summaryrefslogblamecommitdiff
path: root/raw-wiki-dump/DNSSEC%2FRequirements.md
blob: 36b11526156415b59fb2798587ee9c57c8e53667 (plain) (tree)


































































































                                                                                        

   

DNSSEC Requirements

Questions

  • Should we even support SHA-1?
  • GOST?

Must implement

Target DNSSEC Algorithms:

  • RSA/SHA-256 (RFC 5702)
  • RSA/SHA-512 (RFC 5702)

Algorithms:

  • Hash: SHA-256
  • Hash: SHA-512
  • Sign: RSA

Required PKCS11 Mechs:

  • CKM_RSA_PKCS_KEY_PAIR_GEN
  • CKM_SHA256_RSA_PKCS
  • CKM_SHA512_RSA_PKCS
  • CKM_RSA_PKCS (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
  • CKM_SHA256
  • CKM_SHA512

Should implement

Target DNSSEC Algorithms:

  • ECDSA/P-256/SHA-256 (RFC 6605)
  • ECDSA/P-384/SHA-384 (RFC 6605)

Algorithms:

  • Hash: SHA-256
  • Hash: SHA-384
  • Sign: P-256
  • Sign: P-384

Required PKCS11 Mechs:

  • CKM_EC_KEY_PAIR_GEN
  • CKM_ECDSA_SHA256
  • CKM_ECDSA_SHA384
  • CKM_ECDSA (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
  • CKM_SHA256
  • CKM_SHA384

May implement

Target DNSSEC Algorithms:

  • RSA/SHA-1 (RFC 3110)
  • GOST (RFC 5933)

Algorithms:

  • Hash: SHA-1
  • Sign: RSA

  • Hash: GOST R 34.11-94 (RFC5831)

  • Sign: GOST R 34.10-2001 (RFC5832)

Required PKCS11 Mechs:

  • CKM_RSA_PKCS_KEY_PAIR_GEN
  • CKM_RSA_PKCS (possible cross-check hash with CKM_SHA_1)
  • CKM_SHA1_RSA_PKCS
  • CKM_SHA_1

  • CKM_GOSTR3410_KEY_PAIR_GEN

  • CKM_GOSTR3410_WITH_GOSTR3411