </section> <section anchor="changes-from-ietf-07-to-ietf-08"><name>Changes from ietf-07 to ietf-08</name> <figure><artwork><![CDATA[ * Handle issues raised during IETF last call: * updates 9157 * other nit fixes ]]></artwork></figure> </section> <section anchor="changes-from-ietf-06-to-ietf-07"><name>Changes from ietf-06 to ietf-07</name> <figure><artwork><![CDATA[ * changed to a standards track document ]]></artwork></figure> </section> <section anchor="changes-from-ietf-05-to-ietf-06"><name>Changes from ietf-05 to ietf-06</name> <figure><artwork><![CDATA[ * Address Eric Vyncke (RAD!) AD review comments. ]]></artwork></figure> </section> <section anchor="changes-from-ietf-03-to-ietf-05"><name>Changes from ietf-03 to ietf-05</name> <figure><artwork><![CDATA[ * Updated "entry requirements" toshould still be"Specification Required". * Marked values 128 - 252 as "Reserved" in "Digest Algorithms"reviewed asbreak-glass mechanism in case we getaflood of these. To align with the "DNS Security Algorithm Numbers" registry (that reserves 123 - ...) * Marked values 253 and 254 as "Reserved for Private Use" in "Digest Algorithms" * Deleted the (now superfluous) column "Status" from the "Digest ]]></artwork></figure> </section> <section anchor="changes-from-ietf-02-to-ietf-03"><name>Changes from ietf-02 to ietf-03</name> <t><list style="symbols"> <t>Fixed the reference in the Abstract (no links in Abstracts)</t> <t>Added Updates: to the header.</t> </list></t> </section> <section anchor="changes-from-ietf-01-to-ietf-02"><name>Changes from ietf-01 to ietf-02</name> <t><list style="symbols"> <t>Changed the MUST values in the tables for the Use columns to RECOMMENDED based on discussions on the dnsop mailing list.</t> <t>Other minor wording and formatting changes</t> </list></t> </section> <section anchor="changes-from-ietf-00-to-ietf-01"><name>Changes from ietf-00 to ietf-01</name> <t><list style="symbols"> <t>Only NIT fixing</t> </list></t> </section> <section anchor="changes-from-hardaker-04-to-ietf-00"><name>Changes from hardaker-04 to ietf-00</name> <t><list style="symbols"> <t>Just a draft name and number change.