lsd0001

LSD0001: GNU Name System

commit 6ea4ff464f980130f7baed319552ef0e39c7e03d
parent 5f18c8152f8690b741e4869a0991fa655a261d08
Author: Schanzenbach, Martin <mschanzenbach@posteo.de>
Date:   Sun, 15 Dec 2019 22:15:06 +0100

update

Diffstat:
M draft-schanzen-gns.html | 22 +++++++++++++---------
M draft-schanzen-gns.txt  |  8 ++++----
M draft-schanzen-gns.xml  | 22 ++++++++++++----------
3 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/draft-schanzen-gns.html b/draft-schanzen-gns.html @@ -1866,6 +1866,7 @@ async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(le </dl> </section> </div> +<div id="recordencryption"> <section id="section-4.3"> <h3 id="name-record-data-encryption-and-"> <a href="#section-4.3" class="section-number selfRef">4.3. </a><a href="#name-record-data-encryption-and-" class="section-name selfRef">Record Data Encryption and Decryption</a> @@ -2002,6 +2003,7 @@ async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(le </pre><a href="#section-4.3-12" class="pilcrow">¶</a> </div> </section> +</div> </section> </div> <div id="encoding"> @@ -2053,12 +2055,13 @@ async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(le <ol start="1" type="1" class="normal" id="section-6.1-4"> <li id="section-6.1-4.1">Extract the right-most label from the name to look up.<a href="#section-6.1-4.1" class="pilcrow">¶</a> </li> - <li id="section-6.1-4.2">Calculate q using the label and zk.<a href="#section-6.1-4.2" class="pilcrow">¶</a> + <li id="section-6.1-4.2">Calculate q using the label and zk as defined in + <a href="#blinding" class="xref">Section 4.1</a>.<a href="#section-6.1-4.2" class="pilcrow">¶</a> </li> <li id="section-6.1-4.3">Perform a DHT query GET(q) to retrieve the RRBLOCK.<a href="#section-6.1-4.3" class="pilcrow">¶</a> </li> <li id="section-6.1-4.4">Verify and process the RRBLOCK and decrypt the BDATA contained - in it.<a href="#section-6.1-4.4" class="pilcrow">¶</a> + in it as defined in <a href="#recordencryption" class="xref">Section 4.3</a>.<a href="#section-6.1-4.4" class="pilcrow">¶</a> </li> </ol> <p id="section-6.1-5"> 
@@ -2079,7 +2082,7 @@ async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(le If the remainder of the name to resolve is not empty, the records result MUST consist of a single PKEY record, CNAME record, or one or more GNS2DNS records. Otherwise, resolution fails - and GNS returns an empty record set.<a href="#section-6.2-1" class="pilcrow">¶</a></p> + and the resolver MUST return an empty record set.<a href="#section-6.2-1" class="pilcrow">¶</a></p> <p id="section-6.2-2"> If the remainder of the name to resolve is empty and the records set does not consist of a PKEY, CNAME or DNS2GNS record, the record set @@ -2095,12 +2098,13 @@ async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(le recursively with the remainder of the name in the newly discovered GNS zone.<a href="#section-6.2.1-1" class="pilcrow">¶</a></p> <p id="section-6.2.1-2"> - If the remainder of the name to resolve is empty and we have received - a record set containing only a single PKEY record, the recursion is - continued with the PKEY as authoritative zone and the empty apex - label "@" as remaining name, except in the case where the desired - record type is PKEY, in which case the PKEY record is returned and - the resolution is concluded without resolving the empty apex label.<a href="#section-6.2.1-2" class="pilcrow">¶</a></p> + If the remainder of the name to resolve is empty and we have + received a record set containing only a single PKEY record, the + recursion is continued with the PKEY as authoritative zone and + the empty apex label "@" as remaining name, except in the case + where the desired record type is PKEY, in which case the PKEY + record is returned and the resolution is concluded without + resolving the empty apex label.<a href="#section-6.2.1-2" class="pilcrow">¶</a></p> </section> </div> <div id="gns2dns_processing"> diff --git a/draft-schanzen-gns.txt b/draft-schanzen-gns.txt 
@@ -849,12 +849,12 @@ Internet-Draft The GNU Name System November 2019 1. Extract the right-most label from the name to look up. - 2. Calculate q using the label and zk. + 2. Calculate q using the label and zk as defined in Section 4.1. 3. Perform a DHT query GET(q) to retrieve the RRBLOCK. 4. Verify and process the RRBLOCK and decrypt the BDATA contained in - it. + it as defined in Section 4.3. Upon receiving the RRBLOCK from the DHT, apart from verifying the provided signature, the resolver MUST check that the authoritative @@ -866,8 +866,8 @@ Internet-Draft The GNU Name System November 2019 If the remainder of the name to resolve is not empty, the records result MUST consist of a single PKEY record, CNAME record, or one or - more GNS2DNS records. Otherwise, resolution fails and GNS returns an - empty record set. + more GNS2DNS records. Otherwise, resolution fails and the resolver + MUST return an empty record set. If the remainder of the name to resolve is empty and the records set does not consist of a PKEY, CNAME or DNS2GNS record, the record set diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml @@ -702,7 +702,7 @@ </dd> </dl> </section> - <section numbered="true" toc="default"> + <section anchor="recordencryption" numbered="true" toc="default"> <name>Record Data Encryption and Decryption</name> <t> A symmetric encryption scheme is used to encrypt the resource records @@ -880,10 +880,11 @@ </t> <ol> <li>Extract the right-most label from the name to look up.</li> - <li>Calculate q using the label and zk.</li> + <li>Calculate q using the label and zk as defined in + <xref target="blinding" />.</li> <li>Perform a DHT query GET(q) to retrieve the RRBLOCK.</li> <li>Verify and process the RRBLOCK and decrypt the BDATA contained - in it.</li> + in it as defined in <xref target="recordencryption" />.</li> </ol> <t> Upon receiving the RRBLOCK from the DHT, apart from verifying the 
@@ -900,7 +901,7 @@ If the remainder of the name to resolve is not empty, the records result MUST consist of a single PKEY record, CNAME record, or one or more GNS2DNS records. Otherwise, resolution fails - and GNS returns an empty record set. + and the resolver MUST return an empty record set. </t> <t> If the remainder of the name to resolve is empty and the records set @@ -916,12 +917,13 @@ GNS zone. </t> <t> - If the remainder of the name to resolve is empty and we have received - a record set containing only a single PKEY record, the recursion is - continued with the PKEY as authoritative zone and the empty apex - label "@" as remaining name, except in the case where the desired - record type is PKEY, in which case the PKEY record is returned and - the resolution is concluded without resolving the empty apex label. + If the remainder of the name to resolve is empty and we have + received a record set containing only a single PKEY record, the + recursion is continued with the PKEY as authoritative zone and + the empty apex label "@" as remaining name, except in the case + where the desired record type is PKEY, in which case the PKEY + record is returned and the resolution is concluded without + resolving the empty apex label. </t> </section> <section anchor="gns2dns_processing" numbered="true" toc="default">
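Review bot: The `<div id="recordencryption">` opened in the first html hunk (@@ -1866) is only closed by the bare `+</div>` in the second html hunk (@@ -2002), and draft-schanzen-gns.html is xml2rfc output rather than a source file; confirm the html was regenerated from the xml (where `anchor="recordencryption"` is added at @@ -702) rather than patched by hand, so the wrapper div stays balanced with the `<section id="section-4.3">` it encloses.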
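Review bot: `<xref target="blinding" />` in the xml hunk at @@ -880 points at an anchor this change does not add, unlike `recordencryption` which is introduced at @@ -702; confirm that `anchor="blinding"` already exists on the Section 4.1 `<section>` in draft-schanzen-gns.xml, otherwise xml2rfc will fail on the unresolved target. The regenerated html and txt already render it as "Section 4.1", which suggests it does, but the diff alone cannot show this.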
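Review bot: In the 6.2 hunks (html @@ -2079, txt @@ -866, xml @@ -900) the normative sentence now reads "resolution fails and the resolver MUST return an empty record set", which makes a failed resolution indistinguishable from a successful lookup of a name that legitimately has no records; consider either stating that the client treats the empty set as an error in this case or giving the two outcomes distinct results. Also, the unchanged context line immediately below still says "PKEY, CNAME or DNS2GNS record" while the changed line uses "GNS2DNS"; that looks like a typo worth fixing in the same pass.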
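Review bot: The 6.2.1 hunks (html @@ -2095, xml @@ -916) are a whitespace-only rewrap with no change in wording, and mixing them into a commit that also changes normative text makes the diff harder to review and bisect; consider keeping rewraps in a separate commit. While that paragraph is being touched, "we have received" could become "the resolver has received" to match the third-person "the resolver MUST" wording introduced in 6.2.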