| rfc9563.original | rfc9563.txt | |||
|---|---|---|---|---|
| Network Working Group C. Zhang | Independent Submission C. Zhang | |||
| Internet-Draft Y. Liu | Request for Comments: 9563 Y. Liu | |||
| Intended status: Informational F. Leng | Category: Informational F. Leng | |||
| Expires: 21 July 2024 Q. Zhao | ISSN: 2070-1721 Q. Zhao | |||
| Z. He | Z. He | |||
| CNNIC | CNNIC | |||
| 18 January 2024 | September 2024 | |||
| SM2 Digital Signature Algorithm for DNSSEC | SM2 Digital Signature Algorithm for DNSSEC | |||
| draft-cuiling-dnsop-sm2-alg-15 | ||||
| Abstract | Abstract | |||
| This document specifies the use of the SM2 digital signature | This document specifies the use of the SM2 digital signature | |||
| algorithm and SM3 hash algorithm for DNS Security (DNSSEC). | algorithm and SM3 hash algorithm for DNS Security (DNSSEC). | |||
| This draft is an independent submission to the RFC series, and does | This document is an Independent Submission to the RFC series and does | |||
| not have consensus of the IETF community. | not have consensus of the IETF community. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This document is not an Internet Standards Track specification; it is | |||
| provisions of BCP 78 and BCP 79. | published for informational purposes. | |||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This is a contribution to the RFC Series, independently of any other | |||
| and may be updated, replaced, or obsoleted by other documents at any | RFC stream. The RFC Editor has chosen to publish this document at | |||
| time. It is inappropriate to use Internet-Drafts as reference | its discretion and makes no statement about its value for | |||
| material or to cite them other than as "work in progress." | implementation or deployment. Documents approved for publication by | |||
| the RFC Editor are not candidates for any level of Internet Standard; | ||||
| see Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on 21 July 2024. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9563. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Revised BSD License text as | to this document. | |||
| described in Section 4.e of the Trust Legal Provisions and are | ||||
| provided without warranty as described in the Revised BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
| 2. SM3 DS Records . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. SM3 DS Records | |||
| 3. SM2 Parameters . . . . . . . . . . . . . . . . . . . . . . . 3 | 3. SM2 Parameters | |||
| 4. DNSKEY and RRSIG Resource Records for SM2 . . . . . . . . . . 3 | 4. DNSKEY and RRSIG Resource Records for SM2 | |||
| 4.1. DNSKEY Resource Records . . . . . . . . . . . . . . . . . 3 | 4.1. DNSKEY Resource Records | |||
| 4.2. RRSIG Resource Records . . . . . . . . . . . . . . . . . 3 | 4.2. RRSIG Resource Records | |||
| 5. Support for NSEC3 Denial of Existence . . . . . . . . . . . . 4 | 5. Support for NSEC3 Denial of Existence | |||
| 6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 6. Example | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 7. IANA Considerations | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 8. Security Considerations | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 9. References | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 9.1. Normative References | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 8 | 9.2. Informative References | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | Authors' Addresses | |||
| 1. Introduction | 1. Introduction | |||
| DNSSEC is broadly defined in [RFC4033], [RFC4034], and [RFC4035]. It | DNSSEC is broadly defined in [RFC4033], [RFC4034], and [RFC4035]. It | |||
| uses cryptographic keys and digital signatures to provide | uses cryptographic keys and digital signatures to provide | |||
| authentication of DNS data. DNSSEC signature algorithms are | authentication of DNS data. DNSSEC signature algorithms are | |||
