RFC 9904 - DNSSEC Cryptographic Algorithm Recommendation Update Process

Publication Date: November 2025
Status: Standards Track
Authors: W. Hardaker (USC/ISI), W. Kumari (Google)
Obsoletes: RFC 8624
Updates: RFC 9157

---

Abstract

The DNSSEC protocol makes use of various cryptographic algorithms to provide authentication of DNS data and proof of nonexistence. To ensure interoperability between DNS resolvers and DNS authoritative servers, it is necessary to specify both a set of algorithm implementation requirements and usage guidelines to ensure that there is at least one algorithm that all implementations support. This document replaces and obsoletes RFC 8624 and moves the canonical source of algorithm implementation requirements and usage guidance for DNSSEC from RFC 8624 to the IANA DNSSEC algorithm registries. This is done to allow the list of requirements to be more easily updated and referenced. Extensions to these registries can be made in future RFCs. This document also updates RFC 9157 and incorporates the revised IANA DNSSEC considerations from that RFC.

This document does not change the recommendation status (MUST, MAY, RECOMMENDED, etc.) of the algorithms listed in RFC 8624; that is the work of future documents.

---

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9904.

---

Copyright Notice

Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

---

Table of Contents

• 1. Introduction
  • 1.1. Document Audience
  • 1.2. Updating Algorithm Requirement Levels
  • 1.3. Requirements Notation
• 2. Adding Usage and Implementation Recommendations to the IANA DNSSEC Algorithm Registries
  • 2.1. Column Descriptions
  • 2.2. Adding and Changing Values
• 3. DNS Security Algorithm Numbers Registry Column Values
• 4. Digest Algorithms Registry Column Values
• 5. Security Considerations
• 6. Operational Considerations
• 7. IANA Considerations
  • 7.1. Update to the DNS Security Algorithm Numbers Registry
  • 7.2. Update to the Digest Algorithms Registry
• 8. References
  • 8.1. Normative References
  • 8.2. Informative References
• Acknowledgments
• Authors' Addresses