Ed25519 and Ed448 for DNSSEC

CZ.NIC
Milesovska 1136/5
Praha 130 00
CZ
Phone: +420 222 745 111
Email: ondrej.sury@nic.cz
Area: Security
Workgroup: Internet Engineering Task Force
Keywords: dnssec, ed25519, ed448

Abstract

This document describes how to specify Ed25519 and Ed448 keys and signatures in DNS Security (DNSSEC). It uses the Ed25519 and Ed448 curves and SHA-512 for signatures.

Introduction

DNSSEC, which is broadly defined in RFCs 4033, 4034, and 4035, uses cryptographic keys and digital signatures to provide authentication of DNS data. Currently, the most popular signature algorithm is RSA. RFC 6605 defines the usage of the Elliptic Curve Digital Signature Algorithm (ECDSA) for DNSSEC with curve P-256 and SHA-256, and ECDSA with curve P-384 and SHA-384.

This document defines the DNSKEY and RRSIG resource records (RRs) for two new signing algorithms:

   o  Curve Ed25519 and SHA-512.

   o  Curve Ed448 and SHA-512.

A description of both curves can be found in Elliptic Curves for Security [CURVES]. A more thorough description of Ed25519 can be found in EdDSA and Ed25519 [EDDSA]. Note that in EdDSA the hash function is fixed by the signature scheme and is not a separately chosen DNSSEC parameter: Ed25519 uses SHA-512 internally, whereas the Ed448 signature scheme as specified in RFC 8032 uses SHAKE256 rather than SHA-512, so "Ed448 and SHA-512" should be read as the EdDSA instance on curve Ed448.
Ed25519 is targeted to provide attack resistance comparable to quality 128-bit symmetric ciphers, which is the equivalent strength of RSA with 3072-bit keys. Public keys are 256 bits (32 bytes) in length and signatures are 512 bits (64 bytes).

Ed448 is targeted to provide attack resistance comparable to quality 224-bit symmetric ciphers, which is roughly the equivalent strength of RSA with ~12448-bit keys. However, RSA keys in DNSSEC are limited to 4096 bits, so RSA-4096 is used in the comparisons below. Ed448 public keys are 448 bits (56 bytes) in length and signatures are 896 bits (112 bytes). The curve is meant as a more conservative alternative to Ed25519.

Using the Ed25519 and Ed448 curves in DNSSEC has some advantages and disadvantages relative to using RSA. The Ed25519 and Ed448 keys are much shorter than RSA keys; at comparable strength, the difference is 256 versus 3072 bits for Ed25519 and 448 versus 4096 bits for Ed448. The Ed25519 and Ed448 signatures are also much shorter than RSA signatures (an RSA signature is as long as the modulus); at comparable strength, the difference is 512 versus 3072 bits for Ed25519 and 896 versus 4096 bits for Ed448. This is relevant because DNSSEC stores and transmits both keys and signatures, so smaller DNSKEY and RRSIG records mean smaller responses and less exposure to UDP fragmentation.

Signing with Ed25519 and Ed448 is significantly faster than with equivalently strong RSA; it is also faster than signing with the existing ECDSA curves in DNSSEC defined in RFC 6605. However, validating RSA signatures is significantly faster than validating Ed25519 and Ed448 signatures, and validation is the more frequent operation in DNSSEC, since every validating resolver verifies each signature it receives.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

DNSKEY Resource Records

An Ed25519 public key consists of a 32-byte value that represents the encoding of the curve point. The generation of the public key is defined in Section 5.5 of I-D.josefsson-eddsa-ed25519.

An Ed448 public key consists of a 56-byte value that represents the encoding of the curve point. (Caveat: Ed448 as specified in RFC 8032 encodes public keys in 57 bytes and signatures in 114 bytes; implementations should follow the encoding of the EdDSA specification they actually implement.)

In DNSKEY RRs, the Ed25519 or Ed448 public key is placed into the Public Key field as a simple bit string: the point encoding defined by EdDSA, with no length prefix, tag, or ASN.1 wrapping. This is the EdDSA encoding (the y-coordinate in little-endian form with the sign of x packed into the most significant bit of the last byte), not the uncompressed X || Y form used for ECDSA keys in RFC 6605.

RRSIG Resource Records

An Ed25519 signature consists of a 64-byte value. The Ed25519 signature algorithm is described in Section 5.6 of I-D.josefsson-eddsa-ed25519.

An Ed448 signature consists of a 112-byte value.

In RRSIG RRs, the Ed25519 or Ed448 signature is placed into the Signature field as a simple bit string that represents the signature (R || S as encoded by EdDSA), with no length prefix, tag, or ASN.1 wrapping.

Algorithm Numbers

The algorithm number associated with the DNSKEY and RRSIG resource records is fully defined in the IANA Considerations section. DNSKEY and RRSIG RRs signifying:

   o  Ed25519 and SHA-512 use the algorithm number TBD1.

   o  Ed448 and SHA-512 use the algorithm number TBD2.

[[TODO]]
Acknowledgements

Some of the material in this document is copied liberally from RFC 6605.

The author of this document thanks Pieter Lexis and Kees Monshouwer for their review of this document.
IANA Considerations

This document updates the IANA registry "Domain Name System Security (DNSSEC) Algorithm Numbers". The following entries have been added to the registry:

   Number:        TBD1
   Description:   Ed25519 with SHA-512
   Mnemonic:      Ed25519SHA512
   Zone Signing:  Y
   Trans. Sec.:   *
   Reference:     This document

   Number:        TBD2
   Description:   Ed448 with SHA-512
   Mnemonic:      Ed448SHA512
   Zone Signing:  Y
   Trans. Sec.:   *
   Reference:     This document

   * There has been no determination of standardization of the use of this algorithm with Transaction Security.

Security Considerations

Ed25519 is targeted to provide attack resistance comparable to quality 128-bit symmetric ciphers, and Ed448 is targeted to provide attack resistance comparable to quality 224-bit symmetric ciphers. Such an assessment could, of course, change in the future if new attacks that work better than the ones known today are found.

EdDSA signatures are deterministic: the per-signature nonce is derived from the private key and the message, so a signer does not depend on a random number generator at signing time and is not exposed to the nonce-reuse key recovery that affects ECDSA when randomness is weak.
Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005.

   [CURVES]   "Elliptic Curves for Security", Work in Progress.

   [EDDSA]    "EdDSA and Ed25519", Work in Progress, draft-josefsson-eddsa-ed25519.

   [RFC6605]  Hoffman, P. and W. Wijngaards, "Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC", RFC 6605, April 2012.