| registered in the DNSSEC algorithm IANA registry [IANA]. | registered in the DNSSEC algorithm numbers registry [IANA]. | |||
| This document defines the DNSKEY and RRSIG resource records (RRs) of | This document defines the DNSKEY and RRSIG resource records (RRs) of | |||
| new signing algorithms: SM2 uses elliptic curves over 256-bit prime | new signing algorithms: SM2 uses elliptic curves over 256-bit prime | |||
| fields with SM3 hash algorithm. (A description of SM2 and SM3 can be | fields with SM3 hash algorithm. (A description of SM2 can be found | |||
| found in GB/T 32918.2-2016 [GBT-32918.2-2016] or ISO/IEC14888-3:2018 | in GM/T 0003.2-2012 [GMT-0003.2] or ISO/IEC14888-3:2018 | |||
| [ISO-IEC14888-3_2018], and GB/T 32905-2016 [GBT-32905-2016] or ISO/ | [ISO-IEC14888-3_2018], and a description of SM3 can be found in GM/T | |||
| IEC10118-3:2018 [ISO-IEC10118-3_2018].) This document also defines | 0004-2012 [GMT-0004] or ISO/IEC10118-3:2018 [ISO-IEC10118-3_2018].) | |||
| the DS RR for the SM3 one-way hash algorithm. In the signing | This document also defines the DS RR for the SM3 one-way hash | |||
| algorithm defined in this document, the size of the key for the | algorithm. In the signing algorithm defined in this document, the | |||
| elliptic curve is matched with the size of the output of the hash | size of the key for the elliptic curve is matched with the size of | |||
| algorithm. Both are 256 bits. | the output of the hash algorithm. Both are 256 bits. | |||
| Many implementations may not support SM2 signatures and SM3 digests. | ||||
| Section 5.2 of [RFC6840] specifies handling of answers in such cases. | ||||
| Caution: This specification is not a standard and does not have IETF | ||||
| community consensus. It makes use of cryptographic algorithms that | ||||
| are national standards for China, as well as ISO/IEC standards (ISO/ | ||||
| IEC 14888:3-2018 [ISO-IEC14888-3_2018] and ISO/IEC 10118:3-2018 | ||||
| [ISO-IEC10118-3_2018]). Neither the IETF nor the IRTF has analyzed | ||||
| that algorithm for suitability for any given application, and it may | ||||
| contain either intended or unintended weaknesses. | ||||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| document are to be interpreted as described in [RFC2119]. | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | ||||
| capitals, as shown here. | ||||
| 2. SM3 DS Records | 2. SM3 DS Records | |||
| The implementation of SM3 in DNSSEC follows the implementation of | The implementation of SM3 in DNSSEC follows the implementation of | |||
| SHA-256 as specified in [RFC4509] except that the underlying | SHA-256 as specified in [RFC4509] except that the underlying | |||
| algorithm is SM3 with digest type code [TBD1, waiting for an IANA's | algorithm is SM3 with digest type code 6. | |||
| code assignment]. | ||||
| The generation of a SM3 hash value is described in Section 5 of | The generation of an SM3 hash value is described in Section 5 of | |||
| [GBT-32905-2016] and generates 256-bit hash value. | [GMT-0004] and generates a 256-bit hash value. | |||
| 3. SM2 Parameters | 3. SM2 Parameters | |||
| Verifying SM2 signatures requires agreement between the signer and | Verifying SM2 signatures requires agreement between the signer and | |||
| the verifier of the parameters used. SM2 digital signature algorithm | the verifier on the parameters used. The SM2 digital signature | |||
| has been added to ISO/IEC 14888-3:2018. And the parameters of the | algorithm has been added to [ISO-IEC14888-3_2018]. The parameters of | |||
| curve used in this profile are as follows: | the curve used in this profile are as follows: | |||
| p = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF | p = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF | |||
| a = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFC | FFFFFFFF 00000000 FFFFFFFF FFFFFFFF | |||
| b = 28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7 F39789F5 15AB8F92 DDBCBD41 4D940E93 | a = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF | |||
