The GNU Name System
draft-schanzen-gns-00
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 9498.
|
|
|---|---|---|---|
| Authors | Martin Schanzenbach , Christian Grothoff , Bernd Fix | ||
| Last updated | 2020-05-24 | ||
| RFC stream | (None) | ||
| Formats | |||
| Reviews | |||
| IETF conflict review | conflict-review-schanzen-gns, conflict-review-schanzen-gns, conflict-review-schanzen-gns, conflict-review-schanzen-gns, conflict-review-schanzen-gns, conflict-review-schanzen-gns, conflict-review-schanzen-gns | ||
| Additional resources | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | Became RFC 9498 (Informational) | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-schanzen-gns-00
Independent Stream M. Schanzenbach
Internet-Draft GNUnet e.V.
Intended status: Informational C. Grothoff
Expires: 25 November 2020 Berner Fachhochschule
B. Fix
GNUnet e.V.
24 May 2020
The GNU Name System
draft-schanzen-gns-00
Abstract
This document contains the GNU Name System (GNS) technical
specification.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 25 November 2020.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Schanzenbach, et al. Expires 25 November 2020 [Page 1]
Internet-Draft The GNU Name System May 2020
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Resource Records . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Record Types . . . . . . . . . . . . . . . . . . . . . . 6
3.2. PKEY . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.3. GNS2DNS . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.4. LEHO . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.5. NICK . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.6. BOX . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.7. VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4. Publishing Records . . . . . . . . . . . . . . . . . . . . . 10
4.1. Key Derivations . . . . . . . . . . . . . . . . . . . . . 10
4.2. Resource Records Block . . . . . . . . . . . . . . . . . 11
4.3. Record Data Encryption and Decryption . . . . . . . . . . 13
5. Internationalization and Character Encoding . . . . . . . . . 15
6. Name Resolution . . . . . . . . . . . . . . . . . . . . . . . 15
6.1. Recursion . . . . . . . . . . . . . . . . . . . . . . . . 16
6.2. Record Processing . . . . . . . . . . . . . . . . . . . . 16
6.2.1. PKEY . . . . . . . . . . . . . . . . . . . . . . . . 17
6.2.2. GNS2DNS . . . . . . . . . . . . . . . . . . . . . . . 17
6.2.3. CNAME . . . . . . . . . . . . . . . . . . . . . . . . 18
6.2.4. BOX . . . . . . . . . . . . . . . . . . . . . . . . . 18
6.2.5. VPN . . . . . . . . . . . . . . . . . . . . . . . . . 19
6.2.6. NICK . . . . . . . . . . . . . . . . . . . . . . . . 19
7. Zone Revocation . . . . . . . . . . . . . . . . . . . . . . . 20
8. Determining the Root Zone and Zone Governance . . . . . . . . 24
9. Security Considerations . . . . . . . . . . . . . . . . . . . 25
9.1. Cryptography . . . . . . . . . . . . . . . . . . . . . . 25
9.2. Abuse mitigation . . . . . . . . . . . . . . . . . . . . 26
9.3. Zone management . . . . . . . . . . . . . . . . . . . . . 26
9.4. Impact of underlying DHT . . . . . . . . . . . . . . . . 27
9.5. Revocations . . . . . . . . . . . . . . . . . . . . . . . 27
10. GANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
11. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 28
12. Normative References . . . . . . . . . . . . . . . . . . . . 30
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32
Schanzenbach, et al. Expires 25 November 2020 [Page 2]
Internet-Draft The GNU Name System May 2020
1. Introduction
The Domain Name System (DNS) is a unique distributed database and a
vital service for most Internet applications. While DNS is
distributed, it relies on centralized, trusted registrars to provide
globally unique names. As the awareness of the central role DNS
plays on the Internet rises, various institutions are using their
power (including legal means) to engage in attacks on the DNS, thus
threatening the global availability and integrity of information on
the Internet.
DNS was not designed with security as a goal. This makes it very
vulnerable, especially to attackers that have the technical
capabilities of an entire nation state at their disposal. This
specification describes a censorship-resistant, privacy-preserving
and decentralized name system: The GNU Name System (GNS). It is
designed to provide a secure alternative to DNS, especially when
censorship or manipulation is encountered. GNS can bind names to any
kind of cryptographically secured token, enabling it to double in
some respects as even as an alternative to some of today's Public Key
Infrastructures, in particular X.509 for the Web.
This document contains the GNU Name System (GNS) technical
specification of the GNU Name System [GNS], a fully decentralized and
censorship-resistant name system. GNS provides a privacy-enhancing
alternative to the Domain Name System (DNS). The design of GNS
incorporates the capability to integrate and coexist with DNS. GNS
is based on the principle of a petname system and builds on ideas
from the Simple Distributed Security Infrastructure (SDSI),
addressing a central issue with the decentralized mapping of secure
identifiers to memorable names: namely the impossibility of providing
a global, secure and memorable mapping without a trusted authority.
GNS uses the transitivity in the SDSI design to replace the trusted
root with secure delegation of authority thus making petnames useful
to other users while operating under a very strong adversary model.
This document defines the normative wire format of resource records,
resolution processes, cryptographic routines and security
considerations for use by implementors.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Schanzenbach, et al. Expires 25 November 2020 [Page 3]
Internet-Draft The GNU Name System May 2020
2. Zones
A zone in GNS is defined by a public/private ECDSA key pair (d,zk),
where d is the private key and zk the corresponding public key. GNS
employs the curve parameters of the twisted edwards representation of
Curve25519 [RFC7748] (a.k.a. edwards25519) with the ECDSA scheme
([RFC6979]). In the following, we use the following naming
convention for our cryptographic primitives:
d is a 256-bit ECDSA private key. In GNS, records are signed using
a key derived from "d" as described in Section 4.
p is the prime of edwards25519 as defined in [RFC7748], i.e. 2^255
- 19.
B is the group generator (X(P),Y(P)) of edwards25519 as defined in
[RFC7748].
L is the prime-order subgroup of edwards25519 in [RFC7748].
zk is the ECDSA public key corresponding to d. It is defined in
[RFC6979] as the curve point d*B where B is the group generator of
the elliptic curve. The public key is used to uniquely identify a
GNS zone and is referred to as the "zone key".
3. Resource Records
A GNS implementor MUST provide a mechanism to create and manage
resource records for local zones. A local zone is established by
creating a zone key pair. Records may be added to each zone, hence a
(local) persistency mechanism for resource records and zones must be
provided. This local zone database is used by the GNS resolver
implementation and to publish record information.
A GNS resource record holds the data of a specific record in a zone.
