Re: [DNSOP] Specification of DNSKEY "Private-key-format"
Evan Hunt <each@isc.org> Thu, 29 August 2019 16:11 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WZpvnJXXoZWana0EGbwl_ssEjvE>
On Thu, Aug 29, 2019 at 07:25:54PM +0530, Mukund Sivaraman wrote:
> I am asking about where this key format is specified - I want to extend
> it.

There's never been a written specification as far as I know, and if there
was one, then it's definitely been obsolete since 2009, because I changed
the format then and I didn't update any specs.

What I can tell you is: the private key file contains a format version
string, "Private-key-format", currently always set to 1.3, and an algorithm
string, "Algorithm". After that comes a set of private keydata fields which
are specific to the algorithm, and finally a set of *optional* metadata
fields. Those were introduced in format version 1.3. They include
"Created", "Publish", "Delete", etc., and also a few (such as "RollPeriod")
that were reserved for future use but we've never gotten around to using
them.

If the parser encounters any field that it doesn't recognize, and the key
claims to be version 1.3, then it will reject the key with an error.
However, if Private-key-format is increased to at least 1.4, then the
version 1.3 parser will ignore the unknown fields and just use the ones
that it does understand. A version number above 2.0 is assumed not to be
backward-compatible, so that key would be rejected always.

We've had a few conversations at ISC recently about adding some new fields
and increasing the format version to 1.4, so it would probably be best if
we coordinate our changes to ensure that your extensions are interoperable
with ours.

--
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
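The version-compatibility policy Evan describes above, as an added example (not BIND's or ISC's code): a small parser that accepts a 1.3 file, rejects a 1.3 file carrying an unrecognised field, ignores unrecognised fields once the file claims 1.4, and rejects anything at 2.0 or above. The keydata field name "PrivateKey" for algorithm 13 and the sample files are assumptions constructed for the example; the post only names the version, algorithm and metadata fields.

```python
# Metadata names the post lists; "PrivateKey" as the algorithm-13 keydata
# field is an assumption (the post only says keydata depends on the algorithm).
METADATA_FIELDS = {"Created", "Publish", "Delete", "RollPeriod"}
KEYDATA_FIELDS = {13: {"PrivateKey"}}

def parse_private_key(text):
    # Returns {"version", "algorithm", "fields", "ignored"}; raises ValueError on rejection.
    kv = []
    for line in filter(str.strip, text.splitlines()):
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        kv.append((name.strip(), value.strip()))
    if len(kv) < 2 or kv[0][0] != "Private-key-format" or kv[1][0] != "Algorithm":
        raise ValueError("file must start with Private-key-format, then Algorithm")
    major, minor = (int(x) for x in kv[0][1].lstrip("v").split("."))
    if major != 1:        # 2.0 and up: assumed not backward-compatible, always rejected
        raise ValueError(f"unsupported format version {major}.{minor}")
    lenient = minor >= 4  # 1.4+: unknown fields ignored; 1.3: an unknown field is an error
    algorithm = int(kv[1][1].split()[0])
    if algorithm not in KEYDATA_FIELDS:
        raise ValueError(f"unknown algorithm {algorithm}")
    key = {"version": (major, minor), "algorithm": algorithm, "fields": {}, "ignored": []}
    for name, value in kv[2:]:
        if name in KEYDATA_FIELDS[algorithm] or name in METADATA_FIELDS:
            key["fields"][name] = value
        elif lenient:
            key["ignored"].append(name)   # a 1.3 parser reading a 1.4 file skips it
        else:
            raise ValueError(f"unknown field {name!r} in format {major}.{minor}")
    return key

def check(text):
    # ('ok', names of ignored fields) or ('rejected', reason)
    try:
        return ("ok", parse_private_key(text)["ignored"])
    except ValueError as e:
        return ("rejected", str(e))

# Constructed sample files; the PrivateKey value is a placeholder, not key material.
KEY_13 = ("Private-key-format: v1.3\nAlgorithm: 13 (ECDSAP256SHA256)\n"
          "PrivateKey: PLACEHOLDER\nCreated: 20190829161123\nPublish: 20190829161123\n")
KEY_13_EXT = KEY_13 + "MyNewField: 42\n"         # 1.3 plus an unknown field: rejected
KEY_14_EXT = KEY_13_EXT.replace("v1.3", "v1.4")  # 1.4: the unknown field is ignored
KEY_20 = KEY_13.replace("v1.3", "v2.0")          # 2.0: always rejected
```

The practical point for anyone adding fields: bump the version to 1.4 in the file, or every deployed 1.3 parser will refuse the key outright.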