| xG = 32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7 | FFFFFFFF 00000000 FFFFFFFF FFFFFFFC | |||
| yG = BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0 | b = 28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7 | |||
| n = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123 | F39789F5 15AB8F92 DDBCBD41 4D940E93 | |||
| xG = 32C4AE2C 1F198119 5F990446 6A39C994 | ||||
| 8FE30BBF F2660BE1 715A4589 334C74C7 | ||||
| yG = BC3736A2 F4F6779C 59BDCEE3 6B692153 | ||||
| D0A9877C C62A4740 02DF32E5 2139F0A0 | ||||
| n = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF | ||||
| 7203DF6B 21C6052B 53BBF409 39D54123 | ||||
| 4. DNSKEY and RRSIG Resource Records for SM2 | 4. DNSKEY and RRSIG Resource Records for SM2 | |||
| 4.1. DNSKEY Resource Records | 4.1. DNSKEY Resource Records | |||
| SM2 public keys consist of a single value, called "P". In DNSSEC | SM2 public keys consist of a single value, called "P". In DNSSEC | |||
| keys, P is a string of 32 octets that represents the uncompressed | keys, P is a string of 64 octets that represents the uncompressed | |||
| form of a curve point, "x | y". (Conversion of a point to an octet | form of a curve point, "x | y". (Conversion of a point to an octet | |||
| string is described in Section 4.2.8 of GB/T 32918.1-2016 | string is described in Section 4.2.8 of [GBT-32918.1-2016].) | |||
| [GBT-32918.1-2016].) | ||||
| 4.2. RRSIG Resource Records | 4.2. RRSIG Resource Records | |||
| The SM2 signature is the combination of two non-negative integers, | The SM2 signature is the combination of two non-negative integers, | |||
| called "r" and "s". The two integers, each of which is formatted as | called "r" and "s". The two integers, each of which is formatted as | |||
| a simple octet string, are combined into a single longer octet string | a simple octet string, are combined into a single longer octet string | |||
| for DNSSEC as the concatenation "r | s". (Conversion of the integers | for DNSSEC as the concatenation "r | s". (Conversion of the integers | |||
| to bit strings is described in Section 4.2.1 of [GBT-32918.1-2016].) | to bit strings is described in Section 4.2.1 of [GBT-32918.1-2016].) | |||
| Each integer MUST be encoded as 32 octets. | Each integer MUST be encoded as 32 octets. | |||
| Process details are described in Section 6 "Digital signature | Process details are described in Section 6 of [GMT-0003.2]. | |||
| generation algorithm and its process" in [GBT-32918.2-2016]. | ||||
| The algorithm number associated with the DNSKEY and RRSIG resource | The algorithm number associated with the DNSKEY and RRSIG resource | |||
| records is [TBD2, waiting for an IANA’s code assignment], which is | records is 17, which is described in the IANA Considerations section. | |||
| described in the IANA Considerations section. | ||||
| Conformant implementations that create records to be put into the DNS | Conformant implementations that create records to be put into the DNS | |||
| MAY implement signing and verification for the above algorithm. | MAY implement signing and verification for the SM2 digital signature | |||
| Conformant DNSSEC verifiers MAY implement verification for the above | algorithm. Conformant DNSSEC verifiers MAY implement verification | |||
| algorithm. | for the above algorithm. | |||
| 5. Support for NSEC3 Denial of Existence | 5. Support for NSEC3 Denial of Existence | |||
| This document does not define algorithm aliases mentioned in | This document does not define algorithm aliases mentioned in | |||
| [RFC5155]. | [RFC5155]. | |||
| A DNSSEC validator that implements the signing algorithms defined in | A DNSSEC validator that implements the signing algorithms defined in | |||
| this document MUST be able to validate negative answers in the form | this document MUST be able to validate negative answers in the form | |||
