aboutsummaryrefslogblamecommitdiff
path: root/wiki/DNSSEC%2FRequirements.trac
blob: b8f40f0ff9c40c2c272f937c53dbee91e54e4c37 (plain) (tree)











































































                                                                                         
= DNSSEC Requirements =

== Questions ==

- Should we even support SHA-1?
- GOST?

== Must implement ==

Target DNSSEC Algorithms:

- RSA/SHA-256 (RFC 5702)
- RSA/SHA-512 (RFC 5702)

Algorithms:

- Hash: SHA-256
- Hash: SHA-512
- Sign: RSA

Required PKCS11 Mechs:

- CKM_RSA_PKCS_KEY_PAIR_GEN
- CKM_SHA256_RSA_PKCS
- CKM_SHA512_RSA_PKCS
- CKM_RSA_PKCS (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
- CKM_SHA256
- CKM_SHA512

== Should implement ==

Target DNSSEC Algorithms:

- ECDSA/P-256/SHA-256 (RFC 6605)
- ECDSA/P-384/SHA-384 (RFC 6605)

Algorithms:

- Hash: SHA-256
- Hash: SHA-384
- Sign: P-256
- Sign: P-384

Required PKCS11 Mechs:

- CKM_EC_KEY_PAIR_GEN
- CKM_ECDSA_SHA256
- CKM_ECDSA_SHA384
- CKM_ECDSA (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
- CKM_SHA256
- CKM_SHA384

== May implement ==

Target DNSSEC Algorithms:

- RSA/SHA-1 (RFC 3110)
- GOST (RFC 5933)

Algorithms:

- Hash: SHA-1
- Sign: RSA

- Hash: GOST R 34.11-94 (RFC5831)
- Sign: GOST R 34.10-2001 (RFC5832)

Required PKCS11 Mechs:

- CKM_RSA_PKCS_KEY_PAIR_GEN
- CKM_RSA_PKCS (possible cross-check hash with CKM_SHA_1)
- CKM_SHA1_RSA_PKCS
- CKM_SHA_1

- CKM_GOSTR3410_KEY_PAIR_GEN
- CKM_GOSTR3410_WITH_GOSTR3411