| < draft-ietf-dnsext-dnssec-rsasha256-13.txt | draft-ietf-dnsext-dnssec-rsasha256-14.txt > | |||
|---|---|---|---|---|
| DNS Extensions working group J. Jansen | DNS Extensions working group J. Jansen | |||
| Internet-Draft NLnet Labs | Internet-Draft NLnet Labs | |||
| Intended status: Standards Track April 24, 2009 | Intended status: Standards Track June 04, 2009 | |||
| Expires: October 26, 2009 | Expires: December 6, 2009 | |||
| Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records | Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records | |||
| for DNSSEC | for DNSSEC | |||
| draft-ietf-dnsext-dnssec-rsasha256-13 | draft-ietf-dnsext-dnssec-rsasha256-14 | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| skipping to change at page 1, line 33 ¶ | skipping to change at page 1, line 33 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on October 26, 2009. | This Internet-Draft will expire on December 6, 2009. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2009 IETF Trust and the persons identified as the | Copyright (c) 2009 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents in effect on the date of | Provisions Relating to IETF Documents in effect on the date of | |||
| publication of this document (http://trustee.ietf.org/license-info). | publication of this document (http://trustee.ietf.org/license-info). | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 23 ¶ | skipping to change at page 2, line 23 ¶ | |||
| 3.1. RSA/SHA-256 RRSIG Resource Records . . . . . . . . . . . . 4 | 3.1. RSA/SHA-256 RRSIG Resource Records . . . . . . . . . . . . 4 | |||
| 3.2. RSA/SHA-512 RRSIG Resource Records . . . . . . . . . . . . 5 | 3.2. RSA/SHA-512 RRSIG Resource Records . . . . . . . . . . . . 5 | |||
| 4. Deployment Considerations . . . . . . . . . . . . . . . . . . 5 | 4. Deployment Considerations . . . . . . . . . . . . . . . . . . 5 | |||
| 4.1. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . 5 | 4.1. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.2. Signature Sizes . . . . . . . . . . . . . . . . . . . . . 5 | 4.2. Signature Sizes . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Implementation Considerations . . . . . . . . . . . . . . . . 5 | 5. Implementation Considerations . . . . . . . . . . . . . . . . 5 | |||
| 5.1. Support for SHA-2 signatures . . . . . . . . . . . . . . . 5 | 5.1. Support for SHA-2 signatures . . . . . . . . . . . . . . . 5 | |||
| 5.2. Support for NSEC3 Denial of Existence . . . . . . . . . . 5 | 5.2. Support for NSEC3 Denial of Existence . . . . . . . . . . 5 | |||
| 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6.1. RSA/SHA-256 Key and Signature . . . . . . . . . . . . . . 6 | 6.1. RSA/SHA-256 Key and Signature . . . . . . . . . . . . . . 6 | |||
| 6.2. RSA/SHA-512 Key and Signature . . . . . . . . . . . . . . 6 | 6.2. RSA/SHA-512 Key and Signature . . . . . . . . . . . . . . 7 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 8.1. SHA-1 versus SHA-2 Considerations for RRSIG Resource | 8.1. SHA-1 versus SHA-2 Considerations for RRSIG Resource | |||
| Records . . . . . . . . . . . . . . . . . . . . . . . . . 8 | Records . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 8.2. Signature Type Downgrade Attacks . . . . . . . . . . . . . 8 | 8.2. Signature Type Downgrade Attacks . . . . . . . . . . . . . 8 | |||
| 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 | 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | 10.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . . 9 | 10.2. Informative References . . . . . . . . . . . . . . . . . . 9 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| skipping to change at page 6, line 4 ¶ | skipping to change at page 6, line 4 ¶ | |||
| RFC 5155 [RFC5155] defines new algorithm identifiers for existing | RFC 5155 [RFC5155] defines new algorithm identifiers for existing | |||
| signing algorithms, to indicate that zones signed with these | signing algorithms, to indicate that zones signed with these | |||
| algorithm identifiers can use NSEC3 as well as NSEC records to | algorithm identifiers can use NSEC3 as well as NSEC records to | |||
| provide denial of existence. That mechanism was chosen to protect | provide denial of existence. That mechanism was chosen to protect | |||
| implementations predating RFC5155 from encountering resource records | implementations predating RFC5155 from encountering resource records | |||
| they could not know about. This document does not define such | they could not know about. This document does not define such | |||
| algorithm aliases. | algorithm aliases. | |||
| A DNSSEC validator that implements RSA/SHA-2 MUST be able to validate | A DNSSEC validator that implements RSA/SHA-2 MUST be able to validate | |||
| both NSEC and NSEC3 [RFC5155] negative answers. An authoritative | negative answers in the form of both NSEC and NSEC3 with hash | |||
| server that does not implement NSEC3 MAY still serve zones that use | algorithm 1, as defined in [RFC5155]. An authoritative server that | |||
| RSA/SHA-2 with NSEC denial of existence. | does not implement NSEC3 MAY still serve zones that use RSA/SHA-2 | |||
| with NSEC denial of existence. | ||||
| 6. Examples | 6. Examples | |||
| 6.1. RSA/SHA-256 Key and Signature | 6.1. RSA/SHA-256 Key and Signature | |||
| Given a private key with the following values (in Base64): | Given a private key with the following values (in Base64): | |||
| Private-key-format: v1.2 | Private-key-format: v1.2 | |||
| Algorithm: 8 (RSASHA256) | Algorithm: 8 (RSASHA256) | |||
| Modulus: wVwaxrHF2CK64aYKRUibLiH30KpPuPBjel7E8ZydQW1HYWHfoGm | Modulus: wVwaxrHF2CK64aYKRUibLiH30KpPuPBjel7E8ZydQW1HYWHfoGm | |||
| skipping to change at page 6, line 35 ¶ | skipping to change at page 6, line 36 ¶ | |||
| Coefficient: icQdNRjlZGPmuJm2TIadubcO8X7V4y07aVhX464tx8Q= | Coefficient: icQdNRjlZGPmuJm2TIadubcO8X7V4y07aVhX464tx8Q= | |||
| The DNSKEY record for this key would be: | The DNSKEY record for this key would be: | |||
| example.net. 3600 IN DNSKEY (256 3 8 AwEAAcFcGsaxxdgiuuGmCkVI | example.net. 3600 IN DNSKEY (256 3 8 AwEAAcFcGsaxxdgiuuGmCkVI | |||
| my4h99CqT7jwY3pexPGcnUFtR2Fh36BponcwtkZ4cAgtvd4Qs8P | my4h99CqT7jwY3pexPGcnUFtR2Fh36BponcwtkZ4cAgtvd4Qs8P | |||
| kxUdp6p/DlUmObdk= );{id = 9033 (zsk), size = 512b} | kxUdp6p/DlUmObdk= );{id = 9033 (zsk), size = 512b} | |||
| With this key, sign the following RRSet, consisting of 1 A record: | With this key, sign the following RRSet, consisting of 1 A record: | |||
| www.example.net. 3600 IN A 123.123.123.123 | www.example.net. 3600 IN A 192.0.2.91 | |||
| If the inception date is set at 00:00 hours on January 1st, 2000, and | If the inception date is set at 00:00 hours on January 1st, 2000, and | |||
| the expiration date at 00:00 hours on January 1st, 2030, the | the expiration date at 00:00 hours on January 1st, 2030, the | |||
| following signature should be created: | following signature should be created: | |||
| www.example.net. 3600 IN RRSIG (A 8 3 3600 20300101000000 | www.example.net. 3600 IN RRSIG (A 8 3 3600 20300101000000 | |||
| 20000101000000 9033 example.net. KWgSIg3khRfyrHmtJU | 20000101000000 9033 example.net. kRCOH6u7l0QGy9qpC9 | |||
| 5pzpsANyy27+HOZ6waMQ5kV690ljVmbHmGc8ULOfXw3aWmP0wJB | l1sLncJcOKFLJ7GhiUOibu4teYp5VE9RncriShZNz85mwlMgNEa | |||
| ND/TQhjCvrb3T9ffQ== );{id = 9033} | cFYK/lPtPiVYP4bwg== ;{id = 9033} | |||
| 6.2. RSA/SHA-512 Key and Signature | 6.2. RSA/SHA-512 Key and Signature | |||
| Given a private key with the following values (in Base64): | Given a private key with the following values (in Base64): | |||
| Private-key-format: v1.2 | Private-key-format: v1.2 | |||
| Algorithm: 9 (RSASHA512) | Algorithm: 10 (RSASHA512) | |||
| Modulus: 8Du9YHEwFNjO5iG9jrrNyKwRs5mAzJgXBrjbA49R/ESWJKw6eHH | Modulus: 0eg1M5b563zoq4k5ZEOnWmd2/BvpjzedJVdfIsDcMuuhE5SQ3pf | |||
| XfZaxnP+gVhZBDmqwND/SFwrEkN5LyH3HZ+/d/ECW+vT8Lxprqf | Q7qmdaeMlC6Nf8DKGoUPGPXe06cP27/WRODtxXquSUytkO0kJDk | |||
| haTfxQkV4OFjw/ikuTcBMoUIYfhO1NVPBcH1mWh34DWmu6eedzH | 8KX8PtA0+yBWwy7UnZDyCkynO00Uuk8HPVtZeMO1pHtlAGVnc8V | |||
| IbdeNZnIkWSv4muchs= | jXZlNKdyit99waaE4s= | |||
| PublicExponent: AQAB | PublicExponent: AQAB | |||
| PrivateExponent: sRm5YLHQ2m2DCdDx55j7P+bqHdcaRroQr5nzi8pKjIkbjumRKV3 | PrivateExponent: rFS1IPbJllFFgFc33B5DDlC1egO8e81P4fFadODbp56V7sphKa6 | |||
| zmNhRFAa3cv9w8mnggIRUIzyC8LGQeLuRFjbv6uXDzoPX2O321j | AZQCx8NYAew6VXFFPAKTw41QdHnK5kIYOwxvfFDjDcUGza88qbj | |||
| PlTUOwCYMTVnbkZUem6c+7iRd2v5zNNe9uiXex6T8CDXyhQhqYb | yrDPSJenkeZbISMUSSqy7AMFzEolkk6WSn6k3thUVRgSlqDoOV3 | |||
| 8q2AajPrTlRzv6uW8E= | SEIAsrB043XzGrKIVE= | |||
| Prime1: +DPVg2OlfYqcNlm67T42608gjyqWFdVc0UtDDDBo+ABWavqp+Yk | Prime1: 8mbtsu9Tl9v7tKSHdCIeprLIQXQLzxlSZun5T1n/OjvXSUtvD7x | |||
| Fb/z/Ig+iBE901Q8RWdqVLND3PtGwWipIyw== | nZJ+LHqaBj1dIgMbCq2U8O04QVcK3TS9GiQ== | |||
| Prime2: 98fQbOaWH3D/WFhnu47f1qOgaob/ss3FQ12QbUdRDpgfmdryHH7 | Prime2: 3a6gkfs74d0Jb7yL4j4adAif4fcp7ZrGt7G5NRVDDY/Mv4TERAK | |||
| j1UGR2Xs0aRPwBASXYhgtamXtxLorXIFh8Q== | Ma0TKN3okKE0A7X+Rv2K84mhT4QLDlllEcw== | |||
| Exponent1: j0UsbGlqr6sBPQZStnuBLBdCziFg/T1qFI4DJ9gR34YiXCJRV29 | Exponent1: v3D5A9uuCn5rgVR7wgV8ba0/KSpsdSiLgsoA42GxiB1gvvs7gJM | |||
| Wqiw6AalQdnh/EjVeaKWaEoKVFbfoukNKPQ== | MmVTDu/ZG1p1ZnpLbhh/S/Qd/MSwyNlxC+Q== | |||
| Exponent2: 4YTy9ftVjd5p+f3UxEgBATnCatLebd6NeYfySRQM+YyJzp4RmNA | Exponent2: m+ezf9dsDvYQK+gzjOLWYeKq5xWYBEYFGa3BLocMiF4oxkzOZ3J | |||
| BC/t3BQv3IuBrpyyKoFTDGUEWjOSpTLPR8Q== | PZSWU/h1Fjp5RV7aPP0Vmx+hNjYMPIQ8Y5w== | |||
| Coefficient: BpIAEwh5rlw9M8FpGHjpF5TxSdhCjnA8NT0tB+MB/k0msceyBbx | Coefficient: Je5YhYpUron/WdOXjxNAxDubAp3i5X7UOUfhJcyIggqwY86IE0Q | |||
| avjzJXTi/QPk9PIO8Wv6eCzMQEM0QDZO53Q== | /Bk0Dw4SC9zxnsimmdBXW2Izd8Lwuk8FQcQ== | |||
| The DNSKEY record for this key would be: | The DNSKEY record for this key would be: | |||
| example.net. 3600 IN DNSKEY (256 3 9 AwEAAfA7vWBxMBTYzuYhvY66z | example.net. 3600 IN DNSKEY (256 3 10 AwEAAdHoNTOW+et86KuJOWRD | |||
| cisEbOZgMyYFwa42wOPUfxEliSsOnhx132WsZz/oFYWQQ5qsDQ/0 | p1pndvwb6Y83nSVXXyLA3DLroROUkN6X0O6pnWnjJQujX/AyhqFD | |||
| hcKxJDeS8h9x2fv3fxAlvr0/C8aa6n4Wk38UJFeDhY8P4pLk3ATK | xj13tOnD9u/1kTg7cV6rklMrZDtJCQ5PCl/D7QNPsgVsMu1J2Q8g | |||
| FCGH4TtTVTwXB9Zlod+A1prunnncxyG3XjWZyJFkr+JrnIb | pMpztNFLpPBz1bWXjDtaR7ZQBlZ3PFY12ZTSncorffcGmhOL | |||
| );{id = 28237 (zsk), size = 1024b} | );{id = 3740 (zsk), size = 1024b} | |||
| With this key, sign the following RRSet, consisting of 1 A record: | With this key, sign the following RRSet, consisting of 1 A record: | |||
| www.example.net. 3600 IN A 123.123.123.123 | www.example.net. 3600 IN A 192.0.2.91 | |||
| If the inception date is set at 00:00 hours on January 1st, 2000, and | If the inception date is set at 00:00 hours on January 1st, 2000, and | |||
| the expiration date at 00:00 hours on January 1st, 2030, the | the expiration date at 00:00 hours on January 1st, 2030, the | |||
| following signature should be created: | following signature should be created: | |||
| www.example.net. 3600 IN RRSIG (A 9 3 3600 20300101000000 | www.example.net. 3600 IN RRSIG (A 10 3 3600 20300101000000 | |||
| 20000101000000 28237 example.net. mCanSdkQztEUOmslG | 20000101000000 3740 example.net. tsb4wnjRUDnB1BUi+t | |||
| z7VvfkKPMp4ftz3K1PTf2jdla4vUu/tRE585xymurMB+wXhrFcK | 6TMTXThjVnG+eCkWqjvvjhzQL1d0YRoOe0CbxrVDYd0xDtsuJRa | |||
| dhm0egnPq8X/gmm0cmui/GQwFT5hmP5bL1ETuQsM3HOu3j9E3tq | eUw1ep94PzEWzr0iGYgZBWm/zpq+9fOuagYJRfDqfReKBzMweOL | |||
| 4sFWIsUv3N6ohpYEbhj5jk0b/01EMUPM9y5rLzFHmYYujzKQwqu | DiNa8iP5g9vMhpuv6OPlvpXwm9Sa9ZXIbNl1MBGk0fthPgxdDLw | |||
| M= );{id = 28237} | =);{id = 3740} | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document updates the IANA registry "DNS SECURITY ALGORITHM | This document updates the IANA registry "DNS SECURITY ALGORITHM | |||
| NUMBERS -- per [RFC4035] " | NUMBERS -- per [RFC4035] " | |||
| (http://www.iana.org/assignments/dns-sec-alg-numbers). The following | (http://www.iana.org/assignments/dns-sec-alg-numbers). The following | |||
| entries are added to the registry: | entries are added to the registry: | |||
| Zone Trans. | Zone Trans. | |||
| Value Description Mnemonic Signing Sec. References | Value Description Mnemonic Signing Sec. References | |||
| End of changes. 12 change blocks. | ||||
| 43 lines changed or deleted | 44 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||