| Internet Engineering Task Force | J. Jansen |
| Internet-Draft | SIDN |
| Intended status: Experimental | M. Sivaraman |
| Expires: October 7, 2017 | Internet Systems Consortium |
| April 5, 2017 |
Use of SHA-3 (Keccak) Algorithms in DNSSEC
draft-muks-dnsop-dnssec-sha3-00
This document describes how to produce RSA/SHA3-256, RSA/SHA3-384, and RSA/SHA3-512 DNSKEY and RRSIG resource records for use in the Domain Name System Security Extensions ([RFC4033], [RFC4034], and [RFC4035]). It also describes how to produce SHA3-256 and SHA3-384 DS digest types.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 7, 2017.
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The Domain Name System (DNS) is the global, hierarchical distributed database for Internet Naming. The DNS has been extended to use cryptographic keys and digital signatures for the verification of the authenticity and integrity of its data. [RFC4033], [RFC4034], and [RFC4035] describe these DNS Security Extensions, called DNSSEC.
[RFC4033] describes how to store DNSKEY and RRSIG resource records, and specified a list of cryptographic algorithms to use. It was further updated by [RFC5702] to add the SHA-2 family of hash algorithms. This document extends that list with the SHA-3 algorithms RSA/SHA3-256, RSA/SHA3-384, and RSA/SHA3-512, and specifies how to store DNSKEY data and how to produce RRSIG resource records with these hash algorithms.
[RFC3658] first described the use of DS resource records. It was further updated by [RFC4509] and [RFC6605] to add SHA-256 and SHA-384 digest types respectively. This document extends that list with the SHA-3 algorithms SHA3-256 and SHA3-384.
Familiarity with DNSSEC, RSA, and the SHA-3 [FIPS.202.2015] family of algorithms is assumed in this document.
To refer to SHA3-256, SHA3-384, and SHA3-512, this document will use the name SHA-3. This is done to improve readability. When a part of text is specific for a particular SHA-3 hash function, their specific names are used. The same goes for RSA/SHA3-256, RSA/SHA3-384, and RSA/SHA3-512, which will be grouped using the name RSA/SHA-3.
The SHA3-224 algorithm is not used in DNSKEYs and RRSIGs. SHA3-224 and SHA3-512 algorithms are not used as DS digest types.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
An experimental BIND implementation of this draft can be found in the "sha3" branch in the git repository at: https://github.com/muks/bind9
It can be used to check for interoperability by other DNSSEC implementations.
The format of the DNSKEY RR can be found in [RFC4034]. [RFC3110] and [RFC5702] describe the use of RSA/SHA-1 and RSA/SHA-2 for DNSSEC signatures respectively.
RSA public keys for use with RSA/SHA3-256 are stored in DNSKEY resource records (RRs) with the algorithm number 249 [TBD].
The key size of RSA/SHA3-256 keys MUST NOT be less than 1024 bits and MUST NOT be more than 4096 bits.
RSA public keys for use with RSA/SHA3-384 are stored in DNSKEY resource records (RRs) with the algorithm number 250 [TBD].
The key size of RSA/SHA3-384 keys MUST NOT be less than 1024 bits and MUST NOT be more than 4096 bits.
RSA public keys for use with RSA/SHA3-512 are stored in DNSKEY resource records (RRs) with the algorithm number 251 [TBD].
The key size of RSA/SHA3-512 keys MUST NOT be less than 1024 bits and MUST NOT be more than 4096 bits.
The value of the signature field in the RRSIG RR follows the RSASSA-PKCS1-v1_5 signature scheme and is calculated as follows. The values for the RDATA fields that precede the signature data are specified in [RFC4034].
hash = SHA3-XXX(data)
Here XXX is either 256, 384, or 512, depending on the algorithm used, as specified in [FIPS.202.2015]; "data" is the wire format data of the resource record set that is signed, as specified in [RFC4034].
signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n)
Here "|" is concatenation; "00", "01", "FF", and "00" are fixed octets of corresponding hexadecimal value; "e" is the private exponent of the signing RSA key; and "n" is the public modulus of the signing key. The FF octet MUST be repeated the exact number of times so that the total length of the concatenated term in parentheses equals the length of the modulus of the signer's public key ("n").
The "prefix" is intended to make the use of standard cryptographic libraries easier. These specifications are taken directly from the specifications of RSASSA-PKCS1-v1_5 in PKCS #1 v2.1 (Section 8.2 of [RFC3447]), and EMSA-PKCS1-v1_5 encoding in PKCS #1 v2.1 (Section 9.2 of [RFC3447]). The prefixes for the different algorithms are specified below.
