Internet Assigned Numbers Authority Domain Name System Security (DNSSEC) Algorithm Numbers Created 2003-11-03 Last Updated 2024-04-16 Available Formats [IMG] XML [IMG] HTML [IMG] Plain text Registries included below • DNS Security Algorithm Numbers • DNS KEY Record Diffie-Hellman Prime Lengths • DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs DNS Security Algorithm Numbers Registration Procedure(s) RFC Required Reference [RFC4034][RFC3755][RFC6014][RFC6944] Note The KEY, SIG, DNSKEY, RRSIG, DS, and CERT RRs use an 8-bit number used to identify the security algorithm being used. All algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. Only algorithms usable for zone signing may appear in DNSKEY, RRSIG, and DS RRs. Only those usable for SIG(0) and TSIG may appear in SIG and KEY RRs. * There has been no determination of standardization of the use of this algorithm with Transaction Security. Available Formats [IMG] CSV Number Description Mnemonic Zone Trans. Reference Signing Sec. 0 Delete DS DELETE N N [RFC4034][proposed standard][RFC4398][proposed standard][RFC8078][proposed standard] 1 RSA/MD5 (DEPRECATED, see 5) RSAMD5 N Y [RFC3110][proposed standard][RFC4034][proposed standard] 2 Diffie-Hellman DH N Y [RFC2539][proposed standard] [RFC3755][proposed standard][RFC2536][proposed standard][Federal Information Processing Standards Publication (FIPS PUB) 186, Digital 3 DSA/SHA1 DSA Y Y Signature Standard, 18 May 1994.][Federal Information Processing Standards Publication (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995. (Supersedes FIPS PUB 180 dated 11 May 1993.)] 4 Reserved [RFC6725][proposed standard] 5 RSA/SHA-1 RSASHA1 Y Y [RFC3110][proposed standard][RFC4034][proposed standard] 6 DSA-NSEC3-SHA1 DSA-NSEC3-SHA1 Y Y [RFC5155][proposed standard] 7 RSASHA1-NSEC3-SHA1 RSASHA1-NSEC3-SHA1 Y Y [RFC5155][proposed standard] 8 RSA/SHA-256 RSASHA256 Y * [RFC5702][proposed standard] 9 Reserved [RFC6725][proposed standard] 10 RSA/SHA-512 RSASHA512 Y * [RFC5702][proposed standard] 11 Reserved [RFC6725][proposed standard] 12 GOST R 34.10-2001 ECC-GOST Y * [RFC5933][proposed standard][Change the status of GOST Signature (DEPRECATED) Algorithms in DNSSEC in the IETF stream to Historic] 13 ECDSA Curve P-256 with ECDSAP256SHA256 Y * [RFC6605][proposed standard] SHA-256 14 ECDSA Curve P-384 with ECDSAP384SHA384 Y * [RFC6605][proposed standard] SHA-384 15 Ed25519 ED25519 Y * [RFC8080][proposed standard] 16 Ed448 ED448 Y * [RFC8080][proposed standard] 17 SM2 signing algorithm with SM2SM3 Y * [RFC-cuiling-dnsop-sm2-alg-15][informational] SM3 hashing algorithm 18-22 Unassigned 23 GOST R 34.10-2012 ECC-GOST12 Y * [RFC9558][informational] 24-122 Unassigned 123-251 Reserved [RFC4034][proposed standard][RFC6014][proposed standard] 252 Reserved for Indirect Keys INDIRECT N N [RFC4034][proposed standard] 253 private algorithm PRIVATEDNS Y Y [RFC4034][proposed standard] 254 private algorithm OID PRIVATEOID Y Y [RFC4034][proposed standard] 255 Reserved [RFC4034][proposed standard] DNS KEY Record Diffie-Hellman Prime Lengths Registration Procedure(s) IETF Review Reference [RFC2539] Available Formats [IMG] CSV Value Description Reference 0 Unassigned 1 index into well-known table [RFC2539] 2 index into well-known table [RFC2539] 3-15 Unassigned DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs Reference [RFC2539] Available Formats [IMG] CSV Range Registration Procedures 0x0000-0x07ff Standards Action 0x0800-0xbfff RFC Required Value Description Reference 0x0000 Unassigned 0x0001 Well-Known Group 1: A 768 bit prime [RFC2539] 0x0002 Well-Known Group 2: A 1024 bit prime [RFC2539] 0x0003-0xbfff Unassigned 0xc000-0xffff Private Use [RFC2539] Licensing Terms