Network Working Group M. Andrews Internet-Draft ISC Intended status: Standards Track 16 May 2025 Expires: 17 November 2025 DS support for private DNSSEC algorithms draft-andrews-ds-support-for-private-algorithms-00 Abstract Extend the DS digest field of the DS record to identify the private DNSSEC algorithm of the DNSKEY matching the DS record. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 17 November 2025. Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Andrews Expires 17 November 2025 [Page 1] Internet-Draft DS support for private DNSSEC algorithms May 2025 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Reserved Words . . . . . . . . . . . . . . . . . . . . . 2 2. Updated DS digest field structure . . . . . . . . . . . . . . 2 3. New DS Types . . . . . . . . . . . . . . . . . . . . . . . . 3 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 5. Security Considerations . . . . . . . . . . . . . . . . . . . 3 6. Normative References . . . . . . . . . . . . . . . . . . . . 3 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction When the DNSSEC algorithm is PRIVATEDNS (233) or PRIVATEOID (254) the private algorithm identifier is embedded at the start of the key data in KEY, CDNSKEY, and DNSKEY records and at the start of the signature data in the RRSIG and SIG records [RFC4034]. This allows the private algorithm to be fully identified. DS record, however, do not embed this identifier at the start of the digest field. This results in PRIVATEDNS and PRIVATEOID keys not being able to be used in all the scenarios where non private keys can be. i.e. publishing of DS records for yet to be published DNSKEYs, determining if a DS based trust anchor represents a supported algorithm. This document adds DS digest types which embed the private algorithm identifiers to the start of the digest field to provide equivalent functionality to PRIVATE key types. This document was inspired by the work done to add private DNSSEC algorithm support to BIND 9. 1.1. Reserved Words The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Updated DS digest field structure The digest field of CDS and DS records with digest types other than SHA-1 (1), SHA-256 (2), GOST R 34.11-94 (3), SHA-384 (4), GOST R 34.11-2012 (5) and SM3 (6) MUST now embed the private algorithm identifier before the digest data if the DS algorithm field is PRIVATEDNS or PRIVATEOID in the same manner as is done for the matching DNSKEY record. Andrews Expires 17 November 2025 [Page 2] Internet-Draft DS support for private DNSSEC algorithms May 2025 It is RECOMMENDED that only DS records with DS digest types that embed the private DNSSEC algorithm are used with private DNSSEC algorithms as allows for publishing of DS records without the corresponding DNSKEY record being published. 3. New DS Types New DS type identifiers which support embedding the private DNSSEC algorithm identifier are needed for SHA-256, SHA-384, GOST R 34.11-2012 and SM3 are needed along with identifing names. The new names and types are SHA-256-PRIVATE (TBA), SHA-384-PRIVATE (TBA), GOST R 34.11-2012 PRIVATE (TBA) and SM3-PRIVATE (TBA) respectively. 4. IANA Considerations IANA is requested to assign DS types for SHA-256-PRIVATE, SHA- 384-PRIVATE, GOST R 34.11-2012 PRIVATE and SM3-PRIVATE. 5. Security Considerations This adds no known security issues. 6. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, March 2005, . Author's Address M. Andrews Internet Systems Consortium PO Box 360 Newmarket, NH 03857 United States of America Email: marka@isc.org Andrews Expires 17 November 2025 [Page 3]