rfc9563.original   rfc9563.txt 
Network Working Group C. Zhang Independent Submission C. Zhang
Internet-Draft Y. Liu Request for Comments: 9563 Y. Liu
Intended status: Informational F. Leng Category: Informational F. Leng
Expires: 21 July 2024 Q. Zhao ISSN: 2070-1721 Q. Zhao
Z. He Z. He
CNNIC CNNIC
18 January 2024 September 2024
SM2 Digital Signature Algorithm for DNSSEC SM2 Digital Signature Algorithm for DNSSEC
draft-cuiling-dnsop-sm2-alg-15
Abstract Abstract
This document specifies the use of the SM2 digital signature This document specifies the use of the SM2 digital signature
algorithm and SM3 hash algorithm for DNS Security (DNSSEC). algorithm and SM3 hash algorithm for DNS Security (DNSSEC).
This draft is an independent submission to the RFC series, and does This document is an Independent Submission to the RFC series and does
not have consensus of the IETF community. not have consensus of the IETF community.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This is a contribution to the RFC Series, independently of any other
and may be updated, replaced, or obsoleted by other documents at any RFC stream. The RFC Editor has chosen to publish this document at
time. It is inappropriate to use Internet-Drafts as reference its discretion and makes no statement about its value for
material or to cite them other than as "work in progress." implementation or deployment. Documents approved for publication by
the RFC Editor are not candidates for any level of Internet Standard;
see Section 2 of RFC 7841.
This Internet-Draft will expire on 21 July 2024. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9563.
Copyright Notice Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document.
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
2. SM3 DS Records . . . . . . . . . . . . . . . . . . . . . . . 3 2. SM3 DS Records
3. SM2 Parameters . . . . . . . . . . . . . . . . . . . . . . . 3 3. SM2 Parameters
4. DNSKEY and RRSIG Resource Records for SM2 . . . . . . . . . . 3 4. DNSKEY and RRSIG Resource Records for SM2
4.1. DNSKEY Resource Records . . . . . . . . . . . . . . . . . 3 4.1. DNSKEY Resource Records
4.2. RRSIG Resource Records . . . . . . . . . . . . . . . . . 3 4.2. RRSIG Resource Records
5. Support for NSEC3 Denial of Existence . . . . . . . . . . . . 4 5. Support for NSEC3 Denial of Existence
6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 6. Example
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 7. IANA Considerations
8. Security Considerations . . . . . . . . . . . . . . . . . . . 6 8. Security Considerations
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 9. References
9.1. Normative References . . . . . . . . . . . . . . . . . . 6 9.1. Normative References
9.2. Informative References . . . . . . . . . . . . . . . . . 8 9.2. Informative References
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses
1. Introduction 1. Introduction
DNSSEC is broadly defined in [RFC4033], [RFC4034], and [RFC4035]. It DNSSEC is broadly defined in [RFC4033], [RFC4034], and [RFC4035]. It
uses cryptographic keys and digital signatures to provide uses cryptographic keys and digital signatures to provide
authentication of DNS data. DNSSEC signature algorithms are authentication of DNS data. DNSSEC signature algorithms are
registered in the DNSSEC algorithm IANA registry [IANA]. registered in the DNSSEC algorithm numbers registry [IANA].
This document defines the DNSKEY and RRSIG resource records (RRs) of This document defines the DNSKEY and RRSIG resource records (RRs) of
new signing algorithms: SM2 uses elliptic curves over 256-bit prime new signing algorithms: SM2 uses elliptic curves over 256-bit prime
fields with SM3 hash algorithm. (A description of SM2 and SM3 can be fields with SM3 hash algorithm. (A description of SM2 can be found
found in GB/T 32918.2-2016 [GBT-32918.2-2016] or ISO/IEC14888-3:2018 in GM/T 0003.2-2012 [GMT-0003.2] or ISO/IEC14888-3:2018
[ISO-IEC14888-3_2018], and GB/T 32905-2016 [GBT-32905-2016] or ISO/ [ISO-IEC14888-3_2018], and a description of SM3 can be found in GM/T
IEC10118-3:2018 [ISO-IEC10118-3_2018].) This document also defines 0004-2012 [GMT-0004] or ISO/IEC10118-3:2018 [ISO-IEC10118-3_2018].)
the DS RR for the SM3 one-way hash algorithm. In the signing This document also defines the DS RR for the SM3 one-way hash
algorithm defined in this document, the size of the key for the algorithm. In the signing algorithm defined in this document, the
elliptic curve is matched with the size of the output of the hash size of the key for the elliptic curve is matched with the size of
algorithm. Both are 256 bits. the output of the hash algorithm. Both are 256 bits.