RSA/SHA3-256 signatures are stored in the DNS using RRSIG resource records (RRs) with algorithm number 249 [TBD].
The "prefix" is the ASN.1 DER SHA3-256 algorithm designator prefix:
hex 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 08 05 00 04 20
RSA/SHA3-384 signatures are stored in the DNS using RRSIG resource records (RRs) with algorithm number 250 [TBD].
The "prefix" is the ASN.1 DER SHA3-384 algorithm designator prefix:
hex 30 41 30 0d 06 09 60 86 48 01 65 03 04 02 09 05 00 04 30
RSA/SHA3-512 signatures are stored in the DNS using RRSIG resource records (RRs) with algorithm number 251 [TBD].
The "prefix" is the ASN.1 DER SHA3-512 algorithm designator prefix:
hex 30 51 30 0d 06 09 60 86 48 01 65 03 04 02 0a 05 00 04 40
The format of the DS RR can be found in [RFC4034]. [RFC3658], [RFC4509], and [RFC6605] describe the use of SHA-1, SHA-256, and SHA-384 for the DS digest type respectively.
The implementation of SHA3-256 in DS RRs follows the implementation of SHA-256 as specified in [RFC4509] except that the underlying algorithm is SHA3-256, the digest value is 32 bytes long, and the digest type code is 252 [TBD].
The implementation of SHA3-384 in DS RRs follows the implementation of SHA-256 as specified in [RFC4509] except that the underlying algorithm is SHA3-384, the digest value is 48 bytes long, and the digest type code is 253 [TBD].
Apart from the restrictions in Section 2, this document will not specify what size of keys to use. That is an operational issue and depends largely on the environment and intended use. A good starting point for more information would be [NIST800-57].
In this family of signing algorithms, the size of signatures is related to the size of the key and not to the hashing algorithm used in the signing process. Therefore, RRSIG resource records produced with RSA/SHA3-256, RSA/SHA3-384, or RSA/SHA3-512 will have the same size as those produced with RSA/SHA-1 and RSA/SHA-2 hash algorithms, if the keys have the same length.
DS RDATA with digest type SHA3-256 has the same size as DS RDATA with digest type SHA-256 (32 bytes). DS RDATA with digest type SHA3-384 has the same size as DS RDATA with digest type SHA-384 (48 bytes). Corresponding to these existing digest types, it should be possible to understand the impact of the size of DS RDATA when using the new SHA-3 digest types.
DNSSEC-aware implementations SHOULD be able to support RRSIG and DNSKEY resource records created with the RSA/SHA-3 algorithms as defined in this document.
DNSSEC-aware implementations SHOULD be able to support DS resource records created with the SHA3-256 and SHA3-384 algorithms as defined in this document.
[RFC5155] defines new algorithm identifiers for existing signing algorithms, to indicate that zones signed with these algorithm identifiers can use NSEC3 as well as NSEC records to provide denial of existence. That mechanism was chosen to protect implementations predating [RFC5155] from encountering resource records about which they could not know. This document does not define such algorithm aliases.
A DNSSEC validator that implements RSA/SHA-3 MUST be able to validate negative answers in the form of both NSEC and NSEC3 with hash algorithm 1, as defined in [RFC5155]. An authoritative server that does not implement NSEC3 MAY still serve zones that use RSA/SHA-3 with NSEC denial of existence.
