path: root/markdown/DNSSEC%2FRequirements.md

   
DNSSEC Requirements
Questions

Should we even support SHA-1?
GOST?

Must implement
Target DNSSEC Algorithms:

RSA/SHA-256 (RFC 5702)
RSA/SHA-512 (RFC 5702)

Algorithms:

Hash: SHA-256
Hash: SHA-512
Sign: RSA

Required PKCS11 Mechs:

CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_SHA256_RSA_PKCS
CKM_SHA512_RSA_PKCS
CKM_RSA_PKCS (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
CKM_SHA256
CKM_SHA512

Should implement
Target DNSSEC Algorithms:

ECDSA/P-256/SHA-256 (RFC 6605)
ECDSA/P-384/SHA-384 (RFC 6605)

Algorithms:

Hash: SHA-256
Hash: SHA-384
Sign: P-256
Sign: P-384

Required PKCS11 Mechs:

CKM_EC_KEY_PAIR_GEN
CKM_ECDSA_SHA256
CKM_ECDSA_SHA384
CKM_ECDSA (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
CKM_SHA256
CKM_SHA384

May implement
Target DNSSEC Algorithms:

RSA/SHA-1 (RFC 3110)
GOST (RFC 5933)

Algorithms:

Hash: SHA-1

Sign: RSA


Hash: GOST R 34.11-94 (RFC5831)

Sign: GOST R 34.10-2001 (RFC5832)

Required PKCS11 Mechs:

CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_RSA_PKCS (possible cross-check hash with CKM_SHA_1)
CKM_SHA1_RSA_PKCS

CKM_SHA_1


CKM_GOSTR3410_KEY_PAIR_GEN

CKM_GOSTR3410_WITH_GOSTR3411