commit 264aa47c0e198c7cc5e69c1711bdfd09db22ffaf
parent bb8f0eb5a0fd4d58577a2ef2e39c1f3ae31196c3
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Mon, 20 Dec 2021 14:52:52 +0100
update
Diffstat:
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -378,8 +378,7 @@ zTLD := zkl[126:129].zkl[63:125].zkl[0:62]
A GNS implementor MUST provide a mechanism to create and manage resource
records for local zones. A local zone is established by selecting a
zone type and creating a zone
- key pair. Implementations SHOULD select a secure zone type automatically
- and not leave the zone type selection to the user.
+ key pair.
Records may be added to each zone, hence a (local) persistency
mechanism for resource records and zones must be provided.
This local zone database is used by the GNS resolver implementation
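Review bot: Dropping the sentence "Implementations SHOULD select a secure zone type automatically and not leave the zone type selection to the user" removes the only guidance in this paragraph on which zone type a local zone gets; if the SHOULD is being retired rather than relocated, the remaining text leaves zone type selection entirely unspecified. Consider keeping a pointer to wherever zone type selection is now covered, or retaining a weaker form such as "Implementations SHOULD NOT expose zone type selection to users unless necessary".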
@@ -1390,7 +1389,7 @@ q := SHA512 (HDKD-Public(zk, label))
<t>
In the following, we give examples how a local client resolver SHOULD
discover the start zone. The process given is not exhaustive and
- clients MAY suppliement it with other mechanisms or ignore it if the
+ clients MAY supplement it with other mechanisms or ignore it if the
particular application requires a different process.
</t>
<t>
@@ -1411,8 +1410,7 @@ Example name: www.example.<zTLD>
but users MAY choose to use longer names consisting of
multiple labels.
If the name of a locally managed zone matches the suffix
- of the name to be resolved,
- resolution SHOULD start from the respective local zone:
+ of the name to be resolved, resolution MUST start from the respective local zone:
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
Example name: www.example.org
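Review bot: Raising "resolution SHOULD start from the respective local zone" to MUST conflicts with the introduction of this section, which states that the start zone discovery process "is not exhaustive" and that clients MAY "ignore it if the particular application requires a different process". A MUST inside a procedure that clients are permitted to ignore is not testable for conformance; either scope the MUST ("if this process is used, resolution MUST start...") or tighten the introductory MAY.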
@@ -1426,11 +1424,11 @@ com = (d2,zk2)
]]></artwork>
<t>
Finally, additional "suffix to zone" mappings MAY be configured.
- Suffix to zone key mappings SHOULD be configurable through a local
+ Suffix to zone key mappings MUST be configurable through a local
configuration file or database by the user or system administrator.
The suffix MAY consist of multiple GNS labels concatenated with a
".". If multiple suffixes match the name to resolve, the longest
- matching suffix MUST BE used. The suffix length of two results
+ matching suffix MUST be used. The suffix length of two results
cannot be equal, as this would indicate a misconfiguration.
If both a locally managed zone and a configuration entry exist
for the same suffix, the locally managed zone MUST have priority.
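Review bot: The paragraph now makes suffix-to-zone mappings MUST-configurable and the longest match MUST-used, but the sentence "The suffix length of two results cannot be equal, as this would indicate a misconfiguration" still does not say what a resolver does when it encounters that misconfiguration. Since the surrounding requirements are now normative, specify the behaviour, for example "If two matching suffixes have equal length, the resolver MUST fail the resolution" or "MUST prefer the locally managed zone", so implementations do not silently pick an arbitrary zone key.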
@@ -1510,10 +1508,8 @@ example.com = zk2
and the resolver MUST return an empty record set.
Finally, after the recursion terminates, the client preferences
- for the record type SHOULD be considered. If a VPN record is found
- and the client requests an A or AAAA record, the VPN record
- SHOULD be converted (<xref target="vpn_processing" />)
- if possible.
+ for the record type MUST be considered and possible conversions such as
+ defined in <xref target="vpn_processing" /> MUST be performed.
</li>
</ol>
<section anchor="delegation_processing" numbered="true" toc="default">
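Review bot: The new wording "possible conversions such as defined in <xref target="vpn_processing" /> MUST be performed" pairs a MUST with an open-ended "such as", which leaves the set of required conversions undefined; a conformance requirement needs an enumerable set. Suggest either naming the conversions explicitly ("the conversions defined in <xref target="vpn_processing" /> MUST be performed") or keeping the generic MUST and stating that the only conversion currently defined is the VPN one. The phrase "such as defined in" should also read "such as those defined in".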
@@ -1586,7 +1582,7 @@ example.com = zk2
relative expiration time of one hour.
</t>
<t>
- GNS resolvers SHOULD offer a configuration
+ GNS resolvers MUST offer a configuration
option to disable DNS processing to avoid information leakage
and provide a consistent security profile for all name resolutions.
Such resolvers would return an empty record set upon encountering
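Review bot: Making the option to disable DNS processing a MUST is a useful hardening step, but the hunk does not state the default value of that option; a resolver that ships with DNS processing enabled by default still has the information-leakage profile this text is meant to address. Consider adding a sentence such as "The default value of this option is implementation-defined" or, more strongly, recommending that DNS processing be disabled by default.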
@@ -1710,7 +1706,7 @@ NICK: john (Supplemental)
resolution MUST fail with an empty result set.
</t>
<t>
- In order to revoke a zone key, a signed revocation object SHOULD be
+ In order to revoke a zone key, a signed revocation object MUST be
published.
This object MUST be signed using the private zone key.
The revocation object is flooded in the overlay network. To prevent
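Review bot: "In order to revoke a zone key, a signed revocation object MUST be published" reads as if publication were mandatory whenever a key exists, whereas the intent is that publication is the only valid way to revoke. A clearer normative form is "A zone key is revoked by publishing a signed revocation object; the revocation object MUST be signed using the private zone key", which also merges naturally with the following sentence instead of stating the signing requirement twice.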