Network Working Group P. Hoffman
Internet-Draft VPN Consortium
Intended status: Standards Track July 6, 2009
Expires: January 7, 2010
DSA with SHA-2 for DNSSEC
draft-hoffman-dnssec-dsa-sha2-00
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 7, 2010.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Hoffman Expires January 7, 2010 [Page 1]
Internet-Draft DSA with SHA-2 for DNSSEC July 2009
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract
This document describes how to specify DSA keys and signatures based
on SHA-256 with a specific set of parameters in DNSSEC. The keys
used are 2048 bits, and have an equivalent security level of 112
bits.
1. Introduction
DNSSEC, which is broadly defined in RFCs 4033, 4034, and 4035
([RFC4033], [RFC4034], and [RFC4035]), uses cryptographic keys and
digital signatures to provide authentication of DNS data. Currently,
the most popular signature algorithm is RSA with SHA-1, using keys
1024 or 2048 bits long. The RSA with SHA-256 signature algorithm (as
specified in [RSASHA256]) with keys of 1024 to 2048 bits is expected
to become popular in the coming years.
RFC 2536 [RFC2536] describes the KEY and SIG resource records (RRs)
for the DSA with SHA-1 signature algorithm. At the time RFC 2536 was
written, SHA-1 was the only hash algorithm that was defined for use
with DSA, and the only key size allowed was 1024 bits. FIPS 186-3
([FIPS-186-3]) extends the original DSA definition to permit larger
keys. This document neither updates nor replaces RFC 2536.
Using DSA with SHA-256 in DNSSEC has some advantages and
disadvantages relative to using RSA with SHA-256 when using 2048-bit
keys. DSA signatures are much shorter than RSA signatures; at this
size, the difference is 512 bits verus 2048 bits. On typical
platforms using 2048-bit keys, signing DSA is about three times
faster than for RSA, but verifying RSA signatures is more than ten
times faster than for DSA.
This document specifies the DNSKEY and RRSIG RRs for DSA when used
with the SHA-256 hash algorithm for a specific set of DSA parameters
from RFC 5114 [RFC5114].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Hoffman Expires January 7, 2010 [Page 2]
Internet-Draft DSA with SHA-2 for DNSSEC July 2009
2. DSA Parameters
In order for a DSA signature to be validated, the validator needs to
know the DSA parameters that were used. The three parameters are
called "p", "q", and "g" in FIPS 186-3. FIPS 186-3 calls the private
key "x" and the public key "y"; the per-signature secret value is
called "k".
In some cryptographic protocols, the signer picks their own
parameters and transmits them with the signature. However, because
of their size, this is often wasteful of bandwidth and storage.
Other cryptographic protocols pick well-known parameters that are
used by everyone, and the only thing that is passed is an indicator
of which parameter set is used.
Because DNS messages should be kept short, this document chooses the
latter method. The parameters are chosen following the methods
described in FIPS 186-3. The size of the parameters is based on the
desired strength of the signatures. This document uses DSA with SHA-
256 and a 2048-bit y, the public key. Thus, p is 2048 bits, q is 256
bits, and g is 2048 bits long.
The values used in this document are from RFC 5114, section 2.3. In
hexadecimal, they are:
Hoffman Expires January 7, 2010 [Page 3]
Internet-Draft DSA with SHA-2 for DNSSEC July 2009
p = 87A8E61D B4B6663C FFBBD19C 65195999 8CEEF608 660DD0F2
5D2CEED4 435E3B00 E00DF8F1 D61957D4 FAF7DF45 61B2AA30
16C3D911 34096FAA 3BF4296D 830E9A7C 209E0C64 97517ABD
5A8A9D30 6BCF67ED 91F9E672 5B4758C0 22E0B1EF 4275BF7B
6C5BFC11 D45F9088 B941F54E B1E59BB8 BC39A0BF 12307F5C
4FDB70C5 81B23F76 B63ACAE1 CAA6B790 2D525267 35488A0E
F13C6D9A 51BFA4AB 3AD83477 96524D8E F6A167B5 A41825D9
67E144E5 14056425 1CCACB83 E6B486F6 B3CA3F79 71506026
C0B857F6 89962856 DED4010A BD0BE621 C3A3960A 54E710C3
75F26375 D7014103 A4B54330 C198AF12 6116D227 6E11715F
693877FA D7EF09CA DB094AE9 1E1A1597
q = 8CF83642 A709A097 B4479976 40129DA2 99B1A47D 1EB3750B
A308B0FE 64F5FBD3
g = 3FB32C9B 73134D0B 2E775066 60EDBD48 4CA7B18F 21EF2054