| of both NSEC and NSEC3 with hash algorithm SHA-1, as defined in | of both NSEC and NSEC3 with hash algorithm SHA-1, as defined in | |||
| [RFC5155]. An authoritative server that does not implement NSEC3 MAY | [RFC5155]. An authoritative server that does not implement NSEC3 MAY | |||
| still serve zones that use the signing algorithms defined in this | still serve zones that use the signing algorithms defined in this | |||
| document with NSEC denial of existence. | document with NSEC denial of existence. | |||
| If using NSEC3, the iterations MUST be 0 and salt MUST be an empty | If using NSEC3, the iterations MUST be 0 and salt MUST be an empty | |||
| string as recommended in Section 3.1 of [RFC9276]. | string as recommended in Section 3.1 of [RFC9276]. | |||
| 6. Example | 6. Example | |||
| The following is an example of SM2 keys and signatures in DNS zone | The following is an example of SM2 keys and signatures in DNS zone | |||
| file format, including DNSKEY RR, NSEC3PARAM RR, NSEC3 RR with RRSIG | file format, including DNSKEY RR, NSEC3PARAM RR, NSEC3 RR with RRSIG | |||
| RRs and DS RR. | RRs, and DS RR. | |||
| Private-key-format: v1.3 | Private-key-format: v1.3 | |||
| Algorithm: [TBD2] (SM2SM3) | Algorithm: 17 (SM2SM3) | |||
| PrivateKey: V24tjJgXxp2ykscKRZdT+iuR5J1xRQN+FKoQACmo9fA= | PrivateKey: V24tjJgXxp2ykscKRZdT+iuR5J1xRQN+FKoQACmo9fA= | |||
| example. 3600 IN DS 27215 TBD2 TBD1 ( | example. 3600 IN DS 27215 17 6 ( | |||
| 86671f82dd872e4ee73647a95dff7fd0af599ff8a43f fa26c9a2593091653c0e | 86671f82dd872e4ee73647a95dff7fd0af599ff8a43f fa26c9a2593091653c0e | |||
| ) | ) | |||
| example. 3600 IN DNSKEY 256 3 TBD2 ( | example. 3600 IN DNSKEY 256 3 17 ( | |||
| 7EQ32PTAp+1ac6R9Ze2nfB8pPc2OJqkHSjug | 7EQ32PTAp+1ac6R9Ze2nfB8pPc2OJqkHSjug | |||
| ALr4SuD9awuQxhfw7wMpiXv7JK4/VwwTrCxJ | ALr4SuD9awuQxhfw7wMpiXv7JK4/VwwTrCxJ | |||
| wu+qUuDsgoBK4w== | wu+qUuDsgoBK4w== | |||
| ) ; ZSK; alg = SM2SM3 ; key id = 65042 | ) ; ZSK; alg = SM2SM3 ; key id = 65042 | |||
| example. 3600 IN RRSIG DNSKEY TBD2 1 3600 ( | example. 3600 IN RRSIG DNSKEY 17 1 3600 ( | |||
| 20230901000000 20220901000000 65042 example. | 20230901000000 20220901000000 65042 example. | |||
| lF2eq49e62Nn4aT5x8ZI6PdRSTPHPDixZdyl | lF2eq49e62Nn4aT5x8ZI6PdRSTPHPDixZdyl | |||
| lM6GWu4lkRWkpTgWLE4lQK/+qHdNS4DdTd36 | lM6GWu4lkRWkpTgWLE4lQK/+qHdNS4DdTd36 | |||
| Jsuu0FSO5k48Qg== ) | Jsuu0FSO5k48Qg== ) | |||
| example. 0 IN NSEC3PARAM 1 0 10 AABBCCDD | example. 0 IN NSEC3PARAM 1 0 10 AABBCCDD | |||
| example. 0 IN RRSIG NSEC3PARAM TBD2 1 0 ( | example. 0 IN RRSIG NSEC3PARAM 17 1 0 ( | |||
| 20230901000000 20220901000000 65042 example. | 20230901000000 20220901000000 65042 example. | |||
| aqntwEYEJzkVb8SNuJLwdx7f+vivv5IUIeAj | aqntwEYEJzkVb8SNuJLwdx7f+vivv5IUIeAj ) | |||
| 62KP1QB93KRGR6LM7SEVPJVNG90BLUE8.example. 3600 IN NSEC3 1 1 10 | 62KP1QB93KRGR6LM7SEVPJVNG90BLUE8.example. 3600 IN NSEC3 1 1 10 | |||
| AABBCCDD ( | AABBCCDD ( | |||
| GTGVQIILTSSJ8FFO9J6DC8PRTFAEA8G2 NS SOA RRSIG DNSKEY NSEC3PARAM ) | GTGVQIILTSSJ8FFO9J6DC8PRTFAEA8G2 NS SOA RRSIG DNSKEY NSEC3PARAM ) | |||
| 62KP1QB93KRGR6LM7SEVPJVNG90BLUE8.example. 3600 IN RRSIG NSEC3 TBD2 2 | 62KP1QB93KRGR6LM7SEVPJVNG90BLUE8.example. 3600 IN RRSIG NSEC3 17 2 | |||
| 3600 ( | 3600 ( | |||
| 20230901000000 20220901000000 65042 example. | 20230901000000 20220901000000 65042 example. | |||
| FOWLegTgFkFY9vCOo4kHwjEvZ+IL1NMl4s9V | FOWLegTgFkFY9vCOo4kHwjEvZ+IL1NMl4s9V | |||
| hVyPOwokd5uOLKeXTP19HIeEtW73WcJ9XNe/ ie/knp7Edo/hxw== ) | hVyPOwokd5uOLKeXTP19HIeEtW73WcJ9XNe/ ie/knp7Edo/hxw== ) | |||
| Here is an example program [Example_Program] based on dnspython and | [Example_Program] is an example program based on dnspython and gmssl, | |||
| gmssl, which supplies key generating, zone signing, zone validating | which supplies key generating, zone signing, zone validating, and DS | |||
| and DS RR generating functions for convenience. | RR generating functions for convenience. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document will update the IANA registry for digest types in DS | IANA has registered the following in the "Digest Algorithms" registry | |||
