DNS Extensions working group V.Dolmatov, Ed.
Internet-Draft Cryptocom Ltd.
-Intended status: Standards Track October 18, 2009
-Expires: April 18, 2010
+Intended status: Standards Track November 10, 2009
+Expires: May 10, 2010
Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records
for DNSSEC
- draft-ietf-dnsext-dnssec-gost-01
+ draft-ietf-dnsext-dnssec-gost-02
Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
- This Internet-Draft will expire on April 18 2010.
+ This Internet-Draft will expire on May 10 2010.
Copyright Notice
Name System Security Extensions (DNSSEC, RFC 4033, RFC 4034,
and RFC 4035).
-V.Dolmatov Expires April 18, 2010 [Page 1]
+V.Dolmatov Expires May 10, 2010 [Page 1]
Table of Contents
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
-V.Dolmatov Expires April 18, 2010 [Page 2]
+V.Dolmatov Expires May 10, 2010 [Page 2]
2. DNSKEY Resource Records
section 2.3.2.
To make this encoding from the wire format of a GOST public key
- with the parameters used in this document, prepend last 64 octets
+ with the parameters used in this document, prepend the last 64 octets
of key data (in other words, substitute first two parameter octets)
with the following 37-byte sequence:
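Review bot: the change at "prepend the last 64 octets of key data" only adds an article and leaves the sentence reading backwards: it says to prepend the octets *with* a sequence, while the parenthetical "(in other words, substitute first two parameter octets)" is the actual operation. Suggest stating the transformation directly, e.g. "take the last 64 octets of the key data (that is, drop the first two parameter octets) and prefix them with the following 37-byte sequence". Implementers converting DNSKEY public key material will follow this sentence literally, so the ambiguity is an interoperability risk rather than a style nit.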
2.2. GOST DNSKEY RR Example
- Given a private key with the following value:
+ Given a private key with the following value (the value of GostAsn1
+ field is split here into two lines to simplify reading; in the
+ private key file it must be in one line):
Private-key-format: v1.2
Algorithm: {TBA1} (GOST)
- GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEE
- IgQgAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+ GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgV/S
+ 2FXdMtzKJBehZvjF4lVSx6m66TwqSe/MFwKSH/3E=
- (corresponding to private key value 1)
-
-V.Dolmatov Expires April 18, 2010 [Page 3]
+V.Dolmatov Expires May 10, 2010 [Page 3]
The following DNSKEY RR stores a DNS zone key for example.net
- example.net. 86400 IN DNSKEY 256 3 {TBA1} ( AAABAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAABQe
- n56cyawiseMj3y1PKTV2Kz9F
- WlDfJ9qcmOBx5JGN )
+ example.net. 86400 IN DNSKEY 256 3 {TBA1} (
+ AADMrbi2vAs4hklTmmzGE3WWNtJ8Dll0u0jq
+ tGRbNKeJguZQj/9EpGWmQK9hekPiPlzH2Ph6
+ yB7i836EfzmJo5LP
+ ) ; key id = 15820
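Review bot: replacing the private key of value 1 (the old `AQAAAA...` GostAsn1 material, together with the deleted line "(corresponding to private key value 1)") with a non-degenerate value is the right call, since trivial example keys tend to be copied into test fixtures and, from there, into deployments; the new text should still state explicitly that the key is a throwaway test value. The note "the value of GostAsn1 field is split here into two lines" needs an article ("the value of the GostAsn1 field"). The added "; key id = 15820" comment is consistent with the key tag 15820 used in the RRSIG example in section 3, which makes the examples easier to check against each other than the previous text was.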
3. RRSIG Resource Records
Setting the inception date to 2000-01-01 00:00:00 UTC and the
expiration date to 2030-01-01 00:00:00 UTC, the following signature
- should be created (assuming {TBA1}==249 until proped code is
+ should be created (assuming {TBA1}==249 until proper code is
assigned by IANA)
- www.example.net. 3600 IN RRSIG ( A {TBA1} 3 3600
- 20300101000000 20000101000000 9033 example.net.
- 96ObOt5gR6Xln8g42w70OZvi6BZoQvLIhrN9F+VBc29mp+ap
- DQov1re0hApGenYDd2zLaHecw4H2vnPj0NhhxA== )
+ www.example.net. 3600 IN RRSIG A {TBA1} 3 3600 20300101000000 (
+ 20000101000000 15820 example.net.
+ K4sw+TOJz47xqP6685ItDfPhkktyvgxXrLdX
+ aQLX01mMZbJUp6tzetBYGpdHciAW5RLvHLVB
+ P8RtFK8Qv5DRsA== )
+
+ Note: Several GOST signatures calculated for the same message text
+ will differ because of using of random element in signature
+ generation process.
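Review bot: the new note "will differ because of using of random element in signature generation process" is grammatically off and understates the consequence for implementers. Suggest "Several GOST signatures calculated over the same message will differ, because signature generation uses a random element", followed by a sentence saying that the RRSIG value above therefore cannot be reproduced byte-for-byte and an implementation must check it by verifying the signature against the DNSKEY in section 2.2, not by comparing bytes with the example. It would also help to cross-reference the GOST R 34.10-2001 reference for the requirements on that random element, since its quality is part of the signature's security.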
4. DS Resource Records
type {TBA2}. The wire format of a digest value is compatible with
RFC 4490 [RFC4490].
-V.Dolmatov Expires April 18, 2010 [Page 4]
+V.Dolmatov Expires May 10, 2010 [Page 4]
Quoting RFC 4490:
4.1. DS RR Example
- example.net. 3600 IN DS 9033 {TBA1} {TBA2} ( Su0ToNow7Lwex+wqac+cTQ
- djJ733qubhan+KqUrselc= )
-
+ For key signing key (assuming {TBA1}==249 until proper code is
+ assigned by IANA)
+
+ example.net. 86400 DNSKEY 257 3 {TBA1} (
+ AAADr5vmKVdXo780hSRU1YZYWuMZUbEe9R7C
+ RRLc7Wj2osDXv2XbCnIpTUx8dVLnLKmDBquu
+ 9tCz5oSsZl0cL0R2
+ ) ; key id = 21649
+
+ DS RR will be
+
+ example.net. 3600 IN DS 21649 {TBA1} {TBA2} (
+ A8146F448569F30B91255BA8E98DE14B18569A524C49593ADCA4103A
+ A44649C6 )
+
+
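Review bot: the KSK DNSKEY record "example.net. 86400 DNSKEY 257 3 {TBA1} (" omits the class, while the ZSK example in section 2.2 and both DS lines spell out IN; add IN so readers do not take the omission as meaningful. Switching the DS digest from base64 to hexadecimal is correct (RFC 4034 presents the DS digest field in hex), and the 64 hex digits correspond to a 256-bit digest as expected for GOST R 34.11-94, and the key tag 21649 matches the "; key id = 21649" comment on the KSK. Two smaller points: "For key signing key" and "DS RR will be" need articles ("For the key signing key", "The DS RR will be"), and since both the key tag and the DS digest are computed over DNSKEY RDATA that includes the algorithm octet, the caveat "assuming {TBA1}==249 until proper code is assigned by IANA" should say that the key ids, the DS digest and the RRSIG value in section 3 all have to be regenerated once the real number is assigned.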
5. Deployment Considerations
5.1. Key Sizes
of multiple elliptic curve point computations on prime modulus
2**256.
-V.Dolmatov Expires April 18, 2010 [Page 5]
+V.Dolmatov Expires May 10, 2010 [Page 5]
Currently, the cryptographic resistance of GOST 34.11-94 hash
algorithm is estimated as 2**128 operations of computations of a
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
-V.Dolmatov Expires April 18, 2010 [Page 6]
+V.Dolmatov Expires May 10, 2010 [Page 6]
[RFC4035] Arends R., Austein R., Larson M., Massey D., and S.
Rose, "Protocol Modifications for the DNS Security
"GOST R 34.10-2001 digital signature algorithm"
draft-dolmatov-cryptocom-gost3410-2001-05,
work in progress
-V.Dolmatov Expires April 18, 2010 [Page 7]
+V.Dolmatov Expires May 10, 2010 [Page 7]
[DRAFT2] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S.,
"GOST R 34.11-94 Hash function algorithm"
EMail: igus@cryptocom.ru
-V.Dolmatov Expires April 18, 2010 [Page 8]
+V.Dolmatov Expires May 10, 2010 [Page 8]
+