Given a 1024-bit private key with the following values (in Base64):
Private-key-format: v1.2
Algorithm: 249 (RSASHA3-256)
Modulus: v/oS+J8ADp6D+aMAGuwCAgCvCn8SCoj2squtB0q3PMSdmHlr1yyWoCAPYfb8EwPlnNYjV1ztHkE8ske7saP7DlL9DDxTPn46Pg3RiM4ewlpKlfZm5eZrSODbxTMH9H4xXuwzHNv7W49Zi6rmtO3lVGM3U62cL8Snnh5v/iW/weU=
PublicExponent: AQAB
PrivateExponent: lJsVEmWqWqa0DIrz6uMkTr6OwPZKVeNd7ELeZtWccCrWv4/GPcNjOcJ3heL1kBalKDnPE7J4TsI7JNpIXaNNE5lFoCUPhtVqJBUl+M2EeLuKR9CGOOCSI94/F3AUXlcf3961EA8kphmuAarmzR+pbIn0xnOQuM+nEWYfGogEsMU=
Prime1: 9yGjgfQdbEuHP1zOyORVnO/Fn1l73TxFA19yBN8D/loauJElfcti6bzJykPNcoxgFsdhlnDK7aLIJB2U+PSwHw==
Prime2: xt29BEUpbpOEJqictutmTkCAQzNLT3o7XdyeWmGGk575zqxXrdqFt66suq5rabu/jbQc8PqTKEYX5paxa9B9ew==
Exponent1: ogunqEXGqUUZKP4VBXtbe+1o+yT06EtlwWFrZTBK8RRqIw3htIuRj0xgUMWGyI6tTyJrpfbNyWaMr8nJ7jib5w==
Exponent2: d1l0qy9m4joeQaVICG/WgngrgikytYxCPN6/GrcVMVtjySmdpXVUcxyeBZvQUzCekcja5bU8xBrtFTKzYGVMKQ==
Coefficient: B7Kj5lCvBk4i0HvhoaWdEF0Z9PO8RVHVRqQIJPIpXtN8lNEOUuAQg0a9pKUFD3w2oTh2dk4xie3GxyJDMGguPA==
The DNSKEY record for this key would be:
example.org. IN DNSKEY 256 3 249 AwEAAb/6EvifAA6eg/mjABrsAgIArwp/EgqI9rKrrQdKtzzEnZh5a9cs lqAgD2H2/BMD5ZzWI1dc7R5BPLJHu7Gj+w5S/Qw8Uz5+Oj4N0YjOHsJa SpX2ZuXma0jg28UzB/R+MV7sMxzb+1uPWYuq5rTt5VRjN1OtnC/Ep54e b/4lv8Hl
With this key, sign the following RRSet, consisting of 1 A record:
example.org. 3600 IN A 192.0.2.91
If the inception date is set at 00:00 hours on January 1st, 2000, and the expiration date at 00:00 hours on January 1st, 2030, the following signature should be created:
example.org. 3600 IN RRSIG A 249 2 3600 (
20300101000000 20000101000000 53767 example.org.
EiYve+lvKloKpzFXR9pGpqkPD6ZLgpOiZ8Ua
m4LJkuNSD2pS95nlFESQT3SCp0RsK0JVEFIg
c2KRJsVFkdTGf6y/i74h4UBDaSGEOoUNvRXd
4j+P/ishkiC46c1KSu4MqxzFjz4DVqaOGt9d
Nlm8fHKcq8WfAAByORwilDpAH14= )
Given a 1024-bit private key with the following values (in Base64):
Private-key-format: v1.2
Algorithm: 250 (RSASHA3-384)
Modulus: 1mTG6tg39IXsvEqqKtTenJdnawiQSNIQIgRy/BbZQP7Qu+j3l6DmFgpw5DfHApRox9fYjJR6shpDsmfGC11gMqJzaSaXRpgd4ER1pSMl3qX7FJ749WySSxC6iOmAQ3zjYSND3HxCVgJBojvm64yQGOaS0d/qMhmamMPY1KMT03E=
PublicExponent: AQAB
PrivateExponent: XDI0VJOs5GufVY2qRgcKwD5fy+h/28DyDR7qr7vHq6qo6tYRe1RG/d15lLrjyxk1QhNxXWsQpHyk9hioUwTRs8sLiaSGZLlrSTR8X2a0+Ux7SMPE4F13fewYjbUaW+lYspx5gbzLUvztmaIB7YV7RdtgTTM8Yzw9wRnMU4QVhME=
Prime1: 8ii1QhM8POBWqrrLdeg5l5Oqb7WPXMOpmaKyf3feSYZUb2xy6qTFQzo7YcIOB+Nd2HqEwN5nxiADgtaNAB6laQ==
Prime2: 4qXNygKERta5ko7JjYSRjxfzPrMK6jY+GHdQ3zDoVSOyZJPt4E4h3JvGheO5CQXmdYucZafgcqBQD1rLq6HUyQ==
Exponent1: ZXX+9A9hJtSMG36mbuF89/Br8eAtkB1++xs7FMNhhIbe68yRnZSp/g/w/3WyMUXndSNoafMFofKZ5gEFFO7COQ==
Exponent2: ruhlt8/ZZRGwhHnM8XmtG1DQV0K02aqioR7zOkr0AUBbG2NN4Bxr5WQSAKGM2nnDMFNdjtXPUKaHIlJfe0SYgQ==
Coefficient: JCIHcbynHteOdmwqYAPEN0taYxb1tNvJKb9sYu9u8v3GQAia0DxGm+XIZxxExpwUDqqB3L12QYli65bsLIrkPg==
The DNSKEY record for this key would be:
example.org. IN DNSKEY 256 3 250 AwEAAdZkxurYN/SF7LxKqirU3pyXZ2sIkEjSECIEcvwW2UD+0Lvo95eg 5hYKcOQ3xwKUaMfX2IyUerIaQ7JnxgtdYDKic2kml0aYHeBEdaUjJd6l +xSe+PVskksQuojpgEN842EjQ9x8QlYCQaI75uuMkBjmktHf6jIZmpjD 2NSjE9Nx
With this key, sign the following RRSet, consisting of 1 A record:
example.org. 3600 IN A 192.0.2.91
If the inception date is set at 00:00 hours on January 1st, 2000, and the expiration date at 00:00 hours on January 1st, 2030, the following signature should be created:
example.org. 3600 IN RRSIG A 250 2 3600 (
20300101000000 20000101000000 58391 example.org.
