Internet-Draft DNSSEC Algorithm Lifecycles October 2024
Crocker & Housley Expires 7 April 2025 [Page]
Workgroup:
DNSOP Working Group
Internet-Draft:
draft-crocker-dnsop-dnssec-algorithm-lifecycle-01
Published:
Intended Status:
Informational
Expires:
Authors:
S. Crocker
Edgemoor Research Institute
R. Housley
Vigil Security

Documenting and Managing DNSSEC Algorithm Lifecycles

Abstract

Cryptographic algorithms for DNSSEC go through multiple phases during their lifetime. They are created, tested, adopted, used, and deprecated over a period of time. This RFC defines phases for the DNSSEC algorithm lifecycle, and it defines the criteria for moving from one phase to the next.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 April 2025.

Table of Contents

1. Background

Each DNSSEC cryptographic algorithm is used in two distinct but interconnected ways. The first is to sign. The second is to validate a signature. If someone uses an algorithm to sign, the party that receives that signed message should be able to validate the signature. This means the receiving parties need to implement the validation algorithm before the sending parties can expect to use it effectively, and equally, the receiving parties have to keep the validation algorithm in service even after the signing parties stop using it.

These relationships seem obvious, but there has not been an organized way to communicate within the Internet community regarding these algorithm transitions. This document builds upon the enhancements defined in [I-D.ietf-dnsop-rfc8624-bis] to the IANA registry of DNSSEC algorithms; the values in the "Use for DNSSSEC Signing", "Use for DNSSSEC Validation", "Implement for DNSSSEC Signing", and "Implement for DNSSSEC Validation" tell which phase the algorithm is in with respect to this lifecycle.

2. Seven phases in the lifecycle of a DNSSEC algorithm

We define seven phases in the lifecycle of a DNSSEC algorithm.

  1. Experimental: The algorithm is under development by the cryptographic community and is not yet ready for general use.

  2. Adopted: The algorithm is ready to be used by the Internet community. It is listed in the IANA registry. Implementers are expected to support the algorithm for signature validation.

  3. Available: The algorithm is ready for use by all parties. Implementers are expected to support the algorithm for signing and signature validation.

  4. Mainstream: The algorithm has reached “recommended” status. Implementers are expected to support the algorithm for signing and signature validation.

  5. Phaseout: The algorithm is nearing the end of its lifecycle, but it is still in use. Implementers are advised to transition to other recommend algorithms. Signing should be phased out.

  6. Deprecated: All use for signing should have stopped, but signature validation is still supported.

  7. Obsolete: No support for signing or signature validation is expected.

3. Process and Criteria for transitions

The previous section does not specify the process and criteria for advancing a DNSSEC algorithm through these lifecycle phases. There are six transition points, labelled A through F, between these seven lifecycle phases. We propose the following process and criteria for these transitions.

A. Algorithm Inclusion

B. Ready for Use

C. Mainstream

D. Phaseout

E. Deprecation

F. Obsolescence

4. Lifecycle Phase and the IANA Registry

The enhancements to the IANA registry of DNSSEC algorithms defined in [I-D.ietf-dnsop-rfc8624-bis]. Table 1 suggests the values for the IANA registry values in the "Use for DNSSSEC Signing", "Use for DNSSSEC Validation", "Implement for DNSSSEC Signing", and "Implement for DNSSSEC Validation" columns for each phase in the algorithms lifecycle defined in Section 2. The IETF is encouraged to follow Table 1 in assigning the values in the IANA registry of DNSSEC algorithms as each algorithm progresses through the lifecycle.

 +=======+===========================+===========================+
 |       |    DNSSEC Validation      |      DNSSEC Signing       |
 |       +-------------+-------------+-------------+-------------+
 | Phase |  Implement  |     Use     |  Implement  |     Use     |
 +=======+=============+=============+=============+=============+
 | 1     |     MAY     |     MAY     |     MAY     |     MAY     |
 +-------+-------------+-------------+-------------+-------------+
 | 2     | RECOMMENDED |     MAY     | RECOMMENDED |     MAY     |
 +-------+-------------+-------------+-------------+-------------+
 | 3     |     MUST    | RECOMMENDED |     MUST    |     MAY     |
 +-------+-------------+-------------+-------------+-------------+
 | 4     |     MUST    |     MUST    |     MUST    | RECOMMENDED |
 +-------+-------------+-------------+-------------+-------------+
 | 5     |     MUST    | RECOMMENDED | RECOMMENDED |     NOT     |
 |       |             |             |             | RECOMMENDED |
 +-------+-------------+-------------+-------------+-------------+
 | 6     | RECOMMENDED |     NOT     |     NOT     |   MUST NOT  |
 |       |             | RECOMMENDED | RECOMMENDED |             |
 +-------+-------------+-------------+-------------+-------------+
 | 7     |     NOT     |   MUST NOT  |   MUST NOT  |   MUST NOT  |
 |       | RECOMMENDED |             |             |             |
 |       |  -- or --   |             |             |             |
 |       |  MUST NOT   |             |             |             |
 +-------+-------------+-------------+-------------+-------------+

   Table 1.  Determine lifecycle phase from the IANA registry.

5. IANA Considerations

IANA has no actions related to this document.

6. Security Considerations

This document proposes a lifecycle for DNSSEC algorithms. By following the criteria presented in Section 3, Internet-wide deployment of new DNSSEC algorithm will occur in a smooth manner that ensures all implementations will be able to validate signatures. Likewise, following the criteria will ensure that out-of-date DNSSEC algorithm are retired in a graceful manner. The criteria associated with the transition between phases of the lifecycle will depend on the process that makes changes to the IANA registry as defined in [I-D.ietf-dnsop-rfc8624-bis].

7. References

7.1. Normative References

[RFC8126]
Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, , <https://www.rfc-editor.org/rfc/rfc8126>.

7.2. Informative References

[I-D.ietf-dnsop-rfc8624-bis]
Hardaker, W. and W. A. Kumari, "DNSSEC Cryptographic Algorithm Recommendation Update Process", Work in Progress, Internet-Draft, draft-ietf-dnsop-rfc8624-bis-00, , <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8624-bis-00>.

Authors' Addresses

Steve Crocker
Edgemoor Research Institute
Russ Housley
Vigil Security, LLC