| records, currently called "Digest Algorithms," in the "Delegation | within the "DNSSEC Delegation Signer (DS) Resource Record (RR) Type | |||
| Signer (DS) Resource Record (RR) Type Digest Algorithms" registry | Digest Algorithms" registry group. | |||
| group. | ||||
| Value TBD1 | +=======+=============+==========+===============+ | |||
| Digest Type SM3 | | Value | Digest Type | Status | Reference | | |||
| Status OPTIONAL | +=======+=============+==========+===============+ | |||
| Reference This document | | 6 | SM3 | OPTIONAL | This document | | |||
| +-------+-------------+----------+---------------+ | ||||
| This document will update the IANA registry "Domain Name System | Table 1 | |||
| Security (DNSSEC) Algorithm Numbers". | ||||
| Number TBD2 | IANA has registered the following in the "DNS Security Algorithm | |||
| Description SM2 signing algorithm with SM3 hashing algorithm | Numbers" registry within the "Domain Name System Security (DNSSEC) | |||
| Mnemonic SM2SM3 | Algorithm Numbers" registry group. | |||
| Zone Signing Y | ||||
| Trans. Sec. * | +========+================+==========+=========+========+===========+ | |||
| Reference This document | | Number | Description | Mnemonic | Zone | Trans. | Reference | | |||
| | | | | Signing | Sec. | | | ||||
| +========+================+==========+=========+========+===========+ | ||||
| | 17 | SM2 signing | SM2SM3 | Y | * | This | | ||||
| | | algorithm | | | | document | | ||||
| | | with SM3 | | | | | | ||||
| | | hashing | | | | | | ||||
| | | algorithm | | | | | | ||||
| +--------+----------------+----------+---------+--------+-----------+ | ||||
| Table 2 | ||||
| * There has been no determination of standardization of the use of | * There has been no determination of standardization of the use of | |||
| this algorithm with Transaction Security. | this algorithm with Transaction Security. | |||
| 8. Security Considerations | 8. Security Considerations | |||
| The security strength of SM2 depends on the size of the key. Longer | The security strength of SM2 depends on the size of the key. A | |||
| key provides stronger security strength. The security of ECC-based | longer key provides stronger security strength. The security of ECC- | |||
| algorithms is influenced by the curve it uses, too. | based algorithms is influenced by the curve it uses, too. | |||
| Like any cryptographic algorithm, it may come to pass that a weakness | Like any cryptographic algorithm, it may come to pass that a weakness | |||
| is found in either SM2 or SM3. In this case, the proper remediation | is found in either SM2 or SM3. In this case, the proper remediation | |||
| is crypto-agility. In the case of DNSSEC, the appropriate approach | is crypto-agility. In the case of DNSSEC, the appropriate approach | |||
| would be to regenerate appropriate DS, DNSKEY, RRSIG, and NSEC3 | would be to regenerate appropriate DS, DNSKEY, RRSIG, and NSEC3 | |||
| records. Care MUST be taken in this situation to permit appropriate | records. Care MUST be taken in this situation to permit appropriate | |||
| rollovers, taking into account record caching. See [RFC7583] for | rollovers, taking into account record caching. See [RFC7583] for | |||
| details. Choice of a suitable replacement algorithm should be one | details. A suitable replacement algorithm should be both widely | |||
| that is both widely implemented and not known to have weaknesses. | implemented and not known to have weaknesses. | |||
| The security considerations listed in [RFC4509] apply here as well. | The security considerations listed in [RFC4509] apply here as well. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [GBT-32918.1-2016] | ||||
| Standardization Administration of China, "Information | ||||
| security technology--Public key cryptographic algorithm | ||||