The resource record format is defined as follows:
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| EXPIRATION |
+-----+-----+-----+-----+-----+-----+-----+-----+
| DATA SIZE | TYPE |
+-----+-----+-----+-----+-----+-----+-----+-----+
| FLAGS | DATA /
+-----+-----+-----+-----+ /
/ /
/ /
Schanzenbach, et al. Expires 25 November 2020 [Page 4]
Internet-Draft The GNU Name System May 2020
Figure 1
where:
EXPIRATION denotes the absolute 64-bit expiration date of the
record. In microseconds since midnight (0 hour), January 1, 1970
in network byte order.
DATA SIZE denotes the 32-bit size of the DATA field in bytes and in
network byte order.
TYPE is the 32-bit resource record type. This type can be one of
the GNS resource records as defined in Section 3 or a DNS record
type as defined in [RFC1035] or any of the complementary
standardized DNS resource record types. This value must be stored
in network byte order. Note that values below 2^16 are reserved
for allocation via IANA ([RFC6895]).
FLAGS is a 32-bit resource record flags field (see below).
DATA the variable-length resource record data payload. The contents
are defined by the respective type of the resource record.
Flags indicate metadata surrounding the resource record. A flag
value of 0 indicates that all flags are unset. The following
illustrates the flag distribution in the 32-bit flag value of a
resource record:
... 5 4 3 2 1 0
------+--------+--------+--------+--------+--------+
/ ... | SHADOW | EXPREL | SUPPL | PRIVATE| / |
------+--------+--------+--------+--------+--------+
Figure 2
where:
SHADOW If this flag is set, this record should be ignored by
resolvers unless all (other) records of the same record type have
expired. Used to allow zone publishers to facilitate good
performance when records change by allowing them to put future
values of records into the DHT. This way, future values can
propagate and may be cached before the transition becomes active.
Schanzenbach, et al. Expires 25 November 2020 [Page 5]
Internet-Draft The GNU Name System May 2020
EXPREL The expiration time value of the record is a relative time
(still in microseconds) and not an absolute time. This flag
should never be encountered by a resolver for records obtained
from the DHT, but might be present when a resolver looks up
private records of a zone hosted locally.
SUPPL This is a supplemental record. It is provided in addition to
the other records. This flag indicates that this record is not
explicitly managed alongside the other records under the
respective name but may be useful for the application. This flag
should only be encountered by a resolver for records obtained from
the DHT.
PRIVATE This is a private record of this peer and it should thus not
be published in the DHT. Thus, this flag should never be
encountered by a resolver for records obtained from the DHT.
Private records should still be considered just like regular
records when resolving labels in local zones.
3.1. Record Types
A registry of GNS Record Types is described in Section 10. The
registration policy for this registry is "First Come First Served",
as described in [RFC8126]. When requesting new entries, careful
consideration of the following criteria is strongly advised: FIXME:
ausdenken was wir da gerne haetten.
3.2. PKEY
In GNS, a delegation of a label to a zone is represented through a
PKEY record. A PKEY resource record contains the public key of the
zone to delegate to. A PKEY record MUST be the only record under a
label. No other records are allowed. A PKEY DATA entry has the
following format:
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| PUBLIC KEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 3
where:
PUBLIC KEY A 256-bit ECDSA zone key.
Schanzenbach, et al. Expires 25 November 2020 [Page 6]
Internet-Draft The GNU Name System May 2020
3.3. GNS2DNS
It is possible to delegate a label back into DNS through a GNS2DNS
record. The resource record contains a DNS name for the resolver to
continue with in DNS followed by a DNS server. Both names are in the
format defined in [RFC1034] for DNS names. A GNS2DNS DATA entry has
the following format:
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| DNS NAME |
/ /
/ /
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| DNS SERVER NAME |
/ /
/ /
| |
+-----------------------------------------------+
Figure 4
where:
DNS NAME The name to continue with in DNS (0-terminated).
DNS SERVER NAME The DNS server to use. May be an IPv4/IPv6 address
in dotted decimal form or a DNS name. It may also be a relative
GNS name ending with a "+" top-level domain. The value is UTF-8
encoded (also for DNS names) and 0-terminated.
3.4. LEHO
Legacy hostname records can be used by applications that are expected
to supply a DNS name on the application layer. The most common use
case is HTTP virtual hosting, which as-is would not work with GNS
names as those may not be globally unique. A LEHO resource record is
expected to be found together in a single resource record with an
IPv4 or IPv6 address. A LEHO DATA entry has the following format:
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| LEGACY HOSTNAME |
/ /
/ /
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
Schanzenbach, et al. Expires 25 November 2020 [Page 7]
Internet-Draft The GNU Name System May 2020
Figure 5
where:
LEGACY HOSTNAME A UTF-8 string (which is not 0-terminated)
representing the legacy hostname.
NOTE: If an application uses a LEHO value in an HTTP request header
(e.g. "Host:" header) it must be converted to a punycode
representation [RFC5891].
3.5. NICK
Nickname records can be used by zone administrators to publish an
indication on what label this zone prefers to be referred to. This
is a suggestion to other zones what label to use when creating a PKEY
(Section 3.2) record containing this zone's public zone key. This
record SHOULD only be stored under the empty label "@" but MAY be
returned with record sets under any label as a supplemental record.
Section 6.2.6 details how a resolver must process supplemental and
non-supplemental NICK records. A NICK DATA entry has the following
format:
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| NICKNAME |
/ /
/ /
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 6
where:
NICKNAME A UTF-8 string (which is not 0-terminated) representing the
preferred label of the zone. This string MUST NOT include a "."
character.
3.6. BOX
In GNS, every "." in a name delegates to another zone, and GNS
lookups are expected to return all of the required useful information
in one record set. This is incompatible with the special labels used
by DNS for SRV and TLSA records. Thus, GNS defines the BOX record
format to box up SRV and TLSA records and include them in the record
set of the label they are associated with. For example, a TLSA
record for "_https._tcp.foo.gnu" will be stored in the record set of
Schanzenbach, et al. Expires 25 November 2020 [Page 8]
Internet-Draft The GNU Name System May 2020
"foo.gnu" as a BOX record with service (SVC) 443 (https) and protocol
(PROTO) 6 (tcp) and record TYPE "TLSA". For reference, see also
[RFC2782]. A BOX DATA entry has the following format:
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| PROTO | SVC | TYPE |
+-----------+-----------------------------------+
| RECORD DATA |
/ /
/ /
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 7
where:
PROTO the 16-bit protocol number, e.g. 6 for tcp. In network byte
order.
SVC the 16-bit service value of the boxed record, i.e. the port
number. In network byte order.
TYPE is the 32-bit record type of the boxed record. In network byte
order.
RECORD DATA is a variable length field containing the "DATA" format
of TYPE as defined for the respective TYPE in DNS.
3.7. VPN
A VPN DATA entry has the following format:
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| HOSTING PEER PUBLIC KEY |
| (256 bits) |
| |
| |
+-----------+-----------------------------------+
| PROTO | SERVICE NAME |
+-----------+ +
/ /
/ /
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
Schanzenbach, et al. Expires 25 November 2020 [Page 9]
Internet-Draft The GNU Name System May 2020
Figure 8
where:
HOSTING PEER PUBLIC KEY is a 256-bit EdDSA public key identifying
the peer hosting the service.
PROTO the 16-bit protocol number, e.g. 6 for TCP. In network byte
order.
SERVICE NAME a shared secret used to identify the service at the
hosting peer, used to derive the port number requird to connect to
the service. The service name MUST be a 0-terminated UTF-8
string.
4. Publishing Records
GNS resource records are published in a distributed hash table (DHT).
We assume that a DHT provides two functions: GET(key) and
PUT(key,value). In GNS, resource records are grouped by their
respective labels, encrypted and published together in a single
resource records block (RRBLOCK) in the DHT under a key "q": PUT(q,
RRBLOCK). The key "q" which is derived from the zone key "zk" and
the respective label of the contained records.
4.1. Key Derivations
Given a label, the DHT key "q" is derived as follows:
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
d_h := h * d mod L
zk_h := h mod L * zk
q := SHA512 (zk_h)
We use a hash-based key derivation function (HKDF) as defined in
[RFC5869]. We use HMAC-SHA512 for the extraction phase and HMAC-
SHA256 for the expansion phase.
PRK_h is key material retrieved using an HKDF using the string "key-
derivation" as salt and the public zone key "zk" as initial keying
material.
h is the 512-bit HKDF expansion result. The expansion info input is
a concatenation of the label and string "gns".
d is the 256-bit private zone key as defined in Section 2.
Schanzenbach, et al. Expires 25 November 2020 [Page 10]
Internet-Draft The GNU Name System May 2020
label is a UTF-8 string under which the resource records are
published.
d_h is a 256-bit private key derived from the "d" using the keying
material "h".
zk_h is a 256-bit public key derived from the zone key "zk" using
the keying material "h".
L is the prime-order subgroup as defined in Section 2.
q Is the 512-bit DHT key under which the resource records block is
published. It is the SHA512 hash over the public key "zk_h"
corresponding to the derived private key "d_h".
We point out that the multiplication of "zk" with "h" is a point
multiplication, while the multiplication of "d" with "h" is a scalar
multiplication.
4.2. Resource Records Block
GNS records are grouped by their labels and published as a single
block in the DHT. The grouped record sets MAY be paired with any
number of supplemental records. Supplemental records must have the
supplemental flag set (See Section 3). The contained resource
records are encrypted using a symmetric encryption scheme. A GNS
implementation must publish RRBLOCKs in accordance to the properties
and recommendations of the underlying DHT. This may include a
periodic refresh publication. A GNS RRBLOCK has the following
format:
Schanzenbach, et al. Expires 25 November 2020 [Page 11]
Internet-Draft The GNU Name System May 2020
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| SIGNATURE |
| |
| |
| |
| |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| PUBLIC KEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| SIZE | PURPOSE |
+-----+-----+-----+-----+-----+-----+-----+-----+
| EXPIRATION |
+-----+-----+-----+-----+-----+-----+-----+-----+
| BDATA /
/ /
/ |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 9
where:
SIGNATURE A 512-bit ECDSA deterministic signature compliant with
[RFC6979]. The signature is computed over the data following the
PUBLIC KEY field. The signature is created using the derived
private key "d_h" (see Section 4).
PUBLIC KEY is the 256-bit public key "zk_h" to be used to verify
SIGNATURE. The wire format of this value is defined in [RFC8032],
Section 5.1.5.
SIZE A 32-bit value containing the length of the signed data
following the PUBLIC KEY field in network byte order. This value
always includes the length of the fields SIZE (4), PURPOSE (4) and
EXPIRATION (8) in addition to the length of the BDATA. While a
32-bit value is used, implementations MAY refuse to publish blocks
beyond a certain size significantly below 4 GB. However, a
minimum block size of 62 kilobytes MUST be supported.
PURPOSE A 32-bit signature purpose flag. This field MUST be 15 (in
network byte order).
Schanzenbach, et al. Expires 25 November 2020 [Page 12]
Internet-Draft The GNU Name System May 2020
EXPIRATION Specifies when the RRBLOCK expires and the encrypted
block SHOULD be removed from the DHT and caches as it is likely
stale. However, applications MAY continue to use non-expired
individual records until they expire. The value MUST be set to
the expiration time of the resource record contained within this
block with the smallest expiration time. If a records block
includes shadow records, then the maximum expiration time of all
shadow records with matching type and the expiration times of the
non-shadow records is considered. This is a 64-bit absolute date
in microseconds since midnight (0 hour), January 1, 1970 in
network byte order.
BDATA The encrypted resource records with a total size of SIZE - 16.
4.3. Record Data Encryption and Decryption
A symmetric encryption scheme is used to encrypt the resource records
set RDATA into the BDATA field of a GNS RRBLOCK. The wire format of
the RDATA looks as follows:
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| RR COUNT | EXPIRA- /
+-----+-----+-----+-----+-----+-----+-----+-----+
/ -TION | DATA SIZE |
+-----+-----+-----+-----+-----+-----+-----+-----+
| TYPE | FLAGS |
+-----+-----+-----+-----+-----+-----+-----+-----+
| DATA /
/ /
/ |
+-----+-----+-----+-----+-----+-----+-----+-----+
| EXPIRATION |
+-----+-----+-----+-----+-----+-----+-----+-----+
| DATA SIZE | TYPE |
+-----+-----+-----+-----+-----+-----+-----+-----+
| FLAGS | DATA /
+-----+-----+-----+-----+ /
/ +-----------------------/
/ | /
+-----------------------+ /
/ PADDING /
/ /
Figure 10
where:
Schanzenbach, et al. Expires 25 November 2020 [Page 13]
Internet-Draft The GNU Name System May 2020
RR COUNT A 32-bit value containing the number of variable-length
resource records which are following after this field in network
byte order.
EXPIRATION, DATA SIZE, TYPE, FLAGS and DATA These fields were
defined in the resource record format in Section 3. There MUST be
a total of RR COUNT of these resource records present.
