EdDSA for DNSSEC

DNSSEC, which is broadly defined in , , and , uses cryptographic keys and digital signatures to provide authentication of DNS data. Currently, the most popular signature algorithm in use is RSA. GOST () and NIST-specified elliptic curve cryptography () are also standardized. describes the elliptic curve signature system EdDSA and recommends two curves, Ed25519 and Ed448. This document defines the use of DNSSEC's DS, DNSKEY, and RRSIG resource records (RRs) with a new signing algorithm, Edwards-curve Digital Signature Algorithm (EdDSA) using a choice of two curves, Ed25519 and Ed448.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

An Ed25519 public key consists of a 32-octet value, which is encoded into the Public Key field of a DNSKEY resource record as a simple bit string. The generation of a public key is defined in Chapter 5.1.5 in . An Ed448 public key consists of a 57-octet value, which is encoded into the Public Key field of a DNSKEY resource record as a simple bit string. The generation of a public key is defined in Chapter 5.2.5 in .

In Chapter 10.3 in , the use of a context label is described. EdDSA signatures in this scheme use the 12-octet context label 'DNSSECRRSIG\0' (where \0 represents a zero-valued octet). An Ed25519 signature consists of a 64-octet value, which is encoded into the Signature field of an RRSIG resource record as a simple bit string. The Ed25519 signature algorithm is described in Chapter 5.1.6 in . An Ed448 signature consists of a 114-octet value, which is encoded into the Signature field of an RRSIG resource record as a simple bit string. The Ed448 signature algorithm is described in Chapter 5.2.6 and verification of the Ed448 signature is described in Chapter 5.2.7 in .

The algorithm number associated with the use of Ed25519 in DS, DNSKEY and RRSIG resource records is TBD. The algorithm number associated with the use of Ed448 in DS, DNSKEY and RRSIG resource records is TBD. This registration is fully defined in the IANA Considerations section.

This section needs an update after the algorithm for Ed25519 is assigned.

This section needs an update after the algorithm for Ed448 is assigned.

Some of the material in this document is copied liberally from . The authors of this document wish to thank Jan Vcelak, Pieter Lexis and Kees Monshouwer for a review of this document.

This document updates the IANA registry "Domain Name System Security (DNSSEC) Algorithm Numbers". The following entry has been added to the registry: Number TBD TBD Description Ed25519 Ed448 Mnemonic ED25519 Ed448 Zone Signing Y Y Trans. Sec. * * Reference This document This document * There has been no determination of standardization of the use of this algorithm with Transaction Security.

(Note to the RFC Editor: please remove this entire section as well as the reference to RFC 6982 before publication.) This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in . The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to , "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".

The security level of Ed25519 is slightly under the standard 128-bit level and the security level of Ed448 is slightly under the standard 224-bit level (). Security considerations listed in also apply to the usage of Ed25519 and Ed448 in DNSSEC. Such an assessment could, of course, change in the future if new attacks that work better than the ones known today are found.