mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 15:45:25 +00:00

new draft

This commit is contained in:
Mark Andrews
2009-11-10 22:13:24 +00:00
parent 2e2a294b05
commit f466c1552a

@@ -1,12 +1,12 @@
DNS Extensions working group V.Dolmatov, Ed. DNS Extensions working group V.Dolmatov, Ed.
Internet-Draft Cryptocom Ltd. Internet-Draft Cryptocom Ltd.
Intended status: Standards Track October 18, 2009 Intended status: Standards Track November 10, 2009
Expires: April 18, 2010 Expires: May 10, 2010
Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records
for DNSSEC for DNSSEC
draft-ietf-dnsext-dnssec-gost-01 draft-ietf-dnsext-dnssec-gost-02
Status of this Memo Status of this Memo
@@ -29,7 +29,7 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 18 2010. This Internet-Draft will expire on May 10 2010.
Copyright Notice Copyright Notice
@@ -49,7 +49,7 @@ Abstract
Name System Security Extensions (DNSSEC, RFC 4033, RFC 4034, Name System Security Extensions (DNSSEC, RFC 4033, RFC 4034,
and RFC 4035). and RFC 4035).
V.Dolmatov Expires April 18, 2010 [Page 1] V.Dolmatov Expires May 10, 2010 [Page 1]
Table of Contents Table of Contents
@@ -106,7 +106,7 @@ Table of Contents
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
V.Dolmatov Expires April 18, 2010 [Page 2] V.Dolmatov Expires May 10, 2010 [Page 2]
2. DNSKEY Resource Records 2. DNSKEY Resource Records
@@ -145,7 +145,7 @@ V.Dolmatov Expires April 18, 2010 [Page 2]
section 2.3.2. section 2.3.2.
To make this encoding from the wire format of a GOST public key To make this encoding from the wire format of a GOST public key
with the parameters used in this document, prepend last 64 octets with the parameters used in this document, prepend the last 64 octets
of key data (in other words, substitute first two parameter octets) of key data (in other words, substitute first two parameter octets)
with the following 37-byte sequence: with the following 37-byte sequence:
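Review bot: Inserting "the" does not repair the instruction at the "prepend the last 64 octets ... with the following 37-byte sequence" line; "prepend X with Y" is still ambiguous about which bytes end up first, and the parenthetical "substitute first two parameter octets" is the real rule. Suggest rewording to "prefix the last 64 octets of key data with the following 37-byte sequence (that is, replace the first two parameter octets with it)", so an implementer cannot read it as appending the sequence after the key.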
@@ -155,23 +155,24 @@ V.Dolmatov Expires April 18, 2010 [Page 2]
2.2. GOST DNSKEY RR Example 2.2. GOST DNSKEY RR Example
Given a private key with the following value: Given a private key with the following value (the value of GostAsn1
field is split here into two lines to simplify reading; in the
private key file it must be in one line):
Private-key-format: v1.2 Private-key-format: v1.2
Algorithm: {TBA1} (GOST) Algorithm: {TBA1} (GOST)
GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEE GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgV/S
IgQgAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= 2FXdMtzKJBehZvjF4lVSx6m66TwqSe/MFwKSH/3E=
(corresponding to private key value 1) V.Dolmatov Expires May 10, 2010 [Page 3]
V.Dolmatov Expires April 18, 2010 [Page 3]
The following DNSKEY RR stores a DNS zone key for example.net The following DNSKEY RR stores a DNS zone key for example.net
example.net. 86400 IN DNSKEY 256 3 {TBA1} ( AAABAAAAAAAAAAAAAAAAAAAA example.net. 86400 IN DNSKEY 256 3 {TBA1} (
AAAAAAAAAAAAAAAAAAAAABQe AADMrbi2vAs4hklTmmzGE3WWNtJ8Dll0u0jq
n56cyawiseMj3y1PKTV2Kz9F tGRbNKeJguZQj/9EpGWmQK9hekPiPlzH2Ph6
WlDfJ9qcmOBx5JGN ) yB7i836EfzmJo5LP
) ; key id = 15820
3. RRSIG Resource Records 3. RRSIG Resource Records
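Review bot: The new "; key id = 15820" annotation on the DNSKEY line carries weight beyond this hunk, because the RRSIG example in the following hunk uses 15820 as its key tag; please confirm that 15820 is the RFC 4034 Appendix B key tag computed over the new RDATA (flags 256, protocol 3, algorithm {TBA1}, the 66-octet public key), since the old example never tied its key tag to the DNSKEY at all. Dropping the private key of value 1 in favour of a realistic GostAsn1 value is the right call for a published example. Minor grammar in the added parenthetical: "the value of GostAsn1 field" should read "the value of the GostAsn1 field".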
@@ -209,13 +210,18 @@ V.Dolmatov Expires April 18, 2010 [Page 3]
Setting the inception date to 2000-01-01 00:00:00 UTC and the Setting the inception date to 2000-01-01 00:00:00 UTC and the
expiration date to 2030-01-01 00:00:00 UTC, the following signature expiration date to 2030-01-01 00:00:00 UTC, the following signature
should be created (assuming {TBA1}==249 until proped code is should be created (assuming {TBA1}==249 until proper code is
assigned by IANA) assigned by IANA)
www.example.net. 3600 IN RRSIG ( A {TBA1} 3 3600 www.example.net. 3600 IN RRSIG A {TBA1} 3 3600 20300101000000 (
20300101000000 20000101000000 9033 example.net. 20000101000000 15820 example.net.
96ObOt5gR6Xln8g42w70OZvi6BZoQvLIhrN9F+VBc29mp+ap K4sw+TOJz47xqP6685ItDfPhkktyvgxXrLdX
DQov1re0hApGenYDd2zLaHecw4H2vnPj0NhhxA== ) aQLX01mMZbJUp6tzetBYGpdHciAW5RLvHLVB
P8RtFK8Qv5DRsA== )
Note: Several GOST signatures calculated for the same message text
will differ because of using of random element in signature
generation process.
4. DS Resource Records 4. DS Resource Records
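Review bot: The added note at "Several GOST signatures calculated for the same message text will differ" should state the consequence for implementers: the RRSIG shown is not a reproducible test vector, so conformance is checked by verifying the given signature against the example DNSKEY, not by comparing signature bytes. Suggest "will differ because a random element is used in the signature generation process" for the grammar. Changing the key tag from 9033 to 15820 so it matches the DNSKEY key id in the previous hunk, and fixing "proped" to "proper", both look correct.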
@@ -223,7 +229,7 @@ V.Dolmatov Expires April 18, 2010 [Page 3]
type {TBA2}. The wire format of a digest value is compatible with type {TBA2}. The wire format of a digest value is compatible with
RFC 4490 [RFC4490]. RFC 4490 [RFC4490].
V.Dolmatov Expires April 18, 2010 [Page 4] V.Dolmatov Expires May 10, 2010 [Page 4]
Quoting RFC 4490: Quoting RFC 4490:
@@ -234,9 +240,22 @@ V.Dolmatov Expires April 18, 2010 [Page 4]
4.1. DS RR Example 4.1. DS RR Example
example.net. 3600 IN DS 9033 {TBA1} {TBA2} ( Su0ToNow7Lwex+wqac+cTQ For key signing key (assuming {TBA1}==249 until proper code is
djJ733qubhan+KqUrselc= ) assigned by IANA)
example.net. 86400 DNSKEY 257 3 {TBA1} (
AAADr5vmKVdXo780hSRU1YZYWuMZUbEe9R7C
RRLc7Wj2osDXv2XbCnIpTUx8dVLnLKmDBquu
9tCz5oSsZl0cL0R2
) ; key id = 21649
DS RR will be
example.net. 3600 IN DS 21649 {TBA1} {TBA2} (
A8146F448569F30B91255BA8E98DE14B18569A524C49593ADCA4103A
A44649C6 )
5. Deployment Considerations 5. Deployment Considerations
5.1. Key Sizes 5.1. Key Sizes
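Review bot: Switching the DS digest from base64 to hexadecimal is the necessary fix here, since RFC 4034 presents the DS Digest field as hexadecimal digits; the 64 hex digits shown give a 32-octet digest, consistent with the 256-bit GOST 34.11-94 hash named later in the document, and the DS key tag 21649 now matches the KSK's "key id = 21649". Two nits in the same hunk: the KSK line "example.net. 86400 DNSKEY 257 3 {TBA1} (" omits the class "IN" that every other record in the examples carries, and "For key signing key" / "DS RR will be" should read "For the key signing key" / "the DS RR will be".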
@@ -283,7 +302,7 @@ V.Dolmatov Expires April 18, 2010 [Page 4]
of multiple elliptic curve point computations on prime modulus of multiple elliptic curve point computations on prime modulus
2**256. 2**256.
V.Dolmatov Expires April 18, 2010 [Page 5] V.Dolmatov Expires May 10, 2010 [Page 5]
Currently, the cryptographic resistance of GOST 34.11-94 hash Currently, the cryptographic resistance of GOST 34.11-94 hash
algorithm is estimated as 2**128 operations of computations of a algorithm is estimated as 2**128 operations of computations of a
@@ -339,7 +358,7 @@ V.Dolmatov Expires April 18, 2010 [Page 5]
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005. RFC 4034, March 2005.
V.Dolmatov Expires April 18, 2010 [Page 6] V.Dolmatov Expires May 10, 2010 [Page 6]
[RFC4035] Arends R., Austein R., Larson M., Massey D., and S. [RFC4035] Arends R., Austein R., Larson M., Massey D., and S.
Rose, "Protocol Modifications for the DNS Security Rose, "Protocol Modifications for the DNS Security
@@ -396,7 +415,7 @@ V.Dolmatov Expires April 18, 2010 [Page 6]
"GOST R 34.10-2001 digital signature algorithm" "GOST R 34.10-2001 digital signature algorithm"
draft-dolmatov-cryptocom-gost3410-2001-05, draft-dolmatov-cryptocom-gost3410-2001-05,
work in progress work in progress
V.Dolmatov Expires April 18, 2010 [Page 7] V.Dolmatov Expires May 10, 2010 [Page 7]
[DRAFT2] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S., [DRAFT2] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S.,
"GOST R 34.11-94 Hash function algorithm" "GOST R 34.11-94 Hash function algorithm"
@@ -430,6 +449,7 @@ Moscow, 117303, Russian Federation
EMail: igus@cryptocom.ru EMail: igus@cryptocom.ru
V.Dolmatov Expires April 18, 2010 [Page 8] V.Dolmatov Expires May 10, 2010 [Page 8]