Domain Name System Security (DNSSEC) Algorithm Numbers (original) (raw)

Created

2003-11-03

Last Updated

2024-04-16

Available Formats

XML HTML Plain text

Registries included below

DNS Security Algorithm Numbers
DNS KEY Record Diffie-Hellman Prime Lengths
DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs

DNS Security Algorithm Numbers

Registration Procedure(s)

RFC Required

Reference

[RFC4034][RFC3755][RFC6014][RFC6944]

Note

The KEY, SIG, DNSKEY, RRSIG, DS, and CERT RRs use an 8-bit number used to identify the security algorithm being used.

All algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. Only algorithms usable for zone signing may appear in DNSKEY, RRSIG, and DS RRs. Only those usable for SIG(0) and TSIG may appear in SIG and KEY RRs.

There has been no determination of standardization of the use of this algorithm with Transaction Security.

Available Formats

CSV

Number	Description	Mnemonic	ZoneSigning	Trans.Sec.	Reference
0	Delete DS	DELETE	N	N	[RFC4034][proposed standard][RFC4398][proposed standard][RFC8078][proposed standard]
1	RSA/MD5 (DEPRECATED, see 5)	RSAMD5	N	Y	[RFC3110][proposed standard][RFC4034][proposed standard]
2	Diffie-Hellman	DH	N	Y	[RFC2539][proposed standard]
3	DSA/SHA1	DSA	Y	Y	[RFC3755][proposed standard][RFC2536][proposed standard][Federal Information Processing Standards Publication (FIPS PUB) 186, Digital Signature Standard, 18 May 1994.][Federal Information Processing Standards Publication (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995. (Supersedes FIPS PUB 180 dated 11 May 1993.)]
4	Reserved	[RFC6725][proposed standard]
5	RSA/SHA-1	RSASHA1	Y	Y	[RFC3110][proposed standard][RFC4034][proposed standard]
6	DSA-NSEC3-SHA1	DSA-NSEC3-SHA1	Y	Y	[RFC5155][proposed standard]
7	RSASHA1-NSEC3-SHA1	RSASHA1-NSEC3-SHA1	Y	Y	[RFC5155][proposed standard]
8	RSA/SHA-256	RSASHA256	Y	*	[RFC5702][proposed standard]
9	Reserved	[RFC6725][proposed standard]
10	RSA/SHA-512	RSASHA512	Y	*	[RFC5702][proposed standard]
11	Reserved	[RFC6725][proposed standard]
12	GOST R 34.10-2001 (DEPRECATED)	ECC-GOST	Y	*	[RFC5933][proposed standard][Change the status of GOST Signature Algorithms in DNSSEC in the IETF stream to Historic]
13	ECDSA Curve P-256 with SHA-256	ECDSAP256SHA256	Y	*	[RFC6605][proposed standard]
14	ECDSA Curve P-384 with SHA-384	ECDSAP384SHA384	Y	*	[RFC6605][proposed standard]
15	Ed25519	ED25519	Y	*	[RFC8080][proposed standard]
16	Ed448	ED448	Y	*	[RFC8080][proposed standard]
17	SM2 signing algorithm with SM3 hashing algorithm	SM2SM3	Y	*	[RFC-cuiling-dnsop-sm2-alg-15][informational]
18-22	Unassigned
23	GOST R 34.10-2012	ECC-GOST12	Y	*	[RFC9558][informational]
24-122	Unassigned
123-251	Reserved	[RFC4034][proposed standard][RFC6014][proposed standard]
252	Reserved for Indirect Keys	INDIRECT	N	N	[RFC4034][proposed standard]
253	private algorithm	PRIVATEDNS	Y	Y	[RFC4034][proposed standard]
254	private algorithm OID	PRIVATEOID	Y	Y	[RFC4034][proposed standard]
255	Reserved	[RFC4034][proposed standard]

DNS KEY Record Diffie-Hellman Prime Lengths

Registration Procedure(s)

IETF Review

Reference

[RFC2539]

Available Formats

CSV

Value	Description	Reference
0	Unassigned
1	index into well-known table	[RFC2539]
2	index into well-known table	[RFC2539]
3-15	Unassigned

DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs

Reference

[RFC2539]

Available Formats

CSV

Range	Registration Procedures
0x0000-0x07ff	Standards Action
0x0800-0xbfff	RFC Required

Value	Description	Reference
0x0000	Unassigned
0x0001	Well-Known Group 1: A 768 bit prime	[RFC2539]
0x0002	Well-Known Group 2: A 1024 bit prime	[RFC2539]
0x0003-0xbfff	Unassigned
0xc000-0xffff	Private Use	[RFC2539]