RFC 9905 - Deprecating the Use of SHA-1 in DNSSEC Signature Algorithms

Published: November 2025
Status: Standards Track
Updates: RFC 4034, RFC 5155
Authors: W. Hardaker (USC/ISI), W. Kumari (Google)

Abstract

This document deprecates the use of the RSASHA1 and RSASHA1-NSEC3-SHA1 algorithms for the creation of DNS Public Key (DNSKEY) and Resource Record Signature (RRSIG) records.

It updates RFCs 4034 and 5155 as it deprecates the use of these algorithms.

1. Introduction
- 1.1 Requirements Notation
2. Deprecating SHA-1 from DNSSEC Signatures and Delegation RRs
3. Security Considerations
4. Operational Considerations
5. IANA Considerations
6. Normative References
Acknowledgments
Authors' Addresses

Official Text: RFC 9905
Official Page: RFC 9905 DataTracker
Errata: RFC Editor Errata

Abstract​

Contents​

Related Resources​

Abstract

Contents

Related Resources