Re: [dnsext] about ECDSA

"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> Tue, 10 April 2012 13:50 UTC

Message-ID: <4F843A91.4020808@nlnetlabs.nl>
Date: Tue, 10 Apr 2012 15:50:09 +0200
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20120316 Thunderbird/11.0
MIME-Version: 1.0
To: dnsext@ietf.org
References: <201204061823.q36INnkS029691@givry.fdupont.fr>
In-Reply-To: <201204061823.q36INnkS029691@givry.fdupont.fr>
Subject: Re: [dnsext] about ECDSA

Hi Francis,

On 04/06/2012 08:23 PM, Francis Dupont wrote:
>>> - I still have a question about the 256/384 pair: are they
>>> supposed to be handled as two different algos (as RSASHA1 and
>>> RSASHA256, or RSASHA256 and RSASHA512) or as the same algo with
>>> two different "strengths"? Note at the beginning (i.e., when I
>>> asked this many months ago) it was only a concern for the
>>> signer but according to a recent discussion it is a concern for
>>> resolvers too.

The former, not the latter: like RSASHA1 and RSASHA256, they are
different algorithms.  Use the same algorithm for your ZSK and KSK
(but apply different policy).

>> They are different algorithms with different strengths, so your
>> either/or question doesn't make sense. Similarly, each of the
>> defined SHA-2 variants is also a different algorithm and each has
>> a different strength.
> 
> => I'll rephrase the question: does it make sense to use 
> ECDSAP256SHA256 for ZSKs and ECDSAP384SHA384 for the KSK?

No, that is dnssec-bogus.  An ECDSAP384SHA384 KSK that does not sign
the zone is a signing error.  You must sign the entire zone with
that algorithm, if you use it.  Algorithm support is signalled
per algorithm in DS and DNSKEY records, not for a range or suite of
algorithms.

Best regards,
   Wouter
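The per-algorithm rule Wouter describes above, modelled as an added example (not part of the list message and not NLnet Labs code): a small Python zone-consistency checker that applies the signer's obligation from RFC 4035 section 2.2 (restated in RFC 6840 section 5.11): every algorithm in the parent's DS RRset must appear in the DNSKEY RRset, and every algorithm in the DNSKEY RRset must sign every RRset in the zone. The algorithm numbers are the IANA registry values (RFC 5702, RFC 6605); the key tags, RRsets and the `Zone`/`DNSKEY`/`RRSIG` classes are constructed toy stand-ins, not real DNS data. It builds three constructed zones: Francis's proposed split (P-384 KSK, P-256 ZSK signing the zone), a single-algorithm zone, and a zone where both algorithms sign everything.

```python
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry (RFC 5702, RFC 6605).
RSASHA1 = 5
RSASHA256 = 8
RSASHA512 = 10
ECDSAP256SHA256 = 13
ECDSAP384SHA384 = 14


@dataclass(frozen=True)
class DNSKEY:
    tag: str          # constructed label standing in for the key tag
    algorithm: int
    ksk: bool         # True for the key the parent's DS record points at


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: str


@dataclass
class Zone:
    ds_algorithms: set   # algorithms of the DS records published in the parent
    dnskeys: list        # the apex DNSKEY RRset
    rrsigs: dict         # rrtype -> list of RRSIG records covering that RRset


def check_zone(zone):
    """Return the problems a validator would treat as bogus (empty list = consistent).

    Rules modelled (RFC 4035 s.2.2, RFC 6840 s.5.11), the signer's obligation:
    - every algorithm in the DS RRset must appear in the DNSKEY RRset;
    - every algorithm in the DNSKEY RRset must sign every RRset in the zone,
      the DNSKEY RRset itself included.
    """
    problems = []
    key_algs = {k.algorithm for k in zone.dnskeys}
    for alg in sorted(zone.ds_algorithms - key_algs):
        problems.append(f"DS lists algorithm {alg} but no DNSKEY uses it")
    for rrtype, sigs in zone.rrsigs.items():
        sig_algs = {s.algorithm for s in sigs if s.type_covered == rrtype}
        for alg in sorted(key_algs - sig_algs):
            problems.append(f"{rrtype} RRset has no RRSIG with algorithm {alg}")
    return problems


ZONE_RRTYPES = ("DNSKEY", "SOA", "NS", "A")   # constructed minimal zone contents


def sign_with(keys, rrtypes):
    """Constructed helper: one RRSIG per (key, RRset), as a ZSK would produce."""
    return {rrtype: [RRSIG(rrtype, k.algorithm, k.tag) for k in keys]
            for rrtype in rrtypes}


def mixed_zone():
    """Francis's proposal: P-384 KSK signs only DNSKEY, P-256 ZSK signs the zone."""
    ksk = DNSKEY("ksk14", ECDSAP384SHA384, ksk=True)
    zsk = DNSKEY("zsk13", ECDSAP256SHA256, ksk=False)
    sigs = sign_with([zsk], ZONE_RRTYPES)
    sigs["DNSKEY"].append(RRSIG("DNSKEY", ksk.algorithm, ksk.tag))
    return Zone({ECDSAP384SHA384}, [ksk, zsk], sigs)


def single_algorithm_zone():
    """Wouter's advice: same algorithm for KSK and ZSK, different roles."""
    ksk = DNSKEY("ksk13", ECDSAP256SHA256, ksk=True)
    zsk = DNSKEY("zsk13", ECDSAP256SHA256, ksk=False)
    sigs = sign_with([zsk], ZONE_RRTYPES)
    sigs["DNSKEY"].append(RRSIG("DNSKEY", ksk.algorithm, ksk.tag))
    return Zone({ECDSAP256SHA256}, [ksk, zsk], sigs)


def dual_signed_zone():
    """Both algorithms in use, and each one signs the entire zone."""
    keys = [DNSKEY("ksk14", ECDSAP384SHA384, True),
            DNSKEY("zsk14", ECDSAP384SHA384, False),
            DNSKEY("ksk13", ECDSAP256SHA256, True),
            DNSKEY("zsk13", ECDSAP256SHA256, False)]
    sigs = sign_with([k for k in keys if not k.ksk], ZONE_RRTYPES)
    for k in keys:
        if k.ksk:
            sigs["DNSKEY"].append(RRSIG("DNSKEY", k.algorithm, k.tag))
    return Zone({ECDSAP384SHA384, ECDSAP256SHA256}, keys, sigs)


if __name__ == "__main__":
    for label, zone in (("mixed", mixed_zone()),
                        ("single-algorithm", single_algorithm_zone()),
                        ("dual-signed", dual_signed_zone())):
        problems = check_zone(zone)
        print(f"{label}: {'consistent' if not problems else problems}")
```

Running it reports the mixed zone as inconsistent, because SOA, NS and A carry no algorithm 14 signature even though the DNSKEY RRset advertises that algorithm, while the other two zones pass. The dual-signed case is the "if you use it, sign the entire zone with it" path; it doubles the signing work and response size, which is why the single-algorithm zone is the simpler recommendation.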