| SM2 based on elliptic curves--Part 1: General", [In | ||||
| Chinese], GB/T 32918.1-2016, March 2017. English | ||||
| translation available at: http://www.gmbz.org.cn/ | ||||
| upload/2018-07-24/1532401673134070738.pdf | ||||
| (http://www.gmbz.org.cn/ | ||||
| upload/2018-07-24/1532401673134070738.pdf) | ||||
| [GMT-0003.2] | ||||
| Cryptography Standardization Technical Committee of China, | ||||
| "SM2 public key cryptographic algorithm based on elliptic | ||||
| curves -- Part 2: Digital signature algorithm", [In | ||||
| Chinese], GM/T 0003.2-2012, March 2012. English | ||||
| translation available at: TBD (TBD) | ||||
| [GMT-0004] Cryptography Standardization Technical Committee of China, | ||||
| "SM3 Cryptographic Hash Algorithm", [In Chinese], GM/ | ||||
| T 0004-2012, March 2012. English translation available | ||||
| at: TBD (TBD). | ||||
| [IANA] IANA, "DNS Security Algorithm Numbers", | ||||
| <https://www.iana.org/assignments/dns-sec-alg-numbers>. | ||||
| [ISO-IEC10118-3_2018] | ||||
| ISO/IEC, "IT Security techniques -- Hash-functions -- Part | ||||
| 3: Dedicated hash-functions", ISO/IEC 10118-3:2018, | ||||
| October 2018. | ||||
| [ISO-IEC14888-3_2018] | ||||
| ISO/IEC, "IT Security techniques -- Digital signatures | ||||
| with appendix -- Part 3: Discrete logarithm based | ||||
| mechanisms", ISO/IEC 14888-3:2018, November 2018. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "DNS Security Introduction and Requirements", | Rose, "DNS Security Introduction and Requirements", | |||
| RFC 4033, DOI 10.17487/RFC4033, March 2005, | RFC 4033, DOI 10.17487/RFC4033, March 2005, | |||
| <https://www.rfc-editor.org/info/rfc4033>. | <https://www.rfc-editor.org/info/rfc4033>. | |||
| [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Resource Records for the DNS Security Extensions", | Rose, "Resource Records for the DNS Security Extensions", | |||
| RFC 4034, DOI 10.17487/RFC4034, March 2005, | RFC 4034, DOI 10.17487/RFC4034, March 2005, | |||
| <https://www.rfc-editor.org/info/rfc4034>. | <https://www.rfc-editor.org/info/rfc4034>. | |||
| [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Protocol Modifications for the DNS Security | Rose, "Protocol Modifications for the DNS Security | |||
| Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, | Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, | |||
| <https://www.rfc-editor.org/info/rfc4035>. | <https://www.rfc-editor.org/info/rfc4035>. | |||
| [IANA] IANA, "Domain Name System Security (DNSSEC) Algorithm | ||||
| Numbers", Registered DNSSEC Algorithm Numbers, April 2020, | ||||
| <https://www.iana.org/assignments/dns-sec-alg-numbers/dns- | ||||
| sec-alg-numbers.xhtml>. | ||||
| [RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer | [RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer | |||
| (DS) Resource Records (RRs)", RFC 4509, | (DS) Resource Records (RRs)", RFC 4509, | |||
| DOI 10.17487/RFC4509, May 2006, | DOI 10.17487/RFC4509, May 2006, | |||
| <https://www.rfc-editor.org/info/rfc4509>. | <https://www.rfc-editor.org/info/rfc4509>. | |||
| [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | |||
| Security (DNSSEC) Hashed Authenticated Denial of | Security (DNSSEC) Hashed Authenticated Denial of | |||
| Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | |||
| <https://www.rfc-editor.org/info/rfc5155>. | <https://www.rfc-editor.org/info/rfc5155>. | |||
| [RFC9276] Hardaker, W. and V. Dukhovni, "Guidance for NSEC3 | [RFC6840] Weiler, S., Ed. and D. Blacka, Ed., "Clarifications and | |||
| Parameter Settings", BCP 236, RFC 9276, | Implementation Notes for DNS Security (DNSSEC)", RFC 6840, | |||
| DOI 10.17487/RFC9276, August 2022, | DOI 10.17487/RFC6840, February 2013, | |||
| <https://www.rfc-editor.org/info/rfc9276>. | <https://www.rfc-editor.org/info/rfc6840>. | |||
| [RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking, | [RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking, | |||