PADDING The padding MUST contain the value 0 in all octets. The
padding MUST ensure that the size of the RDATA WITHOUT the RR
COUNT field is a power of two. As a special exception, record
sets with (only) a PKEY record type are never padded. Note that a
record set with a PKEY record MUST NOT contain other records.
The symmetric keys and initialization vectors are derived from the
record label and the zone key "zk". For decryption of the resource
records block payload, the key material "K" and initialization vector
"IV" for the symmetric cipher are derived as follows:
PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
PRK_iv := HKDF-Extract ("gns-aes-ctx-iv", zk)
K := HKDF-Expand (PRK_k, label, 512 / 8);
IV := HKDF-Expand (PRK_iv, label, 256 / 8)
HKDF is a hash-based key derivation function as defined in [RFC5869].
Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-
SHA256 for the expansion phase. The output keying material is 64
octets (512 bit) for the symmetric keys and 32 octets (256 bit) for
the initialization vectors. We divide the resulting keying material
"K" into a 256-bit AES [RFC3826] key and a 256-bit TWOFISH [TWOFISH]
key:
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| AES KEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| TWOFISH KEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 11
Schanzenbach, et al. Expires 25 November 2020 [Page 14]
Internet-Draft The GNU Name System May 2020
Similarly, we divide "IV" into a 128-bit initialization vector and a
128-bit initialization vector:
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| AES IV |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| TWOFISH IV |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 12
The keys and IVs are used for a CFB128-AES-256 and CFB128-TWOFISH-256
chained symmetric cipher. Both ciphers are used in Cipher FeedBack
(CFB) mode [RFC3826].
RDATA := AES(K[0:31], IV[0:15],
TWOFISH(K[32:63], IV[16:31], BDATA))
BDATA := TWOFISH(K[32:63], IV[16:31],
AES(K[0:31], IV[0:15], RDATA))
5. Internationalization and Character Encoding
All labels in GNS are encoded in UTF-8 [RFC3629]. This does not
include any DNS names found in DNS records, such as CNAME records,
which are internationalized through the IDNA specifications
[RFC5890].
6. Name Resolution
Names in GNS are resolved by recursively querying the DHT record
storage. In the following, we define how resolution is initiated and
each iteration in the resolution is processed.
GNS resolution of a name must start in a given starting zone
indicated using a zone public key. Details on how the starting zone
may be determined is discussed in Section 8.
When GNS name resolution is requested, a desired record type MAY be
provided by the client. The GNS resolver will use the desired record
type to guide processing, for example by providing conversion of VPN
records to A or AAAA records, if that is desired. However, filtering
of record sets according to the required record types MUST still be
done by the client after the resource record set is retrieved.
Schanzenbach, et al. Expires 25 November 2020 [Page 15]
Internet-Draft The GNU Name System May 2020
6.1. Recursion
In each step of the recursive name resolution, there is an
authoritative zone zk and a name to resolve. The name may be empty.
Initially, the authoritative zone is the start zone. If the name is
empty, it is interpreted as the apex label "@".
From here, the following steps are recursively executed, in order:
1. Extract the right-most label from the name to look up.
2. Calculate q using the label and zk as defined in Section 4.1.
3. Perform a DHT query GET(q) to retrieve the RRBLOCK.
4. Verify and process the RRBLOCK and decrypt the BDATA contained in
it as defined in Section 4.3.
Upon receiving the RRBLOCK from the DHT, apart from verifying the
provided signature, the resolver MUST check that the authoritative
zone key was used to sign the record: The derived zone key "h*zk"
MUST match the public key provided in the RRBLOCK, otherwise the
RRBLOCK MUST be ignored and the DHT lookup GET(q) MUST continue.
6.2. Record Processing
Record processing occurs at the end of a single recursion. We assume
that the RRBLOCK has been cryptographically verified and decrypted.
At this point, we must first determine if we have received a valid
record set in the context of the name we are trying to resolve:
1. Case 1: If the remainder of the name to resolve is empty and the
record set does not consist of a PKEY, CNAME or DNS2GNS record,
the record set is the result and the recursion is concluded.
2. Case 2: If the name to be resolved is of the format
"_SERVICE._PROTO" and the record set contains one or more
matching BOX records, the records in the BOX records are the
result and the recusion is concluded (Section 6.2.4).
3. Case 3: If the remainder of the name to resolve is not empty and
does not match the "_SERVICE._PROTO" syntax, then the current
record set MUST consist of a single PKEY record (Section 6.2.1),
a single CNAME record (Section 6.2.3), or one or more GNS2DNS
records (Section 6.2.2), which are processed as described in the
respective sections below. The record set may include any number
of supplemental records. Otherwise, resolution fails and the
resolver MUST return an empty record set. Finally, after the
Schanzenbach, et al. Expires 25 November 2020 [Page 16]
Internet-Draft The GNU Name System May 2020
recursion terminates, the client preferences for the record type
SHOULD be considered. If a VPN record is found and the client
requests an A or AAAA record, the VPN record SHOULD be converted
(Section 6.2.5) if possible.
6.2.1. PKEY
When the resolver encounters a PKEY record and the remainder of the
name is not empty, resolution continues recursively with the
remainder of the name in the GNS zone specified in the PKEY record.
If the remainder of the name to resolve is empty and we have received
a record set containing only a single PKEY record, the recursion is
continued with the PKEY as authoritative zone and the empty apex
label "@" as remaining name, except in the case where the desired
record type is PKEY, in which case the PKEY record is returned and
the resolution is concluded without resolving the empty apex label.
6.2.2. GNS2DNS
When a resolver encounters one or more GNS2DNS records and the
remaining name is empty and the desired record type is GNS2DNS, the
GNS2DNS records are returned.
Otherwise, it is expected that the resolver first resolves the IP(s)
of the specified DNS name server(s). GNS2DNS records MAY contain
numeric IPv4 or IPv6 addresses, allowing the resolver to skip this
step. The DNS server names may themselves be names in GNS or DNS.
If the DNS server name ends in ".+", the rest of the name is to be
interpreted relative to the zone of the GNS2DNS record. If the DNS
server name ends in ".<Base32(zk)>", the DNS server name is to be
resolved against the GNS zone zk.
Multiple GNS2DNS records may be stored under the same label, in which
case the resolver MUST try all of them. The resolver MAY try them in
any order or even in parallel. If multiple GNS2DNS records are
present, the DNS name MUST be identical for all of them, if not the
resolution fails and an emtpy record set is returned as the record
set is invalid.
Schanzenbach, et al. Expires 25 November 2020 [Page 17]
Internet-Draft The GNU Name System May 2020
Once the IP addresses of the DNS servers have been determined, the
DNS name from the GNS2DNS record is appended to the remainder of the
name to be resolved, and resolved by querying the DNS name server(s).
As the DNS servers specified are possibly authoritative DNS servers,
the GNS resolver MUST support recursive resolution and MUST NOT
delegate this to the authoritative DNS servers. The first successful
recursive name resolution result is returned to the client. In
addition, the resolver returns the queried DNS name as a supplemental
LEHO record (Section 3.4) with a relative expiration time of one
hour.
GNS resolvers SHOULD offer a configuration option to disable DNS
processing to avoid information leakage and provide a consistent
security profile for all name resolutions. Such resolvers would
return an empty record set upon encountering a GNS2DNS record during
the recursion. However, if GNS2DNS records are encountered in the
record set for the apex and a GNS2DNS record is expicitly requested
by the application, such records MUST still be returned, even if DNS
support is disabled by the GNS resolver configuration.
6.2.3. CNAME
If a CNAME record is encountered, the canonical name is appended to
the remaining name, except if the remaining name is empty and the
desired record type is CNAME, in which case the resolution concludes
with the CNAME record. If the canonical name ends in ".+",
resolution continues in GNS with the new name in the current zone.
Otherwise, the resulting name is resolved via the default operating
system name resolution process. This may in turn again trigger a GNS
resolution process depending on the system configuration.
The recursive DNS resolution process may yield a CNAME as well which
in turn may either point into the DNS or GNS namespace (if it ends in
a ".<Base32(zk)>"). In order to prevent infinite loops, the resolver
MUST implement loop detections or limit the number of recursive
resolution steps. If the last CNAME was a DNS name, the resolver
returns the DNS name as a supplemental LEHO record (Section 3.4) with
a relative expiration time of one hour.
6.2.4. BOX
When a BOX record is received, a GNS resolver must unbox it if the
name to be resolved continues with "_SERVICE._PROTO". Otherwise, the
BOX record is to be left untouched. This way, TLSA (and SRV) records
do not require a separate network request, and TLSA records become
inseparable from the corresponding address records.
Schanzenbach, et al. Expires 25 November 2020 [Page 18]
Internet-Draft The GNU Name System May 2020
6.2.5. VPN
At the end of the recursion, if the queried record type is either A
or AAAA and the retrieved record set contains at least one VPN
record, the resolver SHOULD open a tunnel and return the IPv4 or IPv6
tunnel address, respectively. The type of tunnel depends on the
contents of the VPN record data. The VPN record MUST be returned if
the resolver implementation does not support setting up a tunnnel.
6.2.6. NICK
NIICK records are only relevant to the recursive resolver if the
record set in question is the final result which is to be returned to
the client. The encountered NICK records may either be supplemental
(see Section 3) or non-supplemental. If the NICK record is
supplemental, the resolver only returns the record set if one of the
non-supplemental records matches the queried record type.
The differentiation between a supplemental and non-supplemental NICK
record allows the client to match the record to the authoritative
zone. Consider the following example:
Query: alice.doe (type=A)
Result:
A: 1.2.3.4
NICK: eve
Figure 13
In this example, the returned NICK record is non-supplemental. For
the client, this means that the NICK belongs to the zone "alice.doe"
and is published under the empty label along with an A record. The
NICK record should be interpreted as: The zone defined by "alice.doe"
wants to be referred to as "eve". In contrast, consider the
following:
Query: alice.doe (type=A)
Result:
A: 1.2.3.4
NICK: john (Supplemental)
Figure 14
Schanzenbach, et al. Expires 25 November 2020 [Page 19]
Internet-Draft The GNU Name System May 2020
In this case, the NICK record is marked as supplemental. This means
that the NICK record belongs to the zone "doe" and is published under
the label "alice" along with an A record. The NICK record should be
interpreted as: The zone defined by "doe" wants to be referred to as
"john". This distinction is likely useful for other records
published as supplemental.
7. Zone Revocation
Whenever a recursive resolver encounters a new GNS zone, it MUST
check against the local revocation list whether the respective zone
key has been revoked. If the zone key was revoked, the resolution
MUST fail with an empty result set.
In order to revoke a zone key, a signed revocation object SHOULD be
published. This object MUST be signed using the private zone key.
The revocation object is flooded in the overlay network. To prevent
flooding attacks, the revocation message MUST contain a proof of work
(PoW). The revocation message including the PoW MAY be calculated
ahead of time to support timely revocation.
For all occurences below, "Argon2d" is the Password-based Key
Derivation Function as defined in [Argon2]. For the PoW calculations
the algorithm is instantiated with the following parameters:
S := "gnunet-revocation-proof-of-work" /* Salt */
t := 3 /* Iterations */
m := 1024 /* Memory size, 1 MiB */
T := 64 /* Tag (=output) length in bytes */
p := 1 /* Parallelization parameter */
v := 0x13 /* Version */
y := 0 /* Type (Argon2d) */
X, K are unused
The following is the message string "P" on which the PoW is
calculated:
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| POW |
+-----------------------------------------------+
| TIMESTAMP |
+-----------------------------------------------+
| PUBLIC KEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
Schanzenbach, et al. Expires 25 November 2020 [Page 20]
Internet-Draft The GNU Name System May 2020
Figure 15
where:
POW A 64-bit solution to the PoW. In network byte order.
TIMESTAMP denotes the absolute 64-bit date when the revocation was
computed. In microseconds since midnight (0 hour), January 1,
1970 in network byte order.
PUBLIC KEY A 512-bit ECDSA deterministic signature compliant with
[RFC6979] over the public zone zk of the zone which is revoked and
corresponds to the key used in the PoW. The signature is created
using the private zone key "d" (see Section 2).
Traditionally, PoW schemes require to find a "POW" such that at least
D leading zeroes are found in the hash result. D is then referred to
as the "difficulty" of the PoW. In order to reduce the variance in
time it takes to calculate the PoW, we require that a number "Z"
different PoWs must be found that on average have "D" leading zeroes.
The resulting proofs may then published and disseminated. The
concrete dissemination and publication methods are out of scope of
this document. Given an average difficulty of "D", the proofs have
an expiration time of EPOCH. With each additional bit difficulty,
the lifetime of the proof is prolonged for another EPOCH.
Consequently, by calculating a more difficult PoW, the lifetime of
the proof can be increased on demand by the zone owner.
The parameters are defined as follows:
Z The number of PoWs required is fixed at 32.
D The difficulty is fixed at 25.
