
Appendix A. DNSSEC Algorithm and Digest Types

The DNS security extensions are designed to be independent of the underlying cryptographic algorithms. The DNSKEY, RRSIG, and DS resource records all use a DNSSEC algorithm number to identify the cryptographic algorithm in use by the resource record. The DS resource record also specifies a digest algorithm number to identify the digest algorithm used to construct the DS record. The currently defined algorithms and digest types are listed below. Additional algorithms or digest types may be added as developments in cryptography warrant them.

Resolvers and nameservers that support DNSSEC MUST implement all MANDATORY algorithms.

A.1. DNSSEC Algorithm Types

DNSKEY, RRSIG, and DS RRs use an 8-bit number to identify the security algorithm being used. These values are stored in the "Algorithm number" field in the resource record RDATA.

Some algorithms are available for use only for zone signing (DNSSEC), some only for transaction security mechanisms (SIG(0) and TSIG), and some for both. Algorithms usable for zone signing may appear in DNSKEY, RRSIG, and DS RRs. Algorithms usable for transaction security appear in SIG(0) and KEY RRs, as described in [RFC2931].

                                            Zone
   Value  Algorithm [Mnemonic]     Signing  References  Status
   -----  -----------------------  -------  ----------  ---------------
       0  reserved
       1  RSA/MD5 [RSAMD5]         n        [RFC2537]   NOT RECOMMENDED
       2  Diffie-Hellman [DH]      n        [RFC2539]   -
       3  DSA/SHA-1 [DSA]          y        [RFC2536]   OPTIONAL
       4  Elliptic Curve [ECC]              TBA         -
       5  RSA/SHA-1 [RSASHA1]      y        [RFC3110]   MANDATORY
     252  Indirect [INDIRECT]      n                    -
     253  Private [PRIVATEDNS]     y        see below   OPTIONAL
     254  Private [PRIVATEOID]     y        see below   OPTIONAL
     255  reserved

   6 - 251  Available for assignment by IETF Standards Action.

A.1.1. Private Algorithm Types

Algorithm number 253 is reserved for private use and will never be assigned to a specific algorithm. The public key area in the DNSKEY RR and the signature area in the RRSIG RR begin with a wire-encoded domain name, which MUST NOT be compressed. The domain name indicates the private algorithm to use, and the remainder of the public key area is determined by that algorithm. Entities should only use domain names they control to designate their private algorithms.

Algorithm number 254 is reserved for private use and will never be assigned to a specific algorithm. The public key area in the DNSKEY RR and the signature area in the RRSIG RR begin with an unsigned length byte followed by a BER encoded Object Identifier (ISO OID) of that length. The OID indicates the private algorithm in use, and the remainder of the area is whatever is required by that algorithm. Entities should only use OIDs they control to designate their private algorithms.

A.2. DNSSEC Digest Types

The "Digest Type" field in the DS resource record type identifies the cryptographic digest algorithm used by the resource record. The following table lists the currently defined digest algorithm types.

   VALUE   Algorithm    STATUS
   -----   ----------   ---------
       0   Reserved     -
       1   SHA-1        MANDATORY
   2-255   Unassigned   -
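The following is an added worked example; it is not part of the RFC text and is not code from any DNSSEC implementation. It parses DNSKEY RDATA, peels off the private-algorithm designators of A.1.1 (rejecting a compression pointer in an algorithm-253 name, as required above, and decoding the BER OID for algorithm 254), and builds the DS fields for the one digest type assigned in A.2. Two facts it relies on are not reproduced on this page: RFC 4034 section 5.1.4 defines the DS digest input as the canonical (lower-cased) owner name in wire form followed by the DNSKEY RDATA, and RFC 4034 Appendix B defines the key tag. The sample keys are constructed filler bytes, and treating the algorithm-254 length byte as covering only the OID's contents octets is an assumption. Note also that both tables reflect RFC 4034 as published; the IANA DNS Security Algorithm Numbers and DS Digest Algorithm registries carry the assignments made since.

```python
import hashlib
import struct

# Values from the tables above (RFC 4034 Appendix A).
ALG_PRIVATEDNS = 253   # designator: uncompressed wire-format domain name
ALG_PRIVATEOID = 254   # designator: length byte + BER-encoded OID
DIGEST_SHA1 = 1        # the only DS digest type assigned in A.2


def name_to_wire(name):
    """Canonical (lower-cased, uncompressed) wire form of a domain name,
    used for the owner name when the DS digest is computed."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.lower().encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_wire_name(buf, off=0):
    """Parse one uncompressed wire-format name at buf[off]; return
    (presentation name, offset after it). A compression pointer (top two
    bits 11) is an error: the algorithm-253 name MUST NOT be compressed."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in designator")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def decode_ber_oid(raw):
    """Decode the contents octets of a BER OBJECT IDENTIFIER (base-128
    subidentifiers, the first one packing the first two arcs) to dotted form."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if not arcs or val:
        raise ValueError("empty or truncated OID")
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_dnskey_rdata(rdata):
    """Split DNSKEY RDATA (flags, protocol, algorithm, public key) and, for
    algorithms 253 and 254, peel the private-algorithm designator off the
    front of the public key area as A.1.1 describes."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA shorter than its fixed header")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    key, designator = rdata[4:], None
    if algorithm == ALG_PRIVATEDNS:
        designator, end = parse_wire_name(key)
        key = key[end:]
    elif algorithm == ALG_PRIVATEOID:
        # Assumption: the length byte counts the OID's contents octets only.
        if len(key) < 1 or len(key) < 1 + key[0]:
            raise ValueError("truncated OID designator")
        designator, key = decode_ber_oid(key[1:1 + key[0]]), key[1 + key[0]:]
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm,
            "designator": designator, "key": key}


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not on this page). This sum applies
    to every algorithm except 1 (RSA/MD5), which Appendix B special-cases."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata, digest_type=DIGEST_SHA1):
    """DS RDATA fields (key tag, algorithm, digest type, hex digest) for a
    DNSKEY. Per RFC 4034 section 5.1.4 the digest covers the canonical owner
    name followed by the DNSKEY RDATA; only digest type 1 is assigned in A.2."""
    if digest_type != DIGEST_SHA1:
        raise ValueError("digest type %d is unassigned" % digest_type)
    digest = hashlib.sha1(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest


# Constructed sample keys (not real keys): the key material is filler bytes.
SAMPLE_PRIVATEDNS = (struct.pack("!HBB", 257, 3, ALG_PRIVATEDNS)
                     + b"\x03alg\x07example\x00" + b"\x01\x02\x03\x04")
SAMPLE_PRIVATEOID = (struct.pack("!HBB", 256, 3, ALG_PRIVATEOID)
                     + b"\x05" + bytes.fromhex("2b06010401") + b"\x09\x08\x07")

if __name__ == "__main__":
    for rdata in (SAMPLE_PRIVATEDNS, SAMPLE_PRIVATEOID):
        print(parse_dnskey_rdata(rdata))
        print("DS:", make_ds("Example.", rdata))
```

Because the DS digest is taken over the canonical owner name, make_ds("Example.", ...) and make_ds("EXAMPLE", ...) yield the same digest; a validator that hashed the owner name as typed would fail to match a correctly generated DS.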
