Slug: DNSSEC-Requirements
Title: DNSSEC/Requirements
Date: 2016-12-15 22:44
Category: DNSSEC

# DNSSEC Requirements

## Questions

- Should we even support SHA-1?
- GOST?

## Must implement

Target DNSSEC Algorithms:

- RSA/SHA-256 (RFC 5702)
- RSA/SHA-512 (RFC 5702)

Algorithms:

- Hash: SHA-256
- Hash: SHA-512
- Sign: RSA

Required PKCS11 Mechs:

- CKM_RSA_PKCS_KEY_PAIR_GEN
- CKM_SHA256_RSA_PKCS
- CKM_SHA512_RSA_PKCS
- CKM_RSA_PKCS (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
- CKM_SHA256
- CKM_SHA512

## Should implement

Target DNSSEC Algorithms:

- ECDSA/P-256/SHA-256 (RFC 6605)
- ECDSA/P-384/SHA-384 (RFC 6605)

Algorithms:

- Hash: SHA-256
- Hash: SHA-384
- Sign: P-256
- Sign: P-384

Required PKCS11 Mechs:

- CKM_EC_KEY_PAIR_GEN
- CKM_ECDSA_SHA256
- CKM_ECDSA_SHA384
- CKM_ECDSA (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
- CKM_SHA256
- CKM_SHA384

## May implement

Target DNSSEC Algorithms:

- RSA/SHA-1 (RFC 3110)
- GOST (RFC 5933)

Algorithms:

- Hash: SHA-1
- Sign: RSA
- Hash: GOST R 34.11-94 (RFC 5831)
- Sign: GOST R 34.10-2001 (RFC 5832)

Required PKCS11 Mechs:

- CKM_RSA_PKCS_KEY_PAIR_GEN
- CKM_RSA_PKCS (possible cross-check hash with CKM_SHA_1)
- CKM_SHA1_RSA_PKCS
- CKM_SHA_1
- CKM_GOSTR3410_KEY_PAIR_GEN
- CKM_GOSTR3410_WITH_GOSTR3411
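
One reading of the "cross-check hash ... before signing" note on CKM_RSA_PKCS, as an added example that is not this project's code: the host hashes the data itself, compares that with the token's CKM_SHA256/CKM_SHA512 digest, and only then submits the DigestInfo for signing. The token is replaced by software stand-ins with a constructed toy key; all function names and the sample bytes are assumptions.

```python
import hashlib
import hmac

# RFC 8017 section 9.2 DigestInfo prefixes. With CKM_RSA_PKCS the caller sends
# prefix || digest; the token only pads and applies the private key.
PREFIX = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
# Constructed toy key (product of two Mersenne primes): insecure, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
SAMPLE = b"constructed stand-in for RRSIG RDATA plus canonical RRset"

def token_digest(hash_name, data):
    """Stand-in for C_Digest with CKM_SHA256 / CKM_SHA512."""
    return hashlib.new(hash_name, data).digest()

def pad(digest_info):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo, K bytes long."""
    return b"\x00\x01" + b"\xff" * (K - len(digest_info) - 3) + b"\x00" + digest_info

def token_rsa_pkcs(digest_info):
    """Stand-in for C_Sign with CKM_RSA_PKCS (pad, then private-key operation)."""
    return pow(int.from_bytes(pad(digest_info), "big"), D, N).to_bytes(K, "big")

def sign_with_cross_check(hash_name, data, digest_fn=token_digest):
    """Hash on the host, compare with the token's digest, then sign."""
    host = hashlib.new(hash_name, data).digest()
    if not hmac.compare_digest(host, digest_fn(hash_name, data)):
        raise ValueError("host and token digests differ; refusing to sign")
    return token_rsa_pkcs(PREFIX[hash_name] + host)

def verify(hash_name, data, signature):
    """Recover the encoded message with the public key and compare byte for byte."""
    em = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    return hmac.compare_digest(em, pad(PREFIX[hash_name] + token_digest(hash_name, data)))
```

Because PKCS#1 v1.5 signing is deterministic, the same comparison can be run against the output of CKM_SHA256_RSA_PKCS or CKM_SHA512_RSA_PKCS on a real token to confirm both paths agree.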