DNSext Working Group                                           F. Dupont
Internet-Draft                                                       ISC
Updates: 2845,2930,4635                                      May 8, 2009
(if approved)
Intended status: Standards Track
Expires: November 9, 2009


     Deprecation of HMAC-MD5 in DNS TSIG and TKEY Resource Records
              draft-ietf-dnsext-tsig-md5-deprecated-03.txt

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79. This document may contain material
   from IETF Documents or IETF Contributions published or made publicly
   available before November 10, 2008. The person(s) controlling the
   copyright in some of this material may not have granted the IETF
   Trust the right to allow modifications of such material outside the
   IETF Standards Process. Without obtaining an adequate license from
   the person(s) controlling the copyright in such materials, this
   document may not be modified outside the IETF Standards Process, and
   derivative works of it may not be created outside the IETF Standards
   Process, except to format it for publication as an RFC or to
   translate it into languages other than English.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 9, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors. All rights reserved.



Dupont                  Expires November 9, 2009                [Page 1]

Internet-Draft       Deprecating HMAC-MD5 in TSIG               May 2009


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   The main purpose of this document is to deprecate the use of HMAC-MD5
   as an algorithm for the TSIG (secret key transaction authentication)
   resource record in the DNS (domain name system), and the use of MD5
   in TKEY (secret key establishment for DNS).


1. Introduction

   The secret key transaction authentication for DNS (TSIG, [RFC2845])
   was defined with the HMAC-MD5 [RFC2104] cryptographic algorithm.
   When the MD5 [RFC1321] security came to be considered lower than
   expected, [RFC4635] standardized new TSIG algorithms based on SHA
   [RFC3174][RFC3874][RFC4634] digests.

   But [RFC4635] did not deprecate the HMAC-MD5 algorithm. This
   document is targeted to complete the process, in detail:
   1. Mark HMAC-MD5.SIG-ALG.REG.INT as optional in the TSIG algorithm
      name registry managed by the IANA under the IETF Review Policy
      [RFC5226]
   2. Make HMAC-MD5.SIG-ALG.REG.INT support "not Mandatory" for
      implementations
   3. Provide a keying material derivation for the secret key
      establishment for DNS (TKEY, [RFC2930]) using a Diffie-Hellman
      exchange with SHA256 [RFC4634] in place of MD5 [RFC1321]
   4. Finally recommend the use of HMAC-SHA256.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].


2. Implementation Requirements

   The table of section 3 of [RFC4635] is replaced by:

   +-------------------+--------------------------+
   | Requirement Level | Algorithm Name           |
   +-------------------+--------------------------+
   | Optional          | HMAC-MD5.SIG-ALG.REG.INT |
   | Optional          | gss-tsig                 |
   | Mandatory         | hmac-sha1                |
   | Optional          | hmac-sha224              |
   | Mandatory         | hmac-sha256              |
   | Optional          | hmac-sha384              |
   | Optional          | hmac-sha512              |
   +-------------------+--------------------------+

   Implementations that support TSIG MUST also implement HMAC-SHA1 and
   HMAC-SHA256 (i.e., algorithms at the "Mandatory" requirement level)
   and MAY implement GSS-TSIG and the other algorithms listed above
   (i.e., algorithms at a "not Mandatory" requirement level).


3. TKEY keying material derivation

   When the TKEY [RFC2930] uses a Diffie-Hellman exchange, the keying
   material is derived from the shared secret and TKEY resource record
   data using MD5 [RFC1321] at the end of section 4.1 page 9.

   This is amended into:

      keying material =
           XOR ( DH value, SHA256 ( query data | DH value ) |
                           SHA256 ( server data | DH value ) )

   using the same conventions.
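
   The amended derivation written out in Python, as an added example
   that is not part of this draft or of any implementation. It assumes
   the RFC 2930 section 4.1 conventions: "|" is byte-stream
   concatenation and the shorter XOR operand is left-justified and
   zero-padded. Function names and sample inputs are constructed for
   illustration.

```python
import hashlib

DIGEST_AMENDED = "sha256"   # hash used by the amended derivation
DIGEST_RFC2930 = "md5"      # hash used by the original RFC 2930 text


def xor_left_justified(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the shorter operand is left-justified and
    padded on the right with zero bytes (assumed RFC 2930 convention)."""
    size = max(len(a), len(b))
    a = a.ljust(size, b"\x00")
    b = b.ljust(size, b"\x00")
    return bytes(x ^ y for x, y in zip(a, b))


def digest_pair(query_data: bytes, server_data: bytes, dh_value: bytes,
                hash_name: str = DIGEST_AMENDED) -> bytes:
    """H(query data | DH value) | H(server data | DH value)."""
    first = hashlib.new(hash_name, query_data + dh_value).digest()
    second = hashlib.new(hash_name, server_data + dh_value).digest()
    return first + second


def tkey_dh_keying_material(dh_value: bytes, query_data: bytes,
                            server_data: bytes,
                            hash_name: str = DIGEST_AMENDED) -> bytes:
    """keying material = XOR(DH value, H(query|DH) | H(server|DH)).

    query_data / server_data are the key data fields of the query and
    response TKEY RRs; dh_value is the Diffie-Hellman shared value.
    """
    if not dh_value:
        raise ValueError("empty Diffie-Hellman value")
    mask = digest_pair(query_data, server_data, dh_value, hash_name)
    return xor_left_justified(dh_value, mask)


def unmasked_tail(dh_value: bytes, hash_name: str = DIGEST_AMENDED) -> int:
    """Count of trailing DH-value bytes that lie beyond the two
    concatenated digests and therefore pass through the XOR unchanged."""
    mask_len = 2 * hashlib.new(hash_name).digest_size
    return max(0, len(dh_value) - mask_len)


if __name__ == "__main__":
    # Constructed sample inputs (not taken from any real exchange).
    dh = bytes(range(1, 129))               # stands in for a 1024-bit value
    query = b"constructed query nonce"
    server = b"constructed server nonce"

    km = tkey_dh_keying_material(dh, query, server)
    print("keying material length:", len(km))
    print("bytes covered by SHA256 digests:", len(km) - unmasked_tail(dh))
    print("keying material:", km.hex())
```

   Passing hash_name="md5" reproduces the original RFC 2930 form for
   comparison, where the Python build still provides MD5.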


4. IANA Consideration

   This document extends the "TSIG Algorithm Names - per [] and
   [RFC2845]" located at
   http://www.iana.org/assignments/tsig-algorithm-names by adding a new
   column to the registry "Compliance Requirement".

   The registry should contain the following:

   +--------------------------+------------------------+-------------+
   | Algorithm Name           | Compliance Requirement | Reference   |
   +--------------------------+------------------------+-------------+
   | gss-tsig                 | Optional               | [RFC3645]   |
   | HMAC-MD5.SIG-ALG.REG.INT | Optional               | [][RFC2845] |
   | hmac-sha1                | Mandatory              | [RFC4635]   |
   | hmac-sha224              | Optional               | [RFC4635]   |
   | hmac-sha256              | Mandatory              | [RFC4635]   |
   | hmac-sha384              | Optional               | [RFC4635]   |
   | hmac-sha512              | Optional               | [RFC4635]   |
   +--------------------------+------------------------+-------------+

   where [] is this document.


5. Availability Considerations

   MD5 is no longer universally available and its use may lead to
   increasing operational issues. SHA1 is likely to suffer from the
   same kind of problem. In summary, MD5 has reached end-of-life and
   SHA1 will likely follow in the near term.

   According to [RFC4635], implementations which support TSIG are
   REQUIRED to implement HMAC-SHA256.


6. Security Considerations

   This document does not assume anything about the cryptographic
   security of different hash algorithms. Its purpose is a better
   availability of some security mechanisms in a predictable time frame.

   Requirement levels are adjusted for TSIG and related specifications
   (i.e., TKEY):
      The support of HMAC-MD5 is changed from mandatory to optional.
      The use of MD5 and HMAC-MD5 is NOT RECOMMENDED.
      The use of HMAC-SHA256 is RECOMMENDED.


7. Acknowledgments

   Olafur Gudmundsson kindly helped in the procedure to deprecate the
   MD5 use in TSIG, i.e., the procedure which led to this memo. Alfred
   Hoenes, Peter Koch, Paul Hoffman and Edward Lewis proposed some
   improvements.


8. References

8.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, BCP 14, March 1997.

   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake, D., and B.
              Wellington, "Secret Key Transaction Authentication for DNS
              (TSIG)", RFC 2845, May 2000.

   [RFC2930]  Eastlake, D., "Secret Key Establishment for DNS (TKEY
              RR)", RFC 2930, September 2000.

   [RFC4635]  Eastlake, D., "HMAC SHA TSIG Algorithm Identifiers",
              RFC 4635, August 2006.

8.2. Informative References

   [RFC1321]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
              April 1992.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              February 1997.

   [RFC3174]  Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1
              (SHA1)", RFC 3174, September 2001.

   [RFC3645]  Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, J.,
              and R. Hall, "Generic Security Service Algorithm for
              Secret Key Transaction Authentication for DNS (GSS-TSIG)",
              RFC 3645, October 2003.

   [RFC3874]  Housley, R., "A 224-bit One-way Hash Function: SHA-224",
              RFC 3874, September 2004.

   [RFC4634]  Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and HMAC-SHA)", RFC 4634, July 2006.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226, BCP 26,
              May 2008.


Author's Address

   Francis Dupont
   ISC

   Email: Francis.Dupont@fdupont.fr