| Internet-Draft | DNSSEC Algorithm Lifecycles | March 2024 |
| Crocker & Housley | Expires 3 September 2024 | [Page] |
Cryptographic algorithms for DNSSEC go through multiple phases during their lifetime. They are created, tested, adopted, used, and deprecated over a period of time. This RFC defines these phases, and defines the criteria for moving from one phase to the next.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 3 September 2024.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Each DNSSEC cryptographic algorithm is used in two distinct but interconnected ways. The first is to sign. The second is to validate a signature. If someone uses an algorithm to sign, the party that receives that signed message should be able to validate the signature. This means the receiving parties need to implement the validation algorithm before the sending parties can use expect to use it effectively, and equally, the receiving parties have to keep the validation algorithm in service well after the signing parties stop using it.¶
These relationships seem obvious, but there has not been an organized way to communicate to the Internet community when these algorithm transitions take place. This document proposes that IANA augment its registry of DNSSEC algorithms with the status of each algorithm with respect to this lifecycle.¶
We define seven phases in the lifecycle of a DNSSEC algorithm.¶
Experimental: The algorithm is under development by the cryptographic community and is not yet ready for general use.¶
Adopted: The algorithm is ready to be used by the Internet community. It is listed in the IANA registry. Implementers are expected to support the algorithm for signature validation.¶
Available: The algorithm is ready for use by all parties. Implementers are expected to support the algorithm for signing and signature validation.¶
Mainstream: The algorithm has reached “recommended” status. Implementers are expected to support the algorithm for signing and signature validation.¶
Phaseout: The algorithm is nearing the end of its lifecycle, but it is still in use. Implementers are advised to transition to other recommend algorithms. Signing should be phased out.¶
Deprecated: All use for signing should have stopped, but signature validation is still supported.¶
Obsolete: No support for signing or signature validation is expected.¶
The previous section does not specify the process and criteria for advancing a DNSSEC algorithm through these lifecycle phases. There are six transition points, labelled A through F, between these seven lifecycle phases. We propose the following process and criteria for these transitions.¶
A. Algorithm Inclusion¶
Prerequisites:¶
IETF determines the algorithm is suitable for use with DNSSEC.¶
Action: IETF publishes notice that the algorithm is suitable for use and should be deployed for signature validation.¶
B. Ready for Use¶
Prerequisites:¶
IETF reaches consensus that algorithm has been widely deployed for DNSSEC.¶
Action: IETF publishes notice that algorithm is available for DNSSEC signing.¶
C. Mainstream¶
D. Phaseout¶
Prerequisites:¶
Cryptographic community has determined the algorithm is reaching its end of life.¶
IETF determines it is time to announce the phaseout.¶
Action: IETF publishes notice to signing operators to transition away from the algorithm and begin signing with a mainstream algorithm.¶
E. Deprecation¶
Prerequisites:¶
IETF determines it is time to deprecate the algorithm for use with DNSSEC.¶
Action: IETF publishes notice that use of the algorithm is now inappropriate for DNSSEC signing.¶
F. Obsolescence¶
Determination of when an algorithm has reached a particular transition point will require a panel of experts. We propose that the IESG select the individuals for this panel as the IANA Designated Experts [RFC8126] for the "DNS Security Algorithm Numbers" registry. The individuals that make up the Expert Panel are expected to have contacts within the cryptographic community to determine whether a particular algorithm is suitable for use with DNSSEC.¶
IANA is asked to add a "Lifecycle Phase" column to the "DNS Security Algorithm Numbers" registry. Once the Expert Panel discussed in the previous section is seated, the Expert Panel will tell IANA the appropriate lifecycle phase for each algorithm that is in the registry.¶
For future additions to the registry, they will initially be listed in Phase 1 (Experimental). Changes to the lifecycle phase will be determined by the Expert Panel.¶
This document proposes a lifecycle for DNSSEC algorithms. By following the criteria presented in Section 3, Internet-wide deployment of new DNSSEC algorithm will occur in a smooth manner that ensures all implementations will be able to validate signatures. Likewise, following the criteria will ensure that out-of-date DNSSEC algorithm are retired in a graceful manner. The criteria associated with the transition between phases of the lifecycle will depend on the judgement of the Expert Panel that will be chosen by the IESG.¶
(RFC Editor: Please remove this section before publication.)¶
draft-crocker-dnsop-dnssec-algorithm-lifecycle-00¶
Initial public draft.¶