| "DNSSEC Key Rollover Timing Considerations", RFC 7583, | "DNSSEC Key Rollover Timing Considerations", RFC 7583, | |||
| DOI 10.17487/RFC7583, October 2015, | DOI 10.17487/RFC7583, October 2015, | |||
| <https://www.rfc-editor.org/info/rfc7583>. | <https://www.rfc-editor.org/info/rfc7583>. | |||
| [GBT-32918.1-2016] | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| Standardization Administration of China, "Information | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| security technology --- Public key cryptographic algorithm | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| SM2 based on elliptic curves --- Part 1: General", GB/ | ||||
| T 32918.2-2016, March 2017, <http://www.gmbz.org.cn/ | ||||
| upload/2018-07-24/1532401673134070738.pdf>. | ||||
| [GBT-32918.2-2016] | ||||
| Standardization Administration of China, "Information | ||||
| security technology --- Public key cryptographic algorithm | ||||
| SM2 based on elliptic curves --- Part 2: Digital signature | ||||
| algorithm", GB/T 32918.2-2016, March 2017, | ||||
| <http://www.gmbz.org.cn/ | ||||
| upload/2018-07-24/1532401673138056311.pdf>. | ||||
| [ISO-IEC14888-3_2018] | ||||
| International Organization for Standardization, "IT | ||||
| Security techniques -- Digital signatures with appendix -- | ||||
| Part 3: Discrete logarithm based mechanisms", ISO/ | ||||
| IEC 14888-3:2018, November 2018. | ||||
| [GBT-32905-2016] | ||||
| Standardization Administration of China, "Information | ||||
| security technology --- SM3 cryptographic hash algorithm", | ||||
| GB/T 32905-2016, March 2017, <http://www.gmbz.org.cn/ | ||||
| upload/2018-07-24/1532401392982079739.pdf>. | ||||
| [ISO-IEC10118-3_2018] | [RFC9276] Hardaker, W. and V. Dukhovni, "Guidance for NSEC3 | |||
| International Organization for Standardization, "IT | Parameter Settings", BCP 236, RFC 9276, | |||
| Security techniques -- Hash-functions -- Part 3: Dedicated | DOI 10.17487/RFC9276, August 2022, | |||
| hash-functions", ISO/IEC 10118-3:2018, October 2018. | <https://www.rfc-editor.org/info/rfc9276>. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [Example_Program] | [Example_Program] | |||
| Zhang, C., "Sign and Validate DNSSEC Signature with SM2SM3 | "sign and validate dnssec signature with sm2sm3 | |||
| Algorithm", SM2SM3 DNSSEC Example Program, April 2023, | algorithm", commit 6f98c17, April 2023, | |||
| <https://github.com/scooct/dnssec_sm2sm3>. | <https://github.com/scooct/dnssec_sm2sm3>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Cuiling Zhang | Cuiling Zhang | |||
| CNNIC | CNNIC | |||
| No.4 South 4th Street, Zhongguancun | No.4 South 4th Street, Zhongguancun | |||
| Beijing, 100190 | Beijing | |||
| 100190 | ||||
| China | China | |||
| Email: zhangcuiling@cnnic.cn | Email: zhangcuiling@cnnic.cn | |||
| Yukun Liu | Yukun Liu | |||
| CNNIC | CNNIC | |||
| No.4 South 4th Street, Zhongguancun | No.4 South 4th Street, Zhongguancun | |||
| Beijing, 100190 | Beijing | |||
| 100190 | ||||
| China | China | |||
| Email: liuyukun@cnnic.cn | Email: liuyukun@cnnic.cn | |||
| Feng Leng | Feng Leng | |||
| CNNIC | CNNIC | |||
| No.4 South 4th Street, Zhongguancun | No.4 South 4th Street, Zhongguancun | |||
| Beijing, 100190 | Beijing | |||
| 100190 | ||||
| China | China | |||
| Email: lengfeng@cnnic.cn | Email: lengfeng@cnnic.cn | |||
| Qi Zhao | Qi Zhao | |||
| CNNIC | CNNIC | |||
| No.4 South 4th Street, Zhongguancun | No.4 South 4th Street, Zhongguancun | |||
| Beijing, 100190 | Beijing | |||
| 100190 | ||||
| China | China | |||
| Email: zhaoqi@cnnic.cn | Email: zhaoqi@cnnic.cn | |||
| Zheng He | Zheng He | |||
| CNNIC | CNNIC | |||
| No.4 South 4th Street, Zhongguancun | No.4 South 4th Street, Zhongguancun | |||
| Beijing, 100190 | Beijing | |||
| 100190 | ||||
| China | China | |||
| Email: hezh@cnnic.cn | Email: hezh@cnnic.cn | |||
| End of changes. 49 change blocks. | ||||
| 155 lines changed or deleted | 186 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||