3. DNS Security Algorithm Numbers Registry 列值
"Domain Name System Security (DNSSEC) Algorithm Numbers" registry group 下 "DNS Security Algorithm Numbers" registry 中使用和实现建议列的初始值如 Table 2 所示.
当 "Use for" 列中存在多个 RECOMMENDED 算法时, 运营者应根据本地策略选择最佳算法.
这些初始值把 RFC 8624 中的算法状态迁移到 IANA registry 的列中. "Use for DNSSEC Signing" 和 "Use for DNSSEC Validation" 面向运营部署, 表示在创建 DNSSEC signatures 或验证 DNSSEC signatures 时的使用建议. "Implement for DNSSEC Signing" 和 "Implement for DNSSEC Validation" 面向软件实现, 表示实现是否需要支持相应算法以便签名或验证.
表中的 Mnemonics 和算法编号是 registry 中既有的协议值, 因此保持原样. 这些建议值不改变算法本身的定义, 也不为算法分配新编号. 它们只把每个算法在 DNSSEC signing, DNSSEC validation, implementation for signing 和 implementation for validation 四个维度上的推荐级别明确列出.
| No. | Mnemonics | Use for DNSSEC Signing | Use for DNSSEC Validation | Implement for DNSSEC Signing | Implement for DNSSEC Validation |
|---|---|---|---|---|---|
| 1 | RSAMD5 | MUST NOT | MUST NOT | MUST NOT | MUST NOT |
| 3 | DSA | MUST NOT | MUST NOT | MUST NOT | MUST NOT |
| 5 | RSASHA1 | NOT RECOMMENDED | RECOMMENDED | NOT RECOMMENDED | MUST |
| 6 | DSA-NSEC3-SHA1 | MUST NOT | MUST NOT | MUST NOT | MUST NOT |
| 7 | RSASHA1-NSEC3-SHA1 | NOT RECOMMENDED | RECOMMENDED | NOT RECOMMENDED | MUST |
| 8 | RSASHA256 | RECOMMENDED | RECOMMENDED | MUST | MUST |
| 10 | RSASHA512 | NOT RECOMMENDED | RECOMMENDED | NOT RECOMMENDED | MUST |
| 12 | ECC-GOST | MUST NOT | MAY | MUST NOT | MAY |
| 13 | ECDSAP256SHA256 | RECOMMENDED | RECOMMENDED | MUST | MUST |
| 14 | ECDSAP384SHA384 | MAY | RECOMMENDED | MAY | RECOMMENDED |
| 15 | ED25519 | RECOMMENDED | RECOMMENDED | RECOMMENDED | RECOMMENDED |
| 16 | ED448 | MAY | RECOMMENDED | MAY | RECOMMENDED |
| 17 | SM2SM3 | MAY | MAY | MAY | MAY |
| 23 | ECC-GOST12 | MAY | MAY | MAY | MAY |
| 253 | PRIVATEDNS | MAY | MAY | MAY | MAY |
| 254 | PRIVATEOID | MAY | MAY | MAY | MAY |
Table 2: DNS Security Algorithm Numbers Registry 列的初始值