Commit 6f0fe31b authored by Mark Andrews's avatar Mark Andrews

new draft

parent 717d095d
DNS Extensions working group V.Dolmatov, Ed.
Internet-Draft Cryptocom Ltd.
Intended status: Standards Track November 22, 2009
Expires: May 22, 2010
Intended status: Standards Track November 30, 2009
Expires: May 30, 2010
Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records
for DNSSEC
draft-ietf-dnsext-dnssec-gost-04
draft-ietf-dnsext-dnssec-gost-05
Status of this Memo
......@@ -45,11 +45,11 @@ Copyright Notice
Abstract
This document describes how to produce signature and hash using
GOST algorithms for DNSKEY, RRSIG and DS resource records for use in
the Domain Name System Security Extensions (DNSSEC, RFC 4033,
RFC 4034, and RFC 4035).
GOST algorithms [DRAFT1, DRAFT2, DRAFT3] for DNSKEY, RRSIG and DS
resource records for use in the Domain Name System Security
Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035).
V.Dolmatov Expires May 22, 2010 [Page 1]
V.Dolmatov Expires May 30, 2010 [Page 1]
Table of Contents
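Review bot: the citation "[DRAFT1, DRAFT2, DRAFT3]" added to the Abstract should not be there; RFC abstracts are meant to be self-contained and carry no reference citations (RFC Editor style), so name the three drafts in the Introduction or in section 10 instead. While touching this sentence, "how to produce signature and hash using GOST algorithms" reads better as "how to produce a signature and a hash using GOST algorithms".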
......@@ -59,7 +59,7 @@ Table of Contents
2.2. GOST DNSKEY RR Example . . . . . . . . . . . . . . . . . . 3
3. RRSIG Resource Records . . . . . . . . . . . . . . . . . . . . 4
3.1 RRSIG RR Example . . . . . . . . . . . . . . . . . . . . . . 4
4. DS Resource Records . . . . . . . . . . . . . . . . . . . . . . 4
4. DS Resource Records . . . . . . . . . . . . . . . . . . . . . . 5
4.1 DS RR Example . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Deployment Considerations . . . . . . . . . . . . . . . . . . . 5
5.1. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . 5
......@@ -75,7 +75,7 @@ Table of Contents
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
10.1. Normative References . . . . . . . . . . . . . . . . . . . 6
10.2. Informative References . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
......@@ -106,7 +106,7 @@ Table of Contents
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
V.Dolmatov Expires May 22, 2010 [Page 2]
V.Dolmatov Expires May 30, 2010 [Page 2]
2. DNSKEY Resource Records
......@@ -118,7 +118,7 @@ V.Dolmatov Expires May 22, 2010 [Page 2]
The wire format of the public key is compatible with
RFC 4491 [RFC4491]:
According to [GOSTR341001], a public key is a point on the elliptic
According to [GOST3410], a public key is a point on the elliptic
curve Q = (x,y).
The wire representation of a public key MUST contain 66 octets,
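Review bot: the citation anchor changes from [GOSTR341001] to [GOST3410] here and in the "ch. 5.3" reference just below, but no hunk in this diff renames or adds a [GOST3410] entry in section 10.1, so confirm the reference list is updated in the same commit or the citation is left dangling. The new name does line up with [GOST3411] already used for the hash function in section 5.3, which is the right direction.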
......@@ -127,7 +127,7 @@ V.Dolmatov Expires May 22, 2010 [Page 2]
little-endian representation of x and the second 32 octets contain
the little-endian representation of y.
This corresponds to the binary representation of (<y>256||<x>256)
from [GOSTR341001], ch. 5.3.
from [GOST3410], ch. 5.3.
The only valid value for both parameters octets is 0.
Other parameters octets values are reserved for future use.
......@@ -162,17 +162,17 @@ V.Dolmatov Expires May 22, 2010 [Page 2]
Private-key-format: v1.2
Algorithm: {TBA1} (GOST)
GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgV/S
2FXdMtzKJBehZvjF4lVSx6m66TwqSe/MFwKSH/3E=
2FXdMtzKJBehZvjF4lVSx6m66TwqSe/MFwKSH/3E=
V.Dolmatov Expires May 22, 2010 [Page 3]
V.Dolmatov Expires May 30, 2010 [Page 3]
The following DNSKEY RR stores a DNS zone key for example.net
example.net. 86400 IN DNSKEY 256 3 {TBA1} (
AADMrbi2vAs4hklTmmzGE3WWNtJ8Dll0u0jq
tGRbNKeJguZQj/9EpGWmQK9hekPiPlzH2Ph6
yB7i836EfzmJo5LP
) ; key id = 15820
tGRbNKeJguZQj/9EpGWmQK9hekPiPlzH2Ph6
yB7i836EfzmJo5LP
) ; key id = 15820
3. RRSIG Resource Records
......@@ -206,7 +206,7 @@ V.Dolmatov Expires May 22, 2010 [Page 3]
With the private key from section 2.2 sign the following RRSet,
consisting of one A record:
www.example.net. 3600 IN A 192.0.32.10
www.example.net. 3600 IN A 192.0.2.1
Setting the inception date to 2000-01-01 00:00:00 UTC and the
expiration date to 2030-01-01 00:00:00 UTC, the following signature
......@@ -215,9 +215,11 @@ V.Dolmatov Expires May 22, 2010 [Page 3]
www.example.net. 3600 IN RRSIG A {TBA1} 3 3600 20300101000000 (
20000101000000 15820 example.net.
K4sw+TOJz47xqP6685ItDfPhkktyvgxXrLdX
aQLX01mMZbJUp6tzetBYGpdHciAW5RLvHLVB
P8RtFK8Qv5DRsA== )
2MIsZWtEx6pcfQrdl376B8sFg0qxsR8XMHpl
jHh+V6U7Qte7WwI4C3Z1nFMRVf//C9rO2dGB
rdp+C7wVoOHBqA== )
V.Dolmatov Expires May 30, 2010 [Page 4]
Note: Several GOST signatures calculated for the same message text
differ because of using of a random element is used in signature
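Review bot: the Note in the trailing context reads "differ because of using of a random element is used in signature"; suggest "differ because a random element is used in signature generation". Moving the signed A record from 192.0.32.10 to 192.0.2.1 (documentation range) is a good change, and because the signed data changed the RRSIG had to be regenerated; since GOST R 34.10-2001 signing is randomized, a reader can only verify the new base64 value against the DNSKEY of section 2.2, not reproduce it, and the Note should say so explicitly rather than only stating that signatures differ.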
......@@ -226,12 +228,11 @@ V.Dolmatov Expires May 22, 2010 [Page 3]
4. DS Resource Records
GOST R 34.11-94 digest algorithm is denoted in DS RRs by the digest
type {TBA2}. The wire format of a digest value is compatible with
RFC 4490 [RFC4490], that is digest is in little-endian representation.
type {TBA2}.The wire format of a digest value is compatible with
RFC4490 [RFC4490], that is digest is in little-endian representation.
V.Dolmatov Expires May 22, 2010 [Page 4]
The digest MUST always be calculated with GOST R 34.11-94 parameters
The digest MUST always be calculated with GOST R 34.11-94 parameters
identified by id-GostR3411-94-CryptoProParamSet [RFC4357].
4.1. DS RR Example
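Review bot: the variant of the DS paragraph that reads "type {TBA2}.The wire format" and "RFC4490 [RFC4490]" drops two spaces; keep "type {TBA2}. The wire format" and "RFC 4490 [RFC4490]", matching "RFC 4491 [RFC4491]" in section 2. Also "that is digest is in little-endian representation" should read "that is, the digest is in little-endian representation".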
......@@ -249,8 +250,7 @@ V.Dolmatov Expires May 22, 2010 [Page 4]
example.net. 3600 IN DS 21649 {TBA1} {TBA2} (
A8146F448569F30B91255BA8E98DE14B18569A524C49593ADCA4103A
A44649C6 )
A44649C6 )
5. Deployment Considerations
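Review bot: the DS example carries key tag 21649, while the DNSKEY example in section 2.2 says "key id = 15820" and the RRSIG example in 3.1 uses 15820; if this DS is meant to cover the same example.net key, either the key tag or the digest was taken from a different key and the example should be regenerated from the 2.2 DNSKEY. The 64 hex digits do match the 256-bit digest size stated in 5.3, so the length is fine.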
......@@ -266,8 +266,8 @@ V.Dolmatov Expires May 22, 2010 [Page 4]
5.3. Digest Sizes
According to the GOST R 34.11-94 [GOST3411], the size of a GOST digest
is 256 bits.
According to the GOST R 34.11-94 [GOST3411], the size of a GOST
digest is 256 bits.
6. Implementation Considerations
......@@ -277,6 +277,8 @@ V.Dolmatov Expires May 22, 2010 [Page 4]
DNSKEY resource records created with the GOST algorithms as
defined in this document.
V.Dolmatov Expires May 30, 2010 [Page 5]
6.2. Support for NSEC3 Denial of Existence
Any DNSSEC-GOST implementation is required to have either NSEC or
......@@ -298,7 +300,6 @@ V.Dolmatov Expires May 22, 2010 [Page 4]
of multiple elliptic curve point computations on prime modulus
of order 2**256.
V.Dolmatov Expires May 22, 2010 [Page 5]
Currently, the cryptographic resistance of GOST 34.11-94 hash
algorithm is estimated as 2**128 operations of computations of a
......@@ -311,8 +312,8 @@ V.Dolmatov Expires May 22, 2010 [Page 5]
This document updates the IANA registry "DNS Security Algorithm
Numbers [RFC4034]"
(http://www.iana.org/assignments/dns-sec-alg-numbers). The
following entries are added to the registry:
(http://www.iana.org/assignments/dns-sec-alg-numbers).
The following entries are added to the registry:
Zone Trans.
Value Algorithm Mnemonic Signing Sec. References Status
{TBA1} GOST R 34.10-2001 GOST Y * (this memo) OPTIONAL
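Review bot: the "*" in the Trans. Sec. column needs the registry's footnote in the document (no determination has been made about use of this algorithm with transaction security); as the hunk stands the marker is unexplained. The reflow of the URL onto its own line is fine.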
......@@ -332,6 +333,8 @@ V.Dolmatov Expires May 22, 2010 [Page 5]
contributors to these documents are gratefully acknowledged for
their hard work.
V.Dolmatov Expires May 30, 2010 [Page 6]
The following people provided additional feedback and text: Dmitry
Burkov, Jaap Akkerhuis, Olafur Gundmundsson, Jelte Jansen
and Wouter Wijngaards.
......@@ -355,8 +358,6 @@ V.Dolmatov Expires May 22, 2010 [Page 5]
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
V.Dolmatov Expires May 22, 2010 [Page 6]
[RFC4035] Arends R., Austein R., Larson M., Massey D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
......@@ -378,7 +379,7 @@ V.Dolmatov Expires May 22, 2010 [Page 6]
Algorithms", RFC 4357, January 2006.
[RFC4490] S. Leontiev and G. Chudov, "Using the GOST 28147-89,
GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001
GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001
Algorithms with Cryptographic Message Syntax (CMS)",
RFC 4490, May 2006.
......@@ -388,31 +389,19 @@ V.Dolmatov Expires May 22, 2010 [Page 6]
Infrastructure Certificate and CRL Profile", RFC 4491,
May 2006.
V.Dolmatov Expires May 30, 2010 [Page 7]
10.2. Informative References
[NIST800-57]
Barker E., Barker W., Burr W., Polk W., and M. Smid,
"Recommendations for Key Management", NIST SP 800-57,
March 2007.
[RFC3447] Jonsson J. and B. Kaliski, "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1", RFC 3447, February 2003.
[RFC4509] Hardaker W., "Use of SHA-256 in DNSSEC Delegation Signer
(DS) Resource Records (RRs)", RFC 4509, May 2006.
[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
Security (DNSSEC) Hashed Authenticated Denial of
Existence", RFC 5155, March 2008.
[DRAFT1] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S.,
"GOST R 34.10-2001 digital signature algorithm"
draft-dolmatov-cryptocom-gost3410-2001-06, 11.10.09
draft-dolmatov-cryptocom-gost34102001-06, 11.10.09
work in progress.
V.Dolmatov Expires May 10, 2010 [Page 7]
[DRAFT2] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S.,
"GOST R 34.11-94 Hash function algorithm"
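Review bot: the [DRAFT1] entry dates the draft "11.10.09", which is ambiguous (day.month vs month.day) and unlike the "Month Year" form used by every RFC entry above; use the same "Month Year" form for DRAFT1, DRAFT2 and DRAFT3 and check the renamed filename draft-dolmatov-cryptocom-gost34102001-06 against the name actually posted. The replaced footer "Expires May 10, 2010 [Page 7]" was inconsistent with the May 22 expiry on the other pages of -04, so the new May 30 footer also fixes that.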
......@@ -424,31 +413,34 @@ V.Dolmatov Expires May 10, 2010 [Page 7]
draft-dolmatov-cryptocom-gost2814789-04, 11.10.09
work in progress.
V.Dolmatov Expires May 30, 2010 [Page 8]
Authors' Addresses
Vasily Dolmatov, Ed.
Cryptocom Ltd.
Bolotnikovskaya, 23
Moscow, 117303, Russian Federation
Kedrova 14, bld.2
Moscow, 117218, Russian Federation
EMail: dol@cryptocom.ru
Artem Chuprina
Cryptocom Ltd.
Bolotnikovskaya, 23
Moscow, 117303, Russian Federation
Kedrova 14, bld.2
Moscow, 117218, Russian Federation
EMail: ran@cryptocom.ru
Igor Ustinov
Cryptocom Ltd.
Bolotnikovskaya, 23
Moscow, 117303, Russian Federation
Kedrova 14, bld.2
Moscow, 117218, Russian Federation
EMail: igus@cryptocom.ru
V.Dolmatov Expires May 22, 2010 [Page 8]
V.Dolmatov Expires May 30, 2010 [Page 9]