                                                Domain Name System Security (DNSSEC) Algorithm Numbers

   Created
           2003-11-03

   Last Updated
           2009-06-04

   Registries included below

     * DNS Security Algorithm Numbers
     * DNS KEY Record Diffie-Hellman Prime Lengths
     * DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs

DNS Security Algorithm Numbers

   Reference
           [RFC4034][RFC3755]

   Note

 The KEY, SIG, DNSKEY, RRSIG, DS, and CERT RRs use an 8-bit number to
 identify the security algorithm being used.

 All algorithm numbers in this registry may be used in CERT RRs. Zone
 signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG)
 make use of particular subsets of these algorithms. Only algorithms
 usable for zone signing may appear in DNSKEY, RRSIG, and DS RRs.
 Only those usable for SIG(0) and TSIG may appear in SIG and KEY RRs.

   Registration Procedures
           IETF Standards Action

   Number Description                      Mnemonic            Zone   Trans. Reference
                                                              Signing  Sec.
     0    Reserved                                                           [RFC4398]
     1    RSA/MD5 (deprecated, see 5)      RSAMD5                N      Y    [RFC4034][RFC2537]
     2    Diffie-Hellman                   DH                    N      Y    [RFC2539]
     3    DSA/SHA1                         DSA                   Y      Y    [RFC3755][RFC2536][Federal Information Processing Standards
                                                                             Publication (FIPS PUB) 186, Digital Signature Standard, 18 May
                                                                             1994.][Federal Information Processing Standards Publication (FIPS PUB)
                                                                             180-1, Secure Hash Standard, 17 April 1995. (Supersedes FIPS PUB 180
                                                                             dated 11 May 1993.)]
     4    Reserved for Elliptic Curve      ECC
     5    RSA/SHA-1                        RSASHA1               Y      Y    [RFC3755][RFC3110]
     6    DSA-NSEC3-SHA1                   DSA-NSEC3-SHA1        Y      Y    [RFC5155]
     7    RSASHA1-NSEC3-SHA1               RSASHA1-NSEC3-SHA1    Y      Y    [RFC5155]
   8-251  Unassigned
    252   Reserved for Indirect Keys       INDIRECT              N      N    [RFC4034]
    253   Private algorithms - domain name PRIVATEDNS            Y      Y    [RFC3755][RFC2535]
    254   Private algorithms - OID         PRIVATEOID            Y      Y    [RFC3755][RFC2535]
    255   Reserved                                                           [RFC4034]

DNS KEY Record Diffie-Hellman Prime Lengths

   Reference
           [RFC2539]

   Registration Procedures
           IETF Review

   Value         Description         Reference
     0   Unassigned
     1   index into well-known table [RFC2539]
     2   index into well-known table [RFC2539]
   3-15  Unassigned

DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs

   Reference
           [RFC2539]

       Range     Registration Procedure
   0x0000-0x07ff Standards Action
   0x0800-0xbfff RFC Required

       Value                 Description              Reference
      0x0000     Unassigned
      0x0001     Well-Known Group 1: A 768 bit prime  [RFC2539]
      0x0002     Well-Known Group 2: A 1024 bit prime [RFC2539]
   0x0003-0xbfff Unassigned
   0xc000-0xffff Private Use                          [RFC2539]
