Re: [dnsext] WGLC: Gost algorithms for DNSSEC
Basil Dolmatov writes:
Document note: The document uses in its examples an unallocated DNSKEY
algorithm code, 249. When this document is issued as an RFC a different
code WILL be allocated; the only use of this code is for early
interoperability testing.
The example of signature in the current text of the draft will NOT check
with this protocol code.
If necessary, working examples for protocol code 249 can be supplied.
Attached are working examples for temporary protocol code 249.
These examples have been cross-checked between two independent
implementations of GOST in DNSSEC (by Cryptocom and by NLNetLabs).
dol@
--- draft-ietf-dnsext-dnssec-gost-01.txt.orig 2009-10-18 19:51:39.000000000 +0400
+++ draft-ietf-dnsext-dnssec-gost-01.txt 2009-10-30 18:59:19.000000000 +0300
@@ -155,23 +155,24 @@
2.2. GOST DNSKEY RR Example
- Given a private key with the following value:
+ Given a private key with the following value (the value of GostAsn1
+ field is split here into two lines to simplify reading; in the private key
+ file it must be in one line):
Private-key-format: v1.2
Algorithm: {TBA1} (GOST)
- GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEE
- IgQgAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
- (corresponding to private key value 1)
+ GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgV/S2FXdM
+ tzKJBehZvjF4lVSx6m66TwqSe/MFwKSH/3E=
V.Dolmatov Expires April 18, 2010 [Page 3]
The following DNSKEY RR stores a DNS zone key for example.net
- example.net. 86400 IN DNSKEY 256 3 {TBA1} ( AAABAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAABQe
- n56cyawiseMj3y1PKTV2Kz9F
- WlDfJ9qcmOBx5JGN )
+ example.net. 86400 IN DNSKEY 256 3 {TBA1} (
+ AADMrbi2vAs4hklTmmzGE3WWNtJ8Dll0u0jq
+ tGRbNKeJguZQj/9EpGWmQK9hekPiPlzH2Ph6
+ yB7i836EfzmJo5LP
+ ) ; key id = 15820
3. RRSIG Resource Records
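Review bot: the added sentence "the value of GostAsn1 field is split here into two lines" is missing an article; suggest "the value of the GostAsn1 field". The removed line "(corresponding to private key value 1)" was the only statement of how the example key was obtained, and nothing replaces it, so a short sentence saying the new GostAsn1 value is a randomly generated test key would keep the example self-describing. The key tag appears only in the trailing "; key id = 15820" comment, yet the RRSIG section depends on that value; stating the key tag in prose as well would survive readers copying the RR without the comment.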
@@ -209,13 +210,14 @@
Setting the inception date to 2000-01-01 00:00:00 UTC and the
expiration date to 2030-01-01 00:00:00 UTC, the following signature
- should be created (assuming {TBA1}==249 until proped code is
+ should be created (assuming {TBA1}==249 until proper code is
assigned by IANA)
- www.example.net. 3600 IN RRSIG ( A {TBA1} 3 3600
- 20300101000000 20000101000000 9033 example.net.
- 96ObOt5gR6Xln8g42w70OZvi6BZoQvLIhrN9F+VBc29mp+ap
- DQov1re0hApGenYDd2zLaHecw4H2vnPj0NhhxA== )
+ www.example.net. 3600 IN RRSIG A {TBA1} 3 3600 20300101000000 (
+ 20000101000000 15820 example.net.
+ K4sw+TOJz47xqP6685ItDfPhkktyvgxXrLdX
+ aQLX01mMZbJUp6tzetBYGpdHciAW5RLvHLVB
+ P8RtFK8Qv5DRsA== )
4. DS Resource Records
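Review bot: the parenthetical "assuming {TBA1}==249 until proper code is assigned by IANA" should say explicitly that the signature bytes depend on that value, because the algorithm number is part of the RRSIG RDATA covered by the signature, and that the example will be regenerated once the final code is allocated; the cover note already states the example will not verify with any other code, and the draft text should say the same. The key tag changed from 9033 to 15820, which matches the "; key id = 15820" comment on the new DNSKEY in section 2.2, but since that comment is the only place the tag is given, a reader checking this RRSIG has no normative text to compare it against.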
@@ -234,8 +236,20 @@
4.1. DS RR Example
- example.net. 3600 IN DS 9033 {TBA1} {TBA2} ( Su0ToNow7Lwex+wqac+cTQ
- djJ733qubhan+KqUrselc= )
+ For key signing key (assuming {TBA1}==249 until proper code is
+ assigned by IANA)
+
+ example.net. 86400 DNSKEY 257 3 {TBA1} (
+ AAADr5vmKVdXo780hSRU1YZYWuMZUbEe9R7C
+ RRLc7Wj2osDXv2XbCnIpTUx8dVLnLKmDBquu
+ 9tCz5oSsZl0cL0R2
+ ) ; key id = 21649
+
+ DS RR will be
+
+ example.net. 3600 IN DS 21649 {TBA1} {TBA2} (
+ A8146F448569F30B91255BA8E98DE14B18569A524C49593ADCA4103A
+ A44649C6 )
5. Deployment Considerations
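Review bot: the added line "example.net. 86400 DNSKEY 257 3 {TBA1} (" omits the class "IN", unlike every other RR in the examples (the zone key in section 2.2 reads "86400 IN DNSKEY"); add it for consistency, since these lines get pasted into zone files. "For key signing key (...)" and "DS RR will be" read as fragments; suggest "For the key signing key (...)" and "The corresponding DS RR is". Also worth a line in the change notes: the removed DS example showed the digest in base64, while the new one correctly uses hexadecimal digits as the DS presentation format requires, so implementers comparing the two versions should not read this as only a change of digest value.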