From 71487660812754e5f26f26595b6c3d456f9f6db8 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Fri, 8 Oct 2021 00:30:08 -0400 Subject: Get rid of conversion stuff, just build content -> website --- content/DNSSEC-Requirements.md | 103 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 content/DNSSEC-Requirements.md (limited to 'content/DNSSEC-Requirements.md') diff --git a/content/DNSSEC-Requirements.md b/content/DNSSEC-Requirements.md new file mode 100644 index 0000000..cef61c4 --- /dev/null +++ b/content/DNSSEC-Requirements.md @@ -0,0 +1,103 @@ +Title: DNSSEC/Requirements +Author: trac +Date: 2016-12-15 22:44 + +# DNSSEC Requirements + +## Questions + + +- Should we even support SHA-1? +- GOST? + + +## Must implement + +Target DNSSEC Algorithms: + + +- RSA/SHA-256 (RFC 5702) +- RSA/SHA-512 (RFC 5702) + + +Algorithms: + + +- Hash: SHA-256 +- Hash: SHA-512 +- Sign: RSA + + +Required PKCS11 Mechs: + + +- CKM_RSA_PKCS_KEY_PAIR_GEN +- CKM_SHA256_RSA_PKCS +- CKM_SHA512_RSA_PKCS +- CKM_RSA_PKCS (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing) +- CKM_SHA256 +- CKM_SHA512 + + +## Should implement + +Target DNSSEC Algorithms: + + +- ECDSA/P-256/SHA-256 (RFC 6605) +- ECDSA/P-384/SHA-384 (RFC 6605) + + +Algorithms: + + +- Hash: SHA-256 +- Hash: SHA-384 +- Sign: P-256 +- Sign: P-384 + + +Required PKCS11 Mechs: + + +- CKM_EC_KEY_PAIR_GEN +- CKM_ECDSA_SHA256 +- CKM_ECDSA_SHA384 +- CKM_ECDSA (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing) +- CKM_SHA256 +- CKM_SHA384 + + +## May implement + +Target DNSSEC Algorithms: + + +- RSA/SHA-1 (RFC 3110) +- GOST (RFC 5933) + + +Algorithms: + + +- Hash: SHA-1 +- Sign: RSA + + + +- Hash: GOST R 34.11-94 (RFC5831) +- Sign: GOST R 34.10-2001 (RFC5832) + + +Required PKCS11 Mechs: + + +- CKM_RSA_PKCS_KEY_PAIR_GEN +- CKM_RSA_PKCS (possible cross-check hash with CKM_SHA_1) +- CKM_SHA1_RSA_PKCS +- CKM_SHA_1 + + + +- CKM_GOSTR3410_KEY_PAIR_GEN +- CKM_GOSTR3410_WITH_GOSTR3411 -- cgit v1.2.3