</t> </list></t> </section> <section anchor="changes-from-03-to-04"><name>Changes from -03 to -04</name> <t><list style="symbols"> <t>Changed the columns being added from 2 per table to 4, based on discussion within the dnsop working group mailing list. This was a fairly major set of changes.</t> </list></t> </section> <section anchor="changes-since-rfc8624"><name>Changes since RFC8624</name> <t><list style="symbols"> <t>The primary purpose of this revision is to introduce the new columns to existing registries. It makes no changes to the previously defined values.</t> <t>Merged in RFC9157 updates.</t> <t>Set authors as Wes Hardaker, Warren Kumari.</t> </list></t> </section> </section> </back> <!-- ##markdown-source: H4sIAAAAAAAAA+09a3MbOY7f9St4zoeNtySN33G8dVXrsz0bXxw7FzkzNZVy XVHdkMR1N9lDsqVod+Zv3R+4P3YFgOyHXn7M4zI7k6rdabe6QQAEQAAE0b1e r+OVz+BEbJ1fDwYXZ+LMzgtvxlYWE5WI02xsrPKTXHyAxOQ56FR6ZbT4WKTS g3hvTQLObXXkcGhhWoOpXnRLj6Ym0TKHE5FaOfI9BX7US7UzRc+OkuOjvYPe ULne7n4nkR7Gxs5PhPNpRxX2RHhbOr+3s/N6Z6/jvAWZn4jLi9uvOyUN4k7E 693DVx0zdCYD+hsBdjrOS53+t8yMhhMxB9cp1In45E3SFc5Yb2HkusLNc75I TZLLolB6fNfpyNJPjD3pCNHrCCGE0u5EfNsXb6RN5T1YuskEfQuufdvY8Yn4 ODj76nJwSTcglyo7EUjzXyfhSdfX4JfAvy1zaVUTuLQWdPM+Qf+bMeMMmsBn 9OBf7+lBgt3RxubSqykgGR++Ptvb3X0dLo93946qy1cH4RK5iJfn14O3F9/1 Lk+vT09ojJobNWb4K93w0o7Bn4itifeFO/nqq9ls1ldSy76x46+kc2qsc9De fZVq13OQ9GQ27ukyH4Jdea//Oc9erLjf293iAVl2z68HYgBJaZWfN0T2mh9G MgbPImEjBa5nbc/PC3BtXCCDMevIQI01WPHyfLAtPoAzpU2A9Mim4uWHD9vi dl6AOFdjcL6hMJ2O0qOFCTvY2Y9Tc3C4E+fucPfwMF6+2tmLl6/398Pl0dFO fODo1fFuuHx1eBwfON453omXR3vV7O8f0eXt1aCXqGIC1pUKtennFAGfuV4h rczB4+y3/+x/nvg8e9G+2TtocfrWSu0KY724knOwtQS8vL0abIv31XudTq/X E3LovJWJ7yCM2wmIYKkKa7xJTCZyeQ9OlA6EGYmptMqUTiQtcyhrq+YNvjlV Keke8gS0VwnPvBmRTKbSSyF1ik+aEd7VRvfgs3IedAJ9IW6NAO1KS0CU9mBN AVYOVYaEDMHPADTBsuBMNgXrCCDe4XlQnuREOLD4a1coLxTKvNCA9lbaOeLq CkjUaC6Gxk+EFA48olPRI1ReZIATwwRY+L5Ulm7QgAivdHIMYlyqFDKlgVjA yAs/kV74CVgQygnpRQbSeWE0NIagh2SWEamt4ZxwZYEziRyZKIcGuMRfhYUi kwkw0ZVVj+JKd3MzRVwmxMJEaqNVIjMR1O0pRDYolDoheCNjo5yMrMmrgb0R UpPUCwtj5byd9xl1wl4DMxofyzIzQ1B+AiJTjvjeGtkbMQSRGwsCpFPZXPBi lnYJqQijBrD0AoK3MAKLUpX2xdelx1mBzx60I/56IzxiF5FFRhEQmYIodQpW aJh1WQoTxkxmARGk2i1NjcycwYeNLYzFtZcQtDBVDlKBkIg9gXuJ0U6lYMN8 R2biOtOvNLKCnRpwQhsvkonUYyDIzktfOvHy3cfBbVe8O/2uKz5cnN28e3dx fX5x3hXgk/42jWtG9EJDWZFtkAql4wT+haVRMdIzY+/xrRHzLaLh+mw5cpWm GXQ6L8Sl9takZYJEENatleei5vdLJntbfArm9A7HKpEzjzUc/aaRQrOp9LhJ k2SjkcJIaUjFcF7ZLJyuLk5NVqb40qewgNx1+fJw53W4xAXkjmb9U1hD4g+v 9/fDJa4h4RJXi7swXZXuL1qtbm1etnKJ/qJhE1Rp31bg3NuL7xYIqqhRmgc8 2ju4YzOJ1pkmKynRvUGHKYrE8nw3lUkmaAbVMAPWcRR2cgflMAOiPWgZjRBE gOUu6A04lOum++sIOFjhDQIoymGm3KTLOlZJcWWZmmZpDcpkbFApKrLD2C0t qk1ZUGQFro+vnqapQsRkluEEOCHTqUoAYdDUeBOWBpmmbomYkbEsSkVm5iRm yJEJBIPIyLomuiQE0d45latM2ohwwY4+SzsaULz5adGXuKtsEc7BjNaONqui sWy+hcMpXfOlghFRZgfG1eZw+dl+p/PihRDncZpOy1Thk5UZSkxW5hp5mLK+ ViA+bW12NbfuPjU85rsoXJ9iVPRM55BmuOI9DsL+7F1DDILnFSWlmnVCoFI9 dK2IzsuFBVgDk5oDeF67Jmo8ES6SCp8LSOLDksR1BlmGohas2Xr3JdqlxUUf MZspPyHZUyOaMC/Qi8Gf62VhpCBLSRJqZ2wuYIr+kMOVxStdmtJl874Q1zDr Cuet0WOwCwomiwKkZVkhL2zBpOYSkRYjU7JFGILIUJKJC+TlaFpfrBorUjXh J6YcT9hvAQsjY6H7XK8KfY5qHoYQvQA2C17lpM30X6WFsSmZHxT0DBIfHSAN M2FBBkPcdB9QE6VwuSHHBH1nshg06WguA5E1O9g2umqeUygs1OtUg28pQM5o ayMy5vwwQtwsb0Mg1wDslN3YoNwOkCgeidBoON4TmNeMbfEiV1rl6h/B+UpM isDxyc/KzytLPwEhpPcyuReutCOZQC1qBVj0lAkVM2rpDUkHi2mYEvQgkBG6 0jZSi4kRM+UmvHqwTaWBE6NHaow8DjqKsi+MJjEC4eQoqHpFbF+IU/SNk8nC ykK+F5lynu+WOScQQ1N6MZuoZNLknZuYMkuR6YwXpGhBpE1JzJnVCzLLC1Zf XGoxBg1WZiHECCYBpxEZwQDzsDIjW8YL2hUGD1AyUjULaZmg90KqszIy8KaI 4QEC9BPIgwWnxBLea2apKg0TVzCFzNHU/gezmJRHVi7p6tAOSUO3GN9b7b8Q AwI1MrMgU6JFTqXK0KlAmcwNz+UCOUteNDs8bjGaoKcJA5OqUfQOa11ecFSb EV4wBEumZ2nJFyCb0kFuQ3i5/XTDaaFXHuQfgqilw0Qv3kxRTVWOge/XOP5n iUh268hRGzEupZXaA3DMJD2KeDbH1YVcb0ibMjVTWSaGiC2smSwOaWj6mWt9 Ia7UPcyUg2703NpA0RFtrirkapbDv9f0tClnW0KxKC0ghI03RsxA3ncFUjoF ms1hNEgeUP6tuQfdDetglsX1oWVp27izLV2hfvjMooHWjUkJjEIDh7kloLVn bGVaoipGsQxLuWNNQRlZVEdvwroUQlrVeGRhaiYqQwXPpaLQpeEeZDgJHzUa nQAGFx5cg2jdrr0OC9IZ7bptWlrE4xJCDoSZaaQnLpgYJuKv1ze3zTgRZ4Ni R6WdB0luRaosJJ7nufUu/ff65rYvxIB9XPKu9WJSYyI5Wh0CTzMyQxmMY6Rb I5bLRIiRss435Dwsv03kG0hLwo4FYqCiowujEToDZiRKx468KPW9NjO9FHBx 8Csrz+EfmLXAexbI7ZDoafMSHi1+ZRai1LXdK15uJnIKxInmlKyeiMzMMPFA nKNwgXRkvpDZwgxjyG7F3FcMifEW6SOijIaijiz/VNlajlNrYmOKL6pLS2w5 DkKADlzLYt0gj1tzj9Nu0SIiBOHK0UglCnSQJLTTGS5BYaywOhIvq+yLvWdO R0nD7QhCNFjh0jpkQZ38wzctYGQZF0VS06nMVFgMlWeh+Ka+tQoQqhvoxJRW jnmCLHipdAtsyNY1tBonaxltXpA/NN1bbdhkVK7VPcwx0ZI6sYWvbXX5v/g6 Xn+4+K+Plx8uzvF68Ob06qq64CcQzNbgzc3Hq/AIXtUvV3KFfy6IGg11+t1W Fexv3by/vby5Pr3aYvPacq0sBH0kg1VYCMqQgkusGrKQKi3+4+y92D0Q//xn 2E/58Ue+xl2UH3/EiDaYdvLw+E/yXTkKCVBklolEFsrLzNEK7CaorGgReRo/ BfB3VQqNUwoebC4CFxhf5P5UZkiEN+3cWIg1aqYtPLzAsCUvZcIRXzIxDsgN QRWKWLRNFFK8AC54FuwXUKyRZIC2FC2gBeeq3GHbR2naSw5cX1CiQ49D1NQK bVf7OSuSKHXMTAx+jyrepLbLC65BTwvHqtIBFu0aWdVGYoCzxPHZDXkagQsh ahhw1Ct4Rwrf/6H38L9HPPMDwRIfYo537b8fxBnRFAhZ+cjPj9fm1Anj9dFB M+c+CGnPLwytaFqN/v9Fqwqq1/DsS0KrwbNfAq2FTdRVMr8wiY1c3C83iU9H 61eRrUegtXISGzz7ktD6xWTrnyfiRTT/tOv871tn8U9KwNAeaMwkbjD+Wz+S hxTM7jm5EgVnazroHKGvQW51M+OOiUhbLT8hEFyTge7EDLTwlIKQFk46ndXm 9KRzIi51ilmFlSsvvcLxQ2uTgpYthRHOyq3n/tJ49bw8e0ilA7COiE6uoaE2 2b5HjVY5DhvoXNh9c2bkZ5I8swfk8OfGoEX6kyVmQa82ykit4v+6YvJEGh8z T+tI/bXkZNqM9kKMh6JCZic4zegun2EqDv/4RmYlONGJu4f4O2WTQXvOVdTW Zu485Ct2u6otNYr+FVWWNHMEUxyDNoIx/KrkcbVVCiHeWtnAKG6T0m9hpo1A PMDzrUpBKCkWMnsNd35rQKnUmHUNYW26JQqTqWTOwWB7n3p37+iuuRVBu8LW 5MZXqURIacuqbOzzt1aLZnKDAtUx7aLxlhbNCgYRIfSYWNx3YnauwTagQFux RCglZvCNhWkJgX7kSl+8vEgxfAfx8sPXhMpFqryxoicKrOvBRCNmMDlq4sw9 J1IZhe0T3LVAScgVbrafPJavXLEA/G6dxyf8OC+DhpgSNpg6s56zFlMFs6A6 35fgfH97vVBTNjaJOlCt3FNWBqW7sVLnkYJf7W9HuQ0JqLZcPkGoV75v7BOE moVP6rkwmFgNs417l2G+A2+RzQOqg8CczCnttvUfNAeLxYoNVrABaG0fPNoG 1Bb52WZgEcSTmMaJJo7jf6IZ2MDDX1P6mux4pgC2QDyFnUSG+UkyeEn7FwoZ oBazjgvpPtWoF4s1j6EoLgepQ6UXJbBHmZxB+hdhJaLFae3G6hvywzQqKHwE gTSz+y3Li4XnvHutXemise3SC5nKlQ85/KJA0xiro3BBd7X7RtlBZKcL0ka5 tQTTz1TZg/+7wWeClERNWs56NrKplOS8vrnFl5tPxQoHKqpEsY16vWZJjonD DfJTLxur0aTXV2C6BuNV6NJKtojxRleAwa2T69XYXxsfClll02ghqlEEufyD