]> ICANN

paul.hoffman@icann.org

Internet-Draft RFC 4034 allocates one value in the IANA registry for DNSSEC algorithm numbers for private algorithms. That may be too few for experimentation where multiple yet-to-be-assigned algorithms are used. This document assigns seven more values for this use case. This document is currently maintained at https://github.com/paulehoffman/draft-hoffman-more-private-algs. Issues and pull requests are welcomed. If the document is later adopted by a working group, a new repository will likely be created.

Introduction Section A.1 of assigns value 253 as "Private [PRIVATEDNS]". Section A.1.1 describes this value:

In the coming years, it is likely that there will be experimentation with new DNSSEC signing algorithms for post-quantum cryptography. At the time this document is written, it is possible that there will be many such algorithms in experimental use at the same time. If that comes to pass, it would be useful to have a handful of private use algorithms to use at the same time, such as for experimenting with zones that will have multiple simultaneous signing algorithms. This document updates to add seven more private use algorithms. Unlike private use algorithm 253, there is no restriction on the public key area in the DNSKEY RR and the signature area in the RRSIG RR. Thus, there are no domain names embdded in the public key or signature like there are with private use algorithm 253. This update brings the total number of private use algorithms that use the same format to eight.

IANA Considerations This document requests that IANA allocate seven additional values, 245 through 251, in the "DNS Security Algorithm Numbers" registry (https://www.iana.org/assignments/dns-sec-alg-numbers/).

Security Considerations Allocating private use values does not cause any significant security considerations.

This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK]