diff options
Diffstat (limited to 'doc/draft/draft-ietf-dnsext-dnssec-rsasha256-06.txt')
-rw-r--r-- | doc/draft/draft-ietf-dnsext-dnssec-rsasha256-06.txt | 504 |
1 files changed, 504 insertions, 0 deletions
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-06.txt b/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-06.txt new file mode 100644 index 0000000..1dc9070 --- /dev/null +++ b/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-06.txt @@ -0,0 +1,504 @@ + + + +DNS Extensions working group J. Jansen +Internet-Draft NLnet Labs +Intended status: Standards Track October 23, 2008 +Expires: April 26, 2009 + + + Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records + for DNSSEC + draft-ietf-dnsext-dnssec-rsasha256-06 + +Status of this Memo + + By submitting this Internet-Draft, each author represents that any + applicable patent or other IPR claims of which he or she is aware + have been or will be disclosed, and any of which he or she becomes + aware will be disclosed, in accordance with Section 6 of BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on April 26, 2009. + +Abstract + + This document describes how to produce RSA/SHA-256 and RSA/SHA-512 + DNSKEY and RRSIG resource records for use in the Domain Name System + Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). + + + + + + + + + + + +Jansen Expires April 26, 2009 [Page 1] + +Internet-Draft DNSSEC RSA/SHA-2 October 2008 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. DNSKEY Resource Records . . . . . . . . . . . . . . . . . . . . 3 + 2.1. RSA/SHA-256 DNSKEY Resource Records . . . . . . . . . . . . 3 + 2.2. RSA/SHA-512 DNSKEY Resource Records . . . . . . . . . . . . 3 + 3. RRSIG Resource Records . . . . . . . . . . . . . . . . . . . . 4 + 3.1. RSA/SHA-256 RRSIG Resource Records . . . . . . . . . . . . 4 + 3.2. RSA/SHA-512 RRSIG Resource Records . . . . . . . . . . . . 5 + 4. Deployment Considerations . . . . . . . . . . . . . . . . . . . 5 + 4.1. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 4.2. Signature Sizes . . . . . . . . . . . . . . . . . . . . . . 5 + 5. Implementation Considerations . . . . . . . . . . . . . . . . . 5 + 5.1. Support for SHA-2 signatures . . . . . . . . . . . . . . . 5 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 + 7.1. SHA-1 versus SHA-2 Considerations for RRSIG Resource + Records . . . . . . . . . . . . . . . . . . . . . . . . . . 6 + 7.2. Signature Type Downgrade Attacks . . . . . . . . . . . . . 6 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 + 9.1. Normative References . . . . . . . . . . . . . . . . . . . 7 + 9.2. Informative References . . . . . . . . . . . . . . . . . . 7 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8 + Intellectual Property and Copyright Statements . . . . . . . . . . 9 + + + + + + + + + + + + + + + + + + + + + + + + + + +Jansen Expires April 26, 2009 [Page 2] + +Internet-Draft DNSSEC RSA/SHA-2 October 2008 + + +1. Introduction + + The Domain Name System (DNS) is the global hierarchical distributed + database for Internet Naming. The DNS has been extended to use + cryptographic keys and digital signatures for the verification of the + authenticity and integrity of its data. RFC 4033 [RFC4033], RFC 4034 + [RFC4034], and RFC 4035 [RFC4035] describe these DNS Security + Extensions, called DNSSEC. + + RFC 4034 describes how to store DNSKEY and RRSIG resource records, + and specifies a list of cryptographic algorithms to use. This + document extends that list with the algorithms RSA/SHA-256 and RSA/ + SHA-512, and specifies how to store DNSKEY data and how to produce + RRSIG resource records with these hash algorithms. + + Familiarity with DNSSEC, RSA and the SHA-2 [FIPS.180-2.2002] family + of algorithms is assumed in this document. + + To refer to both SHA-256 and SHA-512, this document will use the name + SHA-2. This is done to improve readability. When a part of text is + specific for either SHA-256 or SHA-512, their specific names are + used. The same goes for RSA/SHA-256 and RSA/SHA-512, which will be + grouped using the name RSA/SHA-2. + + +2. DNSKEY Resource Records + + The format of the DNSKEY RR can be found in RFC 4034 [RFC4034], RFC + 3110 [RFC3110] describes the use of RSA/SHA-1 for DNSSEC signatures. + +2.1. RSA/SHA-256 DNSKEY Resource Records + + RSA public keys for use with RSA/SHA-256 are stored in DNSKEY + resource records (RRs) with the algorithm number {TBA1}. + + For use with NSEC3 [RFC5155], the algorithm number for RSA/SHA-256 + will be {TBA2}. The use of a different algorithm number to + differentiate between the use of NSEC and NSEC3 is in keeping with + the approach adopted in RFC5155. + + For interoperability, as in RFC 3110 [RFC3110], the key size of RSA/ + SHA-256 keys MUST NOT be less than 512 bits, and MUST NOT be more + than 4096 bits. + +2.2. RSA/SHA-512 DNSKEY Resource Records + + RSA public keys for use with RSA/SHA-512 are stored in DNSKEY + resource records (RRs) with the algorithm number {TBA3}. + + + +Jansen Expires April 26, 2009 [Page 3] + +Internet-Draft DNSSEC RSA/SHA-2 October 2008 + + + For use with NSEC3, the algorithm number for RSA/SHA-512 will be + {TBA4}. The use of a different algorithm number to differentiate + between the use of NSEC and NSEC3 is in keeping with the approach + adopted in RFC5155. + + The key size of RSA/SHA-512 keys MUST NOT be less than 1024 bits, and + MUST NOT be more than 4096 bits. + + +3. RRSIG Resource Records + + The value of the signature field in the RRSIG RR follows the RSASSA- + PKCS1-v1_5 signature scheme, and is calculated as follows. The + values for the RDATA fields that precede the signature data are + specified in RFC 4034 [RFC4034]. + + hash = SHA-XXX(data) + + Here XXX is either 256 or 512, depending on the algorithm used, as + specified in FIPS PUB 180-2 [FIPS.180-2.2002], and "data" is the wire + format data of the resource record set that is signed, as specified + in RFC 4034 [RFC4034]. + + signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n) + + Here "|" is concatenation, "00", "01", "FF" and "00" are fixed octets + of corresponding hexadecimal value, "e" is the private exponent of + the signing RSA key, and "n" is the public modulus of the signing + key. The FF octet MUST be repeated the exact number of times so that + the total length of the concatenated term in parentheses equals the + length of the modulus of the signer's public key ("n"). + + The "prefix" is intended to make the use of standard cryptographic + libraries easier. These specifications are taken directly from the + specifications of RSASSA-PKCS1-v1_5 in PKCS #1 v2.1 section 8.2 + [RFC3447], and EMSA-PKCS1-v1_5 encoding in PKCS #1 v2.1 section 9.2 + [RFC3447]. The prefixes for the different algorithms are specified + below. + +3.1. RSA/SHA-256 RRSIG Resource Records + + RSA/SHA-256 signatures are stored in the DNS using RRSIG resource + records (RRs) with algorithm number {TBA1} for use with NSEC, or + {TBA2} for use with NSEC3. + + The prefix is the ASN.1 BER SHA-256 algorithm designator prefix as + specified in PKCS #1 v2.1 [RFC3447]: + + + + +Jansen Expires April 26, 2009 [Page 4] + +Internet-Draft DNSSEC RSA/SHA-2 October 2008 + + + hex 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 + +3.2. RSA/SHA-512 RRSIG Resource Records + + RSA/SHA-512 signatures are stored in the DNS using RRSIG resource + records (RRs) with algorithm number {TBA3} for use with NSEC, or + {TBA4} for use with NSEC3. + + The prefix is the ASN.1 BER SHA-512 algorithm designator prefix as + specified in PKCS #1 v2.1 [RFC3447]: + + hex 30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 + + +4. Deployment Considerations + +4.1. Key Sizes + + Apart from the restrictions specified in section 2, this document + will not specify what size of keys to use. That is an operational + issue and depends largely on the environment and intended use. A + good starting point for more information would be NIST SP 800-57 + [NIST800-57]. + +4.2. Signature Sizes + + In this family of signing algorithms, the size of signatures is + related to the size of the key, and not the hashing algorithm used in + the signing process. Therefore, RRSIG resource records produced with + RSA/SHA256 or RSA/SHA512 will have the same size as those produced + with RSA/SHA1, if the keys have the same length. + + +5. Implementation Considerations + +5.1. Support for SHA-2 signatures + + DNSSEC aware implementations SHOULD be able to support RRSIG resource + records with the RSA/SHA-2 algorithms. + + +6. IANA Considerations + + IANA has assigned DNS Security Algorithm Numbers {TBA1} for RSA/ + SHA-256 with NSEC, {TBA2} for RSA/SHA-256 with NSEC3, {TBA3} for RSA/ + SHA-512 with NSEC, and {TBA4} for RSA/SHA-512 with NSEC3. + + The algorithm list from RFC 4034 Appendix A.1 [RFC4034] is extended + + + +Jansen Expires April 26, 2009 [Page 5] + +Internet-Draft DNSSEC RSA/SHA-2 October 2008 + + + with the following entries: + + Zone + Value Algorithm [Mnemonic] Signing References + {TBA1} RSA/SHA-256 RSASHA256 y {this memo} + {TBA2} RSA/SHA-256-NSEC3 RSASHA256NSEC3 y {this memo} + {TBA3} RSA/SHA-512 RSASHA512 y {this memo} + {TBA4} RSA/SHA-512-NSEC3 RSASHA512NSEC3 y {this memo} + + + +7. Security Considerations + +7.1. SHA-1 versus SHA-2 Considerations for RRSIG Resource Records + + Users of DNSSEC are encouraged to deploy SHA-2 as soon as software + implementations allow for it. SHA-2 is widely believed to be more + resilient to attack than SHA-1, and confidence in SHA-1's strength is + being eroded by recently-announced attacks. Regardless of whether or + not the attacks on SHA-1 will affect DNSSEC, it is believed (at the + time of this writing) that SHA-2 is the better choice for use in + DNSSEC records. + + SHA-2 is considered sufficiently strong for the immediate future, but + predictions about future development in cryptography and + cryptanalysis are beyond the scope of this document. + + The signature scheme RSASSA-PKCS1-v1_5 is chosen to match the one + used for RSA/SHA-1 signatures. This should ease implementation of + the new hashing algorithms in DNSSEC software. + +7.2. Signature Type Downgrade Attacks + + Since each RRSet MUST be signed with each algorithm present in the + DNSKEY RRSet at the zone apex (see [RFC4035] Section 2.2), a + malicious party cannot filter out the RSA/SHA-2 RRSIG, and force the + validator to use the RSA/SHA-1 signature if both are present in the + zone. This should provide resilience against algorithm downgrade + attacks, if the validator supports RSA/SHA-2. + + +8. Acknowledgments + + This document is a minor extension to RFC 4034 [RFC4034]. Also, we + try to follow the documents RFC 3110 [RFC3110] and RFC 4509 [RFC4509] + for consistency. The authors of and contributors to these documents + are gratefully acknowledged for their hard work. + + + + +Jansen Expires April 26, 2009 [Page 6] + +Internet-Draft DNSSEC RSA/SHA-2 October 2008 + + + The following people provided additional feedback and text: Jaap + Akkerhuis, Roy Arends, Rob Austein, Francis Dupont, Miek Gieben, + Alfred Hoenes, Paul Hoffman, Peter Koch, Michael St. Johns, Scott + Rose and Wouter Wijngaards. + + +9. References + +9.1. Normative References + + [FIPS.180-2.2002] + National Institute of Standards and Technology, "Secure + Hash Standard", FIPS PUB 180-2, August 2002. + + [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain + Name System (DNS)", RFC 3110, May 2001. + + [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "DNS Security Introduction and Requirements", + RFC 4033, March 2005. + + [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "Resource Records for the DNS Security Extensions", + RFC 4034, March 2005. + + [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "Protocol Modifications for the DNS Security + Extensions", RFC 4035, March 2005. + +9.2. Informative References + + [NIST800-57] + Barker, E., Barker, W., Burr, W., Polk, W., and M. Smid, + "Recommendations for Key Management", NIST SP 800-57, + March 2007. + + [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography + Standards (PKCS) #1: RSA Cryptography Specifications + Version 2.1", RFC 3447, February 2003. + + [RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer + (DS) Resource Records (RRs)", RFC 4509, May 2006. + + [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS + Security (DNSSEC) Hashed Authenticated Denial of + Existence", RFC 5155, March 2008. + + + + + +Jansen Expires April 26, 2009 [Page 7] + +Internet-Draft DNSSEC RSA/SHA-2 October 2008 + + +Author's Address + + Jelte Jansen + NLnet Labs + Kruislaan 419 + Amsterdam 1098VA + NL + + Email: jelte@NLnetLabs.nl + URI: http://www.nlnetlabs.nl/ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Jansen Expires April 26, 2009 [Page 8] + +Internet-Draft DNSSEC RSA/SHA-2 October 2008 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2008). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + + + + + + + + + + +Jansen Expires April 26, 2009 [Page 9] + |