diff --git a/doc/draft/draft-ietf-dnsext-dnssec-gost-01.txt b/doc/draft/draft-ietf-dnsext-dnssec-gost-02.txt similarity index 86% rename from doc/draft/draft-ietf-dnsext-dnssec-gost-01.txt rename to doc/draft/draft-ietf-dnsext-dnssec-gost-02.txt index c7ffbce49c..73faa6be92 100644 --- a/doc/draft/draft-ietf-dnsext-dnssec-gost-01.txt +++ b/doc/draft/draft-ietf-dnsext-dnssec-gost-02.txt @@ -1,12 +1,12 @@ DNS Extensions working group V.Dolmatov, Ed. Internet-Draft Cryptocom Ltd. -Intended status: Standards Track October 18, 2009 -Expires: April 18, 2010 +Intended status: Standards Track November 10, 2009 +Expires: May 10, 2010 Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records for DNSSEC - draft-ietf-dnsext-dnssec-gost-01 + draft-ietf-dnsext-dnssec-gost-02 Status of this Memo @@ -29,7 +29,7 @@ Status of this Memo The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on April 18 2010. + This Internet-Draft will expire on May 10 2010. Copyright Notice @@ -49,7 +49,7 @@ Abstract Name System Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). -V.Dolmatov Expires April 18, 2010 [Page 1] +V.Dolmatov Expires May 10, 2010 [Page 1] Table of Contents @@ -106,7 +106,7 @@ Table of Contents "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. -V.Dolmatov Expires April 18, 2010 [Page 2] +V.Dolmatov Expires May 10, 2010 [Page 2] 2. DNSKEY Resource Records @@ -145,7 +145,7 @@ V.Dolmatov Expires April 18, 2010 [Page 2] section 2.3.2. To make this encoding from the wire format of a GOST public key - with the parameters used in this document, prepend last 64 octets + with the parameters used in this document, prepend the last 64 octets of key data (in other words, substitute first two parameter octets) with the following 37-byte sequence: 
@@ -155,23 +155,24 @@ V.Dolmatov Expires April 18, 2010 [Page 2] 2.2. GOST DNSKEY RR Example - Given a private key with the following value: + Given a private key with the following value (the value of GostAsn1 + field is split here into two lines to simplify reading; in the + private key file it must be in one line): Private-key-format: v1.2 Algorithm: {TBA1} (GOST) - GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEE - IgQgAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= + GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgV/S + 2FXdMtzKJBehZvjF4lVSx6m66TwqSe/MFwKSH/3E= - (corresponding to private key value 1) - -V.Dolmatov Expires April 18, 2010 [Page 3] +V.Dolmatov Expires May 10, 2010 [Page 3] The following DNSKEY RR stores a DNS zone key for example.net - example.net. 86400 IN DNSKEY 256 3 {TBA1} ( AAABAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAABQe - n56cyawiseMj3y1PKTV2Kz9F - WlDfJ9qcmOBx5JGN ) + example.net. 86400 IN DNSKEY 256 3 {TBA1} ( + AADMrbi2vAs4hklTmmzGE3WWNtJ8Dll0u0jq + tGRbNKeJguZQj/9EpGWmQK9hekPiPlzH2Ph6 + yB7i836EfzmJo5LP + ) ; key id = 15820 3. RRSIG Resource Records 
@@ -209,13 +210,18 @@ V.Dolmatov Expires April 18, 2010 [Page 3] Setting the inception date to 2000-01-01 00:00:00 UTC and the expiration date to 2030-01-01 00:00:00 UTC, the following signature - should be created (assuming {TBA1}==249 until proped code is + should be created (assuming {TBA1}==249 until proper code is assigned by IANA) - www.example.net. 3600 IN RRSIG ( A {TBA1} 3 3600 - 20300101000000 20000101000000 9033 example.net. - 96ObOt5gR6Xln8g42w70OZvi6BZoQvLIhrN9F+VBc29mp+ap - DQov1re0hApGenYDd2zLaHecw4H2vnPj0NhhxA== ) + www.example.net. 3600 IN RRSIG A {TBA1} 3 3600 20300101000000 ( + 20000101000000 15820 example.net. + K4sw+TOJz47xqP6685ItDfPhkktyvgxXrLdX + aQLX01mMZbJUp6tzetBYGpdHciAW5RLvHLVB + P8RtFK8Qv5DRsA== ) + + Note: Several GOST signatures calculated for the same message text + will differ because of using of random element in signature + generation process. 4. DS Resource Records @@ -223,7 +229,7 @@ V.Dolmatov Expires April 18, 2010 [Page 3] type {TBA2}. The wire format of a digest value is compatible with RFC 4490 [RFC4490]. -V.Dolmatov Expires April 18, 2010 [Page 4] +V.Dolmatov Expires May 10, 2010 [Page 4] Quoting RFC 4490: @@ -234,9 +240,22 @@ V.Dolmatov Expires April 18, 2010 [Page 4] 4.1. DS RR Example - example.net. 3600 IN DS 9033 {TBA1} {TBA2} ( Su0ToNow7Lwex+wqac+cTQ - djJ733qubhan+KqUrselc= ) - + For key signing key (assuming {TBA1}==249 until proper code is + assigned by IANA) + + example.net. 86400 DNSKEY 257 3 {TBA1} ( + AAADr5vmKVdXo780hSRU1YZYWuMZUbEe9R7C + RRLc7Wj2osDXv2XbCnIpTUx8dVLnLKmDBquu + 9tCz5oSsZl0cL0R2 + ) ; key id = 21649 + + DS RR will be + + example.net. 3600 IN DS 21649 {TBA1} {TBA2} ( + A8146F448569F30B91255BA8E98DE14B18569A524C49593ADCA4103A + A44649C6 ) + + 5. Deployment Considerations 5.1. Key Sizes 
@@ -283,7 +302,7 @@ V.Dolmatov Expires April 18, 2010 [Page 4] of multiple elliptic curve point computations on prime modulus 2**256. -V.Dolmatov Expires April 18, 2010 [Page 5] +V.Dolmatov Expires May 10, 2010 [Page 5] Currently, the cryptographic resistance of GOST 34.11-94 hash algorithm is estimated as 2**128 operations of computations of a @@ -339,7 +358,7 @@ V.Dolmatov Expires April 18, 2010 [Page 5] Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005. -V.Dolmatov Expires April 18, 2010 [Page 6] +V.Dolmatov Expires May 10, 2010 [Page 6] [RFC4035] Arends R., Austein R., Larson M., Massey D., and S. Rose, "Protocol Modifications for the DNS Security @@ -396,7 +415,7 @@ V.Dolmatov Expires April 18, 2010 [Page 6] "GOST R 34.10-2001 digital signature algorithm" draft-dolmatov-cryptocom-gost3410-2001-05, work in progress -V.Dolmatov Expires April 18, 2010 [Page 7] +V.Dolmatov Expires May 10, 2010 [Page 7] [DRAFT2] Dolmatov V., Kabelev D., Ustinov I., Vyshensky S., "GOST R 34.11-94 Hash function algorithm" @@ -430,6 +449,7 @@ Moscow, 117303, Russian Federation EMail: igus@cryptocom.ru -V.Dolmatov Expires April 18, 2010 [Page 8] +V.Dolmatov Expires May 10, 2010 [Page 8] +
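Review bot: In hunk @@ -29,7 +29,7 @@ the rewritten expiry line reads "expire on May 10 2010" without the comma, while every other occurrence in this revision ("Expires May 10, 2010") carries one; since the line is being touched anyway, make it "This Internet-Draft will expire on May 10, 2010."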
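Review bot: In hunk @@ -145,7 +145,7 @@ adding "the" does not fix the underlying phrasing: "prepend the last 64 octets of key data ... with the following 37-byte sequence" still reads as if the 64 octets are inserted before the 37-byte sequence, which is the reverse of what the parenthetical ("substitute first two parameter octets") describes. Suggest "prefix the last 64 octets of key data with the following 37-byte sequence (in other words, replace the first two parameter octets with it)" so the direction of the operation is unambiguous to implementers building the ASN.1 encoding from the wire format.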
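Review bot: In hunk @@ -155,23 +155,24 @@ the removed line "(corresponding to private key value 1)" was the only statement tying the example private-key file to a known scalar; the replacement key is given only as an opaque GostAsn1 blob, so an implementer can no longer check their ASN.1 parsing against a known value. Either state the numeric private key value that the new blob encodes, or keep a second, trivially checkable vector. Separately, the added explanation for splitting the GostAsn1 line belongs with the other layout conventions of the document rather than inline in the example, and "in the private key file it must be in one line" should say whose format this is (it is the Private-key-format: v1.2 file shown, not the wire or ASN.1 encoding).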
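Review bot: In hunk @@ -209,13 +210,18 @@ the new Note is the security-relevant sentence of the section but is phrased awkwardly ("because of using of random element") and stops short of the consequence. Suggest: "Note: GOST R 34.10-2001 signature generation uses a random element, so several signatures over the same data will differ. Implementations MUST verify the RRSIG above against the DNSKEY rather than compare it byte-for-byte with this example." Because the signature depends on a per-signature random value, the Deployment or Security Considerations should also require a cryptographically strong random source for signers, as is usual for this family of signature schemes. Also, "assuming {TBA1}==249" matters here for more than the algorithm field: the key id 15820 is the RFC 4034 key tag computed over the RDATA including the algorithm octet, so it will change when IANA assigns a different value; say so next to the key id.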
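Review bot: In hunk @@ -234,9 +240,22 @@ the KSK record "example.net. 86400 DNSKEY 257 3 {TBA1} (" omits the class, while every other example RR in the draft spells out "IN"; add it for consistency ("example.net. 86400 IN DNSKEY 257 3 {TBA1} ("). The switch of the DS digest from base64 to hexadecimal is correct (RFC 4034 section 5.3 presents the digest as hex) and the 64 hex digits match a 256-bit GOST R 34.11-94 output, but the surrounding prose is fragmentary: "For key signing key (assuming {TBA1}==249 ...)" and "DS RR will be" should become full sentences, e.g. "Given the following key signing key (assuming {TBA1}==249 until a proper code is assigned by IANA):" and "the corresponding DS RR is:". As with the zone key, note that key id 21649 depends on the assumed algorithm value.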
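Review bot: In hunk @@ -430,6 +449,7 @@ the only change besides the footer date is an added empty line after the final page footer, which leaves a stray trailing blank line at end of file; drop it unless the I-D formatting tool requires it.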