tmAryxZV0M9MxaYabF3DUqUIHRc2ONpV5QVZaeWVzCLvOJ1bmKLMpI/55roS zcwc1wa2CYyDRiiUyMYyjzpr3S4wC0AWceaNOIgOkXAyhwqmqyzUwtjhAVft RIVt/jqLXm1hx93DpubBvLFv1NiBCmCRyVjTQcLUzviGuS4dbPUbc9iUanKF InUBIipZSywpQ88VaMZacIXRZMFrQjnTW/MZK52jgBDUvhDfAntOFQ41Acuu aUC9mgAuMJmCHUN72xc5sao2oi6lwJ0sSKGxz8TpcrFpIYnpCA4F2OwGSVyI QiLzaF9xVd59uWjA1YvTucHUt7hGQQq41LX6oVC20yxxq1c6kkXaEVFa3FLU usdK9W2YrrBznJeZVwUfhGltR9TudXQ9UFQCRd1GnVwo6Egmxri4uy2G6O3U 4ZZMsD6PwjAsdMIqRXYG+nUef3ViaW26aVMe6oEc1cMprJBYu8b/e6chx8pK tyn7GJPHm9KSD+Sdn5Kj+wJ5tUtbKIPTd+eHi7nHuFwtJSXX/PDAbw//3Mr+ foG82qes7eD08XT9fnl1GORq8OZ0d4GuxcqI6ocVNx96qcWrDf++aF4dBbnq XQ8uzvZ7Ncv+kKslXr1qyFXglyCG/SFXS7w6rnm1d3jUomsNyZt5tZEZv3Fe 7e5UvDrc3XuMiPx+5Wp3T/wgLs7Oen+7aVOxyV6dfrdZcDbYq7Wv/hZ4tU+8 Oh+cvt87PGpo4h86uMyrg4pX+8cHgzen+8cHm2XgAV5tEpxNr/4WeHWIvDrf Ozzcff04ujbzaiMzfuu8OiJeHRwcP1ZEfsdy9Ur8IAbv9r4avNt/LK822vbN vPpN2/Y9tO20Bn4Q+wf93Z3e3g75Dn/waplXh8iswqopZoHrFNMfvFrFq4OV vLq5PP+DXS12YcGazMZc3xMq1i7buwsxLbsxMxwSvlS2tmI/8LmtbX61jPOj EKZc8YM4N7ZbV2Sj9zdmo5+SiqY969XZ6MelommbbDEbvU5wniuHjxDCh58I WWmStZWZ6U3Fus9ITbfefloF6RfKu53Ip+uPV1fi5dn5gDaSt39CKuwRebAn ZMrWUfMF8K7KJQ7enPYWc7Gb+PNgGPow7zb8+03wbq/Ju0fm0H5aCP+vw7v9 SE3DQ97tvT54WC+fmyp6oiuzjpovgHcHkRqUu5gFeQx/nh22PjFyXUfNF8C7 w0hNS+4oMnuuj/wY3v1LyN1RpGYx+n8+f34PvMMwJHWPiUJ+xtiiilkEBS1V iclZq/VcVZFVNRloNxZSiXAUFVHDG9CpE0aHbn7Uhc6CHmPfllGsEVnbIjIc l41NZxqv0t/3MHfVqXcqnvX4QrPL1gKm1PalgRWd+MdiUgCr9LhT976rmlpS E65h6DDD0d7Kto0YtWhD/SmpWqpF00zOuSptXkjnQoOemnv4N56UxyJyHiPW vTXPECdGJ2DxWIp3kI0ixe1eP2uZGYqvmuf3WXK6VeEkFUKthEqlV2t60S2z uxmnpXjqYqS4xDceYa7Pisez7FQd26oma/V6YOZ6wY0YuLyPm38IPunf6GtH 7Qa4HrLNCwsOpE0m2CFgJC222ExRfhhepmAKVecAPmdusV/kPXYaoTp5KsKS KXxfSmo/Eho+lZp7XGH5DnIR8Q2tqXTVoSJVLsEpnsfuOH3xxsxgikW0ntvA 6T+1ym9xtvj3AG1V06ClPjaxTYlyrlzZ+oqr2xtNryq+UXxcYIdXlYCrDvZL C5LF8QN4ZUNTjEYDD2OEM0aLGQXcFlyZUVcpyR0xqM1E3aeMzxl4LARvAOFj 4e1+F6Sc9Sl7asjCXA0gEfy6xmHNVi556ahBBrUVxSiPilBHHqxIpIVRmbW7 a3KyJAXSB5eZWWg/IArDfRC5MvCmCM/LbJWJXGoXYrGCFfthEG8yPOYUW4bI 2GYr1kBjwxSg/Mqn0Hr4jhvhhe7Dd6TLjVayRosJVt6b2KCmHpjmO4wdCmrP B4/Ei9pkLSGHID4WOFOtDlUilGxSwSu3inIEPSRZ8Des5n8LNAOx3u0tzMXL