DNS Extensions working group V.Dolmatov, Ed.
Internet-Draft Cryptocom Ltd.
-Intended status: Standards Track November 22, 2009
-Expires: May 22, 2010
+Intended status: Standards Track November 30, 2009
+Expires: May 30, 2010
Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records
for DNSSEC
- draft-ietf-dnsext-dnssec-gost-04
+ draft-ietf-dnsext-dnssec-gost-05
Status of this Memo
Abstract
This document describes how to produce signature and hash using
- GOST algorithms for DNSKEY, RRSIG and DS resource records for use in
- the Domain Name System Security Extensions (DNSSEC, RFC 4033,
- RFC 4034, and RFC 4035).
+ GOST algorithms [DRAFT1, DRAFT2, DRAFT3] for DNSKEY, RRSIG and DS
+ resource records for use in the Domain Name System Security
+ Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035).
-V.Dolmatov Expires May 22, 2010 [Page 1]
+V.Dolmatov Expires May 30, 2010 [Page 1]\f
Table of Contents
2.2. GOST DNSKEY RR Example . . . . . . . . . . . . . . . . . . 3
3. RRSIG Resource Records . . . . . . . . . . . . . . . . . . . . 4
3.1 RRSIG RR Example . . . . . . . . . . . . . . . . . . . . . . 4
- 4. DS Resource Records . . . . . . . . . . . . . . . . . . . . . . 4
+ 4. DS Resource Records . . . . . . . . . . . . . . . . . . . . . . 5
4.1 DS RR Example . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Deployment Considerations . . . . . . . . . . . . . . . . . . . 5
5.1. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . 5
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
10.1. Normative References . . . . . . . . . . . . . . . . . . . 6
10.2. Informative References . . . . . . . . . . . . . . . . . . 7
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
-V.Dolmatov Expires May 22, 2010 [Page 2]
+V.Dolmatov Expires May 30, 2010 [Page 2]\f
2. DNSKEY Resource Records
The wire format of the public key is compatible with
RFC 4491 [RFC4491]:
- According to [GOSTR341001], a public key is a point on the elliptic
+ According to [GOST3410], a public key is a point on the elliptic
curve Q = (x,y).
The wire representation of a public key MUST contain 66 octets,
little-endian representation of x and the second 32 octets contain
the little-endian representation of y.
This corresponds to the binary representation of (<y>256||<x>256)
- from [GOSTR341001], ch. 5.3.
+ from [GOST3410], ch. 5.3.
The only valid value for both parameters octets is 0.
Other parameters octets values are reserved for future use.
Private-key-format: v1.2
Algorithm: {TBA1} (GOST)
GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgV/S
- 2FXdMtzKJBehZvjF4lVSx6m66TwqSe/MFwKSH/3E=
+ 2FXdMtzKJBehZvjF4lVSx6m66TwqSe/MFwKSH/3E=
-V.Dolmatov Expires May 22, 2010 [Page 3]
+V.Dolmatov Expires May 30, 2010 [Page 3]\f
The following DNSKEY RR stores a DNS zone key for example.net
example.net. 86400 IN DNSKEY 256 3 {TBA1} (
AADMrbi2vAs4hklTmmzGE3WWNtJ8Dll0u0jq
- tGRbNKeJguZQj/9EpGWmQK9hekPiPlzH2Ph6
- yB7i836EfzmJo5LP
- ) ; key id = 15820
+ tGRbNKeJguZQj/9EpGWmQK9hekPiPlzH2Ph6
+ yB7i836EfzmJo5LP
+ ) ; key id = 15820
3. RRSIG Resource Records
With the private key from section 2.2 sign the following RRSet,
consisting of one A record:
- www.example.net. 3600 IN A 192.0.32.10
+ www.example.net. 3600 IN A 192.0.2.1
Setting the inception date to 2000-01-01 00:00:00 UTC and the
expiration date to 2030-01-01 00:00:00 UTC, the following signature
www.example.net. 3600 IN RRSIG A {TBA1} 3 3600 20300101000000 (
20000101000000 15820 example.net.
- K4sw+TOJz47xqP6685ItDfPhkktyvgxXrLdX
- aQLX01mMZbJUp6tzetBYGpdHciAW5RLvHLVB
- P8RtFK8Qv5DRsA== )
+ 2MIsZWtEx6pcfQrdl376B8sFg0qxsR8XMHpl
+ jHh+V6U7Qte7WwI4C3Z1nFMRVf//C9rO2dGB
+ rdp+C7wVoOHBqA== )
+
+V.Dolmatov Expires May 30, 2010 [Page 4]\f
Note: Several GOST signatures calculated for the same message text
differ because of using of a random element is used in signature
4. DS Resource Records
GOST R 34.11-94 digest algorithm is denoted in DS RRs by the digest
- type {TBA2}. The wire format of a digest value is compatible with
- RFC 4490 [RFC4490], that is digest is in little-endian representation.
+ type {TBA2}.The wire format of a digest value is compatible with
+ RFC4490 [RFC4490], that is digest is in little-endian representation.
