Title: DNSSEC/Requirements
Author: trac
Date: 2016-12-15 22:44
- Should we even support SHA-1?
- GOST?
Target DNSSEC Algorithms:
- RSA/SHA-256 (RFC 5702)
- RSA/SHA-512 (RFC 5702)
Algorithms:
- Hash: SHA-256
- Hash: SHA-512
- Sign: RSA
Required PKCS11 Mechs:
- CKM_RSA_PKCS_KEY_PAIR_GEN
- CKM_SHA256_RSA_PKCS
- CKM_SHA512_RSA_PKCS
- CKM_RSA_PKCS (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
- CKM_SHA256
- CKM_SHA512
Target DNSSEC Algorithms:
- ECDSA/P-256/SHA-256 (RFC 6605)
- ECDSA/P-384/SHA-384 (RFC 6605)
Algorithms:
- Hash: SHA-256
- Hash: SHA-384
- Sign: P-256
- Sign: P-384
Required PKCS11 Mechs:
- CKM_EC_KEY_PAIR_GEN
- CKM_ECDSA_SHA256
- CKM_ECDSA_SHA384
- CKM_ECDSA (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
- CKM_SHA256
- CKM_SHA384
Target DNSSEC Algorithms:
- RSA/SHA-1 (RFC 3110)
- GOST (RFC 5933)
Algorithms:
Required PKCS11 Mechs: