mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Mark Andrews 2001-11-27 12:58:44 +00:00
parent 60213f2815
commit 559fe25977
2 changed files with 106 additions and 102 deletions


@ -6,7 +6,7 @@
DNEXT Working Group S. Rose DNEXT Working Group S. Rose
Internet Draft NIST Internet Draft NIST
Expires: January 2001 July 2001 Expires: May 2001 November 2001
Category: Informational Category: Informational
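Review bot: the new header line reads "Expires: May 2001" next to a draft date of "November 2001", so the -05 roadmap draft would have expired six months before it was issued. The companion DSA draft in this same commit uses "Expires: May 2002" for a November 2001 date, which is the usual six-month convention, and the same "expires May 2001" wording recurs in the roadmap's "Expiration and File Name" section further down. Since the file is a verbatim import of the upstream draft, leave it as-is here and report the date to the draft author rather than patching it locally.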
@ -14,7 +14,7 @@ Category: Informational
DNS Security Document Roadmap DNS Security Document Roadmap
------------------------------ ------------------------------
<draft-ietf-dnsext-dnssec-roadmap-04.txt> <draft-ietf-dnsext-dnssec-roadmap-05.txt>
Status of this Document Status of this Document
@ -61,7 +61,7 @@ Rose [Page 1]
INTERNET-DRAFT DNS Security Document Roadmap April 2001 INTERNET-DRAFT DNS Security Document Roadmap November 2001
@ -120,7 +120,7 @@ Rose [Page 2]
INTERNET-DRAFT DNS Security Document Roadmap April 2001 INTERNET-DRAFT DNS Security Document Roadmap November 2001
1. Introduction 1. Introduction
@ -180,7 +180,7 @@ Rose [Page 3]
INTERNET-DRAFT DNS Security Document Roadmap April 2001 INTERNET-DRAFT DNS Security Document Roadmap November 2001
possible that some documents fall into more than one of these possible that some documents fall into more than one of these
@ -205,15 +205,16 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
| Security | <------->| protocol |<-------->| Security | | Security | <------->| protocol |<-------->| Security |
| RRs | | | | Uses | | RRs | | | | Uses |
| [RFC2538, | | [RFC2535, | | [SSH-DNS] | | [RFC2538, | | [RFC2535, | | [SSH-DNS] |
| RFC2931, | | RFC3007, | +-------------+ | RFC2931, | | RFC3007, | +-------------+
| NO, DSIG] | | RFC3008, | | DSIG] | | RFC3008, |
+------------+ | RFC3090, | +------------+ | RFC3090, |
| SIZE ] | | SIZE, |
| OKBIT, | | OKBIT, |
| ADBIT, | | ADBIT, |
| OPTIN, | | OPTIN, |
| PARSIG, | | PARSIG, |
| PARKEY ] | | PARKEY, |
| LIMIT ] |
+-----------+ +-----------+
| |
| |
@ -225,12 +226,11 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
| Algorithm | | Transactions | * Notes * | Algorithm | | Transactions | * Notes *
| Impl. | | | | | | Impl. | | | | |
| [RFC2536, | | [RFC2845, | * [CAIRN, * | [RFC2536, | | [RFC2845, | * [CAIRN, *
| RFC2537 | | RFC2930] | | ROLLOVER, | | RFC2537 | | RFC2930, | | ROLLOVER, |
| RFC2539 | | | * RESROLLOVER ] * | RFC2539 | | RENEW ] | * RESROLLOVER ] *
| GSS-TSIG, | | | +-*-*-*-*-*-*-*-*-+ | GSS-TSIG, | | | +-*-*-*-*-*-*-*-*-+
| RFC3110] | +---------------+ | RFC3110, | +---------------+
+------------+ | ECC, DH ] |
Figure 1 DNSSEC Document Roadmap
@ -240,7 +240,11 @@ Rose [Page 4]
INTERNET-DRAFT DNS Security Document Roadmap April 2001 INTERNET-DRAFT DNS Security Document Roadmap November 2001
+------------+
Figure 1 DNSSEC Document Roadmap
The "DNSSEC protocol" document set refers to the document that makes The "DNSSEC protocol" document set refers to the document that makes
@ -258,22 +262,21 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
lines of RFC/Internet Draft author guidelines). Also, the portions lines of RFC/Internet Draft author guidelines). Also, the portions
of the specification to be modified SHOULD be synopsized in the new of the specification to be modified SHOULD be synopsized in the new
document for the benefit of the reader. The "DNSSEC protocol" set document for the benefit of the reader. The "DNSSEC protocol" set
includes the documents [RFC2535], [RFC3007], [RFC3008], [RFC3090], includes the documents [RFC2535], [RFC3007], [RFC3008], [RFC3090] and
[SIZE], [OKBIT], [ADBIT], [OPTIN], [PARSIG], [PARKEY] and their their derivative documents.
derivative documents.
The "New Security RRs" set refers to the group of documents that seek The "New Security RRs" set refers to the group of documents that seek
to add additional Resource Records to the set of base DNS Record to add additional Resource Records to the set of base DNS Record
types. These new records can be related to securing the DNS protocol types. These new records can be related to securing the DNS protocol
[RFC2535], [RFC2931], [NO] or using DNS security for other purposes [RFC2535], [RFC2931], or using DNS security for other purposes such
such as storing certificates [RFC2538]. as storing certificates [RFC2538].
The "DS Algorithm Impl" document set refers to the group of documents The "DS Algorithm Impl" document set refers to the group of documents
that describe how a specific digital signature algorithm is imple- that describe how a specific digital signature algorithm is imple-
mented to fit the DNSSEC Resource Record format. Each one of these mented to fit the DNSSEC Resource Record format. Each one of these
documents deals with one specific digital signature algorithm. Exam- documents deals with one specific digital signature algorithm. Exam-
ples of this set include [RFC2536], [RFC2537], [RFC2539], [RFC3110] ples of this set include [RFC2536], [RFC2537], [RFC2539] and
and [GSS-TSIG]. [RFC3110].
The "Transactions" document set refers to the group of documents that The "Transactions" document set refers to the group of documents that
deal with the message transaction sequence of security-related DNS deal with the message transaction sequence of security-related DNS
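Review bot: the prose and Figure 1 now disagree about what the "DNSSEC protocol" and "DS Algorithm Impl" sets contain. The new sentence "includes the documents [RFC2535], [RFC3007], [RFC3008], [RFC3090] and their derivative documents." drops [SIZE], [OKBIT], [ADBIT], [OPTIN], [PARSIG] and [PARKEY], yet the updated figure still lists all of them in the protocol box and adds [LIMIT]; likewise the examples sentence now ends "[RFC2536], [RFC2537], [RFC2539] and [RFC3110]." while the figure keeps GSS-TSIG in the DS Algorithm Impl box and adds ECC and DH, which the prose does not mention. Worth raising upstream so the figure and the set descriptions match; nothing to change in this import.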
@ -288,9 +291,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
related purposes. Documents that fall in this category include the related purposes. Documents that fall in this category include the
use of DNS in the storage and distribution of certificates and indi- use of DNS in the storage and distribution of certificates and indi-
vidual user public keys (PGP, e-mail, etc.) Some documents in this vidual user public keys (PGP, e-mail, etc.) Some documents in this
group may fall beyond the DNSEXT WG scope, but they are included
because of their use of the security extensions. The documents in
this group should not propose any changes to the DNS protocol to
@ -300,10 +300,13 @@ Rose [Page 5]
INTERNET-DRAFT DNS Security Document Roadmap April 2001 INTERNET-DRAFT DNS Security Document Roadmap November 2001
support other protocols; only how existing DNS security records and group may fall beyond the DNSEXT WG scope, but they are included
because of their use of the security extensions. The documents in
this group should not propose any changes to the DNS protocol to sup-
port other protocols; only how existing DNS security records and
transactions can be used to support other protocols. One such docu- transactions can be used to support other protocols. One such docu-
ment is [SSH-DNS] which deals with storing SSH keys in the DNS using ment is [SSH-DNS] which deals with storing SSH keys in the DNS using
the security records. the security records.
@ -348,9 +351,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
required content and structure. It is the purpose of this document required content and structure. It is the purpose of this document
roadmap to establish criteria for content that any new DNS security roadmap to establish criteria for content that any new DNS security
protocol specifications document SHOULD contain. These criteria protocol specifications document SHOULD contain. These criteria
SHOULD be interpreted as a minimum set of information required/needed
in a document, any additional information regarding the specific
extension should also be included in the document. These criteria
@ -360,9 +360,12 @@ Rose [Page 6]
INTERNET-DRAFT DNS Security Document Roadmap April 2001 INTERNET-DRAFT DNS Security Document Roadmap November 2001
SHOULD be interpreted as a minimum set of information required/needed
in a document, any additional information regarding the specific
extension should also be included in the document. These criteria
are not officially part of the IETF guidelines regarding RFC/Internet are not officially part of the IETF guidelines regarding RFC/Internet
Drafts, but should be considered as guidance to promote uniformity to Drafts, but should be considered as guidance to promote uniformity to
Working Group documents. Working Group documents.
@ -408,9 +411,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
* the current known status of the algorithm (as one of REQUIRED, * the current known status of the algorithm (as one of REQUIRED,
RECOMMENDED, or OPTIONAL). RECOMMENDED, or OPTIONAL).
In addition, authors are encouraged to include any necessary descrip-
tion of the algorithm itself, as well as any know/suspected
weaknesses as an appendix to the document. This is for reference
@ -420,9 +420,12 @@ Rose [Page 7]
INTERNET-DRAFT DNS Security Document Roadmap April 2001 INTERNET-DRAFT DNS Security Document Roadmap November 2001
In addition, authors are encouraged to include any necessary descrip-
tion of the algorithm itself, as well as any know/suspected
weaknesses as an appendix to the document. This is for reference
only, as the goals of the DNSEXT working group is to propose exten- only, as the goals of the DNSEXT working group is to propose exten-
sions to the DNS protocol, not cryptographic research. sions to the DNS protocol, not cryptographic research.
@ -469,9 +472,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
document [RFC2535]. document [RFC2535].
6. Acknowledgements
Rose [Page 8] Rose [Page 8]
@ -480,9 +480,11 @@ Rose [Page 8]
INTERNET-DRAFT DNS Security Document Roadmap April 2001 INTERNET-DRAFT DNS Security Document Roadmap November 2001
6. Acknowledgements
In addition to the RFCs mentioned in this document, there are also In addition to the RFCs mentioned in this document, there are also
numerous Internet drafts that fall in one or more of the categories numerous Internet drafts that fall in one or more of the categories
of DNS Security documents mentioned above. Depending on where (and of DNS Security documents mentioned above. Depending on where (and
@ -502,8 +504,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
message size requirements". <draft-ietf-dnsext-message-size-NN.txt> message size requirements". <draft-ietf-dnsext-message-size-NN.txt>
* GSS-TSIG: S. Kwan, P. Garg, J. Gilroy, and L. Esibov. "GSS * GSS-TSIG: S. Kwan, P. Garg, J. Gilroy, and L. Esibov. "GSS
Algorithm for TSIG (GSS-TSIG)". <draft-ietf-dnsext-gss-tsig-NN.txt> Algorithm for TSIG (GSS-TSIG)". <draft-ietf-dnsext-gss-tsig-NN.txt>
* NO: S. A. Josefsson. "Authenticating Denial of Existence in DNS
with Minimum Disclosure". <draft-ietf-dnsext-not-existing-rr-NN.txt>
* OKBIT: D. Conrad. "Indicting Resolver Support of DNSSEC". * OKBIT: D. Conrad. "Indicting Resolver Support of DNSSEC".
<draft-ietf-dnsext-dnssec-okbit-NN.txt> <draft-ietf-dnsext-dnssec-okbit-NN.txt>
* ROLLOVER: M. Andrews, D. Eastlake. "Domain Name System (DNS) * ROLLOVER: M. Andrews, D. Eastlake. "Domain Name System (DNS)
@ -523,14 +523,14 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
* RESROLLOVER: O. Kolkman, M. Gieben, R. Arends. "Rollover of * RESROLLOVER: O. Kolkman, M. Gieben, R. Arends. "Rollover of
statically configured resolver keys". <draft-ietf-dnsop-resolver- statically configured resolver keys". <draft-ietf-dnsop-resolver-
rollover-NN.txt> rollover-NN.txt>
* ECC: D. Eastlake and R. Schroeppel. "Elliptic Curve KEYs in the
DNS". <draft-ietf-dnsext-ecc-key-NN.txt>
7. References * RENEW: Y. Kamite, M. Nakayama. "TKEY Secret Key Renewal Mode".
<draft-ietf-dnsext-tkey-renewal-mode-NN.txt>
[RFC2535] D. Eastlake, "Domain Name System Security Extensions", RFC * LIMIT: D. Massey and S. Rose. "Limiting the Scope of the KEY
2535, March 1999. Resource Record". <draft-ietf-dnsext-restrict-key-for-dnssec-NN.txt>
* DH: D. Eastlake. "Storage of Diffie-Hellman Keys in the Domain
[RFC2537] D. Eastlake, "RSA/MD5 KEYs and SIGs in the Domain Name Name System (DNS)". <draft-ietf-dnsext-rfc2539bis-dhk-NN.txt>
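Review bot: the added [DH] entry is <draft-ietf-dnsext-rfc2539bis-dhk-NN.txt>, a revision of RFC 2539, and Figure 1 now lists both RFC2539 and DH in the DS Algorithm Impl box. The roadmap would be clearer if it stated whether a -bis draft is listed alongside or in place of the RFC it revises. The new [ECC], [RENEW] and [LIMIT] entries do match their labels in the figure.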
@ -540,10 +540,16 @@ Rose [Page 9]
INTERNET-DRAFT DNS Security Document Roadmap April 2001 INTERNET-DRAFT DNS Security Document Roadmap November 2001
System (DNS)", RFC 2537, March 1999. 7. References
[RFC2535] D. Eastlake, "Domain Name System Security Extensions", RFC
2535, March 1999.
[RFC2537] D. Eastlake, "RSA/MD5 KEYs and SIGs in the Domain Name Sys-
tem (DNS)", RFC 2537, March 1999.
[RFC2536] D. Eastlake, "DSA KEYs and SIGs in the Domain Name System [RFC2536] D. Eastlake, "DSA KEYs and SIGs in the Domain Name System
(DNS)", RFC 2536, March 1999. (DNS)", RFC 2536, March 1999.
@ -585,12 +591,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate Require- [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate Require-
ment Levels", RFC-2119, March 1997. ment Levels", RFC-2119, March 1997.
[RFC3007] B. Wellington, "Secure Domain Name System (DNS) Dynamic
Update". RFC 3007, November 2000.
[RFC3008] B. Wellington, "Domain Name System Security (DNSSEC) Sign-
ing Authority". RFC 3008, November 2000.
@ -600,7 +600,16 @@ Rose [Page 10]
INTERNET-DRAFT DNS Security Document Roadmap April 2001 INTERNET-DRAFT DNS Security Document Roadmap November 2001
[RFC3007] B. Wellington, "Secure Domain Name System (DNS) Dynamic
Update". RFC 3007, November 2000.
[RFC3008] B. Wellington, "Domain Name System Security (DNSSEC) Sign-
ing Authority". RFC 3008, November 2000.
8. Author's Addresses 8. Author's Addresses
@ -614,7 +623,7 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
Expiration and File Name: Expiration and File Name:
This draft, titled <draft-ietf-dnsext-dnssec-roadmap-04.txt> expires January 2001. This draft, titled <draft-ietf-dnsext-dnssec-roadmap-05.txt> expires May 2001.
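Review bot: "expires May 2001" here carries the same past-date problem as the header hunk above; for a draft dated November 2001 both places would presumably read May 2002, as the DSA draft in this commit does for the same issue date. Import as-is and report upstream.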
@ -645,24 +654,21 @@ Expiration and File Name:
Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
Rose [Page 11] Rose [Page 11]
INTERNET-DRAFT DNS Security Document Roadmap April 2001 INTERNET-DRAFT DNS Security Document Roadmap November 2001
Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are kind, provided that the above copyright notice and this paragraph are
@ -701,12 +707,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001


@ -1,7 +1,11 @@
INTERNET-DRAFT DSA KEYs and SIGs in the DNS INTERNET-DRAFT DSA KEYs and SIGs in the DNS
OBSOLETES: RFC 2536 Donald Eastlake 3rd OBSOLETES: RFC 2536 Donald Eastlake 3rd
Motorola Motorola
Expires: January 2002 July 2001 Expires: May 2002 November 2001
@ -9,7 +13,7 @@ Expires: January 2002 July 2001
DSA KEYs and SIGs in the Domain Name System (DNS) DSA KEYs and SIGs in the Domain Name System (DNS)
--- ---- --- ---- -- --- ------ ---- ------ ----- --- ---- --- ---- -- --- ------ ---- ------ -----
<draft-ietf-dnsext-rfc2536bis-dsa-00.txt> <draft-ietf-dnsext-rfc2536bis-dsa-01.txt>
Donald E. Eastlake 3rd Donald E. Eastlake 3rd
@ -52,7 +56,7 @@ Abstract
Donald Eastlake 3rd [Page 1] D. Eastlake 3rd [Page 1]
INTERNET-DRAFT DSA in the DNS INTERNET-DRAFT DSA in the DNS
@ -110,7 +114,7 @@ Table of Contents
Donald Eastlake 3rd [Page 2] D. Eastlake 3rd [Page 2]
INTERNET-DRAFT DSA in the DNS INTERNET-DRAFT DSA in the DNS
@ -122,8 +126,7 @@ INTERNET-DRAFT DSA in the DNS
distributed database system for Internet addressing, mail proxy, and distributed database system for Internet addressing, mail proxy, and
other information. The DNS has been extended to include digital other information. The DNS has been extended to include digital
signatures and cryptographic keys as described in [RFC 2535]. Thus signatures and cryptographic keys as described in [RFC 2535]. Thus
the DNS can now be secured and can be used for secure key the DNS can now be secured and can be used for key distribution.
distribution.
This document describes how to store US Government Digital Signature This document describes how to store US Government Digital Signature
Algorithm (DSA) keys and signatures in the DNS. Familiarity with the Algorithm (DSA) keys and signatures in the DNS. Familiarity with the
@ -150,7 +153,7 @@ INTERNET-DRAFT DSA in the DNS
G 64 + T*8 octets G 64 + T*8 octets
Y 64 + T*8 octets Y 64 + T*8 octets
As described in [FIPS 186-2] and [Schneier]: T is a key size As described in [FIPS 186-2] and [Schneier], T is a key size
parameter chosen such that 0 <= T <= 8. (The meaning for algorithm 3 parameter chosen such that 0 <= T <= 8. (The meaning for algorithm 3
if the T octet is greater than 8 is reserved and the remainder of the if the T octet is greater than 8 is reserved and the remainder of the
RDATA portion may have a different format in that case.) Q is a RDATA portion may have a different format in that case.) Q is a
@ -158,17 +161,18 @@ INTERNET-DRAFT DSA in the DNS
2**160 so Q is always 20 octets long and, as with all other fields, 2**160 so Q is always 20 octets long and, as with all other fields,
is stored in "big-endian" network order. P, G, and Y are calculated is stored in "big-endian" network order. P, G, and Y are calculated
as directed by the [FIPS 186-2] key generation algorithm [Schneier]. as directed by the [FIPS 186-2] key generation algorithm [Schneier].
P is in the range 2**(511+64T) < P < 2**(512+64T) and so is 64 + 8*T P is in the range 2**(511+64T) < P < 2**(512+64T) and thus is 64 +
octets long. G and Y are quantities modulo P and so can be up to the 8*T octets long. G and Y are quantities modulo P and so can be up to
same length as P and are allocated fixed size fields with the same the same length as P and are allocated fixed size fields with the
number of octets as P. same number of octets as P.
During the key generation process, a random number X must be During the key generation process, a random number X must be
generated such that 1 <= X <= Q-1. X is the private key and is used generated such that 1 <= X <= Q-1. X is the private key and is used
in the final step of public key generation where Y is computed as in the final step of public key generation where Y is computed as
Donald Eastlake 3rd [Page 3]
D. Eastlake 3rd [Page 3]
INTERNET-DRAFT DSA in the DNS INTERNET-DRAFT DSA in the DNS
@ -203,8 +207,8 @@ INTERNET-DRAFT DSA in the DNS
S = ( K**(-1) * (hash + X*R) ) mod Q S = ( K**(-1) * (hash + X*R) ) mod Q
For infromation on the SHA-1 has funcation see [FIPS 180-1] and For infromation on the SHA-1 has funcation see [FIPS 180-1] and [RFC
[draft-sha1]. 3174].
Since Q is 160 bits long, R and S can not be larger than 20 octets, Since Q is 160 bits long, R and S can not be larger than 20 octets,
which is the space allocated. which is the space allocated.
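Review bot: the reworded line keeps the upstream typos "infromation" and "has funcation" (for "information" and "hash function") while only the citation changes from [draft-sha1] to [RFC 3174]. The matching change in the References hunk further down updates the entry consistently, so the new citation key resolves; the typos are worth reporting upstream, since a vendored draft should not be edited locally.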
@ -226,7 +230,7 @@ INTERNET-DRAFT DSA in the DNS
recommended for KEY RRs used in domain name system (DNS) data recommended for KEY RRs used in domain name system (DNS) data
Donald Eastlake 3rd [Page 4] D. Eastlake 3rd [Page 4]
INTERNET-DRAFT DSA in the DNS INTERNET-DRAFT DSA in the DNS
@ -257,13 +261,13 @@ INTERNET-DRAFT DSA in the DNS
dependent on local policy. dependent on local policy.
The key size limitation of a maximum of 1024 bits ( T = 8 ) in the The key size limitation of a maximum of 1024 bits ( T = 8 ) in the
current DSA standard may limit the security of DSA. For particularly current DSA standard may limit the security of DSA. For particular
critical applications, implementors are encouraged to consider the applications, implementors are encouraged to consider the range of
range of available algorithms and key sizes. available algorithms and key sizes.
DSA assumes the ability to frequently generate high quality random DSA assumes the ability to frequently generate high quality random
numbers. See [RFC 1750] for guidance. DSA is designed so that if numbers. See [RFC 1750] for guidance. DSA is designed so that if
manipulated rather than random numbers are used, very high bandwidth manipulated rather than random numbers are used, high bandwidth
covert channels are possible. See [Schneier] and more recent covert channels are possible. See [Schneier] and more recent
research. The leakage of an entire DSA private key in only two DSA research. The leakage of an entire DSA private key in only two DSA
signatures has been demonstrated. DSA provides security only if signatures has been demonstrated. DSA provides security only if
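Review bot: two wording changes in this security considerations hunk are substantive rather than editorial. "For particularly critical applications" becomes "For particular applications", which changes the scope of the advice to consider other algorithms and key sizes beyond the 1024-bit DSA limit, and "very high bandwidth covert channels" becomes "high bandwidth covert channels", which tones down the warning about manipulated random numbers. Both come from the upstream -01 text and are imported verbatim, but anyone who quoted the -00 wording elsewhere should re-check it against this revision.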
@ -284,7 +288,7 @@ INTERNET-DRAFT DSA in the DNS
Donald Eastlake 3rd [Page 5] D. Eastlake 3rd [Page 5]
INTERNET-DRAFT DSA in the DNS INTERNET-DRAFT DSA in the DNS
@ -316,9 +320,8 @@ References
[RFC 3110] - RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System [RFC 3110] - RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System
(DNS), D. Eastlake 3rd. May 2001. (DNS), D. Eastlake 3rd. May 2001.
[draft-sha1] - US Secure Hash Algorithm 1 (SHA1), draft-eastlake- [RFC 3174] - US Secure Hash Algorithm 1 (SHA1), D. Eastlake, P.
sha1-02.txt, work in progress, D. Eastlake, in IESG queue for Jones, September 2001.
approval as an Informational RFC.
[Schneier] - Bruce Schneier, "Applied Cryptography Second Edition: [Schneier] - Bruce Schneier, "Applied Cryptography Second Edition:
protocols, algorithms, and source code in C", 1996, John Wiley and protocols, algorithms, and source code in C", 1996, John Wiley and
@ -342,7 +345,8 @@ Author's Address
Donald Eastlake 3rd [Page 6]
D. Eastlake 3rd [Page 6]
INTERNET-DRAFT DSA in the DNS INTERNET-DRAFT DSA in the DNS
@ -350,9 +354,9 @@ INTERNET-DRAFT DSA in the DNS
Expiration and File Name Expiration and File Name
This draft expires in January 2002. This draft expires in May 2002.
Its file name is draft-ietf-dnsext-rfc2536bis-dsa-00.txt. Its file name is draft-ietf-dnsext-rfc2536bis-dsa-01.txt.
@ -400,5 +404,5 @@ Expiration and File Name
Donald Eastlake 3rd [Page 7] D. Eastlake 3rd [Page 7]