2003-11-03 2026-01-13 Standards Action or Specification Required Mark Andrews, Roy Arends, Warren Kumari, Wes Hardaker Adding a new entry to the "DNS Security Algorithm Numbers” registry with a recommended value of "MAY" in the "Use for DNSSEC Signing", "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or "Implement for DNSSEC Validation" columns will be subject to the Specification Required policy as defined in in order to promote continued evolution of DNSSEC algorithms and DNSSEC agility. New entries added through the Specification Required process will have the value of "MAY” for all columns. Adding a new entry to, or changing an existing value in, the “DNS Security Algorithm Numbers" registry that has any value other than "MAY" in the "Use for DNSSEC Signing", "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or "Implement for DNSSEC Validation" columns requires Standards Action. If an item is not marked as "RECOMMENDED", it does not necessarily mean that it is flawed; rather, it indicates that the item either has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases. The KEY, SIG, DNSKEY, RRSIG, DS, and CERT RRs use an 8-bit number used to identify the security algorithm being used. All algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. Only algorithms usable for zone signing may appear in DNSKEY, RRSIG, and DS RRs. Only those usable for SIG(0) and TSIG may appear in SIG and KEY RRs. * There has been no determination of standardization of the use of this algorithm with Transaction Security. 0 Delete DS DELETE N N proposed standard proposed standard proposed standard 1 RSA/MD5 (DEPRECATED, see 5) RSAMD5 N Y MUST NOT MUST NOT MUST NOT MUST NOT proposed standard proposed standard 2 Diffie-Hellman DH N Y proposed standard 3 DSA/SHA1 DSA Y Y MUST NOT MUST NOT MUST NOT MUST NOT proposed standard proposed standard Federal Information Processing Standards Publication (FIPS PUB) 186, Digital Signature Standard, 18 May 1994. Federal Information Processing Standards Publication (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995. (Supersedes FIPS PUB 180 dated 11 May 1993.) 4 Reserved proposed standard 5 RSA/SHA-1 RSASHA1 Y Y MUST NOT RECOMMENDED NOT RECOMMENDED MUST proposed standard proposed standard 6 DSA-NSEC3-SHA1 DSA-NSEC3-SHA1 Y Y MUST NOT MUST NOT MUST NOT MUST NOT proposed standard 7 RSASHA1-NSEC3-SHA1 RSASHA1-NSEC3-SHA1 Y Y MUST NOT RECOMMENDED NOT RECOMMENDED MUST proposed standard 8 RSA/SHA-256 RSASHA256 Y * RECOMMENDED RECOMMENDED MUST MUST proposed standard 9 Reserved proposed standard 10 RSA/SHA-512 RSASHA512 Y * NOT RECOMMENDED RECOMMENDED NOT RECOMMENDED MUST proposed standard 11 Reserved proposed standard 12 GOST R 34.10-2001 (DEPRECATED) ECC-GOST Y * MUST NOT MUST NOT MUST NOT MUST NOT proposed standard Change the status of GOST Signature Algorithms in DNSSEC in the IETF stream to Historic 13 ECDSA Curve P-256 with SHA-256 ECDSAP256SHA256 Y * RECOMMENDED RECOMMENDED MUST MUST proposed standard 14 ECDSA Curve P-384 with SHA-384 ECDSAP384SHA384 Y * MAY RECOMMENDED MAY RECOMMENDED proposed standard 15 Ed25519 ED25519 Y * RECOMMENDED RECOMMENDED RECOMMENDED RECOMMENDED proposed standard 16 Ed448 ED448 Y * MAY RECOMMENDED MAY RECOMMENDED proposed standard 17 SM2 signing algorithm with SM3 hashing algorithm SM2SM3 Y * MAY MAY MAY MAY informational 18-22 Unassigned 23 GOST R 34.10-2012 ECC-GOST12 Y * MAY MAY MAY MAY informational 24-122 Unassigned 123-251 Reserved proposed standard proposed standard 252 Reserved for Indirect Keys INDIRECT N N proposed standard 253 private algorithm PRIVATEDNS Y Y MAY MAY MAY MAY proposed standard 254 private algorithm OID PRIVATEOID Y Y MAY MAY MAY MAY proposed standard 255 Reserved proposed standard IETF Review 0 Unassigned 1 index into well-known table 2 index into well-known table 3-15 Unassigned 0x0000-0x07ff Standards Action 0x0800-0xbfff RFC Required 0x0000 Unassigned 0x0001 Well-Known Group 1: A 768 bit prime 0x0002 Well-Known Group 2: A 1024 bit prime 0x0003-0xbfff Unassigned 0xc000-0xffff Private Use