aboutsummaryrefslogblamecommitdiff
path: root/pelican/content/DNSSEC-Requirements.md
blob: cef61c4c19fef6e9c40130959b78744b3cc5e0f2 (plain) (tree)






































































































                                                                                        

   

Title: DNSSEC/Requirements Author: trac Date: 2016-12-15 22:44

DNSSEC Requirements

Questions

  • Should we even support SHA-1?
  • GOST?

Must implement

Target DNSSEC Algorithms:

  • RSA/SHA-256 (RFC 5702)
  • RSA/SHA-512 (RFC 5702)

Algorithms:

  • Hash: SHA-256
  • Hash: SHA-512
  • Sign: RSA

Required PKCS11 Mechs:

  • CKM_RSA_PKCS_KEY_PAIR_GEN
  • CKM_SHA256_RSA_PKCS
  • CKM_SHA512_RSA_PKCS
  • CKM_RSA_PKCS (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
  • CKM_SHA256
  • CKM_SHA512

Should implement

Target DNSSEC Algorithms:

  • ECDSA/P-256/SHA-256 (RFC 6605)
  • ECDSA/P-384/SHA-384 (RFC 6605)

Algorithms:

  • Hash: SHA-256
  • Hash: SHA-384
  • Sign: P-256
  • Sign: P-384

Required PKCS11 Mechs:

  • CKM_EC_KEY_PAIR_GEN
  • CKM_ECDSA_SHA256
  • CKM_ECDSA_SHA384
  • CKM_ECDSA (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
  • CKM_SHA256
  • CKM_SHA384

May implement

Target DNSSEC Algorithms:

  • RSA/SHA-1 (RFC 3110)
  • GOST (RFC 5933)

Algorithms:

  • Hash: SHA-1
  • Sign: RSA

  • Hash: GOST R 34.11-94 (RFC5831)

  • Sign: GOST R 34.10-2001 (RFC5832)

Required PKCS11 Mechs:

  • CKM_RSA_PKCS_KEY_PAIR_GEN
  • CKM_RSA_PKCS (possible cross-check hash with CKM_SHA_1)
  • CKM_SHA1_RSA_PKCS
  • CKM_SHA_1

  • CKM_GOSTR3410_KEY_PAIR_GEN

  • CKM_GOSTR3410_WITH_GOSTR3411