Domain Name System Security (DNSSEC) Algorithm Numbers

Created: 2003-11-03
Last Updated: 2025-06-10
Available Formats: XML
HTML
Plain text

Registries Included Below

DNS Security Algorithm Numbers
DNS KEY Record Diffie-Hellman Prime Lengths
DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs

DNS Security Algorithm Numbers

Registration Procedure(s)

Standards Action or Specification Required

Expert(s)

Unassigned

Reference

[RFC4034][RFC3755][RFC6014][RFC6944][RFC-ietf-dnsop-rfc8624-bis-13]

Note

Adding a new entry to the "DNS System Algorithm Numbers" registry with
a recommended value of "MAY" in the "Use for DNSSEC Signing", "Use for
DNSSEC Validation", "Implement for DNSSEC Signing", or "Implement for
DNSSEC Validation" columns will subject to the "Specification Required"
policy as defined in [RFC8126] in order to promote continued evolution
of DNSSEC algorithms and DNSSEC agility. New entries added through
the "Specification Required" process will have the value of "MAY"
for all columns.

Adding a new entry to, or changing existing values in, the "DNS System
Algorithm Numbers" registry for the "Use for DNSSEC Signing", "Use for
DNSSEC Validation", "Implement for DNSSEC Signing", or "Implement for
DNSSEC Validation" columns to any other value than "MAY" requires a
Standards Action.

If an item is not marked as "RECOMMENDED", it does not necessarily mean
that it is flawed; rather, it indicates that the item either has not been
through the IETF consensus process, has limited applicability, or is
intended only for specific use cases.

Note

The KEY, SIG, DNSKEY, RRSIG, DS, and CERT RRs use an 8-bit number used
to identify the security algorithm being used.

All algorithm numbers in this registry may be used in CERT RRs. Zone
signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG)
make use of particular subsets of these algorithms. Only algorithms
usable for zone signing may appear in DNSKEY, RRSIG, and DS RRs.
Only those usable for SIG(0) and TSIG may appear in SIG and KEY RRs.

* There has been no determination of standardization of the use of this
algorithm with Transaction Security.

Available Formats

CSV

Number	Description	Mnemonic	Zone Signing	Trans. Sec.	Use for DNSSEC Signing	Use for DNSSEC Validation	Implement for DNSSEC Signing	Implement for DNSSEC Validation	Reference
0	Delete DS	DELETE	N	N					[RFC4034][proposed standard][RFC4398][proposed standard][RFC8078][proposed standard]
1	RSA/MD5 (DEPRECATED, see 5)	RSAMD5	N	Y	MUST NOT	MUST NOT	MUST NOT	MUST NOT	[RFC3110][proposed standard][RFC4034][proposed standard]
2	Diffie-Hellman	DH	N	Y					[RFC2539][proposed standard]
3	DSA/SHA1	DSA	Y	Y	MUST NOT	MUST NOT	MUST NOT	MUST NOT	[RFC3755][proposed standard][RFC2536][proposed standard][Federal Information Processing Standards Publication (FIPS PUB) 186, Digital Signature Standard, 18 May 1994.][Federal Information Processing Standards Publication (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995. (Supersedes FIPS PUB 180 dated 11 May 1993.)]
4	Reserved								[RFC6725][proposed standard]
5	RSA/SHA-1	RSASHA1	Y	Y	MUST NOT	RECOMMENDED	NOT RECOMMENDED	MUST	[RFC3110][proposed standard][RFC4034][proposed standard][RFC-ietf-dnsop-must-not-sha1-09]
6	DSA-NSEC3-SHA1	DSA-NSEC3-SHA1	Y	Y	MUST NOT	MUST NOT	MUST NOT	MUST NOT	[RFC5155][proposed standard]
7	RSASHA1-NSEC3-SHA1	RSASHA1-NSEC3-SHA1	Y	Y	MUST NOT	RECOMMENDED	NOT RECOMMENDED	MUST	[RFC5155][proposed standard][RFC-ietf-dnsop-must-not-sha1-09]
8	RSA/SHA-256	RSASHA256	Y	*	RECOMMENDED	RECOMMENDED	MUST	MUST	[RFC5702][proposed standard]
9	Reserved								[RFC6725][proposed standard]
10	RSA/SHA-512	RSASHA512	Y	*	NOT RECOMMENDED	RECOMMENDED	NOT RECOMMENDED	MUST	[RFC5702][proposed standard]
11	Reserved								[RFC6725][proposed standard]
12	GOST R 34.10-2001 (DEPRECATED)	ECC-GOST	Y	*	MUST NOT	MUST NOT	MUST NOT	MUST NOT	[RFC5933][proposed standard][Change the status of GOST Signature Algorithms in DNSSEC in the IETF stream to Historic][RFC-ietf-dnsop-must-not-ecc-gost-07]
13	ECDSA Curve P-256 with SHA-256	ECDSAP256SHA256	Y	*	RECOMMENDED	RECOMMENDED	MUST	MUST	[RFC6605][proposed standard]
14	ECDSA Curve P-384 with SHA-384	ECDSAP384SHA384	Y	*	MAY	RECOMMENDED	MAY	RECOMMENDED	[RFC6605][proposed standard]
15	Ed25519	ED25519	Y	*	RECOMMENDED	RECOMMENDED	RECOMMENDED	RECOMMENDED	[RFC8080][proposed standard]
16	Ed448	ED448	Y	*	MAY	RECOMMENDED	MAY	RECOMMENDED	[RFC8080][proposed standard]
17	SM2 signing algorithm with SM3 hashing algorithm	SM2SM3	Y	*	MAY	MAY	MAY	MAY	[RFC9563][informational]
18-22	Unassigned
23	GOST R 34.10-2012	ECC-GOST12	Y	*	MAY	MAY	MAY	MAY	[RFC9558][informational]
24-122	Unassigned
123-251	Reserved								[RFC4034][proposed standard][RFC6014][proposed standard]
252	Reserved for Indirect Keys	INDIRECT	N	N					[RFC4034][proposed standard]
253	private algorithm	PRIVATEDNS	Y	Y	MAY	MAY	MAY	MAY	[RFC4034][proposed standard]
254	private algorithm OID	PRIVATEOID	Y	Y	MAY	MAY	MAY	MAY	[RFC4034][proposed standard]
255	Reserved								[RFC4034][proposed standard]

DNS KEY Record Diffie-Hellman Prime Lengths

Registration Procedure(s)

IETF Review

Reference

[RFC2539]

Available Formats

CSV

Value	Description	Reference
0	Unassigned
1	index into well-known table	[RFC2539]
2	index into well-known table	[RFC2539]
3-15	Unassigned

DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs

Reference: [RFC2539]
Available Formats: CSV

Range	Registration Procedures
0x0000-0x07ff	Standards Action
0x0800-0xbfff	RFC Required

Value	Description	Reference
0x0000	Unassigned
0x0001	Well-Known Group 1: A 768 bit prime	[RFC2539]
0x0002	Well-Known Group 2: A 1024 bit prime	[RFC2539]
0x0003-0xbfff	Unassigned
0xc000-0xffff	Private Use	[RFC2539]