| < draft-ietf-dnsext-rsa-02.txt | draft-ietf-dnsext-rsa-03.txt > | |||
|---|---|---|---|---|
| INTERNET-DRAFT RSA SIGs and KEYs in the DNS | A new Request for Comments is now available in online RFC libraries. | |||
| OBSOLETES RFC 2537 December 2000 | ||||
| Expires June 2001 | ||||
| D. Eastlake | ||||
| RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS) | ||||
| --------- ---- --- --- ---- -- --- ------ ---- ------ ----- | ||||
| <draft-ietf-dnsext-rsa-02.txt> | ||||
| Status of This Document | ||||
| This draft is intended to be become a Proposed Standard RFC. | ||||
| Distribution of this document is unlimited. Comments should be sent | ||||
| to the DNS extensions mailing list <namedroppers@ops.ietf.org> or to | ||||
| the author. | ||||
| This document is an Internet-Draft and is in full conformance with | ||||
| all provisions of Section 10 of RFC 2026. Internet-Drafts are | ||||
| working documents of the Internet Engineering Task Force (IETF), its | ||||
| areas, and its working groups. Note that other groups may also | ||||
| distribute working documents as Internet-Drafts. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | ||||
| and may be updated, replaced, or obsoleted by other documents at any | ||||
| time. It is inappropriate to use Internet- Drafts as reference | ||||
| material or to cite them other than as "work in progress." | ||||
| The list of current Internet-Drafts can be accessed at | ||||
| http://www.ietf.org/ietf/1id-abstracts.txt | ||||
| The list of Internet-Draft Shadow Directories can be accessed at | ||||
| http://www.ietf.org/shadow.html. | ||||
| Abstract | ||||
| Since the adoption of a Proposed Standard for RSA signatures in the | ||||
| DNS [RFC 2537], advances in hashing have been made. A new DNS | ||||
| signature algorithm is defined to make these advances available in | ||||
| SIG resource records (RRs). The use of the previously specified | ||||
| weaker mechanism is deprecated. The algorithm number of the RSA KEY | ||||
| RR is changed to correspond to this new SIG algorithm. No other | ||||
| changes are made to DNS security. | ||||
| INTERNET-DRAFT RSA/SHA1 in the DNS | ||||
| Acknowledgements | ||||
| Material and comments from the following have been incorporated and | ||||
| are gratefully acknowledged: | ||||
| Olafur Gudmundsson | ||||
| Charlie Kaufman | ||||
| Steve Wang | ||||
| Table of Contents | ||||
| Status of This Document....................................1 | ||||
| Abstract...................................................1 | ||||
| Acknowledgements...........................................2 | ||||
| Table of Contents..........................................2 | ||||
| 1. Introduction............................................3 | ||||
| 2. RSA Public KEY Resource Records.........................3 | ||||
| 3. RSA/SHA1 SIG Resource Records...........................4 | ||||
| 4. Performance Considerations..............................5 | ||||
| 5. IANA Considerations.....................................5 | ||||
| 6. Security Considerations.................................6 | ||||
| References.................................................7 | ||||
| Author's Address...........................................8 | ||||
| Expiration and File Name...................................8 | ||||
| INTERNET-DRAFT RSA/SHA1 in the DNS | ||||
| 1. Introduction | ||||
| The Domain Name System (DNS) is the global hierarchical replicated | ||||
| distributed database system for Internet addressing, mail proxy, and | ||||
| other information [RFC 1034, 1035, etc.]. The DNS has been extended | ||||
| to include digital signatures and cryptographic keys as described in | ||||
| [RFC 2535]. Thus the DNS can now be secured and used for secure key | ||||
| distribution. | ||||
| Familiarity with the RSA and SHA-1 algorithms is assumed [Schneier, | ||||
| FIP180] in this document. | ||||
| [RFC 2537] described how to store RSA keys and RSA/MD5 based | ||||
| signatures in the DNS. However, since the adoption of [RFC 2537], | ||||
