| draft-ietf-dnsext-dnssec-rsasha256-07.txt | draft-ietf-dnsext-dnssec-rsasha256-08.txt | |||
|---|---|---|---|---|
| DNS Extensions working group J. Jansen | DNS Extensions working group J. Jansen | |||
| Internet-Draft NLnet Labs | Internet-Draft NLnet Labs | |||
| Intended status: Standards Track December 03, 2008 | Intended status: Standards Track December 04, 2008 | |||
| Expires: June 6, 2009 | Expires: June 7, 2009 | |||
| Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records | Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records | |||
| for DNSSEC | for DNSSEC | |||
| draft-ietf-dnsext-dnssec-rsasha256-07 | draft-ietf-dnsext-dnssec-rsasha256-08 | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 35 | skipping to change at page 1, line 35 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on June 6, 2009. | This Internet-Draft will expire on June 7, 2009. | |||
| Abstract | Abstract | |||
| This document describes how to produce RSA/SHA-256 and RSA/SHA-512 | This document describes how to produce RSA/SHA-256 and RSA/SHA-512 | |||
| DNSKEY and RRSIG resource records for use in the Domain Name System | DNSKEY and RRSIG resource records for use in the Domain Name System | |||
| Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). | Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| skipping to change at page 3, line 20 | skipping to change at page 3, line 20 | |||
| authenticity and integrity of its data. RFC 4033 [RFC4033], RFC 4034 | authenticity and integrity of its data. RFC 4033 [RFC4033], RFC 4034 | |||
| [RFC4034], and RFC 4035 [RFC4035] describe these DNS Security | [RFC4034], and RFC 4035 [RFC4035] describe these DNS Security | |||
| Extensions, called DNSSEC. | Extensions, called DNSSEC. | |||
| RFC 4034 describes how to store DNSKEY and RRSIG resource records, | RFC 4034 describes how to store DNSKEY and RRSIG resource records, | |||
| and specifies a list of cryptographic algorithms to use. This | and specifies a list of cryptographic algorithms to use. This | |||
| document extends that list with the algorithms RSA/SHA-256 and RSA/ | document extends that list with the algorithms RSA/SHA-256 and RSA/ | |||
| SHA-512, and specifies how to store DNSKEY data and how to produce | SHA-512, and specifies how to store DNSKEY data and how to produce | |||
| RRSIG resource records with these hash algorithms. | RRSIG resource records with these hash algorithms. | |||
| Familiarity with DNSSEC, RSA and the SHA-2 [FIPS.180-2.2002] family | Familiarity with DNSSEC, RSA and the SHA-2 [FIPS.180-3.2008] family | |||
| of algorithms is assumed in this document. | of algorithms is assumed in this document. | |||
| To refer to both SHA-256 and SHA-512, this document will use the name | To refer to both SHA-256 and SHA-512, this document will use the name | |||
| SHA-2. This is done to improve readability. When a part of text is | SHA-2. This is done to improve readability. When a part of text is | |||
| specific for either SHA-256 or SHA-512, their specific names are | specific for either SHA-256 or SHA-512, their specific names are | |||
| used. The same goes for RSA/SHA-256 and RSA/SHA-512, which will be | used. The same goes for RSA/SHA-256 and RSA/SHA-512, which will be | |||
| grouped using the name RSA/SHA-2. | grouped using the name RSA/SHA-2. | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| skipping to change at page 4, line 28 | skipping to change at page 4, line 28 | |||
| 3. RRSIG Resource Records | 3. RRSIG Resource Records | |||
| The value of the signature field in the RRSIG RR follows the RSASSA- | The value of the signature field in the RRSIG RR follows the RSASSA- | |||
| PKCS1-v1_5 signature scheme, and is calculated as follows. The | PKCS1-v1_5 signature scheme, and is calculated as follows. The | |||
| values for the RDATA fields that precede the signature data are | values for the RDATA fields that precede the signature data are | |||
| specified in RFC 4034 [RFC4034]. | specified in RFC 4034 [RFC4034]. | |||
| hash = SHA-XXX(data) | hash = SHA-XXX(data) | |||
| Here XXX is either 256 or 512, depending on the algorithm used, as | Here XXX is either 256 or 512, depending on the algorithm used, as | |||
| specified in FIPS PUB 180-2 [FIPS.180-2.2002], and "data" is the wire | specified in FIPS PUB 180-3 [FIPS.180-3.2008], and "data" is the wire | |||
| format data of the resource record set that is signed, as specified | format data of the resource record set that is signed, as specified | |||
| in RFC 4034 [RFC4034]. | in RFC 4034 [RFC4034]. | |||
| signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n) | signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n) | |||
| Here "|" is concatenation, "00", "01", "FF" and "00" are fixed octets | Here "|" is concatenation, "00", "01", "FF" and "00" are fixed octets | |||
| of corresponding hexadecimal value, "e" is the private exponent of | of corresponding hexadecimal value, "e" is the private exponent of | |||
| the signing RSA key, and "n" is the public modulus of the signing | the signing RSA key, and "n" is the public modulus of the signing | |||
| key. The FF octet MUST be repeated the exact number of times so that | key. The FF octet MUST be repeated the exact number of times so that | |||
| the total length of the concatenated term in parentheses equals the | the total length of the concatenated term in parentheses equals the | |||
| skipping to change at page 7, line 22 | skipping to change at page 7, line 22 | |||
| The following people provided additional feedback and text: Jaap | The following people provided additional feedback and text: Jaap | |||
| Akkerhuis, Roy Arends, Rob Austein, Francis Dupont, Miek Gieben, | Akkerhuis, Roy Arends, Rob Austein, Francis Dupont, Miek Gieben, | |||
| Alfred Hoenes, Paul Hoffman, Peter Koch, Michael St. Johns, Scott | Alfred Hoenes, Paul Hoffman, Peter Koch, Michael St. Johns, Scott | |||
| Rose and Wouter Wijngaards. | Rose and Wouter Wijngaards. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [FIPS.180-2.2002] | [FIPS.180-3.2008] | |||
| National Institute of Standards and Technology, "Secure | National Institute of Standards and Technology, "Secure | |||
| Hash Standard", FIPS PUB 180-2, August 2002. | Hash Standard", FIPS PUB 180-3, October 2008. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", RFC 2119, March 1997. | Requirement Levels", RFC 2119, March 1997. | |||
| [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain | [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain | |||
| Name System (DNS)", RFC 3110, May 2001. | Name System (DNS)", RFC 3110, May 2001. | |||
| [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "DNS Security Introduction and Requirements", | Rose, "DNS Security Introduction and Requirements", | |||
| RFC 4033, March 2005. | RFC 4033, March 2005. | |||
| End of changes. 7 change blocks. | ||||
| 8 lines changed or deleted | 8 lines changed or added | |||
This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||