]> DS support for private DNSSEC algorithms Internet Systems Consortium
PO Box 360 Newmarket NH 03857 US marka@isc.org
Extend the DS digest field of the DS record to identify the private DNSSEC algorithm of the DNSKEY matching the DS record.
When the DNSSEC algorithm is PRIVATEDNS (233) or PRIVATEOID (254) the private algorithm identifier is embedded at the start of the key data in KEY, CDNSKEY, and DNSKEY records and at the start of the signature data in the RRSIG and SIG records . This allows the private algorithm to be fully identified. DS record, however, do not embed this identifier at the start of the digest field. This results in PRIVATEDNS and PRIVATEOID keys not being able to be used in all the scenarios where non private keys can be. i.e. publishing of DS records for yet to be published DNSKEYs, determining if a DS based trust anchor represents a supported algorithm. This document adds DS digest types which embed the private algorithm identifiers to the start of the digest field to provide equivalent functionality to PRIVATE key types. This document was inspired by the work done to add private DNSSEC algorithm support to BIND 9.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .
The digest field of CDS and DS records with digest types other than SHA-1 (1), SHA-256 (2), GOST R 34.11-94 (3), SHA-384 (4), GOST R 34.11-2012 (5) and SM3 (6) MUST now embed the private algorithm identifier before the digest data if the DS algorithm field is PRIVATEDNS or PRIVATEOID in the same manner as is done for the matching DNSKEY record. It is RECOMMENDED that only DS records with DS digest types that embed the private DNSSEC algorithm are used with private DNSSEC algorithms as allows for publishing of DS records without the corresponding DNSKEY record being published.
New DS type identifiers which support embedding the private DNSSEC algorithm identifier are needed for SHA-256, SHA-384, GOST R 34.11-2012 and SM3 are needed along with identifing names. The new names and types are SHA-256-PRIVATE (TBA), SHA-384-PRIVATE (TBA), GOST R 34.11-2012 PRIVATE (TBA) and SM3-PRIVATE (TBA) respectively.
IANA is requested to assign DS types for SHA-256-PRIVATE, SHA-384-PRIVATE, GOST R 34.11-2012 PRIVATE and SM3-PRIVATE.
This adds no known security issues.
&rfc2119; &rfc4034;