O6/yCttmjt0KMyPMNIuM4Hl76Eq0fAfBVhpx
GLU/ozJBlLbuvBmnExOMyIKpx8zOwNe8GSnm
8wF0chAFHCkdAA2KiJSwFlAstw6HGC5X+/Ou
eqhw6GVXMdP+9CdS3HfnjBR0N7zE/5mWgQp2
SxmjcNe1Z+Tfx14cZDV7Fm3tpEU= )
Given a 1024-bit private key with the following values (in Base64):
Private-key-format: v1.2
Algorithm: 251 (RSASHA3-512)
Modulus: 1xcZnBvTsdnF3QW2VlGZOMw5Lo/Av8cv4ogyFmngVsSZkqT3TwJNZ3bSCG70Aer5tQkyf+cx8INu4ZGC/CpTuaaxnEFpH0G2fPSadRwELcqf7LQKjLU9kjrdS8bFTElw0ugukXF/TJ1/KOywFsOHfFQ14Gqk5RB7EL8lXf1ZESs=
PublicExponent: AQAB
PrivateExponent: I4b8Qu3RvLm01fogkQdvYJNTCp7R/ptfDHLkmxEn7g0RNMis1M8Ti/hzXtM82KhAUKfRQJEmjYyYHwgS86XmKCGPslN1rZR9K1vXadHH2PKu4CL1ZLArWLz7Y9lpuVRVvlqrMM3IAVm7pTpd8Bx2jtD7Xt/9yXKW4TjIp/ctN4E=
Prime1: 80uohrGN+E1OWMwxLRK0Jl32BwfJ7XnP3HiAdhhGnwi/zPbp/Ngpj985avjmabVNN8JzRIOnqjAjIMP0u6RG6w==
Prime2: 4lJlpIjD6kz48ukFNjSY6qowVf5k54AyRJDnS+irwDuZKZtSxPghqgPyrOUIbAPRC+RmnP9dOOECS7rzuaxOwQ==
Exponent1: KNm/Rj5x1AtG6GoAp8zIKtkEAlIweYtGd4JUL4AL+5AAhG3BBA9Xiyyz+14ncgBbIs2nhQ2GDXFftJSydv8yWQ==
Exponent2: oUOpHWY+g3M5aIzVo9wyofOG4Z+VcseMCgNebF5sE1vkNRtyDNvp0OVjRAMmzyChEmI7I99qI59hLWkXRdQbgQ==
Coefficient: JpZ110OE8oR9yBPGrnoTxRht6SXFPOUmj8wCgvqgqROBc8uN2s87FPJqTSsN3qQTNg987OQii7+EYobCs93Z7g==
The DNSKEY record for this key would be:
example.org. IN DNSKEY 256 3 251 AwEAAdcXGZwb07HZxd0FtlZRmTjMOS6PwL/HL+KIMhZp4FbEmZKk908C TWd20ghu9AHq+bUJMn/nMfCDbuGRgvwqU7mmsZxBaR9Btnz0mnUcBC3K n+y0Coy1PZI63UvGxUxJcNLoLpFxf0ydfyjssBbDh3xUNeBqpOUQexC/ JV39WREr
With this key, sign the following RRSet, consisting of 1 A record:
example.org. 3600 IN A 192.0.2.91
If the inception date is set at 00:00 hours on January 1st, 2000, and the expiration date at 00:00 hours on January 1st, 2030, the following signature should be created:
example.org. 3600 IN RRSIG A 251 2 3600 (
20300101000000 20000101000000 7458 example.org.
PqdYQGN2Ml9ttU6ZqcL8iNKbhkw5nHuxnUFK
luR7aMMKNtPaVC7P4SjIGXmbhEA9/EQ4UhAg
+ekqwANViVuhEwbg//mJ+ffOq18qWRxWUKxX
HPbtBvJDSuvo04D2BTZIx9qMMjvrMWuowlol
mrz3bvDRtQkoD5kZQPLAD6+r6Ps= )
Given a 1024-bit RSA/SHA-256 DNSKEY with the following contents:
example.org. IN DNSKEY 256 3 8 AwEAAbljrZZb1Qyq8ui+vnYL5exWSrQYFkCFD6VvJoJr5ADo7CxZiyxu sJM6oVHF7pA22rKJqjgIR9lksZ1+nT2WcwdXQuAFLrLFAI5L42mQKOHS hx1S3vHosO0iSIX47IyyR2O+J9qLhy7B+T4cJzAq2dOtSziqL1l5BCtw 5ZNYJX8N
The DS record for this key with digest type SHA3-256 would be:
example.org. IN DS 25803 8 252 AE03EA9388D4BA12725999B8E2C4ED14E06EAE8B78229B81154F61FE8EDBAA5F
Given a 1024-bit RSA/SHA-256 DNSKEY with the following contents:
example.org. IN DNSKEY 256 3 8 AwEAAbljrZZb1Qyq8ui+vnYL5exWSrQYFkCFD6VvJoJr5ADo7CxZiyxu sJM6oVHF7pA22rKJqjgIR9lksZ1+nT2WcwdXQuAFLrLFAI5L42mQKOHS hx1S3vHosO0iSIX47IyyR2O+J9qLhy7B+T4cJzAq2dOtSziqL1l5BCtw 5ZNYJX8N
The DS record for this key with digest type SHA3-384 would be:
example.org. IN DS 25803 8 253 BA8A4350F844CCCB8308694B3ADD478FC7EFBAC936D82D482D88F792FAB0766567E1F58F3A1075708CCC0457C9435ECA
DNSSEC implementations are encouraged to implement SHA-3 as soon as possible now that SHA-1's security is known to be degraded and the SHA-2 hash algorithms are currently the last line of defence for use with RSA in DNSSEC.
Users of DNS software are encouraged to deploy SHA-3 with DNSSEC when software implementations allow for it. Users are encouraged to run DNSSEC validator implementations that support SHA-3.
SHA-3 is considered sufficiently strong for the immediate future, but predictions about future development in cryptography and cryptanalysis are beyond the scope of this document.
The signature scheme RSASSA-PKCS1-v1_5 is chosen to match the one used for RSA/SHA-1 signatures. This should ease implementation of the new hashing algorithms in DNSSEC software.
Since each RRSet MUST be signed with each algorithm present in the DNSKEY RRSet at the zone apex (see Section 2.2 of [RFC4035]), a malicious party cannot filter out the RSA/SHA-3 RRSIG and force the validator to use a RSA/SHA-1 signature if both are present in the zone. This should provide resilience against algorithm downgrade attacks, if the validator supports RSA/SHA-3.
This document updates the IANA registry "Domain Name System Security (DNSSEC) Algorithm Numbers" (http://www.iana.org/protocols). The following entries are added to the registry:
| Number | Description | Mnemonic | Zone Signing | Trans. Sec. | References |
|---|---|---|---|---|---|
| 249 [TBD] | RSA/SHA3-256 | RSASHA3-256 | Y | * | [draft-muks-dnsop-dnssec-sha3] |
| 250 [TBD] | RSA/SHA3-384 | RSASHA3-384 | Y | * | [draft-muks-dnsop-dnssec-sha3] |
| 251 [TBD] | RSA/SHA3-512 | RSASHA3-512 | Y | * | [draft-muks-dnsop-dnssec-sha3] |
This document updates the IANA registry "Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms" (http://www.iana.org/protocols). The following entries are added to the registry:
| Value | Description | Status | References |
|---|---|---|---|
| 252 [TBD] | SHA3-256 | OPTIONAL | [draft-muks-dnsop-dnssec-sha3] |
| 253 [TBD] | SHA3-384 | OPTIONAL | [draft-muks-dnsop-dnssec-sha3] |
TBD.
| [NIST800-57] | Barker, E., Barker, W., Burr, W., Polk, W. and M. Smid, "Recommendation for Key Management", NIST SP 800-57, March 2007. |