07F4793A 1A0BA125 10DBC150 77BE463F FF4FED4A AC0BB555
BE3A6C1B 0C6B47B1 BC3773BF 7E8C6F62 901228F8 C28CBB18
A55AE313 41000A65 0196F931 C77A57F2 DDF463E5 E9EC144B
777DE62A AAB8A862 8AC376D2 82D6ED38 64E67982 428EBC83
1D14348F 6F2F9193 B5045AF2 767164E1 DFC967C1 FB3F2E55
A4BD1BFF E83B9C80 D052B985 D182EA0A DB2A3B73 13D3FE14
C8484B1E 052588B9 B7D2BBD2 DF016199 ECD06E15 57CD0915
B3353BBB 64E0EC37 7FD02837 0DF92B52 C7891428 CDC67EB6
184B523D 1DB246C3 2F630784 90F00EF8 D647D148 D4795451
5E2327CF EF98C582 664B4C0F 6CC41659
3. DNSKEY and RRSIG Resource Records for DSA with SHA-256
The DSA signature is the combination of two non-negative integers,
called "r" and "s" in FIPS 186-3. Because q was chosen to be the
same size as the output of SHA-256 (256 bits), r and s are each 256
bits. The two integers, each of which is formatted as a simple bit
string, are combined into a single longer bit string for DNSSEC as
the concatenation "r | s".
The algorithm number associated with the DNSKEY and RRSIG resource
records for DSA with SHA-256 and the parameters in this document is
{TBA}; it is fully defined in the IANA Considerations section. The
associated DS RR for SHA-256 is already defined in RFC 4509
[RFC4509].
4. Support for NSEC3 Denial of Existence
RFC 5155 [RFC5155] defines new algorithm identifiers for existing
signing algorithms, to indicate that zones signed with these
Hoffman Expires January 7, 2010 [Page 4]
Internet-Draft DSA with SHA-2 for DNSSEC July 2009
algorithm identifiers can use NSEC3 as well as NSEC records to
provide denial of existence. That mechanism was chosen to protect
implementations predating RFC 5155 from encountering resource records
they could not know about. This document does not define such
algorithm aliases.
A DNSSEC validator that implements the signing algorithm defined in
this document MUST be able to validate negative answers in the form
of both NSEC and NSEC3 with hash algorithm 1, as defined in RFC 5155.
An authoritative server that does not implement NSEC3 MAY still serve
zones that use the signing algorithm defined in this document with
NSEC denial of existence.
5. Examples
[[ To be filled in later. ]]
6. IANA Considerations
This document updates the IANA registry "Domain Name System Security
(DNSSEC) Algorithm Numbers". The following entry is added to the
registry:
Number {TBA}
Description DSA with SHA-256 using parameters from RFC 5114,
section 2.3
Mnemonic DSA2048SHA256
Zone Signing Y
Trans. Sec. **** Unknown; will fill in later ****
Reference This document
7. Security Considerations
The cryptographic strength of DSA is generally considered to be
equivalent to RSA when the DSA public key and the RSA public keys are
the same size. Such an assessment could, of course, change in the
future if new attacks that work better with one or the other
algorithms are found.
There are currently no known attacks on the specific set of DSA
parameters chosen for this document. Such an assessment could, of
course, change in the future.
8. References
Hoffman Expires January 7, 2010 [Page 5]
Internet-Draft DSA with SHA-2 for DNSSEC July 2009
8.1. Normative References
[FIPS-186-3]
National Institute of Standards and Technology, U.S.
Department of Commerce, "Digital Signature Standard",
FIPS 186-3, June 2009.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
[RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
(DS) Resource Records (RRs)", RFC 4509, May 2006.
[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
Security (DNSSEC) Hashed Authenticated Denial of
Existence", RFC 5155, March 2008.
[RSASHA256]
Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY
and RRSIG Resource Records for DNSSEC", RFC-to-be derived
from draft-ietf-dnsext-dnssec-rsasha256, March 2009.
8.2. Informative References
[RFC2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
(DNS)", RFC 2536, March 1999.
[RFC5114] Lepinski, M. and S. Kent, "Additional Diffie-Hellman
Groups for Use with IETF Standards", RFC 5114,
January 2008.
Hoffman Expires January 7, 2010 [Page 6]
Internet-Draft DSA with SHA-2 for DNSSEC July 2009
Author's Address
Paul Hoffman
VPN Consortium
Email: paul.hoffman@vpnc.org
Hoffman Expires January 7, 2010 [Page 7]