Many implementations may not support SM2 signatures and SM3 digests.
Section 5.2 of [RFC6840] specifies handling of answers in such cases.
Caution: This specification is not a standard and does not have IETF
community consensus. It makes use of cryptographic algorithms that
are national standards for China, as well as ISO/IEC standards (ISO/
IEC 14888:3-2018 [ISO-IEC14888-3_2018] and ISO/IEC 10118:3-2018
[ISO-IEC10118-3_2018]). Neither the IETF nor the IRTF has analyzed
that algorithm for suitability for any given application, and it may
contain either intended or unintended weaknesses.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. SM3 DS Records 2. SM3 DS Records
The implementation of SM3 in DNSSEC follows the implementation of The implementation of SM3 in DNSSEC follows the implementation of
SHA-256 as specified in [RFC4509] except that the underlying SHA-256 as specified in [RFC4509] except that the underlying
algorithm is SM3 with digest type code [TBD1, waiting for an IANA's algorithm is SM3 with digest type code 6.
code assignment].
The generation of a SM3 hash value is described in Section 5 of The generation of an SM3 hash value is described in Section 5 of
[GBT-32905-2016] and generates 256-bit hash value. [GMT-0004] and generates a 256-bit hash value.
3. SM2 Parameters 3. SM2 Parameters
Verifying SM2 signatures requires agreement between the signer and Verifying SM2 signatures requires agreement between the signer and
the verifier of the parameters used. SM2 digital signature algorithm the verifier on the parameters used. The SM2 digital signature
has been added to ISO/IEC 14888-3:2018. And the parameters of the algorithm has been added to [ISO-IEC14888-3_2018]. The parameters of
curve used in this profile are as follows: the curve used in this profile are as follows:
p = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF p = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF
a = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFC FFFFFFFF 00000000 FFFFFFFF FFFFFFFF
b = 28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7 F39789F5 15AB8F92 DDBCBD41 4D940E93 a = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF
xG = 32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7 FFFFFFFF 00000000 FFFFFFFF FFFFFFFC
yG = BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0 b = 28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7
n = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123 F39789F5 15AB8F92 DDBCBD41 4D940E93
xG = 32C4AE2C 1F198119 5F990446 6A39C994
8FE30BBF F2660BE1 715A4589 334C74C7
yG = BC3736A2 F4F6779C 59BDCEE3 6B692153
D0A9877C C62A4740 02DF32E5 2139F0A0
n = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF
7203DF6B 21C6052B 53BBF409 39D54123
4. DNSKEY and RRSIG Resource Records for SM2 4. DNSKEY and RRSIG Resource Records for SM2
4.1. DNSKEY Resource Records 4.1. DNSKEY Resource Records
SM2 public keys consist of a single value, called "P". In DNSSEC SM2 public keys consist of a single value, called "P". In DNSSEC
keys, P is a string of 32 octets that represents the uncompressed keys, P is a string of 64 octets that represents the uncompressed
form of a curve point, "x | y". (Conversion of a point to an octet form of a curve point, "x | y". (Conversion of a point to an octet
string is described in Section 4.2.8 of GB/T 32918.1-2016 string is described in Section 4.2.8 of [GBT-32918.1-2016].)
[GBT-32918.1-2016].)
4.2. RRSIG Resource Records 4.2. RRSIG Resource Records
The SM2 signature is the combination of two non-negative integers, The SM2 signature is the combination of two non-negative integers,
called "r" and "s". The two integers, each of which is formatted as called "r" and "s". The two integers, each of which is formatted as
a simple octet string, are combined into a single longer octet string a simple octet string, are combined into a single longer octet string
for DNSSEC as the concatenation "r | s". (Conversion of the integers for DNSSEC as the concatenation "r | s". (Conversion of the integers
to bit strings is described in Section 4.2.1 of [GBT-32918.1-2016].) to bit strings is described in Section 4.2.1 of [GBT-32918.1-2016].)
Each integer MUST be encoded as 32 octets. Each integer MUST be encoded as 32 octets.