t4O329zhAgUYVRPfaB/eo+NcUmXYjKRbt3/DdBt58SWhxMmeFoXcGCYctGkg JGPHk7eDtzyn1OZgeTJvYwcE6uFCh2RYRkN/V2rQ2GxcyJO1ossgnnRrJp78 ytJmbgcS+r63TpKt75xYnyXrLDcBJpQd09DAed1ZWLHiqMTLFoHbC8dWWnQg kVU/zehWUKeGP6+tlF/5Y6PQnH/fWLS+4ZEmIJ5PV5UWR/NQ1YuHA5LR0UIT GipnebGmRSwylxSq3T2UTVzdhiyed6laebYkpXEEMOQsc+mTSegO8tnHvinx 7GKrB+Ji9xVMgqLoDcLSvfcnx/XUwXlo0LXhSEiNCnZlazbxrFuA0sGKtpjV 74R2wZJPolWNRFcIcmdl1XK70+iiHqxPMD9J9DeAESjtg0dI+uPlvHEW6CeI +hKUX1Da99dJ+5+rGXlQ0BcM4Dy4HxtEPExRu9Pn0EyBBn4n7X1EdXfvWPTE 3uEeyy+3uEq3lp7DjULUCdwEaz5JaL4Pe2IfHfCb5/FoJoiX2sywmxPYUYaN 7LbjwYWtAfXz24ptLKElgL+87j1f89bLPK9/pwm62BmkY+L88kh4YFU6OnYV 28DiOSzXxa7B9K2QbmhjNkMc6FA3B1DvZYk7LN+a0sdGZDc6tfB3MSgroviw b3D32n2lEN4E5BRdY/SmSxcis0JarxJVSES4CuDOrwc376kxOfJ9bE1ZxPCE kHJ4rMxCooIgd0TsRTsqM83dPAlQTqfwCqW5bXVouEQjt6B3RAuTqlu/mEBW QCrcRBbktjeI6uN5FzzVdx/Z88aMRrlkFxRvVfwKOqUscciqYUkuCHz2PA/k quHCLYcA6JAm9xg7DCZlbrR4U35fQldcq8RkUokrmOdS664YiHfGaHAyn3fF OznWpRPXc+ft//5P3kVw7/EDEOJ2YnLpHHbgGngYSS0+DodK3/PQV2YstUxB i28gmyqdWj5334kNDvmIsQtNXPN4uoabww9lco+yRwfr4cqMOx08Nh3OTJ/E I9OhZxuxr3o0OkyiLND61Eeo8QjziwgzWDX6Ts7uDkWWdLnLzaPIXOh5aKwV 0AvtSXCuxeXF4G+RhjVgd17XYHfaYCuIAVyMyh4D9biCuvM6Aj0lm5Arx/0J MzNWlmLtl7HIBtm8VESyjiE7r+oxjuMYb6ROsxBEOmElfZEgLSn4o0ObGX6d AhMG8Ssm+Fb4hBB/Qai+zSdYtfJipD6TByzEOmSOamReRWS4+Sk3YhauOuyK 3yK5rzRpHcDDGuBRg4M0rxdWJeKbuU7u8aT+6fm/bYvT83geviGnqyHv15AP I+SPoeP0Fh9Ybi5iWyFtse5QdL+SGVoWNq9x6PetMuZ8vFAMLcj73jjDXFMO yD/lqMUHnooVMzxbiIc0R5kxadWcvo8fCZCZGuvKzyFgj447xEsyeZaRRNz3 RU/0+/3tlaQ9elluEEuAGgQHwLxmp09dtCPQNRO8V0/wPk3wn8XX6nMYpl5b QynCafg6DiIgMqXvyTmPd912p6G8H+O3tsK6PAGZgl0rabs1InsBkbOoExPg 2Lc6As9OFTpwdY4YXc12d4P2Gb+4osd1lVa6kB6lD4th6z0KmtG96Accbkiv c6WNpb6UsUMKf3qJDuaHr0CsI6y2xTu7ESgegb6+vEVbgZHk0pvxo1+9nYP6 7Z3w9n+icyv5u2jU9pQQ4m9eBWRWcDnocm/nYAV3I9+ajQvprT3MtIRGQN6I g27FRmZwzcvQZKbBzpbj0GZucLhmQZVRTaXCVo+5/DsecucPgwTGtonhs8Ph dHIghXqyW5XjV4yK0hbGQeVa0admqEUyt4qMjXNjooYRqAWnbrjQ+HgGdVPm Lz9ps/DZDwZQ4DjUB7pq98DSGgXpHR7YjR+XwcUjriTxgQGaq+i1udZX4rrt z7r1O/8HgJHb15JvAAA=best practice. --> </rfc>