| continued cryptographic research has revealed hints of weakness in | ||||
| the MD5 [RFC 1321] algorithm used in [RFC 2537]. The SHA1 Secure Hash | ||||
| Algorithm [FIP180], which produces a larger hash, has been developed. | ||||
| By now there has been sufficient experience with SHA1 that it is | ||||
| generally acknowledged to be stronger than MD5. While this stronger | ||||
| hash is probably not needed today in most secure DNS zones, critical | ||||
| zones such a root and most TLDs are sufficiently valuable targets | ||||
| that it would be negligent not to provide what are generally agreed | ||||
| to be stronger mechanisms. Furthermore, future advances in | ||||
| cryptanalysis and/or computer speeds may require a stronger hash | ||||
| everywhere. In addition, the additional computation required by SHA1 | ||||
| above that required by MD5 is insignificant compared with the | ||||
| computational effort required by the RSA modular exponentiation. | ||||
| This document describes how to produce RSA/SHA1 SIG RRs in Section 3 | ||||
| and, so as to completely replace [RFC 2537], describes how to produce | ||||
| RSA KEY RRs in Section 2. | ||||
| Implementation of the RSA algorithm in DNS with SHA1 is MANDATORY for | ||||
| DNSSEC. The generation of RSA/MD5 SIG RRs as described in [RFC 2537] | ||||
| is NOT RECOMMENDED. | ||||
| The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", "NOT | ||||
| RECOMMENDED", and "MAY" in this document are to be interpreted as | ||||
| described in [RFC 2119]. | ||||
| 2. RSA Public KEY Resource Records | ||||
| RSA public keys are stored in the DNS as KEY RRs using algorithm | ||||
| number (TBD, suggest 5) [RFC 2535]. The structure of the algorithm | ||||
| specific portion of the RDATA part of such RRs is as shown below. | ||||
| INTERNET-DRAFT RSA/SHA1 in the DNS | ||||
| Field Size | ||||
| ----- ---- | ||||
| exponent length 1 or 3 octets (see text) | ||||
| exponent as specified by length field | ||||
| modulus remaining space | ||||
| For interoperability, the exponent and modulus are each limited to | ||||
| 4096 bits in length. The public key exponent is a variable length | ||||
| unsigned integer. Its length in octets is represented as one octet | ||||
| if it is in the range of 1 to 255 and by a zero octet followed by a | ||||
| two octet unsigned length if it is longer than 255 bytes. The public | ||||
| key modulus field is a multiprecision unsigned integer. The length | ||||
| of the modulus can be determined from the RDLENGTH and the preceding | ||||
| RDATA fields including the exponent. Leading zero octets are | ||||
| prohibited in the exponent and modulus. | ||||
| Note: KEY RRs for use with RSA/SHA1 DNS signatures MUST use this | ||||
| algorithm number (rather than the algorithm number specified in the | ||||
| obsoleted [RFC 2537]). | ||||
| Note: This changes the algorithm number for RSA KEY RRs to be the | ||||
| same as the new algorithm number for RSA/SHA1 SIGs. | ||||
| 3. RSA/SHA1 SIG Resource Records | ||||
| RSA/SHA1 signatures are stored in the DNS using SIG resource records | ||||
| (RRs) with algorithm number (TBD, 5 suggested). | ||||
| The signature portion of the SIG RR RDATA area, when using the | ||||
| RSA/SHA1 algorithm, is calculated as shown below. The data signed is | ||||
| determined as specified in [RFC 2535]. See [RFC 2535] for fields in | ||||
| the SIG RR RDATA which precede the signature itself. | ||||
| hash = SHA1 ( data ) | ||||
| signature = ( 01 | FF* | 00 | prefix | hash ) ** e (mod n) | ||||
| where SHA1 is the message digest algorithm documented in [FIP180], | ||||
| "|" is concatenation, "e" is the private key exponent of the signer, | ||||
| and "n" is the modulus of the signer's public key. 01, FF, and 00 | ||||
| are fixed octets of the corresponding hexadecimal value. "prefix" is | ||||
| the ASN.1 BER SHA1 algorithm designator prefix required in PKCS1 [RFC | ||||
| 2437], that is, | ||||
| hex 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 | ||||
| This prefix is included to make it easier to use standard | ||||
| cryptographic libraries. The FF octet MUST be repeated the maximum | ||||
| INTERNET-DRAFT RSA/SHA1 in the DNS | ||||
| number of times such that the value of the quantity being | ||||
| exponentiated is one octet shorter than the value of n. | ||||
| (The above specifications are identical to the corresponding part of | ||||
| Public Key Cryptographic Standard #1 [RFC 2437].) | ||||
| The size of "n", including most and least significant bits (which | ||||
| will be 1) MUST be not less than 512 bits and not more than 4096 | ||||
| bits. "n" and "e" SHOULD be chosen such that the public exponent is | ||||
| small. These are protocol limits. For a discussion of key size see | ||||
| [RFC 2541]. | ||||
| Leading zero bytes are permitted in the RSA/SHA1 algorithm signature. | ||||
| A public exponent of 3 minimizes the effort needed to verify a | ||||
| signature. Use of 3 as the public exponent is weak for | ||||
| confidentiality uses since, if the same data can be collected | ||||
| encrypted under three different keys with an exponent of 3 then, | ||||
| using the Chinese Remainder Theorem [NETSEC], the original plain text | ||||
| can be easily recovered. This weakness is not significant for DNS | ||||
| security because we seek only authentication, not confidentiality. | ||||
| 4. Performance Considerations | ||||
| General signature generation speeds are roughly the same for RSA and | ||||
| DSA [RFC 2536]. With sufficient pre-computation, signature | ||||
| generation with DSA is faster than RSA. Key generation is also | ||||
| faster for DSA. However, signature verification is an order of | ||||
| magnitude slower with DSA when the RSA public exponent is chosen to | ||||
| be small as is recommended for KEY RRs used in domain name system | ||||
| (DNS) data authentication. | ||||
| Current DNS implementations are optimized for small transfers, | ||||
| typically less than 512 bytes including DNS overhead. Larger | ||||
| transfers will perform correctly and extensions have been | ||||
| standardized [RFC 2671] to make larger transfers more efficient, it | ||||
| is still advisable at this time to make reasonable efforts to | ||||
| minimize the size of KEY RR sets stored within the DNS consistent | ||||
| with adequate security. Keep in mind that in a secure zone, at least | ||||
| one authenticating SIG RR will also be returned. | ||||
| 5. IANA Considerations | ||||
| The DNSSEC algorithm number (TBD, 5 suggested) is allocated for | ||||
| RSA/SHA1 SIG RRs and RSA KEY RRs. | ||||
| INTERNET-DRAFT RSA/SHA1 in the DNS | ||||
| 6. Security Considerations | ||||
| Many of the general security consideration in [RFC 2535] apply. Keys | ||||
| retrieved from the DNS should not be trusted unless (1) they have | ||||
| been securely obtained from a secure resolver or independently | ||||
| verified by the user and (2) this secure resolver and secure | ||||
| obtainment or independent verification conform to security policies | ||||
| acceptable to the user. As with all cryptographic algorithms, | ||||
| evaluating the necessary strength of the key is essential and | ||||
| dependent on local policy. For particularly critical applications, | ||||
| implementers are encouraged to consider the range of available | ||||
| algorithms and key sizes. See also [RFC 2541], "DNS Security | ||||
| Operational Considerations". | ||||
| INTERNET-DRAFT RSA/SHA1 in the DNS | ||||
| References | ||||
| [FIP180] - U.S. Department of Commerce, "Secure Hash Standard", FIPS | ||||
| PUB 180-1, 17 Apr 1995. | ||||
| [NETSEC] - Network Security: PRIVATE Communications in a PUBLIC | ||||
| World, Charlie Kaufman, Radia Perlman, & Mike Speciner, Prentice Hall | ||||
| Series in Computer Networking and Distributed Communications, 1995. | ||||
| [RFC 1034] - P. Mockapetris, "Domain names - concepts and | ||||
| facilities", 11/01/1987. | ||||
| [RFC 1035] - P. Mockapetris, "Domain names - implementation and | ||||
| specification", 11/01/1987. | ||||
| [RFC 1321] - R. Rivest, "The MD5 Message-Digest Algorithm", April | ||||
| 1992. | ||||
| [RFC 2119] - S. Bradner, "Key words for use in RFCs to Indicate | ||||
| Requirement Levels", March 1997. | ||||
| [RFC 2437] - B. Kaliski, J. Staddon, "PKCS #1: RSA Cryptography | RFC 3110 | |||
| Specifications Version 2.0", October 1998. | ||||
| [RFC 2535] - D. Eastlake, "Domain Name System Security Extensions", | Title: RSA/SHA-1 SIGs and RSA KEYs in the Domain Name | |||
| March 1999. | System (DNS) | |||
| Author(s): D. Eastlake 3rd | ||||
| Status: Standards Track | ||||
| Date: May 2001 | ||||
| Mailbox: Donald.Eastlake@motorola.com | ||||
| Pages: 7 | ||||
| Characters: 14587 | ||||
| Updates/Obsoletes/SeeAlso: None | ||||
| [RFC 2536] - D. Eastlake, "DSA KEYs and SIGs in the Domain Name | I-D Tag: draft-ietf-dnsext-rsa-03.txt | |||
| System (DNS)", March 1999. | ||||
| [RFC 2537] - D. Eastlake, "RSA/MD5 KEYs and SIGs in the Domain Name | URL: ftp://ftp.rfc-editor.org/in-notes/rfc3110.txt | |||
| System (DNS)", March 1999. | ||||
| [RDC 2541] - D. Eastlake, "DNS Security Operational Considerations", | This document describes how to produce RSA/SHA1 SIG resource records | |||
| March 1999. | (RRs) in Section 3 and, so as to completely replace RFC 2537, | |||
| describes how to produce RSA KEY RRs in Section 2. | ||||
| [RFC 2671] - P. Vixie, "Extension Mechanisms for DNS (EDNS0)", August | Since the adoption of a Proposed Standard for RSA signatures in the | |||
| 1999. | DNS (Domain Name Space), advances in hashing have been made. A new | |||
| DNS signature algorithm is defined to make these advances available in | ||||
| SIG RRs. The use of the previously specified weaker mechanism is | ||||
| deprecated. The algorithm number of the RSA KEY RR is changed to | ||||
| correspond to this new SIG algorithm. No other changes are made to | ||||
| DNS security. | ||||
| [Schneier] - Bruce Schneier, "Applied Cryptography Second Edition: | This document is a product of the DNS Extensions Working Group of the | |||
| protocols, algorithms, and source code in C", 1996, John Wiley and | IETF. | |||
| Sons, ISBN 0-471-11709-9. | ||||
| INTERNET-DRAFT RSA/SHA1 in the DNS | This is now a Proposed Standard Protocol. | |||
| Author's Address | This document specifies an Internet standards track protocol for | |||
| the Internet community, and requests discussion and suggestions | ||||
| for improvements. Please refer to the current edition of the | ||||
| "Internet Official Protocol Standards" (STD 1) for the | ||||
| standardization state and status of this protocol. Distribution | ||||
| of this memo is unlimited. | ||||
| Donald E. Eastlake 3rd | This announcement is sent to the IETF list and the RFC-DIST list. | |||
| Motorola | Requests to be added to or deleted from the IETF distribution list | |||
| 155 Beaver Street | should be sent to IETF-REQUEST@IETF.ORG. Requests to be | |||
| Milford, MA 01757 USA | added to or deleted from the RFC-DIST distribution list should | |||
| be sent to RFC-DIST-REQUEST@RFC-EDITOR.ORG. | ||||
| Telephone: +1-508-261-5434 (w) | Details on obtaining RFCs via FTP or EMAIL may be obtained by sending | |||
| +1-508-634-2066 (h) | an EMAIL message to rfc-info@RFC-EDITOR.ORG with the message body | |||
| FAX: +1-508-261-4777 (w) | help: ways_to_get_rfcs. For example: | |||
| EMail: Donald.Eastlake@motorola.com | ||||
| Expiration and File Name | To: rfc-info@RFC-EDITOR.ORG | |||
| Subject: getting rfcs | ||||
| This draft expires in June 2001. | help: ways_to_get_rfcs | |||
| Its file name is draft-ietf-dnsext-rsa-02.txt. | Requests for special distribution should be addressed to either the | |||
| author of the RFC in question, or to RFC-Manager@RFC-EDITOR.ORG. Unless | ||||
| specifically noted otherwise on the RFC itself, all RFCs are for | ||||
| unlimited distribution.echo | ||||
| Submissions for Requests for Comments should be sent to | ||||
| RFC-EDITOR@RFC-EDITOR.ORG. Please consult RFC 2223, Instructions to RFC | ||||
| Authors, for further information. | ||||
| End of changes. 15 change blocks. | ||||
| 288 lines changed or deleted | 43 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||