mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00

new draft

Mark Andrews
2009-11-10 22:13:24 +00:00
parent 2e2a294b05
commit f466c1552a


@@ -1,12 +1,12 @@
DNS Extensions working group V.Dolmatov, Ed.
Internet-Draft Cryptocom Ltd.
Intended status: Standards Track October 18, 2009
Expires: April 18, 2010
Intended status: Standards Track November 10, 2009
Expires: May 10, 2010
Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records
for DNSSEC
draft-ietf-dnsext-dnssec-gost-01
draft-ietf-dnsext-dnssec-gost-02
Status of this Memo
@@ -29,7 +29,7 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 18 2010.
This Internet-Draft will expire on May 10 2010.
Copyright Notice
@@ -49,7 +49,7 @@ Abstract
Name System Security Extensions (DNSSEC, RFC 4033, RFC 4034,
and RFC 4035).
V.Dolmatov Expires April 18, 2010 [Page 1]
V.Dolmatov Expires May 10, 2010 [Page 1]
Table of Contents
@@ -106,7 +106,7 @@ Table of Contents
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
V.Dolmatov Expires April 18, 2010 [Page 2]
V.Dolmatov Expires May 10, 2010 [Page 2]
2. DNSKEY Resource Records
@@ -145,7 +145,7 @@ V.Dolmatov Expires April 18, 2010 [Page 2]
section 2.3.2.
To make this encoding from the wire format of a GOST public key
with the parameters used in this document, prepend last 64 octets
with the parameters used in this document, prepend the last 64 octets
of key data (in other words, substitute first two parameter octets)
with the following 37-byte sequence:
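Review bot: the sentence "prepend the last 64 octets of key data ... with the following 37-byte sequence" is still ambiguous about direction after the added "the"; "prepend X with Y" is not standard usage. Since the intent (per the parenthetical "substitute first two parameter octets") is that the 37-byte sequence comes first, followed by the 64 octets of key data, "prefix the last 64 octets of key data with the following 37-byte sequence" states the order unambiguously.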
@@ -155,23 +155,24 @@ V.Dolmatov Expires April 18, 2010 [Page 2]
2.2. GOST DNSKEY RR Example
Given a private key with the following value:
Given a private key with the following value (the value of GostAsn1
field is split here into two lines to simplify reading; in the
private key file it must be in one line):
Private-key-format: v1.2
Algorithm: {TBA1} (GOST)
GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEE
IgQgAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgV/S
2FXdMtzKJBehZvjF4lVSx6m66TwqSe/MFwKSH/3E=
(corresponding to private key value 1)
V.Dolmatov Expires April 18, 2010 [Page 3]
V.Dolmatov Expires May 10, 2010 [Page 3]
The following DNSKEY RR stores a DNS zone key for example.net
example.net. 86400 IN DNSKEY 256 3 {TBA1} ( AAABAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAABQe
n56cyawiseMj3y1PKTV2Kz9F
WlDfJ9qcmOBx5JGN )
example.net. 86400 IN DNSKEY 256 3 {TBA1} (
AADMrbi2vAs4hklTmmzGE3WWNtJ8Dll0u0jq
tGRbNKeJguZQj/9EpGWmQK9hekPiPlzH2Ph6
yB7i836EfzmJo5LP
) ; key id = 15820
3. RRSIG Resource Records
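Review bot: the "; key id = 15820" comment on the new DNSKEY example (and the 15820 key tag the RRSIG example in the next section relies on) is a key tag computed over the DNSKEY RDATA, which includes the algorithm octet; because the example assumes the placeholder {TBA1}==249 "until proper code is assigned by IANA", both values will change once the real algorithm number is assigned and the examples will have to be regenerated. A sentence beside the example saying the key ids are valid only for the placeholder value would save implementers from chasing a spurious mismatch.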
@@ -209,13 +210,18 @@ V.Dolmatov Expires April 18, 2010 [Page 3]
Setting the inception date to 2000-01-01 00:00:00 UTC and the
expiration date to 2030-01-01 00:00:00 UTC, the following signature
should be created (assuming {TBA1}==249 until proped code is
should be created (assuming {TBA1}==249 until proper code is
assigned by IANA)
www.example.net. 3600 IN RRSIG ( A {TBA1} 3 3600
20300101000000 20000101000000 9033 example.net.
96ObOt5gR6Xln8g42w70OZvi6BZoQvLIhrN9F+VBc29mp+ap
DQov1re0hApGenYDd2zLaHecw4H2vnPj0NhhxA== )
www.example.net. 3600 IN RRSIG A {TBA1} 3 3600 20300101000000 (
20000101000000 15820 example.net.
K4sw+TOJz47xqP6685ItDfPhkktyvgxXrLdX
aQLX01mMZbJUp6tzetBYGpdHciAW5RLvHLVB
P8RtFK8Qv5DRsA== )
Note: Several GOST signatures calculated for the same message text
will differ because of using of random element in signature
generation process.
4. DS Resource Records
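Review bot: the new Note ("will differ because of using of random element in signature generation process") should also state what that means for the test vector: an implementation cannot reproduce this RRSIG byte-for-byte and must instead verify it against the DNSKEY from section 2.2, so this is a verification vector rather than a generation vector. Suggested wording: "Note: GOST signatures computed over the same data will differ, because the signature generation process uses a random element; implementations should therefore verify the signature above rather than compare it with their own output."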
@@ -223,7 +229,7 @@ V.Dolmatov Expires April 18, 2010 [Page 3]
type {TBA2}. The wire format of a digest value is compatible with
RFC 4490 [RFC4490].
V.Dolmatov Expires April 18, 2010 [Page 4]
V.Dolmatov Expires May 10, 2010 [Page 4]
Quoting RFC 4490:
@@ -234,9 +240,22 @@ V.Dolmatov Expires April 18, 2010 [Page 4]
4.1. DS RR Example
example.net. 3600 IN DS 9033 {TBA1} {TBA2} ( Su0ToNow7Lwex+wqac+cTQ
djJ733qubhan+KqUrselc= )
For key signing key (assuming {TBA1}==249 until proper code is
assigned by IANA)
example.net. 86400 DNSKEY 257 3 {TBA1} (
AAADr5vmKVdXo780hSRU1YZYWuMZUbEe9R7C
RRLc7Wj2osDXv2XbCnIpTUx8dVLnLKmDBquu
9tCz5oSsZl0cL0R2
) ; key id = 21649
DS RR will be
example.net. 3600 IN DS 21649 {TBA1} {TBA2} (
A8146F448569F30B91255BA8E98DE14B18569A524C49593ADCA4103A
A44649C6 )
5. Deployment Considerations
5.1. Key Sizes
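Review bot: the added KSK record "example.net. 86400 DNSKEY 257 3 {TBA1} (" omits the class field that the other examples carry ("example.net. 86400 IN DNSKEY 256 3 ..." and "example.net. 3600 IN DS ..."); add "IN" for consistency. The two lead-in lines also read better as "For the key signing key (assuming ...)" and "the DS RR will be". Switching the digest from base64 to hex is the right change, since hex is the DS presentation format, and the 64 hex digits shown match the 256-bit output of the hash.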
@@ -283,7 +302,7 @@ V.Dolmatov Expires April 18, 2010 [Page 4]
of multiple elliptic curve point computations on prime modulus
2**256.
V.Dolmatov Expires April 18, 2010 [Page 5]
V.Dolmatov Expires May 10, 2010 [Page 5]
Currently, the cryptographic resistance of GOST 34.11-94 hash
algorithm is estimated as 2**128 operations of computations of a
@@ -339,7 +358,7 @@ V.Dolmatov Expires April 18, 2010 [Page 5]
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
V.Dolmatov Expires April 18, 2010 [Page 6]
V.Dolmatov Expires May 10, 2010 [Page 6]
[RFC4035] Arends R., Austein R., Larson M., Massey D., and S.
Rose, "Protocol Modifications for the DNS Security
@@ -396,7 +415,7 @@ V.Dolmatov Expires April 18, 2010 [Page 6]
"GOST R 34.10-2001 digital signature algorithm"
draft-dolmatov-cryptocom-gost3410-2001-05,
work in progress
V.Dolmatov Expires April 18, 2010 [Page 7]
V.Dolmatov Expires May 10, 2010 [Page 7]
[DRAFT2] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S.,
"GOST R 34.11-94 Hash function algorithm"
@@ -430,6 +449,7 @@ Moscow, 117303, Russian Federation
EMail: igus@cryptocom.ru
V.Dolmatov Expires April 18, 2010 [Page 8]
V.Dolmatov Expires May 10, 2010 [Page 8]