
7. IANA Considerations

This document introduces no new IANA considerations, because all of the protocol parameters used in this document have been assigned by previous specifications. However, because the evolution of DNSSEC has been long and somewhat convoluted, this section attempts to describe the current state of the IANA registries and other protocol parameters that are (or have been) related to DNSSEC.

See [RFC4035] for additional IANA considerations.

DNS Resource Record Types: [RFC2535] assigned types 24, 25, and 30 to the SIG, KEY, and NXT RRs. [RFC3658] assigned DNS resource record type 43 to the DS RR. [RFC3755] assigned types 46, 47, and 48 to the RRSIG, NSEC, and DNSKEY RRs. [RFC3755] also marked type 30 (NXT) as obsolete and limited the use of types 24 (SIG) and 25 (KEY) to the "SIG(0)" transaction security protocol described in [RFC2931] and the transaction KEY resource record described in [RFC2930].

DNS Security Algorithm Numbers: [RFC2535] created an IANA registry for the numbering of the algorithm field of DNSSEC resource records, and assigned values 1-4 and 252-255. [RFC3110] assigned value 5. [RFC3755] modified this registry to include a flags field to indicate for each entry whether use with DNS security extensions is mandated, recommended, optional, or must not be used. Each algorithm entry may reference an algorithm that is usable for zone signing, transaction security (see [RFC2931]), or both. Values 6-251 are assignable through IETF standards action ([RFC3755]). See Appendix A for a complete list of the DNS Security Algorithm Number entries as of the time of this writing and their status with regard to use in DNSSEC.

[RFC3658] created an IANA registry for DNSSEC DS digest types, and assigned value 0 to Reserved and value 1 to SHA-1.

KEY Protocol Values: [RFC2535] created an IANA registry for KEY protocol values, but [RFC3445] reassigned all values other than 3 to Reserved and closed this IANA registry. The registry remains closed, and all KEY and DNSKEY records are required to have the protocol octet value of 3.

Flag bits in the KEY and DNSKEY RRs: [RFC3755] created an IANA registry for the DNSSEC KEY and DNSKEY RR flag bits. Initially, this registry only contains an assignment for bit 7 (the ZONE bit) and bit 15 (the Secure Entry Point flag (SEP) bit; see [RFC3757]). Bits 0-6 and 8-14 are available for assignment by IETF standards action, as described in [RFC3755].
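The registry constraints described in this section (protocol octet 3, flag bits 7 and 15, and the listed algorithm numbers) can be audited against the fixed 4-octet header of a DNSKEY RDATA. The following Python code is an added example, not part of the original specification. The function name check_dnskey_rdata, the sample records, and the choice to report unassigned flag bits as findings are assumptions made for illustration, and the algorithm set reflects only the assignments listed in this section, not later additions to the registry.

```python
import struct

# Values taken from the registry state described in this section.
ZONE_BIT = 0x0100   # flag bit 7 (bits are numbered from the most significant, bit 0)
SEP_BIT = 0x0001    # flag bit 15
ASSIGNED_FLAGS = ZONE_BIT | SEP_BIT
REQUIRED_PROTOCOL = 3
# Algorithm numbers this section lists as assigned: 1-4, 5, and 252-255.
ASSIGNED_ALGORITHMS = set(range(1, 6)) | set(range(252, 256))


def check_dnskey_rdata(rdata: bytes) -> dict:
    """Parse DNSKEY RDATA (flags, protocol, algorithm, public key) and
    list the registry constraints from this section that it does not meet."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA shorter than its 4-octet fixed header")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    problems = []
    if protocol != REQUIRED_PROTOCOL:
        problems.append(f"protocol octet is {protocol}, must be 3")
    # Audit finding (assumption of this example): any bit outside 7 and 15 is set.
    unassigned = flags & ~ASSIGNED_FLAGS & 0xFFFF
    if unassigned:
        problems.append(f"unassigned flag bits set: 0x{unassigned:04x}")
    if algorithm not in ASSIGNED_ALGORITHMS:
        problems.append(f"algorithm {algorithm} not assigned in this section")
    return {
        "zone_key": bool(flags & ZONE_BIT),
        "sep": bool(flags & SEP_BIT),
        "algorithm": algorithm,
        "key_length": len(rdata) - 4,
        "problems": problems,
    }


# Constructed sample records (key material is filler bytes, not real keys).
SAMPLES = {
    "ksk": struct.pack("!HBB", 257, 3, 5) + b"\x00" * 8,
    "bad_protocol": struct.pack("!HBB", 256, 2, 5) + b"\x00" * 8,
    "stray_flag": struct.pack("!HBB", 0x8100, 3, 5) + b"\x00" * 8,
    "unlisted_algorithm": struct.pack("!HBB", 256, 3, 6) + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, rdata in SAMPLES.items():
        print(name, check_dnskey_rdata(rdata))
```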

