draft-ietf-dnsext-rfc2539bis-dhk-03.txt   draft-ietf-dnsext-rfc2539bis-dhk-04.txt 
INTERNET-DRAFT Diffie-Hellman Information in the DNS INTERNET-DRAFT Diffie-Hellman Information in the DNS
OBSOLETES: RFC 2539 Donald E. Eastlake 3rd OBSOLETES: RFC 2539 Donald E. Eastlake 3rd
Motorola Laboratories Motorola Laboratories
Expires: January 2004 July 2003 Expires: February 2005 August 2004
Storage of Diffie-Hellman Keying Information in the DNS Storage of Diffie-Hellman Keying Information in the DNS
------- -- -------------- ------ ----------- -- --- --- ------- -- -------------- ------ ----------- -- --- ---
<draft-ietf-dnsext-rfc2539bis-dhk-03.txt> <draft-ietf-dnsext-rfc2539bis-dhk-04.txt>
Status of This Document Status of This Document
By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed,
or will be disclosed, and any of which I become aware will be
disclosed, in accordance with RFC 3668.
Distribution of this document is unlimited. Comments should be sent Distribution of this document is unlimited. Comments should be sent
to the DNS extensions working group mailing list to the DNS extensions working group mailing list
<namedroppers@ops.ietf.org> or to the author. <namedroppers@ops.ietf.org>.
This document is an Internet Draft and is in full conformance with Internet-Drafts are working documents of the Internet Engineering
all provisions of Section 10 of RFC 2026. Internet Drafts are Task Force (IETF), its areas, and its working groups. Note that
working documents of the Internet Engineering Task Force (IETF), its other groups may also distribute working documents as Internet-
areas, and its working groups. Note that other groups may also Drafts.
distribute working documents as Internet Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than a "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html
Abstract Abstract
A standard method for encoding Diffie-Hellman keys in the Domain Name The standard method for encoding Diffie-Hellman keys in the Domain
System is described. Name System is specified.
Copyright
Copyright (C) The Internet Society 2004.
Acknowledgements Acknowledgements
Part of the format for Diffie-Hellman keys and the description Part of the format for Diffie-Hellman keys and the description
thereof was taken from a work in progress by Ashar Aziz, Tom Markson, thereof was taken from a work in progress by Ashar Aziz, Tom Markson,
and Hemma Prafullchandra. In addition, the following persons and Hemma Prafullchandra. In addition, the following persons
provided useful comments that were incorporated into the predecessor provided useful comments that were incorporated into the predecessor
of this document: Ran Atkinson, Thomas Narten. of this document: Ran Atkinson, Thomas Narten.
Table of Contents Table of Contents
Status of This Document....................................1 Status of This Document....................................1
Abstract...................................................1 Abstract...................................................1
Copyright..................................................1
Acknowledgements...........................................2 Acknowledgements...........................................2
Table of Contents..........................................2 Table of Contents..........................................2
1. Introduction............................................3 1. Introduction............................................3
1.1 About This Document....................................3 1.1 About This Document....................................3
1.2 About Diffie-Hellman...................................3 1.2 About Diffie-Hellman...................................3
2. Encoding Diffie-Hellman Keying Information..............4 2. Encoding Diffie-Hellman Keying Information..............4
3. Performance Considerations..............................5 3. Performance Considerations..............................5
4. IANA Considerations.....................................5 4. IANA Considerations.....................................5
5. Security Considerations.................................5 5. Security Considerations.................................5
Copyright and Disclaimer...................................5
Normative References.......................................6 Normative References.......................................7
Informative Refences.......................................6 Informative Refences.......................................7
Author's Address...........................................6 Author Address.............................................7
Expiration and File Name...................................7 Expiration and File Name...................................8
Appendix A: Well known prime/generator pairs...............8 Appendix A: Well known prime/generator pairs...............9
A.1. Well-Known Group 1: A 768 bit prime..................8 A.1. Well-Known Group 1: A 768 bit prime..................9
A.2. Well-Known Group 2: A 1024 bit prime.................8 A.2. Well-Known Group 2: A 1024 bit prime.................9
A.3. Well-Known Group 3: A 1536 bit prime.................9 A.3. Well-Known Group 3: A 1536 bit prime................10
1. Introduction 1. Introduction
The Domain Name System (DNS) is the global hierarchical replicated The Domain Name System (DNS) is the global hierarchical replicated
distributed database system for Internet addressing, mail proxy, and distributed database system for Internet addressing, mail proxy, and
similar information [RFC 1034, 1035]. The DNS has been extended to similar information [RFC 1034, 1035]. The DNS has been extended to
include digital signatures and cryptographic keys as described in include digital signatures and cryptographic keys as described in
[RFC 2535] and additonal work is underway which would require the [RFC intro, proto, records] and additonal work is underway which
storage of keying and signature information in the DNS. would use the storage of keying information in the DNS.
1.1 About This Document 1.1 About This Document
This document describes how to store Diffie-Hellman keys in the DNS. This document describes how to store Diffie-Hellman keys in the DNS.
Familiarity with the Diffie-Hellman key exchange algorithm is assumed Familiarity with the Diffie-Hellman key exchange algorithm is assumed
[Schneier, RFC 2631]. [Schneier, RFC 2631].
1.2 About Diffie-Hellman 1.2 About Diffie-Hellman
Diffie-Hellman requires two parties to interact to derive keying Diffie-Hellman requires two parties to interact to derive keying
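Review bot: the inline citation "[RFC intro, proto, records]" introduced in -04 does not match the reference tags -04 adds, which are [RFC intro], [RFC protocol] and [RFC records]; use the same token in both places (either "protocol" here or "proto" in the reference list) so the citation resolves. "additonal" is misspelt in both columns and should be "additional". The three companion drafts are cited as one group here but are split between Normative ([RFC records]) and Informative ([RFC intro], [RFC protocol]) in the reference sections; if only the records draft is needed to implement this document, cite it alone at this point and leave the other two as background reading.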
skipping to change at page 5, line 23 skipping to change at page 5, line 23
is still advisable at this time to make reasonable efforts to is still advisable at this time to make reasonable efforts to
minimize the size of RR sets containing keying information consistent minimize the size of RR sets containing keying information consistent
with adequate security. with adequate security.
4. IANA Considerations 4. IANA Considerations
Assignment of meaning to Prime Lengths of 0 and 3 through 15 requires Assignment of meaning to Prime Lengths of 0 and 3 through 15 requires
an IETF consensus as defined in [RFC 2434]. an IETF consensus as defined in [RFC 2434].
Well known prime/generator pairs number 0x0000 through 0x07FF can Well known prime/generator pairs number 0x0000 through 0x07FF can
only be assigned by an IETF standards action. RFC 2539, the Proposed only be assigned by an IETF standards action. [RFC 2539], the
Standard predecessor of this document, assigned 0x0001 through Proposed Standard predecessor of this document, assigned 0x0001
0x0002. This document assigns 0x0003. Pairs number 0s0800 through through 0x0002. This document assigns 0x0003. Pairs number 0s0800
0xBFFF can be assigned based on RFC documentation. Pairs number through 0xBFFF can be assigned based on RFC documentation. Pairs
0xC000 through 0xFFFF are available for private use and are not number 0xC000 through 0xFFFF are available for private use and are
centrally coordinated. Use of such private pairs outside of a closed not centrally coordinated. Use of such private pairs outside of a
environment may result in conflicts. closed environment may result in conflicts and/or security failures.
5. Security Considerations 5. Security Considerations
Keying information retrieved from the DNS should not be trusted Keying information retrieved from the DNS should not be trusted
unless (1) it has been securely obtained from a secure resolver or unless (1) it has been securely obtained from a secure resolver or
independently verified by the user and (2) this secure resolver and independently verified by the user and (2) this secure resolver and
secure obtainment or independent verification conform to security secure obtainment or independent verification conform to security
policies acceptable to the user. As with all cryptographic policies acceptable to the user. As with all cryptographic
algorithms, evaluating the necessary strength of the key is important algorithms, evaluating the necessary strength of the key is important
and dependent on security policy. and dependent on security policy.
In addition, the usual Diffie-Hellman key strength considerations In addition, the usual Diffie-Hellman key strength considerations
apply. (p-1)/2 should also be prime, g should be primitive mod p, p apply. (p-1)/2 should also be prime, g should be primitive mod p, p
should be "large", etc. [RFC 2631, Schneier] should be "large", etc. [RFC 2631, Schneier]
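Review bot: "Pairs number 0s0800 through 0xBFFF" in Section 4 misspells the hex prefix in both columns; it should read 0x0800, otherwise the RFC-documentation range has no well-defined lower bound beside the 0x0000 through 0x07FF standards-action range. The new "and/or security failures" wording is an improvement, but the failure mode worth naming is two parties resolving the same private pair number to different (p, g) values, which cannot be detected from the pair number alone. In Section 5, "g should be primitive mod p" is at odds with the [RFC 2631] guidance the same sentence cites: RFC 2631 has g generate a prime-order subgroup (order q, here q = (p-1)/2) rather than the whole multiplicative group, since with a full-order generator the Legendre symbol of a public value reveals the low bit of the corresponding private exponent. Suggest "g should generate the subgroup of prime order (p-1)/2" and, because the Appendix A pairs are copied from IPSEC, a sentence stating whether those generators satisfy the requirement given here.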
Copyright and Disclaimer
Copyright (C) The Internet Society 2004. This document is subject to
the rights, licenses and restrictions contained in BCP 78 and except
as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Normative References Normative References
[RFC 2631] - "Diffie-Hellman Key Agreement Method", E. Rescorla, June [RFC 2631] - "Diffie-Hellman Key Agreement Method", E. Rescorla, June
1999. 1999.
[RFC 2434] - Guidelines for Writing an IANA Considerations Section in [RFC 2434] - "Guidelines for Writing an IANA Considerations Section
RFCs, T. Narten, H. Alvestrand, October 1998. in RFCs", T. Narten, H. Alvestrand, October 1998.
Informative Refences [RFC records] - "Resource Records for the DNS Security Extensions",
R. Arends, R. Austein, M. Larson, D. Massey, S. Rose, work in
progress, draft-ietf-dnsext-dnssec-records- *.txt.
[RFC 1034] - P. Mockapetris, "Domain names - concepts and Informative Refences
facilities", November 1987.
[RFC 1035] - P. Mockapetris, "Domain names - implementation and [RFC 1034] - "Domain names - concepts and facilities", P.
specification", November 1987. Mockapetris, November 1987.
[RFC 2535] - Domain Name System Security Extensions, D. Eastlake 3rd, [RFC 1035] - "Domain names - implementation and specification", P.
March 1999. Mockapetris, November 1987.
[RFC 2539] - Storage of Diffie-Hellman Keys in the Domain Name System [RFC 2539] - "Storage of Diffie-Hellman Keys in the Domain Name
(DNS), D. Eastlake, March 1999, obsoleted by this RFC. System (DNS)", D. Eastlake, March 1999, obsoleted by this RFC.
[RFC 2671] - Extension Mechanisms for DNS (EDNS0), P. Vixie, August [RFC 2671] - "Extension Mechanisms for DNS (EDNS0)", P. Vixie, August
1999. 1999.
[RFC intro] - "DNS Security Introduction and Requirements", R.
Arends, M. Larson, R. Austein, D. Massey, S. Rose, work in progress,
draft-ietf-dnsext-dnssec-intro-*.txt.
[RFC protocol] - "Protocol Modifications for the DNS Security
Extensions", R. Arends, M. Larson, R. Austein, D. Massey, S. Rose,
work in progress, draft-ietf-dnsext-dnssec-protocol-*.txt.
[Schneier] - Bruce Schneier, "Applied Cryptography: Protocols, [Schneier] - Bruce Schneier, "Applied Cryptography: Protocols,
Algorithms, and Source Code in C" (Second Edition), 1996, John Wiley Algorithms, and Source Code in C" (Second Edition), 1996, John Wiley
and Sons. and Sons.
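Review bot: the heading "Informative Refences" is misspelt in both columns and should be "Informative References". The [RFC records] entry carries a stray space in the file name ("draft-ietf-dnsext-dnssec-records- *.txt") and lists the authors in a different order (Arends, Austein, Larson, Massey, Rose) from the [RFC intro] and [RFC protocol] entries (Arends, Larson, Austein, Massey, Rose); the three companion drafts should use one order. The [RFC 2539] entry still says "obsoleted by this RFC" although the document is an Internet-Draft; "obsoleted by this document" avoids the mismatch until publication. -04 drops [RFC 2535] entirely, which matches the Introduction no longer citing it, but check that no remaining mention elsewhere in the body now dangles.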
Author's Address Author Address
Donald E. Eastlake 3rd Donald E. Eastlake 3rd
Motorola Laboratories Motorola Laboratories
155 Beaver Street 155 Beaver Street
Milford, MA 01757 USA Milford, MA 01757 USA
Telephone: +1-508-851-8280 (w) Telephone: +1-508-786-7554 (w)
+1-508-634-2066 (h)
EMail: Donald.Eastlake@motorola.com
+1-508-634-2066 (h)
EMail: Donald.Eastlake@motorola.com
Expiration and File Name Expiration and File Name
This draft expires in January 2004. This draft expires in February 2005.
Its file name is draft-ietf-dnsext-rfc2539bis-dhk-03.txt. Its file name is draft-ietf-dnsext-rfc2539bis-dhk-04.txt.
Appendix A: Well known prime/generator pairs Appendix A: Well known prime/generator pairs
These numbers are copied from the IPSEC effort where the derivation of These numbers are copied from the IPSEC effort where the derivation of
these values is more fully explained and additional information is available. these values is more fully explained and additional information is available.
Richard Schroeppel performed all the mathematical and computational Richard Schroeppel performed all the mathematical and computational
work for this appendix. work for this appendix.
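Review bot: "copied from the IPSEC effort" gives the reader nowhere to go for the derivation and "additional information" the text promises; cite the documents the primes and generators are taken from (the Oakley well-known groups in RFC 2412 for the 768- and 1024-bit primes, and RFC 3526 for the 1536-bit MODP group) so that the values can be checked against their source instead of being trusted from this appendix alone.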
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/