mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 06:25:31 +00:00

new draft

This commit is contained in:
Mark Andrews
2008-12-05 00:21:52 +00:00
parent 0339c8af8c
commit 76fe07917f


@@ -3,13 +3,13 @@
DNS Extensions working group J. Jansen DNS Extensions working group J. Jansen
Internet-Draft NLnet Labs Internet-Draft NLnet Labs
Intended status: Standards Track December 03, 2008 Intended status: Standards Track December 04, 2008
Expires: June 6, 2009 Expires: June 7, 2009
Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records
for DNSSEC for DNSSEC
draft-ietf-dnsext-dnssec-rsasha256-07 draft-ietf-dnsext-dnssec-rsasha256-09
Status of this Memo Status of this Memo
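Review bot: the draft name in this hunk jumps from draft-ietf-dnsext-dnssec-rsasha256-07 straight to -09, so the intermediate -08 revision is never checked in, and the commit message "new draft" does not say which revision is being imported. If -08 was skipped deliberately, say so in the commit message (e.g. "import draft-ietf-dnsext-dnssec-rsasha256-09, replacing -07"); otherwise import -08 first so the history tracks each published revision.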
@@ -34,7 +34,7 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 6, 2009. This Internet-Draft will expire on June 7, 2009.
Abstract Abstract
@@ -52,7 +52,7 @@ Abstract
Jansen Expires June 6, 2009 [Page 1] Jansen Expires June 7, 2009 [Page 1]
Internet-Draft DNSSEC RSA/SHA-2 December 2008 Internet-Draft DNSSEC RSA/SHA-2 December 2008
@@ -108,7 +108,7 @@ Table of Contents
Jansen Expires June 6, 2009 [Page 2] Jansen Expires June 7, 2009 [Page 2]
Internet-Draft DNSSEC RSA/SHA-2 December 2008 Internet-Draft DNSSEC RSA/SHA-2 December 2008
@@ -128,7 +128,7 @@ Internet-Draft DNSSEC RSA/SHA-2 December 2008
SHA-512, and specifies how to store DNSKEY data and how to produce SHA-512, and specifies how to store DNSKEY data and how to produce
RRSIG resource records with these hash algorithms. RRSIG resource records with these hash algorithms.
Familiarity with DNSSEC, RSA and the SHA-2 [FIPS.180-2.2002] family Familiarity with DNSSEC, RSA and the SHA-2 [FIPS.180-3.2008] family
of algorithms is assumed in this document. of algorithms is assumed in this document.
To refer to both SHA-256 and SHA-512, this document will use the name To refer to both SHA-256 and SHA-512, this document will use the name
@@ -164,7 +164,7 @@ Internet-Draft DNSSEC RSA/SHA-2 December 2008
Jansen Expires June 6, 2009 [Page 3] Jansen Expires June 7, 2009 [Page 3]
Internet-Draft DNSSEC RSA/SHA-2 December 2008 Internet-Draft DNSSEC RSA/SHA-2 December 2008
@@ -193,7 +193,7 @@ Internet-Draft DNSSEC RSA/SHA-2 December 2008
hash = SHA-XXX(data) hash = SHA-XXX(data)
Here XXX is either 256 or 512, depending on the algorithm used, as Here XXX is either 256 or 512, depending on the algorithm used, as
specified in FIPS PUB 180-2 [FIPS.180-2.2002], and "data" is the wire specified in FIPS PUB 180-3 [FIPS.180-3.2008], and "data" is the wire
format data of the resource record set that is signed, as specified format data of the resource record set that is signed, as specified
in RFC 4034 [RFC4034]. in RFC 4034 [RFC4034].
@@ -220,7 +220,7 @@ Internet-Draft DNSSEC RSA/SHA-2 December 2008
Jansen Expires June 6, 2009 [Page 4] Jansen Expires June 7, 2009 [Page 4]
Internet-Draft DNSSEC RSA/SHA-2 December 2008 Internet-Draft DNSSEC RSA/SHA-2 December 2008
@@ -276,22 +276,17 @@ Internet-Draft DNSSEC RSA/SHA-2 December 2008
Jansen Expires June 6, 2009 [Page 5] Jansen Expires June 7, 2009 [Page 5]
Internet-Draft DNSSEC RSA/SHA-2 December 2008 Internet-Draft DNSSEC RSA/SHA-2 December 2008
6. IANA Considerations 6. IANA Considerations
Note to the RFC editor: please remove this paragraph during final This document updates the IANA registry "DNS SECURITY ALGORITHM
editing, and request IANA to update the {TBA} designators. NUMBERS -- per [RFC4035]"
(http://www.iana.org/assignments/dns-sec-alg-numbers). The following
IANA has assigned DNS Security Algorithm Numbers {TBA1} for RSA/ entries are added to the registry:
SHA-256 with NSEC, {TBA2} for RSA/SHA-256 with NSEC3, {TBA3} for RSA/
SHA-512 with NSEC, and {TBA4} for RSA/SHA-512 with NSEC3.
The algorithm list from RFC 4034 Appendix A.1 [RFC4034] is extended
with the following entries:
Zone Zone
Value Algorithm Mnemonic Signing References Value Algorithm Mnemonic Signing References
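Review bot: the removed text enumerated exactly four assignments ({TBA1} RSA/SHA-256 with NSEC, {TBA2} RSA/SHA-256 with NSEC3, {TBA3} RSA/SHA-512 with NSEC, {TBA4} RSA/SHA-512 with NSEC3) and the RFC-editor note asking IANA to fill in the designators; the replacement text only says "The following entries are added to the registry" and the table body is outside the hunk's context. Check that the table that follows now carries concrete algorithm numbers rather than {TBA} placeholders and still lists all four NSEC/NSEC3 variants, since this section is what validators and signers will key the new algorithm numbers on, and a stale placeholder here would ship into the BIND tree.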
@@ -329,17 +324,19 @@ Internet-Draft DNSSEC RSA/SHA-2 December 2008
malicious party cannot filter out the RSA/SHA-2 RRSIG, and force the malicious party cannot filter out the RSA/SHA-2 RRSIG, and force the
validator to use the RSA/SHA-1 signature if both are present in the validator to use the RSA/SHA-1 signature if both are present in the
zone. This should provide resilience against algorithm downgrade zone. This should provide resilience against algorithm downgrade
attacks, if the validator supports RSA/SHA-2.
Jansen Expires June 6, 2009 [Page 6]
Jansen Expires June 7, 2009 [Page 6]
Internet-Draft DNSSEC RSA/SHA-2 December 2008 Internet-Draft DNSSEC RSA/SHA-2 December 2008
attacks, if the validator supports RSA/SHA-2.
8. Acknowledgments 8. Acknowledgments
This document is a minor extension to RFC 4034 [RFC4034]. Also, we This document is a minor extension to RFC 4034 [RFC4034]. Also, we
@@ -357,9 +354,9 @@ Internet-Draft DNSSEC RSA/SHA-2 December 2008
9.1. Normative References 9.1. Normative References
[FIPS.180-2.2002] [FIPS.180-3.2008]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-2, August 2002. Hash Standard", FIPS PUB 180-3, October 2008.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
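Review bot: the normative reference is moved from FIPS PUB 180-2 (August 2002) to FIPS PUB 180-3 (October 2008), and the two in-text citations earlier in this diff (the "Familiarity with DNSSEC, RSA and the SHA-2 ... family" sentence and the "hash = SHA-XXX(data) ... as specified in FIPS PUB 180-3" definition) are updated to match, so the citation key [FIPS.180-3.2008] is consistent throughout the visible hunks. Worth a quick grep of the full draft for any remaining "180-2" before merging, as a dangling old key would be an unresolved reference rather than a harmless typo.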
@@ -386,15 +383,16 @@ Internet-Draft DNSSEC RSA/SHA-2 December 2008
"Recommendations for Key Management", NIST SP 800-57, "Recommendations for Key Management", NIST SP 800-57,
March 2007. March 2007.
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications
Jansen Expires June 6, 2009 [Page 7]
Jansen Expires June 7, 2009 [Page 7]
Internet-Draft DNSSEC RSA/SHA-2 December 2008 Internet-Draft DNSSEC RSA/SHA-2 December 2008
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1", RFC 3447, February 2003. Version 2.1", RFC 3447, February 2003.
[RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer [RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
@@ -444,7 +442,9 @@ Author's Address
Jansen Expires June 6, 2009 [Page 8]
Jansen Expires June 7, 2009 [Page 8]
Internet-Draft DNSSEC RSA/SHA-2 December 2008 Internet-Draft DNSSEC RSA/SHA-2 December 2008
@@ -500,5 +500,5 @@ Intellectual Property
Jansen Expires June 6, 2009 [Page 9] Jansen Expires June 7, 2009 [Page 9]