draft-ietf-dnsext-dnssec-rsasha256-07.txt   draft-ietf-dnsext-dnssec-rsasha256-08.txt 
DNS Extensions working group J. Jansen DNS Extensions working group J. Jansen
Internet-Draft NLnet Labs Internet-Draft NLnet Labs
Intended status: Standards Track December 03, 2008 Intended status: Standards Track December 04, 2008
Expires: June 6, 2009 Expires: June 7, 2009
Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records
for DNSSEC for DNSSEC
draft-ietf-dnsext-dnssec-rsasha256-07 draft-ietf-dnsext-dnssec-rsasha256-08
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 6, 2009. This Internet-Draft will expire on June 7, 2009.
Abstract Abstract
This document describes how to produce RSA/SHA-256 and RSA/SHA-512 This document describes how to produce RSA/SHA-256 and RSA/SHA-512
DNSKEY and RRSIG resource records for use in the Domain Name System DNSKEY and RRSIG resource records for use in the Domain Name System
Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035).
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
skipping to change at page 3, line 20 skipping to change at page 3, line 20
authenticity and integrity of its data. RFC 4033 [RFC4033], RFC 4034 authenticity and integrity of its data. RFC 4033 [RFC4033], RFC 4034
[RFC4034], and RFC 4035 [RFC4035] describe these DNS Security [RFC4034], and RFC 4035 [RFC4035] describe these DNS Security
Extensions, called DNSSEC. Extensions, called DNSSEC.
RFC 4034 describes how to store DNSKEY and RRSIG resource records, RFC 4034 describes how to store DNSKEY and RRSIG resource records,
and specifies a list of cryptographic algorithms to use. This and specifies a list of cryptographic algorithms to use. This
document extends that list with the algorithms RSA/SHA-256 and RSA/ document extends that list with the algorithms RSA/SHA-256 and RSA/
SHA-512, and specifies how to store DNSKEY data and how to produce SHA-512, and specifies how to store DNSKEY data and how to produce
RRSIG resource records with these hash algorithms. RRSIG resource records with these hash algorithms.
Familiarity with DNSSEC, RSA and the SHA-2 [FIPS.180-2.2002] family Familiarity with DNSSEC, RSA and the SHA-2 [FIPS.180-3.2008] family
of algorithms is assumed in this document. of algorithms is assumed in this document.
To refer to both SHA-256 and SHA-512, this document will use the name To refer to both SHA-256 and SHA-512, this document will use the name
SHA-2. This is done to improve readability. When a part of text is SHA-2. This is done to improve readability. When a part of text is
specific for either SHA-256 or SHA-512, their specific names are specific for either SHA-256 or SHA-512, their specific names are
used. The same goes for RSA/SHA-256 and RSA/SHA-512, which will be used. The same goes for RSA/SHA-256 and RSA/SHA-512, which will be
grouped using the name RSA/SHA-2. grouped using the name RSA/SHA-2.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
skipping to change at page 4, line 28 skipping to change at page 4, line 28
3. RRSIG Resource Records 3. RRSIG Resource Records
The value of the signature field in the RRSIG RR follows the RSASSA- The value of the signature field in the RRSIG RR follows the RSASSA-
PKCS1-v1_5 signature scheme, and is calculated as follows. The PKCS1-v1_5 signature scheme, and is calculated as follows. The
values for the RDATA fields that precede the signature data are values for the RDATA fields that precede the signature data are
specified in RFC 4034 [RFC4034]. specified in RFC 4034 [RFC4034].
hash = SHA-XXX(data) hash = SHA-XXX(data)
Here XXX is either 256 or 512, depending on the algorithm used, as Here XXX is either 256 or 512, depending on the algorithm used, as
specified in FIPS PUB 180-2 [FIPS.180-2.2002], and "data" is the wire specified in FIPS PUB 180-3 [FIPS.180-3.2008], and "data" is the wire
format data of the resource record set that is signed, as specified format data of the resource record set that is signed, as specified
in RFC 4034 [RFC4034]. in RFC 4034 [RFC4034].
signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n) signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n)
Here "|" is concatenation, "00", "01", "FF" and "00" are fixed octets Here "|" is concatenation, "00", "01", "FF" and "00" are fixed octets
of corresponding hexadecimal value, "e" is the private exponent of of corresponding hexadecimal value, "e" is the private exponent of
the signing RSA key, and "n" is the public modulus of the signing the signing RSA key, and "n" is the public modulus of the signing
key. The FF octet MUST be repeated the exact number of times so that key. The FF octet MUST be repeated the exact number of times so that
the total length of the concatenated term in parentheses equals the the total length of the concatenated term in parentheses equals the
skipping to change at page 7, line 22 skipping to change at page 7, line 22
The following people provided additional feedback and text: Jaap The following people provided additional feedback and text: Jaap
Akkerhuis, Roy Arends, Rob Austein, Francis Dupont, Miek Gieben, Akkerhuis, Roy Arends, Rob Austein, Francis Dupont, Miek Gieben,
Alfred Hoenes, Paul Hoffman, Peter Koch, Michael St. Johns, Scott Alfred Hoenes, Paul Hoffman, Peter Koch, Michael St. Johns, Scott
Rose and Wouter Wijngaards. Rose and Wouter Wijngaards.
9. References 9. References
9.1. Normative References 9.1. Normative References
[FIPS.180-2.2002] [FIPS.180-3.2008]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-2, August 2002. Hash Standard", FIPS PUB 180-3, October 2008.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
[RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
Name System (DNS)", RFC 3110, May 2001. Name System (DNS)", RFC 3110, May 2001.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005. RFC 4033, March 2005.
 End of changes. 7 change blocks. 
8 lines changed or deleted 8 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/