| Internet-Draft | IPSECKEY EdDSA | November 2022 |
| Moskowitz, et al. | Expires 25 May 2023 | [Page] |
This document assigns a value for EdDSA Public Keys to the IPSECKEY IANA registry.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 25 May 2023.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
IPSECKEY [RFC4025) is a resource record (RR) for the Domain Name System (DNS) that is used to store public keys for use in IP security (IPsec) systems. The IPSECKEY RR relies on the IPSECKEY Algorithm Type Field registry [IANA-IPSECKEY] to enumerate the permissible formats for the public keys.¶
This documents adds support for Edwards-Curve Digital Security Algorithm (EdDSA) public keys in the format defined in [RFC8080] to the IPSECKEY RR.¶
When using the EdDSA public key in the IPSECKEY RR, then the value TBD1 is used as an algorithm and the public key is formatted as specified in Section 3 of the "Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC" ([RFC8080]) document.¶
Value Description Format description Reference TBD1 An EdDSA Public Key [RFC8080], Sec. 3 [ThisRFC]¶
This document requests IANA to update the "Description" field in existing entries of the "Algorithm Type Field" subregistry of the "IPSECKEY Resource Record Parameters" [IANA-IPSECKEY] to explicitly state that is for "Public" keys:¶
Value Description Format description Reference 0 No key is present [RFC4025] 1 A DSA Public Key [RFC2536], Sec. 2 [RFC4025] 2 A RSA Public Key [RFC3110], Sec. 2 [RFC4025] 3 An ECDSA Public Key [RFC6605], Sec. 4 [RFC4025]¶
Further, this document requests IANA to make the following addition to the "IPSECKEY Resource Record Parameters" [IANA-IPSECKEY] registry:¶
Value Description Format description Reference TBD1 An EdDSA Public Key [RFC8080], Sec. 3 [ThisRFC]¶
The following is an example of an IPSECKEY RR with an EdDSA public key base64 encode with no gateway:¶
foo.example.com. IN IPSECKEY (
10 0 4 . 3WTXgUvpn1RlCXnm80gGY2LZ/ErUUEZtZ33IDi8yfhM= )
¶
The associated EdDSA private key (in hex):¶
c7be71a45cbf87785f639dc4fd1c82637c21b5e02488939976ece32b9268d0b7¶
Thanks to Security Area director, Paul Wouters, for initial review. And Security Area director, Roman Danyliw, for final reviews and draft shepherding.¶