Internet Assigned Numbers Authority

Domain Name System Security (DNSSEC) Algorithm Numbers

Last Updated
Available Formats



Plain text

Registries included below

DNS Security Algorithm Numbers

Registration Procedure(s)
RFC Required
The KEY, SIG, DNSKEY, RRSIG, DS, and CERT RRs use an 8-bit number used
to identify the security algorithm being used.

All algorithm numbers in this registry may be used in CERT RRs. Zone
signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG)
make use of particular subsets of these algorithms. Only algorithms
usable for zone signing may appear in DNSKEY, RRSIG, and DS RRs.
Only those usable for SIG(0) and TSIG may appear in SIG and KEY RRs.

* There has been no determination of standardization of the use of this
algorithm with Transaction Security.
Available Formats

Number Description Mnemonic Zone
0 Delete DS DELETE N N [RFC4034][proposed standard][RFC4398][proposed standard][RFC8078][proposed standard]
1 RSA/MD5 (DEPRECATED, see 5) RSAMD5 N Y [RFC3110][proposed standard][RFC4034][proposed standard]
2 Diffie-Hellman DH N Y [RFC2539][proposed standard]
3 DSA/SHA1 DSA Y Y [RFC3755][proposed standard][RFC2536][proposed standard][Federal Information Processing Standards Publication (FIPS PUB) 186, Digital Signature Standard, 18 May 1994.][Federal Information Processing Standards Publication (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995. (Supersedes FIPS PUB 180 dated 11 May 1993.)]
4 Reserved [RFC6725][proposed standard]
5 RSA/SHA-1 RSASHA1 Y Y [RFC3110][proposed standard][RFC4034][proposed standard]
6 DSA-NSEC3-SHA1 DSA-NSEC3-SHA1 Y Y [RFC5155][proposed standard]
7 RSASHA1-NSEC3-SHA1 RSASHA1-NSEC3-SHA1 Y Y [RFC5155][proposed standard]
8 RSA/SHA-256 RSASHA256 Y * [RFC5702][proposed standard]
9 Reserved [RFC6725][proposed standard]
10 RSA/SHA-512 RSASHA512 Y * [RFC5702][proposed standard]
11 Reserved [RFC6725][proposed standard]
12 GOST R 34.10-2001 (DEPRECATED) ECC-GOST Y * [RFC5933][proposed standard][status-change-gost-dnssec-to-historic]
13 ECDSA Curve P-256 with SHA-256 ECDSAP256SHA256 Y * [RFC6605][proposed standard]
14 ECDSA Curve P-384 with SHA-384 ECDSAP384SHA384 Y * [RFC6605][proposed standard]
15 Ed25519 ED25519 Y * [RFC8080][proposed standard]
16 Ed448 ED448 Y * [RFC8080][proposed standard]
17 SM2 signing algorithm with SM3 hashing algorithm SM2SM3 Y * [RFC-cuiling-dnsop-sm2-alg-15][informational]
18-22 Unassigned
23 GOST R 34.10-2012 ECC-GOST12 Y * [RFC9558][informational]
24-122 Unassigned
123-251 Reserved [RFC4034][proposed standard][RFC6014][proposed standard]
252 Reserved for Indirect Keys INDIRECT N N [RFC4034][proposed standard]
253 private algorithm PRIVATEDNS Y Y [RFC4034][proposed standard]
254 private algorithm OID PRIVATEOID Y Y [RFC4034][proposed standard]
255 Reserved [RFC4034][proposed standard]

DNS KEY Record Diffie-Hellman Prime Lengths

Registration Procedure(s)
IETF Review
Available Formats

Value Description Reference
0 Unassigned
1 index into well-known table [RFC2539]
2 index into well-known table [RFC2539]
3-15 Unassigned

DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs

Available Formats

Range Registration Procedures
0x0000-0x07ff Standards Action
0x0800-0xbfff RFC Required
Value Description Reference
0x0000 Unassigned
0x0001 Well-Known Group 1: A 768 bit prime [RFC2539]
0x0002 Well-Known Group 2: A 1024 bit prime [RFC2539]
0x0003-0xbfff Unassigned
0xc000-0xffff Private Use [RFC2539]