EPOCH A single epoch is fixed at 365 days.
Given that proof has been found, a revocation data object is defined
as follows:
Schanzenbach, et al. Expires 25 November 2020 [Page 21]
Internet-Draft The GNU Name System May 2020
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| TIMESTAMP |
+-----+-----+-----+-----+-----+-----+-----+-----+
| TTL |
+-----+-----+-----+-----+-----+-----+-----+-----+
| POW_0 |
+-----+-----+-----+-----+-----+-----+-----+-----+
| ... |
+-----+-----+-----+-----+-----+-----+-----+-----+
| POW_Z-1 |
+-----------------------------------------------+
| SIGNATURE |
| |
| |
| |
| |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| PUBLIC KEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 16
where:
TIMESTAMP denotes the absolute 64-bit date when the revocation was
computed. In microseconds since midnight (0 hour), January 1,
1970 in network byte order. This is the same value as the
timestamp used in the individual PoW calculations.
TTL denotes the relative 64-bit time to live of of the record in
microseconds also in network byte order. This field is
informational for a verifier. The verifier may discard revocation
if the TTL indicates that it is already expired. However, the
actual TTL of the revocation must be determined by examining the
leading zeros in the proof of work calculation.
POW_i The values calculated as part of the PoW, in network byte
order. Each POW_i MUST be unique in the set of POW values. To
facilitate fast verification of uniqueness, the POW values must be
given in strictly monotonically increasing order in the message.
Schanzenbach, et al. Expires 25 November 2020 [Page 22]
Internet-Draft The GNU Name System May 2020
SIGNATURE A 512-bit ECDSA deterministic signature compliant with
[RFC6979] over the public zone zk of the zone which is revoked and
corresponds to the key used in the PoW. The signature is created
using the private zone key "d" (see Section 2).
PUBLIC KEY is the 256-bit public key "zk" of the zone which is being
revoked and the key to be used to verify SIGNATURE. The wire
format of this value is defined in [RFC8032], Section 5.1.5.
The signature over the public key covers a 32 bit pseudo header
conceptually prefixed to the public key. The pseudo header includes
the key length and signature purpose:
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| SIZE (0x30) | PURPOSE (0x03) |
+-----+-----+-----+-----+-----+-----+-----+-----+
| PUBLIC KEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| TIMESTAMP |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 17
where:
SIZE A 32-bit value containing the length of the signed data in
bytes (48 bytes) in network byte order.
PURPOSE A 32-bit signature purpose flag. This field MUST be 3 (in
network byte order).
PUBLIC KEY / TIMESTAMP Both values as defined in the revocation data
object above.
In order to verify a revocation the following steps must be taken, in
order:
1. The current time MUST be between TIMESTAMP and TIMESTAMP+TTL.
2. The signature MUST match the public key.
3. The set of POW values MUST NOT contain duplicates.
Schanzenbach, et al. Expires 25 November 2020 [Page 23]
Internet-Draft The GNU Name System May 2020
4. The average number of leading zeroes resulting from the provided
POW values D' MUST be greater than D.
5. The validation period (TTL) of the revocation is calculated as
(D'-D) * EPOCH * 1.1. The EPOCH is extended by 10% in order to
deal with unsynchronized clocks. The TTL added on top of the
TIMESTAMP yields the expiration date.
8. Determining the Root Zone and Zone Governance
The resolution of a GNS name must start in a given start zone
indicated to the resolver using any public zone key. The local
resolver may have a local start zone configured/hard-coded which
points to a local or remote start zone key. A resolver client may
also determine the start zone from the suffix of the name given for
resolution or using information retrieved out of band. The
governance model of any zone is at the sole discretion of the zone
owner. However, the choice of start zone(s) is at the sole
discretion of the local system administrator or user.
This is an important distinguishing factor from the Domain Name
System where root zone governance is centralized at the Internet
Corporation for Assigned Names and Numbers (ICANN). In DNS
terminology, GNS roughly follows the idea of a hyper-hyper local root
zone deployment, with the difference that it is not expected that all
deployments use the same local root zone.
In the following, we give examples how a local client resolver SHOULD
discover the start zone. The process given is not exhaustive and
clients MAY suppliement it with other mechanisms or ignore it if the
particular application requires a different process.
GNS clients SHOULD first try to interpret the top-level domain of a
GNS name as a zone key. For example. if the top-level domain is a
Base32-encoded public zone key "zk", the root zone of the resolution
process is implicitly given by the name:
Example name: www.example.<Base32(zk)>
=> Root zone: zk
=> Name to resolve from root zone: www.example
In GNS, users MAY own and manage their own zones. Each local zone
SHOULD be associated with a single GNS label, but users MAY choose to
use longer names consisting of multiple labels. If the name of a
locally managed zone matches the suffix of the name to be resolved,
resolution SHOULD start from the respective local zone:
Schanzenbach, et al. Expires 25 November 2020 [Page 24]
Internet-Draft The GNU Name System May 2020
Example name: www.example.gnu
Local zones:
fr = (d0,zk0)
gnu = (d1,zk1)
com = (d2,zk2)
...
=> Entry zone: zk1
=> Name to resolve from entry zone: www.example
Finally, additional "suffix to zone" mappings MAY be configured.
Suffix to zone key mappings SHOULD be configurable through a local
configuration file or database by the user or system administrator.
The suffix MAY consist of multiple GNS labels concatenated with a
".". If multiple suffixes match the name to resolve, the longest
matching suffix MUST BE used. The suffix length of two results
cannot be equal, as this would indicate a misconfiguration. If both
a locally managed zone and a configuration entry exist for the same
suffix, the locally managed zone MUST have priority.
Example name: www.example.gnu
Local suffix mappings:
gnu = zk0
example.gnu = zk1
example.com = zk2
...
=> Entry zone: zk1
=> Name to resolve from entry zone: www
9. Security Considerations
9.1. Cryptography
The security of cryptographic systems depends on both the strength of
the cryptographic algorithms chosen and the strength of the keys used
with those algorithms. The security also depends on the engineering
of the protocol used by the system to ensure that there are no non-
cryptographic ways to bypass the security of the overall system.
This document concerns itself with the selection of cryptographic
algorithms for use in GNS. The algorithms identified in this
document are not known to be broken (in the cryptographic sense) at
the current time, and cryptographic research so far leads us to
believe that they are likely to remain secure into the foreseeable
future. However, this isn't necessarily forever, and it is expected
that new revisions of this document will be issued from time to time
to reflect the current best practices in this area.