Process details are described in Section 6 "Digital signature Process details are described in Section 6 of [GMT-0003.2].
generation algorithm and its process" in [GBT-32918.2-2016].
The algorithm number associated with the DNSKEY and RRSIG resource The algorithm number associated with the DNSKEY and RRSIG resource
records is [TBD2, waiting for an IANA’s code assignment], which is records is 17, which is described in the IANA Considerations section.
described in the IANA Considerations section.
Conformant implementations that create records to be put into the DNS Conformant implementations that create records to be put into the DNS
MAY implement signing and verification for the above algorithm. MAY implement signing and verification for the SM2 digital signature
Conformant DNSSEC verifiers MAY implement verification for the above algorithm. Conformant DNSSEC verifiers MAY implement verification
algorithm. for the above algorithm.
5. Support for NSEC3 Denial of Existence 5. Support for NSEC3 Denial of Existence
This document does not define algorithm aliases mentioned in This document does not define algorithm aliases mentioned in
[RFC5155]. [RFC5155].
A DNSSEC validator that implements the signing algorithms defined in A DNSSEC validator that implements the signing algorithms defined in
this document MUST be able to validate negative answers in the form this document MUST be able to validate negative answers in the form
of both NSEC and NSEC3 with hash algorithm SHA-1, as defined in of both NSEC and NSEC3 with hash algorithm SHA-1, as defined in
[RFC5155]. An authoritative server that does not implement NSEC3 MAY [RFC5155]. An authoritative server that does not implement NSEC3 MAY
still serve zones that use the signing algorithms defined in this still serve zones that use the signing algorithms defined in this
document with NSEC denial of existence. document with NSEC denial of existence.
If using NSEC3, the iterations MUST be 0 and salt MUST be an empty If using NSEC3, the iterations MUST be 0 and salt MUST be an empty
string as recommended in Section 3.1 of [RFC9276]. string as recommended in Section 3.1 of [RFC9276].
6. Example 6. Example
The following is an example of SM2 keys and signatures in DNS zone The following is an example of SM2 keys and signatures in DNS zone
file format, including DNSKEY RR, NSEC3PARAM RR, NSEC3 RR with RRSIG file format, including DNSKEY RR, NSEC3PARAM RR, NSEC3 RR with RRSIG
RRs and DS RR. RRs, and DS RR.
Private-key-format: v1.3 Private-key-format: v1.3
Algorithm: [TBD2] (SM2SM3) Algorithm: 17 (SM2SM3)
PrivateKey: V24tjJgXxp2ykscKRZdT+iuR5J1xRQN+FKoQACmo9fA= PrivateKey: V24tjJgXxp2ykscKRZdT+iuR5J1xRQN+FKoQACmo9fA=
example. 3600 IN DS 27215 TBD2 TBD1 ( example. 3600 IN DS 27215 17 6 (
86671f82dd872e4ee73647a95dff7fd0af599ff8a43f fa26c9a2593091653c0e 86671f82dd872e4ee73647a95dff7fd0af599ff8a43f fa26c9a2593091653c0e
) )
example. 3600 IN DNSKEY 256 3 TBD2 ( example. 3600 IN DNSKEY 256 3 17 (
7EQ32PTAp+1ac6R9Ze2nfB8pPc2OJqkHSjug 7EQ32PTAp+1ac6R9Ze2nfB8pPc2OJqkHSjug
ALr4SuD9awuQxhfw7wMpiXv7JK4/VwwTrCxJ ALr4SuD9awuQxhfw7wMpiXv7JK4/VwwTrCxJ
wu+qUuDsgoBK4w== wu+qUuDsgoBK4w==
) ; ZSK; alg = SM2SM3 ; key id = 65042 ) ; ZSK; alg = SM2SM3 ; key id = 65042
example. 3600 IN RRSIG DNSKEY TBD2 1 3600 ( example. 3600 IN RRSIG DNSKEY 17 1 3600 (
20230901000000 20220901000000 65042 example. 20230901000000 20220901000000 65042 example.
lF2eq49e62Nn4aT5x8ZI6PdRSTPHPDixZdyl lF2eq49e62Nn4aT5x8ZI6PdRSTPHPDixZdyl
lM6GWu4lkRWkpTgWLE4lQK/+qHdNS4DdTd36 lM6GWu4lkRWkpTgWLE4lQK/+qHdNS4DdTd36
Jsuu0FSO5k48Qg== ) Jsuu0FSO5k48Qg== )
example. 0 IN NSEC3PARAM 1 0 10 AABBCCDD example. 0 IN NSEC3PARAM 1 0 10 AABBCCDD
example. 0 IN RRSIG NSEC3PARAM TBD2 1 0 ( example. 0 IN RRSIG NSEC3PARAM 17 1 0 (
20230901000000 20220901000000 65042 example. 20230901000000 20220901000000 65042 example.
