EdDSA for DNSSEC

DNSSEC, which is broadly defined in , , and , uses cryptographic keys and digital signatures to provide authentication of DNS data. Currently, the most popular signature algorithm in use is RSA. GOST () and NIST-specified elliptic curve cryptography () are also standardized. describes the elliptic curve signature system EdDSA and recommends two curves, Ed25519 and Ed448. This document defines the use of DNSSEC's DS, DNSKEY, and RRSIG resource records (RRs) with a new signing algorithm, Edwards-curve Digital Signature Algorithm (EdDSA) using a choice of two instances: Ed25519 and Ed448.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

An Ed25519 public key consists of a 32-octet value, which is encoded into the Public Key field of a DNSKEY resource record as a simple bit string. The generation of a public key is defined in Section 5.1.5 in . An Ed448 public key consists of a 57-octet value, which is encoded into the Public Key field of a DNSKEY resource record as a simple bit string. The generation of a public key is defined in Section 5.2.5 in .

An Ed25519 signature consists of a 64-octet value, which is encoded into the Signature field of an RRSIG resource record as a simple bit string. The Ed25519 signature algorithm is described in Section 5.1.6 and verification of the Ed25519 signature is described in Section5.1.7 in . An Ed448 signature consists of a 114-octet value, which is encoded into the Signature field of an RRSIG resource record as a simple bit string. The Ed448 signature algorithm is described in Section 5.2.6 and verification of the Ed448 signature is described in Section 5.2.7 in .

The algorithm number associated with the use of Ed25519 in DS, DNSKEY and RRSIG resource records is TBD1. The algorithm number associated with the use of Ed448 in DS, DNSKEY and RRSIG resource records is TBD2. This registration is fully defined in the IANA Considerations section.

This section needs an update after the algorithm number for Ed25519 is assigned.

This section needs an update after the algorithm number for Ed448 is assigned.

Some of the material in this document is copied liberally from . The authors of this document wish to thank Jan Vcelak, Pieter Lexis, Kees Monshouwer, Simon Josefsson, Paul Hoffman and others for a review of this document.

This document updates the IANA registry "Domain Name System Security (DNSSEC) Algorithm Numbers". The following entry has been added to the registry: Number TBD1 TBD2 Description Ed25519 Ed448 Mnemonic ED25519 ED448 Zone Signing Y Y Trans. Sec. * * Reference This document This document * There has been no determination of standardization of the use of this algorithm with Transaction Security.

Ed25519 and Ed448 offers improved security properties and implementation characteristics compared to RSA and ECDSA algorithms, and the introduction of these algorithms are thus expected to improve security of DNSSEC. The security considerations of and are inherited in the usage of Ed25519 and Ed448 in DNSSEC. Ed25519 is intended to operate at around the 128-bit security level, and Ed448 at around the 224-bit security level. A sufficiently large quantum computer would be able to break both. Reasonable projections of the abilities of classical computers conclude that Ed25519 is perfectly safe. Ed448 is provided for those applications with relaxed performance requirements and where there is a desire to hedge against analytical attacks on elliptic curves. These assessments could, of course, change in the future if new attacks that work better than the ones known today are found. A private key used for a DNSSEC zone MUST NOT be used for any other purpose than for that zone. Otherwise cross-protocol or cross-application attacks are possible.