aboutsummaryrefslogtreecommitdiff
path: root/content/DNSSEC-Requirements.md
blob: d651f48cf40b91dd74a91413580a509c962f020f (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104

   

Slug: DNSSEC-Requirements Title: DNSSEC/Requirements Date: 2016-12-15 22:44 Category: DNSSEC

DNSSEC Requirements

Questions

  • Should we even support SHA-1?
  • GOST?

Must implement

Target DNSSEC Algorithms:

  • RSA/SHA-256 (RFC 5702)
  • RSA/SHA-512 (RFC 5702)

Algorithms:

  • Hash: SHA-256
  • Hash: SHA-512
  • Sign: RSA

Required PKCS11 Mechs:

  • CKM_RSA_PKCS_KEY_PAIR_GEN
  • CKM_SHA256_RSA_PKCS
  • CKM_SHA512_RSA_PKCS
  • CKM_RSA_PKCS (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
  • CKM_SHA256
  • CKM_SHA512

Should implement

Target DNSSEC Algorithms:

  • ECDSA/P-256/SHA-256 (RFC 6605)
  • ECDSA/P-384/SHA-384 (RFC 6605)

Algorithms:

  • Hash: SHA-256
  • Hash: SHA-384
  • Sign: P-256
  • Sign: P-384

Required PKCS11 Mechs:

  • CKM_EC_KEY_PAIR_GEN
  • CKM_ECDSA_SHA256
  • CKM_ECDSA_SHA384
  • CKM_ECDSA (possible cross-check hash with CKM_SHA256 and CKM_SHA512 before signing)
  • CKM_SHA256
  • CKM_SHA384

May implement

Target DNSSEC Algorithms:

  • RSA/SHA-1 (RFC 3110)
  • GOST (RFC 5933)

Algorithms:

  • Hash: SHA-1
  • Sign: RSA

  • Hash: GOST R 34.11-94 (RFC5831)

  • Sign: GOST R 34.10-2001 (RFC5832)

Required PKCS11 Mechs:

  • CKM_RSA_PKCS_KEY_PAIR_GEN
  • CKM_RSA_PKCS (possible cross-check hash with CKM_SHA_1)
  • CKM_SHA1_RSA_PKCS
  • CKM_SHA_1

  • CKM_GOSTR3410_KEY_PAIR_GEN

  • CKM_GOSTR3410_WITH_GOSTR3411