Domain Name System Security (DNSSEC) Algorithm Numbers

(last updated 2009-06-04)

Registries included below:
- DNS Security Algorithm Numbers
- DNS KEY Record Diffie-Hellman Prime Lengths
- DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs


Registry Name: DNS Security Algorithm Numbers
Reference: [RFC4034][RFC3755]
Registration Procedures: IETF Standards Action

Note:
The KEY, SIG, DNSKEY, RRSIG, DS, and CERT RRs use an 8-bit number to identify the security algorithm being used. All algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. Only algorithms usable for zone signing may appear in DNSKEY, RRSIG, and DS RRs. Only those usable for SIG(0) and TSIG may appear in SIG and KEY RRs.

Registry:
Number  Description                       Mnemonic            Zone Signing  Trans. Sec.  Reference
------  --------------------------------  ------------------  ------------  -----------  ---------
0       Reserved                                                                         [RFC4398]
1       RSA/MD5 (deprecated, see 5)       RSAMD5              N             Y            [RFC4034][RFC2537]
2       Diffie-Hellman                    DH                  N             Y            [RFC2539]
3       DSA/SHA1                          DSA                 Y             Y            [RFC3755][RFC2536][DSA][SHA-1]
4       Reserved for Elliptic Curve       ECC
5       RSA/SHA-1                         RSASHA1             Y             Y            [RFC3755][RFC3110]
6       DSA-NSEC3-SHA1                    DSA-NSEC3-SHA1      Y             Y            [RFC5155]
7       RSASHA1-NSEC3-SHA1                RSASHA1-NSEC3-SHA1  Y             Y            [RFC5155]
8-251   Unassigned
252     Reserved for Indirect Keys        INDIRECT            N             N            [RFC4034]
253     Private algorithms - domain name  PRIVATEDNS          Y             Y            [RFC3755][RFC2535]
254     Private algorithms - OID          PRIVATEOID          Y             Y            [RFC3755][RFC2535]
255     Reserved                                                                         [RFC4034]


Registry Name: DNS KEY Record Diffie-Hellman Prime Lengths
Reference: [RFC2539]
Registration Procedures: IETF Review

Value  Description                            Reference
-----  -------------------------------------  ---------
0      Unassigned
1      index into well-known table            [RFC2539]
2      index into well-known table            [RFC2539]
3-15   Unassigned


Registry Name: DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs
Reference: [RFC2539]

Range          Registration Procedures
-------------  -----------------------
0x0000-0x07ff  Standards Action
0x0800-0xbfff  RFC Required

Value          Description                            Reference
-------------  -------------------------------------  ---------
0x0000         Unassigned
0x0001         Well-Known Group 1: A 768 bit prime    [RFC2539]
0x0002         Well-Known Group 2: A 1024 bit prime   [RFC2539]
0x0003-0xbfff  Unassigned
0xc000-0xffff  Private Use                            [RFC2539]


References
----------
[DSA]      Federal Information Processing Standards Publication (FIPS PUB) 186, Digital Signature Standard, 18 May 1994.
[SHA-1]    Federal Information Processing Standards Publication (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995. [Supersedes FIPS PUB 180 dated 11 May 1993.]
[RFC1321]  R. Rivest, "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.
[RFC2535]  D. Eastlake, "Domain Name System Security Extensions", RFC 2535, March 1999.
[RFC2536]  D. Eastlake, "DSA KEYs and SIGs in the Domain Name System (DNS)", RFC 2536, March 1999.
[RFC2537]  D. Eastlake, "RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)", RFC 2537, March 1999.
[RFC2539]  D. Eastlake, "Storage of Diffie-Hellman Keys in the Domain Name System (DNS)", RFC 2539, March 1999.
[RFC3110]  D. Eastlake, "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)", RFC 3110, May 2001.
[RFC3755]  S. Weiler, "Legacy Resolver Compatibility for Delegation Signer", RFC 3755, May 2004.
[RFC4034]  R. Arends, R. Austein, M. Larson, D. Massey and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.
[RFC4398]  S. Josefsson, "Storing Certificates in the Domain Name System (DNS)", RFC 4398, March 2006.
[RFC5155]  B. Laurie, G. Sisson, R. Arends, D. Blacka, "DNSSEC Hashed Authenticated Denial of Existence", RFC 5155, March 2008.

(Registry created 2003-11-03)