draft-ietf-dnsext-dnssec-rsasha256-07.txt | draft-ietf-dnsext-dnssec-rsasha256-08.txt | |||
---|---|---|---|---|
DNS Extensions working group J. Jansen | DNS Extensions working group J. Jansen | |||
Internet-Draft NLnet Labs | Internet-Draft NLnet Labs | |||
Intended status: Standards Track December 03, 2008 | Intended status: Standards Track December 04, 2008 | |||
Expires: June 6, 2009 | Expires: June 7, 2009 | |||
Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records | Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records | |||
for DNSSEC | for DNSSEC | |||
draft-ietf-dnsext-dnssec-rsasha256-07 | draft-ietf-dnsext-dnssec-rsasha256-08 | |||
Status of this Memo | Status of this Memo | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
skipping to change at page 1, line 35 | skipping to change at page 1, line 35 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on June 6, 2009. | This Internet-Draft will expire on June 7, 2009. | |||
Abstract | Abstract | |||
This document describes how to produce RSA/SHA-256 and RSA/SHA-512 | This document describes how to produce RSA/SHA-256 and RSA/SHA-512 | |||
DNSKEY and RRSIG resource records for use in the Domain Name System | DNSKEY and RRSIG resource records for use in the Domain Name System | |||
Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). | Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
skipping to change at page 3, line 20 | skipping to change at page 3, line 20 | |||
authenticity and integrity of its data. RFC 4033 [RFC4033], RFC 4034 | authenticity and integrity of its data. RFC 4033 [RFC4033], RFC 4034 | |||
[RFC4034], and RFC 4035 [RFC4035] describe these DNS Security | [RFC4034], and RFC 4035 [RFC4035] describe these DNS Security | |||
Extensions, called DNSSEC. | Extensions, called DNSSEC. | |||
RFC 4034 describes how to store DNSKEY and RRSIG resource records, | RFC 4034 describes how to store DNSKEY and RRSIG resource records, | |||
and specifies a list of cryptographic algorithms to use. This | and specifies a list of cryptographic algorithms to use. This | |||
document extends that list with the algorithms RSA/SHA-256 and RSA/ | document extends that list with the algorithms RSA/SHA-256 and RSA/ | |||
SHA-512, and specifies how to store DNSKEY data and how to produce | SHA-512, and specifies how to store DNSKEY data and how to produce | |||
RRSIG resource records with these hash algorithms. | RRSIG resource records with these hash algorithms. | |||
Familiarity with DNSSEC, RSA and the SHA-2 [FIPS.180-2.2002] family | Familiarity with DNSSEC, RSA and the SHA-2 [FIPS.180-3.2008] family | |||
of algorithms is assumed in this document. | of algorithms is assumed in this document. | |||
To refer to both SHA-256 and SHA-512, this document will use the name | To refer to both SHA-256 and SHA-512, this document will use the name | |||
SHA-2. This is done to improve readability. When a part of text is | SHA-2. This is done to improve readability. When a part of text is | |||
specific for either SHA-256 or SHA-512, their specific names are | specific for either SHA-256 or SHA-512, their specific names are | |||
used. The same goes for RSA/SHA-256 and RSA/SHA-512, which will be | used. The same goes for RSA/SHA-256 and RSA/SHA-512, which will be | |||
grouped using the name RSA/SHA-2. | grouped using the name RSA/SHA-2. | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
skipping to change at page 4, line 28 | skipping to change at page 4, line 28 | |||
3. RRSIG Resource Records | 3. RRSIG Resource Records | |||
The value of the signature field in the RRSIG RR follows the RSASSA- | The value of the signature field in the RRSIG RR follows the RSASSA- | |||
PKCS1-v1_5 signature scheme, and is calculated as follows. The | PKCS1-v1_5 signature scheme, and is calculated as follows. The | |||
values for the RDATA fields that precede the signature data are | values for the RDATA fields that precede the signature data are | |||
specified in RFC 4034 [RFC4034]. | specified in RFC 4034 [RFC4034]. | |||
hash = SHA-XXX(data) | hash = SHA-XXX(data) | |||
Here XXX is either 256 or 512, depending on the algorithm used, as | Here XXX is either 256 or 512, depending on the algorithm used, as | |||
specified in FIPS PUB 180-2 [FIPS.180-2.2002], and "data" is the wire | specified in FIPS PUB 180-3 [FIPS.180-3.2008], and "data" is the wire | |||
format data of the resource record set that is signed, as specified | format data of the resource record set that is signed, as specified | |||
in RFC 4034 [RFC4034]. | in RFC 4034 [RFC4034]. | |||
signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n) | signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n) | |||
Here "|" is concatenation, "00", "01", "FF" and "00" are fixed octets | Here "|" is concatenation, "00", "01", "FF" and "00" are fixed octets | |||
of corresponding hexadecimal value, "e" is the private exponent of | of corresponding hexadecimal value, "e" is the private exponent of | |||
the signing RSA key, and "n" is the public modulus of the signing | the signing RSA key, and "n" is the public modulus of the signing | |||
key. The FF octet MUST be repeated the exact number of times so that | key. The FF octet MUST be repeated the exact number of times so that | |||
the total length of the concatenated term in parentheses equals the | the total length of the concatenated term in parentheses equals the | |||
skipping to change at page 7, line 22 | skipping to change at page 7, line 22 | |||
The following people provided additional feedback and text: Jaap | The following people provided additional feedback and text: Jaap | |||
Akkerhuis, Roy Arends, Rob Austein, Francis Dupont, Miek Gieben, | Akkerhuis, Roy Arends, Rob Austein, Francis Dupont, Miek Gieben, | |||
Alfred Hoenes, Paul Hoffman, Peter Koch, Michael St. Johns, Scott | Alfred Hoenes, Paul Hoffman, Peter Koch, Michael St. Johns, Scott | |||
Rose and Wouter Wijngaards. | Rose and Wouter Wijngaards. | |||
9. References | 9. References | |||
9.1. Normative References | 9.1. Normative References | |||
[FIPS.180-2.2002] | [FIPS.180-3.2008] | |||
National Institute of Standards and Technology, "Secure | National Institute of Standards and Technology, "Secure | |||
Hash Standard", FIPS PUB 180-2, August 2002. | Hash Standard", FIPS PUB 180-3, October 2008. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", RFC 2119, March 1997. | Requirement Levels", RFC 2119, March 1997. | |||
[RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain | [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain | |||
Name System (DNS)", RFC 3110, May 2001. | Name System (DNS)", RFC 3110, May 2001. | |||
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
Rose, "DNS Security Introduction and Requirements", | Rose, "DNS Security Introduction and Requirements", | |||
RFC 4033, March 2005. | RFC 4033, March 2005. | |||
End of changes. 7 change blocks. | ||||
8 lines changed or deleted | 8 lines changed or added | |||
This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |