Domain Name System Security (DNSSEC) Algorithm Numbers
Created: 2003-11-03
Last Updated: 2024-02-07

DNS Security Algorithm Numbers
Registration Procedure: RFC Required
The KEY, SIG, DNSKEY, RRSIG, DS, and CERT RRs use an 8-bit number
to identify the security algorithm being used.
All algorithm numbers in this registry may be used in CERT RRs. Zone
signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG)
make use of particular subsets of these algorithms. Only algorithms
usable for zone signing may appear in DNSKEY, RRSIG, and DS RRs.
Only those usable for SIG(0) and TSIG may appear in SIG and KEY RRs.
* There has been no determination of standardization of the use of this
algorithm with Transaction Security.

Number   Description                                       Mnemonic            Zone Signing  Trans. Sec.  Reference status
0        Delete DS                                         DELETE              N             N            proposed standard, proposed standard, proposed standard
1        RSA/MD5 (deprecated, see 5)                       RSAMD5              N             Y            proposed standard, proposed standard
2        Diffie-Hellman                                    DH                  N             Y            proposed standard
3        DSA/SHA1                                          DSA                 Y             Y            proposed standard, proposed standard
         Federal Information Processing Standards Publication (FIPS PUB) 186,
         Digital Signature Standard, 18 May 1994.
         Federal Information Processing Standards Publication (FIPS PUB) 180-1,
         Secure Hash Standard, 17 April 1995.
         (Supersedes FIPS PUB 180 dated 11 May 1993.)
4        Reserved                                                                                         proposed standard
5        RSA/SHA-1                                         RSASHA1             Y             Y            proposed standard, proposed standard
6        DSA-NSEC3-SHA1                                    DSA-NSEC3-SHA1      Y             Y            proposed standard
7        RSASHA1-NSEC3-SHA1                                RSASHA1-NSEC3-SHA1  Y             Y            proposed standard
8        RSA/SHA-256                                       RSASHA256           Y             *            proposed standard
9        Reserved                                                                                         proposed standard
10       RSA/SHA-512                                       RSASHA512           Y             *            proposed standard
11       Reserved                                                                                         proposed standard
12       GOST R 34.10-2001                                 ECC-GOST            Y             *            proposed standard
13       ECDSA Curve P-256 with SHA-256                    ECDSAP256SHA256     Y             *            proposed standard
14       ECDSA Curve P-384 with SHA-384                    ECDSAP384SHA384     Y             *            proposed standard
15       Ed25519                                           ED25519             Y             *            proposed standard
16       Ed448                                             ED448               Y             *            proposed standard
17       SM2 signing algorithm with SM3 hashing algorithm  SM2SM3              Y             *            informational
18-22    Unassigned
23       GOST R 34.10-2012                                 ECC-GOST12          Y             *            informational
24-122   Unassigned
123-251  Reserved                                                                                         proposed standard, proposed standard
252      Reserved for Indirect Keys                        INDIRECT            N             N            proposed standard
253      private algorithm                                 PRIVATEDNS          Y             Y            proposed standard
254      private algorithm OID                             PRIVATEOID          Y             Y            proposed standard
255      Reserved                                                                                         proposed standard

DNS KEY Record Diffie-Hellman Prime Lengths
Registration Procedure: IETF Review

Value    Description
0        Unassigned
1        index into well-known table
2        index into well-known table
3-15     Unassigned

DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs
Registration Procedures:

Range            Registration Procedure
0x0000-0x07ff    Standards Action
0x0800-0xbfff    RFC Required

Value            Description
0x0000           Unassigned
0x0001           Well-Known Group 1: A 768 bit prime
0x0002           Well-Known Group 2: A 1024 bit prime
0x0003-0xbfff    Unassigned
0xc000-0xffff    Private Use