-V.Dolmatov Expires May 22, 2010 [Page 4]
- The digest MUST always be calculated with GOST R 34.11-94 parameters
+ The digest MUST always be calculated with GOST R 34.11-94 parameters
identified by id-GostR3411-94-CryptoProParamSet [RFC4357].
4.1. DS RR Example
example.net. 3600 IN DS 21649 {TBA1} {TBA2} (
A8146F448569F30B91255BA8E98DE14B18569A524C49593ADCA4103A
- A44649C6 )
-
+ A44649C6 )
5. Deployment Considerations
5.3. Digest Sizes
- According to the GOST R 34.11-94 [GOST3411], the size of a GOST digest
- is 256 bits.
+ According to the GOST R 34.11-94 [GOST3411], the size of a GOST
+ digest is 256 bits.
6. Implementation Considerations
DNSKEY resource records created with the GOST algorithms as
defined in this document.
+V.Dolmatov Expires May 30, 2010 [Page 5]\f
+
6.2. Support for NSEC3 Denial of Existence
Any DNSSEC-GOST implementation is required to have either NSEC or
of multiple elliptic curve point computations on prime modulus
of order 2**256.
-V.Dolmatov Expires May 22, 2010 [Page 5]
Currently, the cryptographic resistance of GOST 34.11-94 hash
algorithm is estimated as 2**128 operations of computations of a
This document updates the IANA registry "DNS Security Algorithm
Numbers [RFC4034]"
- (http://www.iana.org/assignments/dns-sec-alg-numbers). The
- following entries are added to the registry:
+ (http://www.iana.org/assignments/dns-sec-alg-numbers).
+ The following entries are added to the registry:
Zone Trans.
Value Algorithm Mnemonic Signing Sec. References Status
{TBA1} GOST R 34.10-2001 GOST Y * (this memo) OPTIONAL
contributors to these documents are gratefully acknowledged for
their hard work.
+V.Dolmatov Expires May 30, 2010 [Page 6]\f
+
The following people provided additional feedback and text: Dmitry
Burkov, Jaap Akkerhuis, Olafur Gundmundsson, Jelte Jansen
and Wouter Wijngaards.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
-V.Dolmatov Expires May 22, 2010 [Page 6]
-
[RFC4035] Arends R., Austein R., Larson M., Massey D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
Algorithms", RFC 4357, January 2006.
[RFC4490] S. Leontiev and G. Chudov, "Using the GOST 28147-89,
- GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001
+ GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001
Algorithms with Cryptographic Message Syntax (CMS)",
RFC 4490, May 2006.
Infrastructure Certificate and CRL Profile", RFC 4491,
May 2006.
+V.Dolmatov Expires May 30, 2010 [Page 7]\f
10.2. Informative References
- [NIST800-57]
- Barker E., Barker W., Burr W., Polk W., and M. Smid,
- "Recommendations for Key Management", NIST SP 800-57,
- March 2007.
-
- [RFC3447] Jonsson J. and B. Kaliski, "Public-Key Cryptography
- Standards (PKCS) #1: RSA Cryptography Specifications
- Version 2.1", RFC 3447, February 2003.
-
[RFC4509] Hardaker W., "Use of SHA-256 in DNSSEC Delegation Signer
(DS) Resource Records (RRs)", RFC 4509, May 2006.
- [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
- Security (DNSSEC) Hashed Authenticated Denial of
- Existence", RFC 5155, March 2008.
-
[DRAFT1] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S.,
"GOST R 34.10-2001 digital signature algorithm"
- draft-dolmatov-cryptocom-gost3410-2001-06, 11.10.09
+ draft-dolmatov-cryptocom-gost34102001-06, 11.10.09
work in progress.
-V.Dolmatov Expires May 10, 2010 [Page 7]
+
[DRAFT2] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S.,
"GOST R 34.11-94 Hash function algorithm"
draft-dolmatov-cryptocom-gost2814789-04, 11.10.09
work in progress.
+V.Dolmatov Expires May 30, 2010 [Page 8]\f
+
+
Authors' Addresses
Vasily Dolmatov, Ed.
Cryptocom Ltd.
-Bolotnikovskaya, 23
-Moscow, 117303, Russian Federation
+Kedrova 14, bld.2
+Moscow, 117218, Russian Federation
EMail: dol@cryptocom.ru
Artem Chuprina
Cryptocom Ltd.
-Bolotnikovskaya, 23
-Moscow, 117303, Russian Federation
+Kedrova 14, bld.2
+Moscow, 117218, Russian Federation
EMail: ran@cryptocom.ru
Igor Ustinov
Cryptocom Ltd.
-Bolotnikovskaya, 23
-Moscow, 117303, Russian Federation
+Kedrova 14, bld.2
+Moscow, 117218, Russian Federation
EMail: igus@cryptocom.ru
-V.Dolmatov Expires May 22, 2010 [Page 8]
+V.Dolmatov Expires May 30, 2010 [Page 9]\f
projects / thirdparty / bind9.git / commitdiff
