Re: [dnsext] about ECDSA
Francis Dupont <Francis.Dupont@fdupont.fr> Wed, 11 April 2012 10:57 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4762011E8086; Wed, 11 Apr 2012 03:57:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1334141835; bh=BZeKuENHy1JSo2a9OP7jakPSTAcpywbDteTdKXnxxHg=; h=Message-Id:From:To:In-reply-to:Date:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: MIME-Version:Content-Type:Content-Transfer-Encoding:Sender; b=lJGq5b+V9wV3BbNjtQTwD4wvGte81E0imqM0p9ffA50IfWL4jWK1r/aOHftRW2Dik bxM6pKe+jqc4dqZr2SQ/QsddRii7dbcBF72J4c1gQF2zM0xgkpsETRZ8GqgK1VOaiM Q+tXShMoEJ2M+J7lupRvGSInE2Y4TN3/II540sYg=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F7D211E8086 for <dnsext@ietfa.amsl.com>; Wed, 11 Apr 2012 03:57:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xf5z7Q9QEX4X for <dnsext@ietfa.amsl.com>; Wed, 11 Apr 2012 03:57:14 -0700 (PDT)
Received: from givry.fdupont.fr (givry.fdupont.fr [IPv6:2001:41d0:1:6d55:211:5bff:fe98:d51e]) by ietfa.amsl.com (Postfix) with ESMTP id 9A09B11E8075 for <dnsext@ietf.org>; Wed, 11 Apr 2012 03:57:13 -0700 (PDT)
Received: from givry.fdupont.fr (localhost [127.0.0.1]) by givry.fdupont.fr (8.14.3/8.14.3) with ESMTP id q3BAvCSF044106; Wed, 11 Apr 2012 12:57:12 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <201204111057.q3BAvCSF044106@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
In-reply-to: Your message of Tue, 10 Apr 2012 15:50:09 +0200. <4F843A91.4020808@nlnetlabs.nl>
Date: Wed, 11 Apr 2012 12:57:12 +0200
Cc: dnsext@ietf.org
Subject: Re: [dnsext] about ECDSA
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
In your previous mail you wrote: > On 04/06/2012 08:23 PM, Francis Dupont wrote: > >>> - I still have a question about the 256/384 pair: are they > >>> supposed to be handled as two different algos (as RSASHA1 and > >>> RSASHA256, or RSASHA256 and RSASHA512) or as the same algo with > >>> two different "strengths"? Note at the beginning (i.e., when I > >>> asked this many months ago) it was only a concern for the > >>> signer but according to a recent discussion it is concern for > >>> resolvers too. > > The first not the latter, like RSASHA1 and RSASHA256, they are > different algorithms. Use the same algorithm for your ZSK and KSK > (but apply different policy). => note my question is really about the application of the word "same" to ECDSAP256SHA256 / ECDSAP384SHA384 (a priori if they have different code points and names they are not the "same", now RSA has a degree of freedom which is not present in ECDSA). > >> They are different algorithms with different strengths, so your > >> either/or question doesn't make sense. Similarly, each of the > >> defined SHA-2 variants are also different algorithms and each has > >> a different strength. > > > > => I'll rephrase the question: does it make sense to use > > ECDSAP256SHA256 for ZSKs and ECDSAP384SHA384 for the KSK? > > No, that is dnssec-bogus. The ECDSAP384SHA384 for KSK but does not > sign the zone is a signing-error. You must sign the entire zone with > that algorithm, if you use it. The algorithm-support is signalled > per-algorithm in DS and DNSKEY records, not for a range or suite of > algorithms. => I agree but I want to be sure it is the intented thing. If there is no opposed opinion in the list I follow you. Thanks Francis.Dupont@fdupont.fr _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] about ECDSA Olafur Gudmundsson
- [dnsext] about ECDSA Francis Dupont
- Re: [dnsext] about ECDSA Paul Hoffman
- Re: [dnsext] about ECDSA Francis Dupont
- Re: [dnsext] about ECDSA W.C.A. Wijngaards
- Re: [dnsext] about ECDSA Wes Hardaker
- Re: [dnsext] about ECDSA Francis Dupont
- Re: [dnsext] about ECDSA Francis Dupont
- Re: [dnsext] about ECDSA Wes Hardaker
- Re: [dnsext] about ECDSA Michael StJohns