Schanzenbach, et al. Expires 25 November 2020 [Page 25]
Internet-Draft The GNU Name System May 2020
GNS uses ECDSA over Curve25519. This is an unconventional choice, as
ECDSA is usually used with other curves. However, traditional ECDSA
curves are problematic for a range of reasons described in the
Curve25519 and EdDSA papers. Using EdDSA directly is also not
possible, as a hash function is used on the private key which
destroys the linearity that the GNU Name System depends upon. We are
not aware of anyone suggesting that using Curve25519 instead of
another common curve of similar size would lower the security of
ECDSA. GNS uses 256-bit curves because that way the encoded (public)
keys fit into a single DNS label, which is good for usability.
9.2. Abuse mitigation
GNS names are UTF-8 strings. Consequently, GNS faces similar issues
with respect to name spoofing as DNS does for internationalized
domain names. In DNS, attackers may register similar sounding or
looking names (see above) in order to execute phishing attacks. GNS
zone administrators must take into account this attack vector and
incorporate rules in order to mitigate it.
Further, DNS can be used to combat illegal content on the internet by
having the respective domains seized by authorities. However, the
same mechanisms can also be abused in order to impose state
censorship, which ist one of the motivations behind GNS. Hence, such
a seizure is, by design, difficult to impossible in GNS. In
particular, GNS does not support WHOIS ([RFC3912]).
9.3. Zone management
In GNS, zone administrators need to manage and protect their zone
keys. Once a zone key is lost it cannot be recovered. Once it is
compromised it cannot be revoked (unless a revocation message was
pre-calculated and is still available). Zone administrators, and for
GNS this includes end-users, are required to responsibly and
dilligently protect their cryptographic keys. Offline signing is in
principle possible, but GNS does not support separate zone signing
and key-signing keys (as in [RFC6781]) in order to provide usable
security.
Similarly, users are required to manage their local root zone. In
order to ensure integrity and availability or names, users must
ensure that their local root zone information is not compromised or
outdated. It can be expected that the processing of zone revocations
and an initial root zone is provided with a GNS client implementation
("drop shipping"). Extension and customization of the zone is at the
full discretion of the user.
Schanzenbach, et al. Expires 25 November 2020 [Page 26]
Internet-Draft The GNU Name System May 2020
9.4. Impact of underlying DHT
This document does not specifiy the properties of the underlying
distributed hash table (DHT) which is required by any GNS
implementation. For implementors, it is important to note that the
properties of the DHT are directly inherited by the GNS
implementation. This includes both security as well as other non-
functional properties such as scalability and performance.
Implementors should take great care when selecting or implementing a
DHT for use in a GNS implementation. DHTs with string security and
performance guarantees exist [R5N]. It should also be taken into
consideration that GNS implementations which build upon different DHT
overlays are unlikely to be interoperable with each other.
9.5. Revocations
Zone administrators are advised to pre-generate zone revocations and
securely store the revocation information in case the zone key is
lost, compromised or replaced in the furture. Pre-calculated
revocations may become invalid due to expirations or protocol changes
such as epoch adjustments. Consequently, implementors and users must
make precautions in order to manage revocations accordingly.
Revocation payloads do NOT include a 'new' key for key replacement.
Inclusion of such a key would have two major disadvantages:
If revocation is used after a private key was compromised, allowing
key replacement would be dangerous: if an adversary took over the
private key, the adversary could then broadcast a revocation with a
key replacement. For the replacement, the compromised owner would
have no chance to issue even a revocation. Thus, allowing a
revocation message to replace a private key makes dealing with key
compromise situations worse.
Sometimes, key revocations are used with the objective of changing
cryptosystems. Migration to another cryptosystem by replacing keys
via a revocation message would only be secure as long as both
cryptosystems are still secure against forgery. Such a planned, non-
emergency migration to another cryptosystem should be done by running
zones for both ciphersystems in parallel for a while. The migration
would conclude by revoking the legacy zone key only once it is deemed
no longer secure, and hopefully after most users have migrated to the
replacement.
10. GANA Considerations
GANA is requested to create an "GNU Name System Record Types"
registry. The registry shall record for each entry:
Schanzenbach, et al. Expires 25 November 2020 [Page 27]
Internet-Draft The GNU Name System May 2020
* Name: The name of the record type (case-insensitive ASCII string,
restricted to alphanumeric characters
* Number: 32-bit, above 65535
* Comment: Optionally, a brief English text describing the purpose
of the record type (in UTF-8)
* Contact: Optionally, the contact information of a person to
contact for further information
* References: Optionally, references describing the record type
(such as an RFC)
The registration policy for this sub-registry is "First Come First
Served", as described in [RFC8126]. GANA is requested to populate
this registry as follows:
Number | Name | Contact | References | Description
-------+---------+---------+------------+-------------------------
65536 | PKEY | N/A | [This.I-D] | GNS zone delegation
65537 | NICK | N/A | [This.I-D] | GNS zone nickname
65538 | LEHO | N/A | [This.I-D] | GNS legacy hostname
65539 | VPN | N/A | [This.I-D] | VPN resolution
65540 | GNS2DNS | N/A | [This.I-D] | Delegation to DNS
65541 | BOX | N/A | [This.I-D] | Boxed record
Figure 18
GANA is requested to amend the "GNUnet Signature Purpose" registry as
follows:
Purpose | Name | References | Description
--------+-----------------+------------+--------------------------
3 | GNS_REVOCATION | [This.I-D] | GNS zone key revocation
15 | GNS_RECORD_SIGN | [This.I-D] | GNS record set signature
Figure 19
11. Test Vectors
The following represents a test vector for a record set with a DNS
record of type "A" as well as a GNS record of type "PKEY" under the
label "test".
