diff --git a/doc/draft/draft-ietf-dnsext-dnssec-gost-04.txt b/doc/draft/draft-ietf-dnsext-dnssec-gost-05.txt similarity index 85% rename from doc/draft/draft-ietf-dnsext-dnssec-gost-04.txt rename to doc/draft/draft-ietf-dnsext-dnssec-gost-05.txt index 1733c7d50d..152d96efac 100644 --- a/doc/draft/draft-ietf-dnsext-dnssec-gost-04.txt +++ b/doc/draft/draft-ietf-dnsext-dnssec-gost-05.txt @@ -1,12 +1,12 @@ DNS Extensions working group V.Dolmatov, Ed. Internet-Draft Cryptocom Ltd. -Intended status: Standards Track November 22, 2009 -Expires: May 22, 2010 +Intended status: Standards Track November 30, 2009 +Expires: May 30, 2010 Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records for DNSSEC - draft-ietf-dnsext-dnssec-gost-04 + draft-ietf-dnsext-dnssec-gost-05 Status of this Memo @@ -45,11 +45,11 @@ Copyright Notice Abstract This document describes how to produce signature and hash using - GOST algorithms for DNSKEY, RRSIG and DS resource records for use in - the Domain Name System Security Extensions (DNSSEC, RFC 4033, - RFC 4034, and RFC 4035). + GOST algorithms [DRAFT1, DRAFT2, DRAFT3] for DNSKEY, RRSIG and DS + resource records for use in the Domain Name System Security + Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). -V.Dolmatov Expires May 22, 2010 [Page 1] +V.Dolmatov Expires May 30, 2010 [Page 1] Table of Contents @@ -59,7 +59,7 @@ Table of Contents 2.2. GOST DNSKEY RR Example . . . . . . . . . . . . . . . . . . 3 3. RRSIG Resource Records . . . . . . . . . . . . . . . . . . . . 4 3.1 RRSIG RR Example . . . . . . . . . . . . . . . . . . . . . . 4 - 4. DS Resource Records . . . . . . . . . . . . . . . . . . . . . . 4 + 4. DS Resource Records . . . . . . . . . . . . . . . . . . . . . . 5 4.1 DS RR Example . . . . . . . . . . . . . . . . . . . . . . . . 5 5. Deployment Considerations . . . . . . . . . . . . . . . . . . . 5 5.1. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . 5 @@ -75,7 +75,7 @@ Table of Contents 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 10.1. Normative References . . . . . . . . . . . . . . . . . . . 6 10.2. Informative References . . . . . . . . . . . . . . . . . . 7 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 1. Introduction @@ -106,7 +106,7 @@ Table of Contents "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. -V.Dolmatov Expires May 22, 2010 [Page 2] +V.Dolmatov Expires May 30, 2010 [Page 2] 2. DNSKEY Resource Records @@ -118,7 +118,7 @@ V.Dolmatov Expires May 22, 2010 [Page 2] The wire format of the public key is compatible with RFC 4491 [RFC4491]: - According to [GOSTR341001], a public key is a point on the elliptic + According to [GOST3410], a public key is a point on the elliptic curve Q = (x,y). The wire representation of a public key MUST contain 66 octets, @@ -127,7 +127,7 @@ V.Dolmatov Expires May 22, 2010 [Page 2] little-endian representation of x and the second 32 octets contain the little-endian representation of y. This corresponds to the binary representation of (256||256) - from [GOSTR341001], ch. 5.3. + from [GOST3410], ch. 5.3. The only valid value for both parameters octets is 0. Other parameters octets values are reserved for future use. @@ -162,17 +162,17 @@ V.Dolmatov Expires May 22, 2010 [Page 2] Private-key-format: v1.2 Algorithm: {TBA1} (GOST) GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgV/S - 2FXdMtzKJBehZvjF4lVSx6m66TwqSe/MFwKSH/3E= + 2FXdMtzKJBehZvjF4lVSx6m66TwqSe/MFwKSH/3E= -V.Dolmatov Expires May 22, 2010 [Page 3] +V.Dolmatov Expires May 30, 2010 [Page 3] The following DNSKEY RR stores a DNS zone key for example.net example.net. 86400 IN DNSKEY 256 3 {TBA1} ( AADMrbi2vAs4hklTmmzGE3WWNtJ8Dll0u0jq - tGRbNKeJguZQj/9EpGWmQK9hekPiPlzH2Ph6 - yB7i836EfzmJo5LP - ) ; key id = 15820 + tGRbNKeJguZQj/9EpGWmQK9hekPiPlzH2Ph6 + yB7i836EfzmJo5LP + ) ; key id = 15820 3. RRSIG Resource Records @@ -206,7 +206,7 @@ V.Dolmatov Expires May 22, 2010 [Page 3] With the private key from section 2.2 sign the following RRSet, consisting of one A record: - www.example.net. 3600 IN A 192.0.32.10 + www.example.net. 3600 IN A 192.0.2.1 Setting the inception date to 2000-01-01 00:00:00 UTC and the expiration date to 2030-01-01 00:00:00 UTC, the following signature @@ -215,9 +215,11 @@ V.Dolmatov Expires May 22, 2010 [Page 3] www.example.net. 3600 IN RRSIG A {TBA1} 3 3600 20300101000000 ( 20000101000000 15820 example.net. - K4sw+TOJz47xqP6685ItDfPhkktyvgxXrLdX - aQLX01mMZbJUp6tzetBYGpdHciAW5RLvHLVB - P8RtFK8Qv5DRsA== ) + 2MIsZWtEx6pcfQrdl376B8sFg0qxsR8XMHpl + jHh+V6U7Qte7WwI4C3Z1nFMRVf//C9rO2dGB + rdp+C7wVoOHBqA== ) + +V.Dolmatov Expires May 30, 2010 [Page 4] Note: Several GOST signatures calculated for the same message text differ because of using of a random element is used in signature @@ -226,12 +228,11 @@ V.Dolmatov Expires May 22, 2010 [Page 3] 4. DS Resource Records GOST R 34.11-94 digest algorithm is denoted in DS RRs by the digest - type {TBA2}. The wire format of a digest value is compatible with - RFC 4490 [RFC4490], that is digest is in little-endian representation. + type {TBA2}.The wire format of a digest value is compatible with + RFC4490 [RFC4490], that is digest is in little-endian representation. -V.Dolmatov Expires May 22, 2010 [Page 4] - The digest MUST always be calculated with GOST R 34.11-94 parameters + The digest MUST always be calculated with GOST R 34.11-94 parameters identified by id-GostR3411-94-CryptoProParamSet [RFC4357]. 4.1. DS RR Example @@ -249,8 +250,7 @@ V.Dolmatov Expires May 22, 2010 [Page 4] example.net. 3600 IN DS 21649 {TBA1} {TBA2} ( A8146F448569F30B91255BA8E98DE14B18569A524C49593ADCA4103A - A44649C6 ) - + A44649C6 ) 5. Deployment Considerations @@ -266,8 +266,8 @@ V.Dolmatov Expires May 22, 2010 [Page 4] 5.3. Digest Sizes - According to the GOST R 34.11-94 [GOST3411], the size of a GOST digest - is 256 bits. + According to the GOST R 34.11-94 [GOST3411], the size of a GOST + digest is 256 bits. 6. Implementation Considerations @@ -277,6 +277,8 @@ V.Dolmatov Expires May 22, 2010 [Page 4] DNSKEY resource records created with the GOST algorithms as defined in this document. +V.Dolmatov Expires May 30, 2010 [Page 5] + 6.2. Support for NSEC3 Denial of Existence Any DNSSEC-GOST implementation is required to have either NSEC or @@ -298,7 +300,6 @@ V.Dolmatov Expires May 22, 2010 [Page 4] of multiple elliptic curve point computations on prime modulus of order 2**256. -V.Dolmatov Expires May 22, 2010 [Page 5] Currently, the cryptographic resistance of GOST 34.11-94 hash algorithm is estimated as 2**128 operations of computations of a @@ -311,8 +312,8 @@ V.Dolmatov Expires May 22, 2010 [Page 5] This document updates the IANA registry "DNS Security Algorithm Numbers [RFC4034]" - (http://www.iana.org/assignments/dns-sec-alg-numbers). The - following entries are added to the registry: + (http://www.iana.org/assignments/dns-sec-alg-numbers). + The following entries are added to the registry: Zone Trans. Value Algorithm Mnemonic Signing Sec. References Status {TBA1} GOST R 34.10-2001 GOST Y * (this memo) OPTIONAL @@ -332,6 +333,8 @@ V.Dolmatov Expires May 22, 2010 [Page 5] contributors to these documents are gratefully acknowledged for their hard work. +V.Dolmatov Expires May 30, 2010 [Page 6] + The following people provided additional feedback and text: Dmitry Burkov, Jaap Akkerhuis, Olafur Gundmundsson, Jelte Jansen and Wouter Wijngaards. @@ -355,8 +358,6 @@ V.Dolmatov Expires May 22, 2010 [Page 5] Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005. -V.Dolmatov Expires May 22, 2010 [Page 6] - [RFC4035] Arends R., Austein R., Larson M., Massey D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005. @@ -378,7 +379,7 @@ V.Dolmatov Expires May 22, 2010 [Page 6] Algorithms", RFC 4357, January 2006. [RFC4490] S. Leontiev and G. Chudov, "Using the GOST 28147-89, - GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001 + GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001 Algorithms with Cryptographic Message Syntax (CMS)", RFC 4490, May 2006. @@ -388,31 +389,19 @@ V.Dolmatov Expires May 22, 2010 [Page 6] Infrastructure Certificate and CRL Profile", RFC 4491, May 2006. +V.Dolmatov Expires May 30, 2010 [Page 7] 10.2. Informative References - [NIST800-57] - Barker E., Barker W., Burr W., Polk W., and M. Smid, - "Recommendations for Key Management", NIST SP 800-57, - March 2007. - - [RFC3447] Jonsson J. and B. Kaliski, "Public-Key Cryptography - Standards (PKCS) #1: RSA Cryptography Specifications - Version 2.1", RFC 3447, February 2003. - [RFC4509] Hardaker W., "Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)", RFC 4509, May 2006. - [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS - Security (DNSSEC) Hashed Authenticated Denial of - Existence", RFC 5155, March 2008. - [DRAFT1] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S., "GOST R 34.10-2001 digital signature algorithm" - draft-dolmatov-cryptocom-gost3410-2001-06, 11.10.09 + draft-dolmatov-cryptocom-gost34102001-06, 11.10.09 work in progress. -V.Dolmatov Expires May 10, 2010 [Page 7] + [DRAFT2] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S., "GOST R 34.11-94 Hash function algorithm" @@ -424,31 +413,34 @@ V.Dolmatov Expires May 10, 2010 [Page 7] draft-dolmatov-cryptocom-gost2814789-04, 11.10.09 work in progress. +V.Dolmatov Expires May 30, 2010 [Page 8] + + Authors' Addresses Vasily Dolmatov, Ed. Cryptocom Ltd. -Bolotnikovskaya, 23 -Moscow, 117303, Russian Federation +Kedrova 14, bld.2 +Moscow, 117218, Russian Federation EMail: dol@cryptocom.ru Artem Chuprina Cryptocom Ltd. -Bolotnikovskaya, 23 -Moscow, 117303, Russian Federation +Kedrova 14, bld.2 +Moscow, 117218, Russian Federation EMail: ran@cryptocom.ru Igor Ustinov Cryptocom Ltd. -Bolotnikovskaya, 23 -Moscow, 117303, Russian Federation +Kedrova 14, bld.2 +Moscow, 117218, Russian Federation EMail: igus@cryptocom.ru -V.Dolmatov Expires May 22, 2010 [Page 8] +V.Dolmatov Expires May 30, 2010 [Page 9]