draft-ietf-dnsext-ds-sha256-03.txt   draft-ietf-dnsext-ds-sha256-04.txt 
Network Working Group W. Hardaker Network Working Group W. Hardaker
Internet-Draft Sparta Internet-Draft Sparta
Expires: July 10, 2006 January 6, 2006 Expires: July 17, 2006 January 13, 2006
Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs) Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
draft-ietf-dnsext-ds-sha256-03.txt draft-ietf-dnsext-ds-sha256-04.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 33 skipping to change at page 1, line 33
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 10, 2006. This Internet-Draft will expire on July 17, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document specifies how to use the SHA-256 digest type in DNS This document specifies how to use the SHA-256 digest type in DNS
Delegation Signer (DS) Resource Records (RRs). DS records, when Delegation Signer (DS) Resource Records (RRs). DS records, when
stored in a parent zone, point to key signing DNSKEY key(s) in a stored in a parent zone, point to key signing DNSKEY key(s) in a
skipping to change at page 6, line 8 skipping to change at page 6, line 8
present but invalid. present but invalid.
For example, if the following conditions are all true: For example, if the following conditions are all true:
o Both SHA-1 and SHA-256 based digests are published in DS records o Both SHA-1 and SHA-256 based digests are published in DS records
within a parent zone for a given child zone's DNSKEY. within a parent zone for a given child zone's DNSKEY.
o The DS record with the SHA-1 digest matches the digest computed o The DS record with the SHA-1 digest matches the digest computed
using the child zone's DNSKEY. using the child zone's DNSKEY.
o The DS record with the SHA-256 digest fails to match the signature o The DS record with the SHA-256 digest fails to match the digest
computed using the child zone's DNSKEY computed using the child zone's DNSKEY.
Then if the validator accepts the above situation as secure then this Then if the validator accepts the above situation as secure then this
can be used as a downgrade attack since the stronger SHA-256 digest can be used as a downgrade attack since the stronger SHA-256 digest
is ignored. is ignored.
6.2. SHA-1 vs SHA-256 Considerations for DS Records 6.2. SHA-1 vs SHA-256 Considerations for DS Records
Because of the weaknesses recently discovered within the SHA-1 Because of the weaknesses recently discovered within the SHA-1
algorithm, users of DNSSEC are encouraged to deploy the use of SHA- algorithm, users of DNSSEC are encouraged to deploy the use of SHA-
256 as soon as the software implementations in use allow for it. 256 as soon as the software implementations in use allow for it.
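Review bot: the -04 correction in the third condition of the 6.1 example (a DS record carries a digest of the child's DNSKEY, so "fails to match the digest computed using the child zone's DNSKEY" is right and the -03 "signature" was wrong) leaves the paragraph stating only what goes wrong "if the validator accepts the above situation as secure", never the rule a conforming validator follows. Suggest closing the example with the positive requirement, e.g. "A validator MUST NOT treat the DNSKEY as authenticated in this case: a DS record of a digest type the validator supports is present but does not match, so accepting the SHA-1 match alone would allow a downgrade to the weaker digest." One smaller point in the same block: 6.2's "deploy the use of SHA-256" reads awkwardly and could be "deploy SHA-256 DS records", which also says what concretely is being deployed.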
 End of changes. 4 change blocks. 
5 lines changed or deleted 5 lines changed or added