[Opendnssec-develop] Adding ECC to ods-signer

Rick van Rein rick at openfortress.nl
Mon Sep 26 12:32:52 UTC 2016


> I have been asked by SURFnet to enhance the ods-signer with Elliptic
> Curve algorithms. You are probably aware of the research that has been
> done by Roland, which turns out in favour of ECDSA signatures.
I was happy to find ECDSA on P-256 and P-384 already set up in libhsm,
thanks to Rickard!

And if I'm not mistaken... that is all that is needed?  At least it looks
like the ods-signer is pretty agnostic about algorithms, it only loads the
DNS algorithm id from .signconf and libhsm() finds the PKCS #11 algorithm
by looking at the CKA_KEY_TYPE for the handle to the keys.  Cool :)

I found and ran the hsmtest, including

    Generating ECDSA Curve P-256 key... OK
    Extracting key identifier... OK, fa9f31f32e1bc52ca7b153ee7667b079
    Signing (ECDSA/SHA256) with key... OK
    Deleting key... OK
    Generating ECDSA Curve P-384 key... OK
    Extracting key identifier... OK, 3d4aa6e60123480507a2b2e20d6dc52a
    Signing (ECDSA/SHA384) with key... OK
    Deleting key... OK

Has signing with ods-signer on zones already been tested?  I didn't
find it in the OpenDNSSEC release notes (the site finds ECDSA mentioned
only in conjunction with SoftHSMv2).

I had understood ECDSA wasn't supported, but it now looks like it is all
ready for use under RFC 6605!  Is there work that is left to be done?
Please let me know if there is :)


More information about the Opendnssec-develop mailing list