mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
This commit is contained in:
Mark Andrews 2001-11-27 12:58:44 +00:00
parent 60213f2815
commit 559fe25977
2 changed files with 106 additions and 102 deletions

View File

@ -6,7 +6,7 @@
DNEXT Working Group S. Rose
Internet Draft NIST
Expires: January 2001 July 2001
Expires: May 2001 November 2001
Category: Informational
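Review bot: the new Expires line is internally inconsistent: "Expires: May 2001 November 2001" dates the revision November 2001 but gives an expiry six months before that date. An Internet-Draft expires six months after submission, so this should read "Expires: May 2002 November 2001"; the same wrong expiry is repeated in the "Expiration and File Name" section and needs the same fix.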
@ -14,7 +14,7 @@ Category: Informational
DNS Security Document Roadmap
------------------------------
<draft-ietf-dnsext-dnssec-roadmap-04.txt>
<draft-ietf-dnsext-dnssec-roadmap-05.txt>
Status of this Document
@ -61,7 +61,7 @@ Rose [Page 1]
INTERNET-DRAFT DNS Security Document Roadmap April 2001
INTERNET-DRAFT DNS Security Document Roadmap November 2001
@ -120,7 +120,7 @@ Rose [Page 2]
INTERNET-DRAFT DNS Security Document Roadmap April 2001
INTERNET-DRAFT DNS Security Document Roadmap November 2001
1. Introduction
@ -180,7 +180,7 @@ Rose [Page 3]
INTERNET-DRAFT DNS Security Document Roadmap April 2001
INTERNET-DRAFT DNS Security Document Roadmap November 2001
possible that some documents fall into more than one of these
@ -205,15 +205,16 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
| Security | <------->| protocol |<-------->| Security |
| RRs | | | | Uses |
| [RFC2538, | | [RFC2535, | | [SSH-DNS] |
| RFC2931, | | RFC3007, | +-------------+
| NO, DSIG] | | RFC3008, |
| RFC2931, | | RFC3007, | +-------------+
| DSIG] | | RFC3008, |
+------------+ | RFC3090, |
| SIZE ] |
| SIZE, |
| OKBIT, |
| ADBIT, |
| OPTIN, |
| PARSIG, |
| PARKEY ] |
| PARKEY, |
| LIMIT ] |
+-----------+
|
|
@ -225,12 +226,11 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
| Algorithm | | Transactions | * Notes *
| Impl. | | | | |
| [RFC2536, | | [RFC2845, | * [CAIRN, *
| RFC2537 | | RFC2930] | | ROLLOVER, |
| RFC2539 | | | * RESROLLOVER ] *
| RFC2537 | | RFC2930, | | ROLLOVER, |
| RFC2539 | | RENEW ] | * RESROLLOVER ] *
| GSS-TSIG, | | | +-*-*-*-*-*-*-*-*-+
| RFC3110] | +---------------+
+------------+
Figure 1 DNSSEC Document Roadmap
| RFC3110, | +---------------+
| ECC, DH ] |
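Review bot: [GSS-TSIG] is left in the "DS Algorithm Impl" box of Figure 1 while [ECC] and [DH] are added beside it, but GSS-TSIG is not a signature algorithm for KEY/SIG records: this document's own entry for it is titled "GSS Algorithm for TSIG", which makes it a transaction-security mechanism that belongs in the "Transactions" box next to [RFC2845, RFC2930, RENEW]. Moving it would also match the "DS Algorithm Impl" paragraph, whose list of examples no longer names it.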
@ -240,7 +240,11 @@ Rose [Page 4]
INTERNET-DRAFT DNS Security Document Roadmap April 2001
INTERNET-DRAFT DNS Security Document Roadmap November 2001
+------------+
Figure 1 DNSSEC Document Roadmap
The "DNSSEC protocol" document set refers to the document that makes
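Review bot: the rows added to Figure 1 push its bottom border and the caption "Figure 1 DNSSEC Document Roadmap" past the page break, so they now land on page 5 after the "Rose [Page 4]" footer and the running header, detached from the diagram they belong to. Move the page break to before the figure (or trim the figure) so the whole diagram and its caption stay on one page.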
@ -258,22 +262,21 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
lines of RFC/Internet Draft author guidelines). Also, the portions
of the specification to be modified SHOULD be synopsized in the new
document for the benefit of the reader. The "DNSSEC protocol" set
includes the documents [RFC2535], [RFC3007], [RFC3008], [RFC3090],
[SIZE], [OKBIT], [ADBIT], [OPTIN], [PARSIG], [PARKEY] and their
derivative documents.
includes the documents [RFC2535], [RFC3007], [RFC3008], [RFC3090] and
their derivative documents.
The "New Security RRs" set refers to the group of documents that seek
to add additional Resource Records to the set of base DNS Record
types. These new records can be related to securing the DNS protocol
[RFC2535], [RFC2931], [NO] or using DNS security for other purposes
such as storing certificates [RFC2538].
[RFC2535], [RFC2931], or using DNS security for other purposes such
as storing certificates [RFC2538].
The "DS Algorithm Impl" document set refers to the group of documents
that describe how a specific digital signature algorithm is imple-
mented to fit the DNSSEC Resource Record format. Each one of these
documents deals with one specific digital signature algorithm. Exam-
ples of this set include [RFC2536], [RFC2537], [RFC2539], [RFC3110]
and [GSS-TSIG].
ples of this set include [RFC2536], [RFC2537], [RFC2539] and
[RFC3110].
The "Transactions" document set refers to the group of documents that
deal with the message transaction sequence of security-related DNS
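Review bot: the rewritten sentence "includes the documents [RFC2535], [RFC3007], [RFC3008], [RFC3090] and their derivative documents" no longer agrees with Figure 1, whose "DNSSEC protocol" box still lists [SIZE], [OKBIT], [ADBIT], [OPTIN], [PARSIG], [PARKEY] and the newly added [LIMIT]. Either keep those drafts in the prose list (the previous text had all of them except LIMIT) or say explicitly that the figure also shows the work-in-progress drafts enumerated after the Acknowledgements, so a reader does not take the shorter prose list as the authoritative one.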
@ -288,9 +291,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
related purposes. Documents that fall in this category include the
use of DNS in the storage and distribution of certificates and indi-
vidual user public keys (PGP, e-mail, etc.) Some documents in this
group may fall beyond the DNSEXT WG scope, but they are included
because of their use of the security extensions. The documents in
this group should not propose any changes to the DNS protocol to
@ -300,10 +300,13 @@ Rose [Page 5]
INTERNET-DRAFT DNS Security Document Roadmap April 2001
INTERNET-DRAFT DNS Security Document Roadmap November 2001
support other protocols; only how existing DNS security records and
group may fall beyond the DNSEXT WG scope, but they are included
because of their use of the security extensions. The documents in
this group should not propose any changes to the DNS protocol to sup-
port other protocols; only how existing DNS security records and
transactions can be used to support other protocols. One such docu-
ment is [SSH-DNS] which deals with storing SSH keys in the DNS using
the security records.
@ -348,9 +351,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
required content and structure. It is the purpose of this document
roadmap to establish criteria for content that any new DNS security
protocol specifications document SHOULD contain. These criteria
SHOULD be interpreted as a minimum set of information required/needed
in a document, any additional information regarding the specific
extension should also be included in the document. These criteria
@ -360,9 +360,12 @@ Rose [Page 6]
INTERNET-DRAFT DNS Security Document Roadmap April 2001
INTERNET-DRAFT DNS Security Document Roadmap November 2001
SHOULD be interpreted as a minimum set of information required/needed
in a document, any additional information regarding the specific
extension should also be included in the document. These criteria
are not officially part of the IETF guidelines regarding RFC/Internet
Drafts, but should be considered as guidance to promote uniformity to
Working Group documents.
@ -408,9 +411,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
* the current known status of the algorithm (as one of REQUIRED,
RECOMMENDED, or OPTIONAL).
In addition, authors are encouraged to include any necessary descrip-
tion of the algorithm itself, as well as any know/suspected
weaknesses as an appendix to the document. This is for reference
@ -420,9 +420,12 @@ Rose [Page 7]
INTERNET-DRAFT DNS Security Document Roadmap April 2001
INTERNET-DRAFT DNS Security Document Roadmap November 2001
In addition, authors are encouraged to include any necessary descrip-
tion of the algorithm itself, as well as any know/suspected
weaknesses as an appendix to the document. This is for reference
only, as the goals of the DNSEXT working group is to propose exten-
sions to the DNS protocol, not cryptographic research.
@ -469,9 +472,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
document [RFC2535].
6. Acknowledgements
Rose [Page 8]
@ -480,9 +480,11 @@ Rose [Page 8]
INTERNET-DRAFT DNS Security Document Roadmap April 2001
INTERNET-DRAFT DNS Security Document Roadmap November 2001
6. Acknowledgements
In addition to the RFCs mentioned in this document, there are also
numerous Internet drafts that fall in one or more of the categories
of DNS Security documents mentioned above. Depending on where (and
@ -502,8 +504,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
message size requirements". <draft-ietf-dnsext-message-size-NN.txt>
* GSS-TSIG: S. Kwan, P. Garg, J. Gilroy, and L. Esibov. "GSS
Algorithm for TSIG (GSS-TSIG)". <draft-ietf-dnsext-gss-tsig-NN.txt>
* NO: S. A. Josefsson. "Authenticating Denial of Existence in DNS
with Minimum Disclosure". <draft-ietf-dnsext-not-existing-rr-NN.txt>
* OKBIT: D. Conrad. "Indicting Resolver Support of DNSSEC".
<draft-ietf-dnsext-dnssec-okbit-NN.txt>
* ROLLOVER: M. Andrews, D. Eastlake. "Domain Name System (DNS)
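Review bot: removing the [NO] entry is consistent with dropping [NO] from Figure 1 and from the "New Security RRs" paragraph, but the adjacent OKBIT entry carries a typo that could be fixed in the same hunk: "Indicting Resolver Support of DNSSEC" should read "Indicating Resolver Support of DNSSEC".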
@ -523,14 +523,14 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
* RESROLLOVER: O. Kolkman, M. Gieben, R. Arends. "Rollover of
statically configured resolver keys". <draft-ietf-dnsop-resolver-
rollover-NN.txt>
7. References
[RFC2535] D. Eastlake, "Domain Name System Security Extensions", RFC
2535, March 1999.
[RFC2537] D. Eastlake, "RSA/MD5 KEYs and SIGs in the Domain Name
* ECC: D. Eastlake and R. Schroeppel. "Elliptic Curve KEYs in the
DNS". <draft-ietf-dnsext-ecc-key-NN.txt>
* RENEW: Y. Kamite, M. Nakayama. "TKEY Secret Key Renewal Mode".
<draft-ietf-dnsext-tkey-renewal-mode-NN.txt>
* LIMIT: D. Massey and S. Rose. "Limiting the Scope of the KEY
Resource Record". <draft-ietf-dnsext-restrict-key-for-dnssec-NN.txt>
* DH: D. Eastlake. "Storage of Diffie-Hellman Keys in the Domain
Name System (DNS)". <draft-ietf-dnsext-rfc2539bis-dhk-NN.txt>
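Review bot: the four new Internet-Draft entries (ECC, RENEW, LIMIT, DH) are appended after RESROLLOVER instead of being slotted into the existing order of the list (GSS-TSIG, OKBIT, ROLLOVER, ...), which is roughly alphabetical by short name; put DH and ECC before GSS-TSIG, LIMIT after GSS-TSIG and RENEW before ROLLOVER. Since [DH] cites draft-ietf-dnsext-rfc2539bis-dhk and Figure 1 now lists both [RFC2539] and [DH], it is worth one clause saying that DH is the revision intended to replace RFC 2539 rather than a separate algorithm document.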
@ -540,10 +540,16 @@ Rose [Page 9]
INTERNET-DRAFT DNS Security Document Roadmap April 2001
INTERNET-DRAFT DNS Security Document Roadmap November 2001
System (DNS)", RFC 2537, March 1999.
7. References
[RFC2535] D. Eastlake, "Domain Name System Security Extensions", RFC
2535, March 1999.
[RFC2537] D. Eastlake, "RSA/MD5 KEYs and SIGs in the Domain Name Sys-
tem (DNS)", RFC 2537, March 1999.
[RFC2536] D. Eastlake, "DSA KEYs and SIGs in the Domain Name System
(DNS)", RFC 2536, March 1999.
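Review bot: while the "7. References" heading and its first entries are being moved across the page break, swap [RFC2537] and [RFC2536] so they follow the order in which the body cites them ([RFC2536], [RFC2537], [RFC2539]); and avoid the new "Sys-tem" hyphenation inside a reference title, since the previous break after "Name" read better.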
@ -585,12 +591,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate Require-
ment Levels", RFC-2119, March 1997.
[RFC3007] B. Wellington, "Secure Domain Name System (DNS) Dynamic
Update". RFC 3007, November 2000.
[RFC3008] B. Wellington, "Domain Name System Security (DNSSEC) Sign-
ing Authority". RFC 3008, November 2000.
@ -600,7 +600,16 @@ Rose [Page 10]
INTERNET-DRAFT DNS Security Document Roadmap April 2001
INTERNET-DRAFT DNS Security Document Roadmap November 2001
[RFC3007] B. Wellington, "Secure Domain Name System (DNS) Dynamic
Update". RFC 3007, November 2000.
[RFC3008] B. Wellington, "Domain Name System Security (DNSSEC) Sign-
ing Authority". RFC 3008, November 2000.
8. Author's Addresses
@ -614,7 +623,7 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001
Expiration and File Name:
This draft, titled <draft-ietf-dnsext-dnssec-roadmap-04.txt> expires January 2001.
This draft, titled <draft-ietf-dnsext-dnssec-roadmap-05.txt> expires May 2001.
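Review bot: "expires May 2001" is wrong for a revision dated November 2001; it should be May 2002, and the Expires line on the first page of the draft needs the same correction.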
@ -645,24 +654,21 @@ Expiration and File Name:
Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
Rose [Page 11]
INTERNET-DRAFT DNS Security Document Roadmap April 2001
INTERNET-DRAFT DNS Security Document Roadmap November 2001
Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
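Review bot: the Full Copyright Statement being moved here still reads "Copyright (C) The Internet Society (1999)"; for a revision dated November 2001 the year should be 2001.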
@ -701,12 +707,6 @@ INTERNET-DRAFT DNS Security Document Roadmap April 2001

View File

@ -1,7 +1,11 @@
INTERNET-DRAFT DSA KEYs and SIGs in the DNS
OBSOLETES: RFC 2536 Donald Eastlake 3rd
Motorola
Expires: January 2002 July 2001
Expires: May 2002 November 2001
@ -9,7 +13,7 @@ Expires: January 2002 July 2001
DSA KEYs and SIGs in the Domain Name System (DNS)
--- ---- --- ---- -- --- ------ ---- ------ -----
<draft-ietf-dnsext-rfc2536bis-dsa-00.txt>
<draft-ietf-dnsext-rfc2536bis-dsa-01.txt>
Donald E. Eastlake 3rd
@ -52,7 +56,7 @@ Abstract
Donald Eastlake 3rd [Page 1]
D. Eastlake 3rd [Page 1]
INTERNET-DRAFT DSA in the DNS
@ -110,7 +114,7 @@ Table of Contents
Donald Eastlake 3rd [Page 2]
D. Eastlake 3rd [Page 2]
INTERNET-DRAFT DSA in the DNS
@ -122,8 +126,7 @@ INTERNET-DRAFT DSA in the DNS
distributed database system for Internet addressing, mail proxy, and
other information. The DNS has been extended to include digital
signatures and cryptographic keys as described in [RFC 2535]. Thus
the DNS can now be secured and can be used for secure key
distribution.
the DNS can now be secured and can be used for key distribution.
This document describes how to store US Government Digital Signature
Algorithm (DSA) keys and signatures in the DNS. Familiarity with the
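Review bot: "can be used for key distribution" drops the claim too far in the other direction. What the RFC 2535 signatures give the DNS is authenticated (integrity-protected) key distribution, not confidentiality, so "authenticated key distribution" says exactly what the extension provides and avoids both the over-claim in the old "secure key distribution" and the vagueness of the new wording.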
@ -150,7 +153,7 @@ INTERNET-DRAFT DSA in the DNS
G 64 + T*8 octets
Y 64 + T*8 octets
As described in [FIPS 186-2] and [Schneier]: T is a key size
As described in [FIPS 186-2] and [Schneier], T is a key size
parameter chosen such that 0 <= T <= 8. (The meaning for algorithm 3
if the T octet is greater than 8 is reserved and the remainder of the
RDATA portion may have a different format in that case.) Q is a
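Review bot: the comma fix is fine, but the parenthetical that follows ("if the T octet is greater than 8 is reserved and the remainder of the RDATA portion may have a different format") should say what an implementation does with such a record: the sizes of P, G and Y are derived from T, so a verifier that applies the 64 + T*8 octet layout without first checking 0 <= T <= 8 will mis-parse the RDATA. State that a KEY RR with T > 8 MUST be treated as an unknown/unsupported key and not used for validation.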
@ -158,17 +161,18 @@ INTERNET-DRAFT DSA in the DNS
2**160 so Q is always 20 octets long and, as with all other fields,
is stored in "big-endian" network order. P, G, and Y are calculated
as directed by the [FIPS 186-2] key generation algorithm [Schneier].
P is in the range 2**(511+64T) < P < 2**(512+64T) and so is 64 + 8*T
octets long. G and Y are quantities modulo P and so can be up to the
same length as P and are allocated fixed size fields with the same
number of octets as P.
P is in the range 2**(511+64T) < P < 2**(512+64T) and thus is 64 +
8*T octets long. G and Y are quantities modulo P and so can be up to
the same length as P and are allocated fixed size fields with the
same number of octets as P.
During the key generation process, a random number X must be
generated such that 1 <= X <= Q-1. X is the private key and is used
in the final step of public key generation where Y is computed as
Donald Eastlake 3rd [Page 3]
D. Eastlake 3rd [Page 3]
INTERNET-DRAFT DSA in the DNS
@ -203,8 +207,8 @@ INTERNET-DRAFT DSA in the DNS
S = ( K**(-1) * (hash + X*R) ) mod Q
For infromation on the SHA-1 has funcation see [FIPS 180-1] and
[draft-sha1].
For infromation on the SHA-1 has funcation see [FIPS 180-1] and [RFC
3174].
Since Q is 160 bits long, R and S can not be larger than 20 octets,
which is the space allocated.
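Review bot: the reference is correctly updated to [RFC 3174], but the sentence carries three typos from the old line into the new one: "For infromation on the SHA-1 has funcation" should read "For information on the SHA-1 hash function".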
@ -226,7 +230,7 @@ INTERNET-DRAFT DSA in the DNS
recommended for KEY RRs used in domain name system (DNS) data
Donald Eastlake 3rd [Page 4]
D. Eastlake 3rd [Page 4]
INTERNET-DRAFT DSA in the DNS
@ -257,13 +261,13 @@ INTERNET-DRAFT DSA in the DNS
dependent on local policy.
The key size limitation of a maximum of 1024 bits ( T = 8 ) in the
current DSA standard may limit the security of DSA. For particularly
critical applications, implementors are encouraged to consider the
range of available algorithms and key sizes.
current DSA standard may limit the security of DSA. For particular
applications, implementors are encouraged to consider the range of
available algorithms and key sizes.
DSA assumes the ability to frequently generate high quality random
numbers. See [RFC 1750] for guidance. DSA is designed so that if
manipulated rather than random numbers are used, very high bandwidth
manipulated rather than random numbers are used, high bandwidth
covert channels are possible. See [Schneier] and more recent
research. The leakage of an entire DSA private key in only two DSA
signatures has been demonstrated. DSA provides security only if
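Review bot: two edits in this hunk weaken the security advice without explanation: "particularly critical applications" becomes "particular applications" (which no longer says which applications are meant), and "very high bandwidth covert channels" becomes "high bandwidth". If the intent is to soften, say what "particular" means; otherwise keep the original wording. The last sentence would also be clearer if it named the failure it refers to: with the signature equation S = (K**(-1) * (hash + X*R)) mod Q, reusing the per-signature K for two messages yields the same R, and subtracting the two S values lets anyone recover K and then the private key X, so K must be fresh, uniformly random and kept secret for every signature. Since the paragraph already points implementors to other algorithms, cite [RFC 3110] (RSA/SHA-1, already in this draft's references) as the concrete alternative to the 1024-bit DSA cap.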
@ -284,7 +288,7 @@ INTERNET-DRAFT DSA in the DNS
Donald Eastlake 3rd [Page 5]
D. Eastlake 3rd [Page 5]
INTERNET-DRAFT DSA in the DNS
@ -316,9 +320,8 @@ References
[RFC 3110] - RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System
(DNS), D. Eastlake 3rd. May 2001.
[draft-sha1] - US Secure Hash Algorithm 1 (SHA1), draft-eastlake-
sha1-02.txt, work in progress, D. Eastlake, in IESG queue for
approval as an Informational RFC.
[RFC 3174] - US Secure Hash Algorithm 1 (SHA1), D. Eastlake, P.
Jones, September 2001.
[Schneier] - Bruce Schneier, "Applied Cryptography Second Edition:
protocols, algorithms, and source code in C", 1996, John Wiley and
@ -342,7 +345,8 @@ Author's Address
Donald Eastlake 3rd [Page 6]
D. Eastlake 3rd [Page 6]
INTERNET-DRAFT DSA in the DNS
@ -350,9 +354,9 @@ INTERNET-DRAFT DSA in the DNS
Expiration and File Name
This draft expires in January 2002.
This draft expires in May 2002.
Its file name is draft-ietf-dnsext-rfc2536bis-dsa-00.txt.
Its file name is draft-ietf-dnsext-rfc2536bis-dsa-01.txt.
@ -400,5 +404,5 @@ Expiration and File Name
Donald Eastlake 3rd [Page 7]
D. Eastlake 3rd [Page 7]