
Loading, storing, and generating DNSSEC keys

Open bal-e opened this issue 1 year ago • 0 comments

This PR defines an ergonomic basis for DNSSEC signing.

The following features are supported:

  • [x] Keys can be generated.
  • [x] Keys can be parsed from or serialized to the conventional BIND format.
  • [x] Keys can be used to sign byte sequences.
  • [x] Public keys can be parsed from or serialized to DNSKEY records.

Cryptographic primitives are implemented using Ring or OpenSSL, at the user's choice. Note that OpenSSL supports more algorithms. For simplicity, a combined key type is provided which uses Ring where possible and falls back to OpenSSL for other algorithms.

Signatures can be created using the following algorithms:

  • [ ] RSA/SHA-1: support is prohibited as per RFC 8624.
  • [x] RSA/SHA-256 (also with Ring, for 2048-bit or larger keys).
  • [ ] RSA/SHA-512: support is not recommended as per RFC 8624.
  • [x] ECDSA P-256/SHA-256 (also with Ring).
  • [x] ECDSA P-384/SHA-384 (also with Ring).
  • [x] Ed25519 (also with Ring).
  • [x] Ed448.

In DNSSEC, keys are associated with important metadata, such as who they belong to and how they can be used (Zone Signing Keys sign resource records, while Key Signing Keys sign Zone Signing Keys). This implementation provides low-level or "raw" types which do not include this metadata, as well as higher-level types which do include it.

  • sign::generic::SecretKey: A generic representation of a secret key. It does not support any cryptographic operations itself.
  • sign::{openssl,ring,common}::SecretKey: A secret key that supports cryptographic operations and that can be used for signing.
  • sign::Signer: A secret key associated with important metadata.
  • validate::RawPublicKey: A generic representation of a public key.
  • validate::Key: A public key associated with important metadata.

The actual signing functionality is provided by the sign::SignRaw trait. This provides a synchronous sign_raw() function, which should be used for on-CPU signing operations. In the future, an asynchronous signing interface will be provided, for use with off-CPU signing operations (e.g. via HSMs).

bal-e, Oct 07 '24 14:10
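As an added example (not code from the domain crate or from this PR), the "metadata" side of the description above in dependency-free Rust: a DNSKEY record parsed from its presentation format, its ZSK/KSK role read from the flags field, the RFC 4034 Appendix B key tag computed over the wire RDATA, and the signing-algorithm list exactly as the PR checklist gives it (RSA/SHA-1 and RSA/SHA-512 left out). The type and function names (`Dnskey`, `Algorithm`, `parse_presentation`, `key_tag`, `signing_supported`) are my own and do not correspond to the crate's API; the record text in `main` is constructed for illustration.

```rust
// Added example, not the domain crate's code. Names are illustrative assumptions.

/// IANA DNSSEC algorithm numbers for the algorithms listed in the PR.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Algorithm {
    RsaSha1 = 5,
    RsaSha256 = 8,
    RsaSha512 = 10,
    EcdsaP256Sha256 = 13,
    EcdsaP384Sha384 = 14,
    Ed25519 = 15,
    Ed448 = 16,
}

impl Algorithm {
    pub fn from_number(n: u8) -> Option<Algorithm> {
        Some(match n {
            5 => Algorithm::RsaSha1,
            8 => Algorithm::RsaSha256,
            10 => Algorithm::RsaSha512,
            13 => Algorithm::EcdsaP256Sha256,
            14 => Algorithm::EcdsaP384Sha384,
            15 => Algorithm::Ed25519,
            16 => Algorithm::Ed448,
            _ => return None,
        })
    }

    /// Mirrors the PR checklist: signing with RSA/SHA-1 and RSA/SHA-512 is not offered.
    pub fn signing_supported(self) -> bool {
        !matches!(self, Algorithm::RsaSha1 | Algorithm::RsaSha512)
    }
}

/// DNSKEY flag bits (RFC 4034 section 2.1.1): Zone Key = bit 7, SEP = bit 15.
pub const FLAG_ZONE_KEY: u16 = 0x0100;
pub const FLAG_SEP: u16 = 0x0001;

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Dnskey {
    pub flags: u16,
    pub protocol: u8,
    pub algorithm: u8,
    pub public_key: Vec<u8>,
}

impl Dnskey {
    pub fn is_zone_key(&self) -> bool { self.flags & FLAG_ZONE_KEY != 0 }

    /// KSK = zone key with the SEP bit set (flags 257); ZSK = zone key without it (256).
    pub fn is_ksk(&self) -> bool { self.is_zone_key() && self.flags & FLAG_SEP != 0 }

    /// Wire-format RDATA: flags (2 bytes BE), protocol, algorithm, raw public key.
    pub fn to_rdata(&self) -> Vec<u8> {
        let mut out = Vec::with_capacity(4 + self.public_key.len());
        out.extend_from_slice(&self.flags.to_be_bytes());
        out.push(self.protocol);
        out.push(self.algorithm);
        out.extend_from_slice(&self.public_key);
        out
    }

    /// Key tag per RFC 4034 Appendix B: 16-bit ones-complement-style sum over RDATA.
    pub fn key_tag(&self) -> u16 {
        let mut ac: u32 = 0;
        for (i, b) in self.to_rdata().iter().enumerate() {
            ac += if i % 2 == 0 { (*b as u32) << 8 } else { *b as u32 };
        }
        ac += (ac >> 16) & 0xFFFF;
        (ac & 0xFFFF) as u16
    }

    /// Parse presentation format "<flags> <protocol> <algorithm> <base64 key...>".
    /// The key may be split across several whitespace-separated tokens.
    pub fn parse_presentation(text: &str) -> Result<Dnskey, String> {
        let mut fields = text.split_whitespace();
        let flags = fields.next().ok_or("missing flags")?.parse::<u16>().map_err(|e| e.to_string())?;
        let protocol = fields.next().ok_or("missing protocol")?.parse::<u8>().map_err(|e| e.to_string())?;
        let algorithm = fields.next().ok_or("missing algorithm")?.parse::<u8>().map_err(|e| e.to_string())?;
        if protocol != 3 {
            return Err(format!("DNSKEY protocol must be 3, got {protocol}"));
        }
        let b64: String = fields.collect();
        let public_key = base64_decode(&b64)?;
        Ok(Dnskey { flags, protocol, algorithm, public_key })
    }
}

/// Minimal standard-alphabet base64 decoder; stops at the first '=' padding byte.
fn base64_decode(s: &str) -> Result<Vec<u8>, String> {
    let (mut out, mut buf, mut bits): (Vec<u8>, u32, u32) = (Vec::new(), 0, 0);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' => break,
            _ => return Err(format!("invalid base64 byte {c:#x}")),
        };
        buf = (buf << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8);
            buf &= (1 << bits) - 1;
        }
    }
    Ok(out)
}

fn main() {
    // Constructed record: KSK flags, protocol 3, ECDSAP256SHA256, 4-byte dummy key.
    let key = Dnskey::parse_presentation("257 3 13 AQIDBA==").expect("valid DNSKEY");
    let alg = Algorithm::from_number(key.algorithm).expect("known algorithm");
    println!("role={} tag={} alg={:?} signing_supported={}",
        if key.is_ksk() { "KSK" } else { "ZSK" }, key.key_tag(), alg, alg.signing_supported());
}
```

The role and key tag are exactly the pieces the "raw" types drop and the `Signer`/`Key` types carry; a signer that takes a raw key without them has no way to tell a KSK from a ZSK or to fill in the RRSIG key tag, which is why the PR splits the two layers.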