Internet Assigned Numbers Authority Domain Name System Security (DNSSEC) Algorithm Numbers Created 2003-11-03 Last Updated 2025-06-10 Available Formats [IMG] XML [IMG] HTML [IMG] Plain text Registries Included Below • DNS Security Algorithm Numbers • DNS KEY Record Diffie-Hellman Prime Lengths • DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs DNS Security Algorithm Numbers Registration Procedure(s) Standards Action or Specification Required Expert(s) Unassigned Reference [RFC4034][RFC3755][RFC6014][RFC6944][RFC-ietf-dnsop-rfc8624-bis-13] Note Adding a new entry to the "DNS System Algorithm Numbers" registry with a recommended value of "MAY" in the "Use for DNSSEC Signing", "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or "Implement for DNSSEC Validation" columns will subject to the "Specification Required" policy as defined in [RFC8126] in order to promote continued evolution of DNSSEC algorithms and DNSSEC agility. New entries added through the "Specification Required" process will have the value of "MAY" for all columns. Adding a new entry to, or changing existing values in, the "DNS System Algorithm Numbers" registry for the "Use for DNSSEC Signing", "Use for DNSSEC Validation", "Implement for DNSSEC Signing", or "Implement for DNSSEC Validation" columns to any other value than "MAY" requires a Standards Action. If an item is not marked as "RECOMMENDED", it does not necessarily mean that it is flawed; rather, it indicates that the item either has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases. Note The KEY, SIG, DNSKEY, RRSIG, DS, and CERT RRs use an 8-bit number used to identify the security algorithm being used. All algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. Only algorithms usable for zone signing may appear in DNSKEY, RRSIG, and DS RRs. Only those usable for SIG(0) and TSIG may appear in SIG and KEY RRs. * There has been no determination of standardization of the use of this algorithm with Transaction Security. Available Formats [IMG] CSV Use for Use for Implement Implement Number Description Mnemonic Zone Trans. DNSSEC DNSSEC for for Reference Signing Sec. Signing Validation DNSSEC DNSSEC Signing Validation 0 Delete DS DELETE N N [RFC4034][proposed standard][RFC4398][proposed standard][RFC8078][proposed standard] RSA/MD5 [RFC3110][proposed standard][RFC4034][proposed 1 (DEPRECATED, see RSAMD5 N Y MUST NOT MUST NOT MUST NOT MUST NOT standard] 5) 2 Diffie-Hellman DH N Y [RFC2539][proposed standard] [RFC3755][proposed standard][RFC2536][proposed standard][Federal Information Processing Standards Publication (FIPS PUB) 186, Digital 3 DSA/SHA1 DSA Y Y MUST NOT MUST NOT MUST NOT MUST NOT Signature Standard, 18 May 1994.][Federal Information Processing Standards Publication (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995. (Supersedes FIPS PUB 180 dated 11 May 1993.)] 4 Reserved [RFC6725][proposed standard] 5 RSA/SHA-1 RSASHA1 Y Y MUST NOT RECOMMENDED NOT MUST [RFC3110][proposed standard][RFC4034][proposed RECOMMENDED standard][RFC-ietf-dnsop-must-not-sha1-09] 6 DSA-NSEC3-SHA1 DSA-NSEC3-SHA1 Y Y MUST NOT MUST NOT MUST NOT MUST NOT [RFC5155][proposed standard] 7 RSASHA1-NSEC3-SHA1 RSASHA1-NSEC3-SHA1 Y Y MUST NOT RECOMMENDED NOT MUST [RFC5155][proposed RECOMMENDED standard][RFC-ietf-dnsop-must-not-sha1-09] 8 RSA/SHA-256 RSASHA256 Y * RECOMMENDED RECOMMENDED MUST MUST [RFC5702][proposed standard] 9 Reserved [RFC6725][proposed standard] 10 RSA/SHA-512 RSASHA512 Y * NOT RECOMMENDED NOT MUST [RFC5702][proposed standard] RECOMMENDED RECOMMENDED 11 Reserved [RFC6725][proposed standard] [RFC5933][proposed standard][Change the status 12 GOST R 34.10-2001 ECC-GOST Y * MUST NOT MUST NOT MUST NOT MUST NOT of GOST Signature Algorithms in DNSSEC in the (DEPRECATED) IETF stream to Historic][RFC-ietf-dnsop-must-not-ecc-gost-07] 13 ECDSA Curve P-256 ECDSAP256SHA256 Y * RECOMMENDED RECOMMENDED MUST MUST [RFC6605][proposed standard] with SHA-256 14 ECDSA Curve P-384 ECDSAP384SHA384 Y * MAY RECOMMENDED MAY RECOMMENDED [RFC6605][proposed standard] with SHA-384 15 Ed25519 ED25519 Y * RECOMMENDED RECOMMENDED RECOMMENDED RECOMMENDED [RFC8080][proposed standard] 16 Ed448 ED448 Y * MAY RECOMMENDED MAY RECOMMENDED [RFC8080][proposed standard] SM2 signing 17 algorithm with SM3 SM2SM3 Y * MAY MAY MAY MAY [RFC9563][informational] hashing algorithm 18-22 Unassigned 23 GOST R 34.10-2012 ECC-GOST12 Y * MAY MAY MAY MAY [RFC9558][informational] 24-122 Unassigned 123-251 Reserved [RFC4034][proposed standard][RFC6014][proposed standard] 252 Reserved for INDIRECT N N [RFC4034][proposed standard] Indirect Keys 253 private algorithm PRIVATEDNS Y Y MAY MAY MAY MAY [RFC4034][proposed standard] 254 private algorithm PRIVATEOID Y Y MAY MAY MAY MAY [RFC4034][proposed standard] OID 255 Reserved [RFC4034][proposed standard] DNS KEY Record Diffie-Hellman Prime Lengths Registration Procedure(s) IETF Review Reference [RFC2539] Available Formats [IMG] CSV Value Description Reference 0 Unassigned 1 index into well-known table [RFC2539] 2 index into well-known table [RFC2539] 3-15 Unassigned DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs Reference [RFC2539] Available Formats [IMG] CSV Range Registration Procedures 0x0000-0x07ff Standards Action 0x0800-0xbfff RFC Required Value Description Reference 0x0000 Unassigned 0x0001 Well-Known Group 1: A 768 bit prime [RFC2539] 0x0002 Well-Known Group 2: A 1024 bit prime [RFC2539] 0x0003-0xbfff Unassigned 0xc000-0xffff Private Use [RFC2539] Licensing Terms