aqntwEYEJzkVb8SNuJLwdx7f+vivv5IUIeAj aqntwEYEJzkVb8SNuJLwdx7f+vivv5IUIeAj )
62KP1QB93KRGR6LM7SEVPJVNG90BLUE8.example. 3600 IN NSEC3 1 1 10 62KP1QB93KRGR6LM7SEVPJVNG90BLUE8.example. 3600 IN NSEC3 1 1 10
AABBCCDD ( AABBCCDD (
GTGVQIILTSSJ8FFO9J6DC8PRTFAEA8G2 NS SOA RRSIG DNSKEY NSEC3PARAM ) GTGVQIILTSSJ8FFO9J6DC8PRTFAEA8G2 NS SOA RRSIG DNSKEY NSEC3PARAM )
62KP1QB93KRGR6LM7SEVPJVNG90BLUE8.example. 3600 IN RRSIG NSEC3 TBD2 2 62KP1QB93KRGR6LM7SEVPJVNG90BLUE8.example. 3600 IN RRSIG NSEC3 17 2
3600 ( 3600 (
20230901000000 20220901000000 65042 example. 20230901000000 20220901000000 65042 example.
FOWLegTgFkFY9vCOo4kHwjEvZ+IL1NMl4s9V FOWLegTgFkFY9vCOo4kHwjEvZ+IL1NMl4s9V
hVyPOwokd5uOLKeXTP19HIeEtW73WcJ9XNe/ ie/knp7Edo/hxw== ) hVyPOwokd5uOLKeXTP19HIeEtW73WcJ9XNe/ ie/knp7Edo/hxw== )
Here is an example program [Example_Program] based on dnspython and [Example_Program] is an example program based on dnspython and gmssl,
gmssl, which supplies key generating, zone signing, zone validating which supplies key generating, zone signing, zone validating, and DS
and DS RR generating functions for convenience. RR generating functions for convenience.
7. IANA Considerations 7. IANA Considerations
This document will update the IANA registry for digest types in DS IANA has registered the following in the "Digest Algorithms" registry
records, currently called "Digest Algorithms," in the "Delegation within the "DNSSEC Delegation Signer (DS) Resource Record (RR) Type
Signer (DS) Resource Record (RR) Type Digest Algorithms" registry Digest Algorithms" registry group.
group.
Value TBD1 +=======+=============+==========+===============+
Digest Type SM3 | Value | Digest Type | Status | Reference |
Status OPTIONAL +=======+=============+==========+===============+
Reference This document | 6 | SM3 | OPTIONAL | This document |
+-------+-------------+----------+---------------+
This document will update the IANA registry "Domain Name System Table 1
Security (DNSSEC) Algorithm Numbers".
Number TBD2 IANA has registered the following in the "DNS Security Algorithm
Description SM2 signing algorithm with SM3 hashing algorithm Numbers" registry within the "Domain Name System Security (DNSSEC)
Mnemonic SM2SM3 Algorithm Numbers" registry group.
Zone Signing Y
Trans. Sec. * +========+================+==========+=========+========+===========+
Reference This document | Number | Description | Mnemonic | Zone | Trans. | Reference |
| | | | Signing | Sec. | |
+========+================+==========+=========+========+===========+
| 17 | SM2 signing | SM2SM3 | Y | * | This |
| | algorithm | | | | document |
| | with SM3 | | | | |
| | hashing | | | | |
| | algorithm | | | | |
+--------+----------------+----------+---------+--------+-----------+
Table 2
* There has been no determination of standardization of the use of * There has been no determination of standardization of the use of
this algorithm with Transaction Security. this algorithm with Transaction Security.
8. Security Considerations 8. Security Considerations
The security strength of SM2 depends on the size of the key. Longer The security strength of SM2 depends on the size of the key. A
key provides stronger security strength. The security of ECC-based longer key provides stronger security strength. The security of ECC-
algorithms is influenced by the curve it uses, too. based algorithms is influenced by the curve it uses, too.
Like any cryptographic algorithm, it may come to pass that a weakness Like any cryptographic algorithm, it may come to pass that a weakness
is found in either SM2 or SM3. In this case, the proper remediation is found in either SM2 or SM3. In this case, the proper remediation
is crypto-agility. In the case of DNSSEC, the appropriate approach is crypto-agility. In the case of DNSSEC, the appropriate approach
would be to regenerate appropriate DS, DNSKEY, RRSIG, and NSEC3 would be to regenerate appropriate DS, DNSKEY, RRSIG, and NSEC3
records. Care MUST be taken in this situation to permit appropriate records. Care MUST be taken in this situation to permit appropriate
rollovers, taking into account record caching. See [RFC7583] for rollovers, taking into account record caching. See [RFC7583] for
details. Choice of a suitable replacement algorithm should be one details. A suitable replacement algorithm should be both widely
that is both widely implemented and not known to have weaknesses. implemented and not known to have weaknesses.
The security considerations listed in [RFC4509] apply here as well. The security considerations listed in [RFC4509] apply here as well.
9. References 9. References
9.1. Normative References 9.1. Normative References
[GBT-32918.1-2016]
Standardization Administration of China, "Information
security technology--Public key cryptographic algorithm
SM2 based on elliptic curves--Part 1: General", [In
Chinese], GB/T 32918.1-2016, March 2017. English
translation available at: http://www.gmbz.org.cn/
upload/2018-07-24/1532401673134070738.pdf
(http://www.gmbz.org.cn/
upload/2018-07-24/1532401673134070738.pdf)
[GMT-0003.2]
Cryptography Standardization Technical Committee of China,
"SM2 public key cryptographic algorithm based on elliptic
curves -- Part 2: Digital signature algorithm", [In
Chinese], GM/T 0003.2-2012, March 2012. English
translation available at: TBD (TBD)
[GMT-0004] Cryptography Standardization Technical Committee of China,
"SM3 Cryptographic Hash Algorithm", [In Chinese], GM/
T 0004-2012, March 2012. English translation available
at: TBD (TBD).
[IANA] IANA, "DNS Security Algorithm Numbers",
<https://www.iana.org/assignments/dns-sec-alg-numbers>.
[ISO-IEC10118-3_2018]
ISO/IEC, "IT Security techniques -- Hash-functions -- Part
3: Dedicated hash-functions", ISO/IEC 10118-3:2018,
October 2018.
[ISO-IEC14888-3_2018]
ISO/IEC, "IT Security techniques -- Digital signatures
with appendix -- Part 3: Discrete logarithm based
mechanisms", ISO/IEC 14888-3:2018, November 2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", Rose, "DNS Security Introduction and Requirements",
RFC 4033, DOI 10.17487/RFC4033, March 2005, RFC 4033, DOI 10.17487/RFC4033, March 2005,
<https://www.rfc-editor.org/info/rfc4033>. <https://www.rfc-editor.org/info/rfc4033>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005, RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/info/rfc4034>. <https://www.rfc-editor.org/info/rfc4034>.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
<https://www.rfc-editor.org/info/rfc4035>. <https://www.rfc-editor.org/info/rfc4035>.
[IANA] IANA, "Domain Name System Security (DNSSEC) Algorithm
Numbers", Registered DNSSEC Algorithm Numbers, April 2020,
<https://www.iana.org/assignments/dns-sec-alg-numbers/dns-
sec-alg-numbers.xhtml>.
[RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer [RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
(DS) Resource Records (RRs)", RFC 4509, (DS) Resource Records (RRs)", RFC 4509,
DOI 10.17487/RFC4509, May 2006, DOI 10.17487/RFC4509, May 2006,
<https://www.rfc-editor.org/info/rfc4509>. <https://www.rfc-editor.org/info/rfc4509>.
[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
Security (DNSSEC) Hashed Authenticated Denial of Security (DNSSEC) Hashed Authenticated Denial of
Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,
<https://www.rfc-editor.org/info/rfc5155>. <https://www.rfc-editor.org/info/rfc5155>.
[RFC9276] Hardaker, W. and V. Dukhovni, "Guidance for NSEC3 [RFC6840] Weiler, S., Ed. and D. Blacka, Ed., "Clarifications and
Parameter Settings", BCP 236, RFC 9276, Implementation Notes for DNS Security (DNSSEC)", RFC 6840,
DOI 10.17487/RFC9276, August 2022, DOI 10.17487/RFC6840, February 2013,
<https://www.rfc-editor.org/info/rfc9276>. <https://www.rfc-editor.org/info/rfc6840>.
[RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking, [RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking,
"DNSSEC Key Rollover Timing Considerations", RFC 7583, "DNSSEC Key Rollover Timing Considerations", RFC 7583,
DOI 10.17487/RFC7583, October 2015, DOI 10.17487/RFC7583, October 2015,
<https://www.rfc-editor.org/info/rfc7583>. <https://www.rfc-editor.org/info/rfc7583>.
[GBT-32918.1-2016] [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
Standardization Administration of China, "Information 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
security technology --- Public key cryptographic algorithm May 2017, <https://www.rfc-editor.org/info/rfc8174>.
SM2 based on elliptic curves --- Part 1: General", GB/
T 32918.2-2016, March 2017, <http://www.gmbz.org.cn/
upload/2018-07-24/1532401673134070738.pdf>.
[GBT-32918.2-2016]
Standardization Administration of China, "Information
security technology --- Public key cryptographic algorithm
SM2 based on elliptic curves --- Part 2: Digital signature
algorithm", GB/T 32918.2-2016, March 2017,
<http://www.gmbz.org.cn/
upload/2018-07-24/1532401673138056311.pdf>.
[ISO-IEC14888-3_2018]
International Organization for Standardization, "IT
Security techniques -- Digital signatures with appendix --
Part 3: Discrete logarithm based mechanisms", ISO/
IEC 14888-3:2018, November 2018.
[GBT-32905-2016]
Standardization Administration of China, "Information
security technology --- SM3 cryptographic hash algorithm",
GB/T 32905-2016, March 2017, <http://www.gmbz.org.cn/
upload/2018-07-24/1532401392982079739.pdf>.
[ISO-IEC10118-3_2018] [RFC9276] Hardaker, W. and V. Dukhovni, "Guidance for NSEC3
International Organization for Standardization, "IT Parameter Settings", BCP 236, RFC 9276,
Security techniques -- Hash-functions -- Part 3: Dedicated DOI 10.17487/RFC9276, August 2022,
hash-functions", ISO/IEC 10118-3:2018, October 2018. <https://www.rfc-editor.org/info/rfc9276>.
9.2. Informative References 9.2. Informative References
[Example_Program] [Example_Program]
Zhang, C., "Sign and Validate DNSSEC Signature with SM2SM3 "sign and validate dnssec signature with sm2sm3
Algorithm", SM2SM3 DNSSEC Example Program, April 2023, algorithm", commit 6f98c17, April 2023,
<https://github.com/scooct/dnssec_sm2sm3>. <https://github.com/scooct/dnssec_sm2sm3>.
Authors' Addresses Authors' Addresses
Cuiling Zhang Cuiling Zhang
CNNIC CNNIC
No.4 South 4th Street, Zhongguancun No.4 South 4th Street, Zhongguancun
Beijing, 100190 Beijing
100190
China China
Email: zhangcuiling@cnnic.cn Email: zhangcuiling@cnnic.cn
Yukun Liu Yukun Liu
CNNIC CNNIC
No.4 South 4th Street, Zhongguancun No.4 South 4th Street, Zhongguancun
Beijing, 100190 Beijing
100190
China China
Email: liuyukun@cnnic.cn Email: liuyukun@cnnic.cn
Feng Leng Feng Leng
CNNIC CNNIC
No.4 South 4th Street, Zhongguancun No.4 South 4th Street, Zhongguancun
Beijing, 100190 Beijing
100190
China China
Email: lengfeng@cnnic.cn Email: lengfeng@cnnic.cn
Qi Zhao Qi Zhao
CNNIC CNNIC
No.4 South 4th Street, Zhongguancun No.4 South 4th Street, Zhongguancun
Beijing, 100190 Beijing
100190
China China
Email: zhaoqi@cnnic.cn Email: zhaoqi@cnnic.cn
Zheng He Zheng He
CNNIC CNNIC
No.4 South 4th Street, Zhongguancun No.4 South 4th Street, Zhongguancun
Beijing, 100190 Beijing
100190
China China
Email: hezh@cnnic.cn Email: hezh@cnnic.cn
 End of changes. 49 change blocks. 
155 lines changed or deleted 186 lines changed or added

This html diff was produced by rfcdiff 1.48.