[GH-ISSUE #41] Support *ring* in addition to OpenSSL #28

Closed
opened 2026-03-07 22:18:07 +03:00 by kerem · 12 comments

Originally created by @bluejekyll on GitHub (Aug 24, 2016).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/41

Depends on

https://github.com/briansmith/ring/pull/226


@djc commented on GitHub (Sep 11, 2016):

ring-0.4.1 was just released, which has the primitive RSA verification API that you needed.


@bluejekyll commented on GitHub (Sep 12, 2016):

thanks for the update!

I'll start looking into porting to this.


@djc commented on GitHub (Sep 12, 2016):

Cool. I'm now subscribed to this, so if you run into any problems (that you're not sure are ring bugs) feel free to post them here.


@bluejekyll commented on GitHub (Sep 12, 2016):

Cool, I'm working on some other things with futures, etc. right now. So it might be a week or two before I get started on this.


@briansmith commented on GitHub (Oct 11, 2016):

I think it might be easier to do #43 before this. Then the client and server sides could be done separately. As far as ring's functionality is concerned, I think it implements all the client-side stuff, but it hasn't yet implemented RSA keygen or ECDSA signing for server-side stuff. ECDSA signing is relatively easy to add to ring but it might be a while before RSA keygen comes up. I imagine, though, that there's a lot more interest in getting ring + the TrustDNS client working than ring + the TrustDNS server, because the weight of OpenSSL matters much less for servers than clients (IMO).


@bluejekyll commented on GitHub (Oct 11, 2016):

That's a great idea.

I looked briefly at splitting the Client/Server just the other day. I'm planning to work on that after I complete my futures work.


@briansmith commented on GitHub (Nov 9, 2016):

The client/server split seems to have been done in #68.

Regarding RSA support in ring, keep in mind that ring currently only supports RSA public keys of 2048 bits and larger. IIUC, the current root key is 1024 bits and "The new key signing key will be available on the Internet Assigned Numbers Authority website in February 2017, and it will appear in the DNS for the first time on July 11, 2017." See also https://blog.verisign.com/security/increasing-the-strength-of-the-zone-signing-key-for-the-root-zone-part-ii/. I don't know the schedule for the entire DNSSEC hierarchy to move to 2048-bit keys, though.

Regarding ECDSA verification in ring using the fixed-length key format, it should be done within November.

I filed #60 to add EdDSA support to Trust-DNS. Note that EdDSA support in ring is already done, both for signing and verification. It might make sense to try EdDSA first.


@bluejekyll commented on GitHub (Nov 9, 2016):

This is the current root key used in Trust-DNS: https://github.com/bluejekyll/trust-dns/blob/master/client/src/rr/dnssec/Kjqmt7v.pem

It's 2048, so that should be good, no?


@briansmith commented on GitHub (Nov 9, 2016):

> This is the current root key used in Trust-DNS: https://github.com/bluejekyll/trust-dns/blob/master/client/src/rr/dnssec/Kjqmt7v.pem
>
> It's 2048, so that should be good, no?

ring supports keys from 2048 through 8192 bits, so that's good. Whether all or enough of the RSA keys underneath the root key are 2048+ bits is another issue. That is, either you might decide that Trust-DNS is only going to support secure key sizes, in which you are good to go with ring for RSA, and/or you might want to find out how frequently smaller keys are still being used.


@bluejekyll commented on GitHub (Nov 10, 2016):

ah yes... I think we can wait until someone decides they want that. for now, assuming that we'll only validate secure key sizes is fine for my own use cases.

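The "secure key sizes only" policy agreed in the two comments above can be enforced before a DNSKEY is ever handed to a verifier. The following is an added example, not code from Trust-DNS, Hickory DNS or ring: it parses the RSA public-key layout used in DNSKEY RDATA (RFC 3110 section 2: a 1-octet exponent length, or a zero octet plus a 2-octet length for exponents longer than 255 octets, then the exponent, then the modulus), computes the modulus bit length while ignoring leading zero octets, and rejects anything outside the 2048 to 8192-bit range that ring accepts. The type `RsaPublicKey`, the error enum and `constructed_key` are assumptions of the example; the keys it builds are filler bytes for exercising the size check, not real keys.

```rust
// Added example (not Trust-DNS, Hickory DNS or ring code): parse the RFC 3110
// RSA public key field of a DNSKEY and enforce a minimum/maximum modulus size
// before the key reaches a verifier such as ring (2048 through 8192 bits).

/// Modulus size bounds, in bits, that the verifier will accept.
pub const MIN_RSA_BITS: usize = 2048;
pub const MAX_RSA_BITS: usize = 8192;

#[derive(Debug, PartialEq)]
pub enum KeyError {
    Truncated,
    ZeroLengthExponent,
    ZeroModulus,
    KeyTooSmall(usize),
    KeyTooLarge(usize),
}

/// RSA public key split out of DNSKEY RDATA: exponent and modulus as
/// big-endian byte strings (this type is an assumption of the example).
#[derive(Debug, PartialEq)]
pub struct RsaPublicKey<'a> {
    pub exponent: &'a [u8],
    pub modulus: &'a [u8],
}

/// Parse the RFC 3110 layout: a 1-octet exponent length, or a zero octet
/// followed by a 2-octet big-endian length when the exponent is longer than
/// 255 octets; then the exponent; every remaining octet is the modulus.
pub fn parse_rfc3110(public_key: &[u8]) -> Result<RsaPublicKey<'_>, KeyError> {
    let (exp_len, rest) = match public_key.split_first() {
        None => return Err(KeyError::Truncated),
        Some((&0, rest)) => {
            if rest.len() < 2 {
                return Err(KeyError::Truncated);
            }
            let len = u16::from_be_bytes([rest[0], rest[1]]) as usize;
            (len, &rest[2..])
        }
        Some((&len, rest)) => (len as usize, rest),
    };
    if exp_len == 0 {
        return Err(KeyError::ZeroLengthExponent);
    }
    if rest.len() < exp_len {
        return Err(KeyError::Truncated);
    }
    let (exponent, modulus) = rest.split_at(exp_len);
    // An empty or all-zero modulus is not a usable key at all.
    if modulus.iter().all(|&b| b == 0) {
        return Err(KeyError::ZeroModulus);
    }
    Ok(RsaPublicKey { exponent, modulus })
}

/// Bit length of a big-endian unsigned integer, ignoring leading zero octets
/// (some tools emit a 2048-bit modulus with a leading 0x00 octet).
pub fn bit_length(big_endian: &[u8]) -> usize {
    match big_endian.iter().position(|&b| b != 0) {
        None => 0,
        Some(i) => (big_endian.len() - i) * 8 - big_endian[i].leading_zeros() as usize,
    }
}

/// Apply the key-size policy: returns the modulus size in bits on success.
pub fn check_key_size(public_key: &[u8]) -> Result<usize, KeyError> {
    let key = parse_rfc3110(public_key)?;
    let bits = bit_length(key.modulus);
    if bits < MIN_RSA_BITS {
        return Err(KeyError::KeyTooSmall(bits));
    }
    if bits > MAX_RSA_BITS {
        return Err(KeyError::KeyTooLarge(bits));
    }
    Ok(bits)
}

/// Constructed DNSKEY public-key field with exponent 65537 and a filler
/// modulus of exactly `bits` bits (top bit set). Not a real key; it only
/// exercises the size check offline. `bits` must be a multiple of 8.
pub fn constructed_key(bits: usize) -> Vec<u8> {
    let mut out = vec![3, 0x01, 0x00, 0x01]; // exponent length 3, e = 65537
    out.extend(std::iter::repeat(0xA5u8).take(bits / 8)); // 0xA5 has its top bit set
    out
}

fn main() {
    for bits in [1024, 2048, 4096, 16384] {
        match check_key_size(&constructed_key(bits)) {
            Ok(n) => println!("{}-bit key accepted ({} bits)", bits, n),
            Err(e) => println!("{}-bit key rejected: {:?}", bits, e),
        }
    }
}
```

The check runs on the raw public-key field of the DNSKEY, so it costs nothing that the verifier would not already pay, and it turns "ring rejected this key" into a policy decision with a specific reason (too small, too large, malformed) that can be logged and counted, which is exactly what is needed to find out how often sub-2048-bit keys still appear in a given zone cut.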

@bluejekyll commented on GitHub (Jan 10, 2017):

FYI, ed25519 support just landed in master. My plan right now is to support both openssl and ring in through features.


@bluejekyll commented on GitHub (Feb 28, 2017):

Landed in master. Ring is an optional feature, as I had some compile issues in 1.13, current min version for trust-dns.

--features=ring