Schanzenbach, et al. Expires 25 November 2020 [Page 28]
Internet-Draft The GNU Name System May 2020
Zone private key (d):
WGb/eoy8BDWvaK2vRab0xTlqvS0+PeS5HG5Rh4z4cWI=
Zone public key (zk):
n7TNZeJ+Ks6wQymnwjZXR/cj0ae8NZMZ/PcuDVrONAo=
Label: test
RRCOUNT: 2
Record #0
EXPIRATION: 1589117218087117
DATA_SIZE: 4
TYPE: 1
FLAGS: 0
DATA (base64):
AQIDBA==
DATA (Human readable):
1.2.3.4
Record #1
EXPIRATION: 1589117218087117
DATA_SIZE: 32
TYPE: 65536
FLAGS: 2
DATA (base64):
+AT14h9SMRAwkor+azlHpE8DkvsUyeQyN49NEmsOXew=
DATA (Human readable):
Z02FBRGZA8RH0C4JHBZ6PEA7MH7G74QV2K4Y8CHQHX6H4TREBQP0
RDATA:
AAWlSy9KYM0AAAAEAAAAAQAAAAABAgMEAAWlSy9KYM0AAAAgAAEAAAAAAAL4BPXi
H1IxEDCSiv5rOUekTwOS+xTJ5DI3j00Saw5d7AAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
BDATA:
5e5936fttKU61GByslXav57Zgi4rac2N0F6VJCKC7NVn1YPJyiL/0+f2vZSUfHpk
ZfRPv9clYgzO4m+PdRcYFpkG0vqmrFnDNJQRd/y9V2Wfg4ud82FK3CT9lcMpu6Sd
fbZyE8PmL7cySfdMa/RsNWCVAES98UOvNJ7CaBDJlY2mb6iA
RRBLOCK:
Cqk3xJHTNxM1EE69iH33z0dK78FrhK+gUHMIUY//WHYCPZmbdgJc5Avb9uVTAAyT
5No5uINZwxXuWpL72Xh4IIqWAE/BdKHS9deQusO6CSiZN1swM5zsupJq1qjgHusG
AAAAlAAAAA8ABaVLL0pgzeXufd+n7bSlOtRgcrJV2r+e2YIuK2nNjdBelSQiguzV
Z9WDycoi/9Pn9r2UlHx6ZGX0T7/XJWIMzuJvj3UXGBaZBtL6pqxZwzSUEXf8vVdl
n4OLnfNhStwk/ZXDKbuknX22chPD5i+3Mkn3TGv0bDVglQBEvfFDrzSewmgQyZWN
pm+ogA==
The following is an example revocation for a zone:
Schanzenbach, et al. Expires 25 November 2020 [Page 29]
Internet-Draft The GNU Name System May 2020
Zone private key (d):
EJJaW7UymipsU6IkFFdt/jkE/kNd22IAyqNb3sMRk2g=
Zone public key (zk):
fUBR/J2vCuXXv70BdSi/J0G8n+qxs7LctC34hJaQ7S4=
Difficulty (5 base difficulty + 2 epochs): 7
Proof:
AAWlWugT9IoAWl4FAQAAAG40PmjcaH+LbjQ+aNxogM1uND5o3GiBPG40PmjcaIKM
bjQ+aNxogzhuND5o3GiDvG40PmjcaIPLbjQ+aNxohAFuND5o3GiEVm40PmjcaIRb
bjQ+aNxohF1uND5o3GiE2W40PmjcaIV1bjQ+aNxohfluND5o3GiGEG40PmjcaIY1
bjQ+aNxohvRuND5o3GiHgW40PmjcaIezbjQ+aNxoiABuND5o3GiIF240PmjcaIgf
bjQ+aNxoiD1uND5o3GiIVW40PmjcaIilbjQ+aNxoiLBuND5o3GiIzm40PmjcaIj/
bjQ+aNxoiQduND5o3GiJgW40PmjcaIm8bjQ+aNxoidILkGuzZsdbclNZaOXvMPrC
O+EHuA6+tacFI1bhURGBowFyaFZjgi3mOOdlKFnkJ0vnauZPIb12C3V6qhoHmhNy
fUBR/J2vCuXXv70BdSi/J0G8n+qxs7LctC34hJaQ7S4=
12. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
DOI 10.17487/RFC2782, February 2000,
<https://www.rfc-editor.org/info/rfc2782>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <https://www.rfc-editor.org/info/rfc3629>.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
Advanced Encryption Standard (AES) Cipher Algorithm in the
SNMP User-based Security Model", RFC 3826,
DOI 10.17487/RFC3826, June 2004,
<https://www.rfc-editor.org/info/rfc3826>.
Schanzenbach, et al. Expires 25 November 2020 [Page 30]
Internet-Draft The GNU Name System May 2020
[RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912,
DOI 10.17487/RFC3912, September 2004,
<https://www.rfc-editor.org/info/rfc3912>.
[RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
Key Derivation Function (HKDF)", RFC 5869,
DOI 10.17487/RFC5869, May 2010,
<https://www.rfc-editor.org/info/rfc5869>.
[RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework",
RFC 5890, DOI 10.17487/RFC5890, August 2010,
<https://www.rfc-editor.org/info/rfc5890>.
[RFC5891] Klensin, J., "Internationalized Domain Names in
Applications (IDNA): Protocol", RFC 5891,
DOI 10.17487/RFC5891, August 2010,
<https://www.rfc-editor.org/info/rfc5891>.
[RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
Operational Practices, Version 2", RFC 6781,
DOI 10.17487/RFC6781, December 2012,
<https://www.rfc-editor.org/info/rfc6781>.
[RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA
Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
April 2013, <https://www.rfc-editor.org/info/rfc6895>.
[RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature
Algorithm (DSA) and Elliptic Curve Digital Signature
Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
2013, <https://www.rfc-editor.org/info/rfc6979>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>.
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032,
DOI 10.17487/RFC8032, January 2017,
<https://www.rfc-editor.org/info/rfc8032>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
Schanzenbach, et al. Expires 25 November 2020 [Page 31]
Internet-Draft The GNU Name System May 2020
[TWOFISH] Schneier, B., "The Twofish Encryptions Algorithm: A
128-Bit Block Cipher, 1st Edition", March 1999.
[GNS] Wachs, M., Schanzenbach, M., and C. Grothoff, "A
Censorship-Resistant, Privacy-Enhancing and Fully
Decentralized Name System", 2014,
<https://doi.org/10.1007/978-3-319-12280-9_9>.
[R5N] Evans, N. S. and C. Grothoff, "R5N: Randomized recursive
routing for restricted-route networks", 2011,
<https://doi.org/10.1109/ICNSS.2011.6060022>.
[Argon2] Biryukov, A., Dinu, D., Khovratovich, D., and S.
Josefsson, "The memory-hard Argon2 password hash and
proof-of-work function", March 2020,
<https://datatracker.ietf.org/doc/draft-irtf-cfrg-
argon2/>.
Authors' Addresses
Martin Schanzenbach
GNUnet e.V.
Boltzmannstrasse 3
85748 Garching
Germany
Email: schanzen@gnunet.org
Christian Grothoff
Berner Fachhochschule
Hoeheweg 80
CH-2501 Biel/Bienne
Switzerland
Email: grothoff@gnunet.org
Bernd Fix
GNUnet e.V.
Boltzmannstrasse 3
85748 Garching
Germany
Email: fix@gnunet.org
Schanzenbach, et al. Expires 25 November 2020 [Page 32]