lsd0001.xml (205085B)
1 <?xml version='1.0' encoding='utf-8'?> 2 <!DOCTYPE rfc [ 3 <!ENTITY nbsp " "> 4 <!ENTITY zwsp "​"> 5 <!ENTITY nbhy "‑"> 6 <!ENTITY wj "⁠"> 7 ]> 8 <rfc xmlns:xi="http://www.w3.org/2001/XInclude" 9 category="info" 10 docName="draft-schanzen-gns-28" 11 ipr="trust200902" 12 obsoletes="" 13 updates="" 14 sortRefs="false" 15 submissionType="independent" 16 symRefs="true" 17 tocDepth="3" 18 tocInclude="true" 19 xml:lang="en" 20 version="3"> 21 22 <!-- xml2rfc v2v3 conversion 2.26.0 --> 23 <front> 24 <title abbrev="The GNU Name System">The GNU Name System</title> 25 <seriesInfo name="LSD" value="0001"/> 26 <author fullname="Martin Schanzenbach" initials="M." surname="Schanzenbach"> 27 <organization>Fraunhofer AISEC</organization> 28 <address> 29 <postal> 30 <street>Lichtenbergstrasse 11</street> 31 <city>Garching</city> 32 <code>85748</code> 33 <country>Germany</country> 34 </postal> 35 <email>martin.schanzenbach@aisec.fraunhofer.de</email> 36 </address> 37 </author> 38 <author fullname="Christian Grothoff" initials="C." surname="Grothoff"> 39 <organization>Berner Fachhochschule</organization> 40 <address> 41 <postal> 42 <street>Hoeheweg 80</street> 43 <city>Biel/Bienne</city> 44 <code>2501</code> 45 <country>Switzerland</country> 46 </postal> 47 <email>christian.grothoff@bfh.ch</email> 48 </address> 49 </author> 50 <author fullname="Bernd Fix" initials="B." surname="Fix"> 51 <organization>GNUnet e.V.</organization> 52 <address> 53 <postal> 54 <street>Boltzmannstrasse 3</street> 55 <city>Garching</city> 56 <code>85748</code> 57 <country>Germany</country> 58 </postal> 59 <email>fix@gnunet.org</email> 60 </address> 61 </author> 62 <date month="November" year="2023"/> 63 <workgroup>GNUnet</workgroup> 64 <keyword>name systems</keyword> 65 66 <abstract> 67 <t> 68 This document provides the GNU Name System (GNS) technical 69 specification. 70 GNS is a decentralized and censorship-resistant domain name 71 resolution protocol that provides a privacy-enhancing alternative to the 72 Domain Name System (DNS) protocols. 73 </t> 74 <t> 75 This document defines the normative wire format of resource records, 76 resolution processes, cryptographic routines, and security and privacy 77 considerations for use by implementers. 78 </t> 79 <t> 80 This specification was developed outside the IETF and does not have 81 IETF consensus. It is published here to inform readers about the 82 function of GNS, guide future GNS implementations, and ensure 83 interoperability among implementations (for example, pre-existing 84 GNUnet implementations). 85 </t> 86 <t> 87 Additionally, this is the continued-maintenance version of RFC 9498 which 88 is being updated as the work progresses: The Living Standards Document 0001 (LSD0001). 89 </t> 90 </abstract> 91 </front> 92 <middle> 93 <section anchor="introduction"> 94 <name>Introduction</name> 95 <t> 96 This specification describes the GNU Name System (GNS), a 97 censorship-resistant, privacy-preserving, and decentralized 98 domain name resolution protocol. GNS cryptographically secures 99 the binding of names to arbitrary tokens, enabling it to double 100 in some respects as an alternative to some of today's public 101 key infrastructures. 102 </t> 103 <t> 104 Per Domain Name System (DNS) terminology <xref target="RFC1035"/>, GNS roughly follows the idea of a local 105 root zone deployment (see <xref target="RFC8806"/>), with the 106 difference that the design encourages alternative roots and 107 does not expect all deployments to use the same or any specific 108 root zone. In the GNS reference implementation, users can 109 autonomously and freely delegate control of names to zones 110 through their local configurations. 111 GNS expects each user to be in control of their setup. 112 By following the guidelines in <xref target="namespace_ambiguity"/>, 113 users should manage to avoid any confusion as to how names are 114 resolved. 115 </t> 116 <t> 117 Name resolution and zone dissemination are based on the 118 principle of a petname system where users can assign local 119 names to zones. The GNS has its roots in ideas from the Simple 120 Distributed Security Infrastructure <xref target="SDSI"/>, 121 enabling the decentralized mapping of secure identifiers to 122 memorable names. One of the first academic descriptions of the 123 cryptographic ideas behind GNS can be found in <xref target="GNS"/>. 124 </t> 125 <t> 126 This document defines the normative wire format of resource 127 records, resolution processes, cryptographic routines, and 128 security and privacy considerations for use by implementers. 129 </t> 130 <section> 131 <name>Requirements Notation</name> 132 <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", 133 "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", 134 "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", 135 "<bcp14>SHOULD NOT</bcp14>", 136 "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", 137 "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document 138 are to be interpreted as described in BCP 14 139 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only 140 when, they appear in all capitals, as shown here.</t> 141 </section> 142 </section> 143 <section> 144 <name>Terminology</name> 145 <dl newline="false"> 146 <dt>Apex Label:</dt> 147 <dd> 148 This type of label is used to publish resource 149 records in a zone that can be resolved without providing a specific 150 label. It is the GNS method for providing what is called the "zone apex" in DNS 151 <xref target="RFC4033"/>. 152 The apex label is represented using the character U+0040 ("@" without the quotes). 153 </dd> 154 <dt>Application:</dt> 155 <dd> 156 An application is a component that uses a GNS implementation 157 to resolve names into records and processes its contents. 158 </dd> 159 <dt>Blinded Zone Key:</dt> 160 <dd> 161 A blinded zone key is a key derived from a zone key and a label. 162 The zone key and any blinded zone key derived from it are unlinkable 163 without knowledge of the specific label used for the derivation. 164 </dd> 165 <dt>Extension Label:</dt> 166 <dd> 167 This type of label is used to refer to the authoritative zone that the record is in. 168 The primary use for the extension label is in redirections where the redirection 169 target is defined relative to the authoritative zone of the redirection 170 record (see <xref target="gnsrecords_redirect"/>). 171 The extension label is represented using the character U+002B ("+" without the quotes). 172 </dd> 173 <dt>Label Separator:</dt> 174 <dd> 175 Labels in a name are separated using the label separator U+002E 176 ("." without the quotes). 177 In GNS, except for zone Top-Level Domains (zTLDs) 178 (see below) and boxed records (see <xref target="gnsrecords_box"/>), 179 every label separator in a name indicates delegation to another zone. 180 </dd> 181 <dt>Label:</dt> 182 <dd> 183 A GNS label is a label as defined in <xref target="RFC8499"/>. 184 Labels are UTF-8 strings in Unicode 185 Normalization Form C (NFC) <xref target="Unicode-UAX15"/>. 186 The apex label and the extension label have 187 special purposes in the resolution protocol that are defined 188 in the rest of this document. 189 Zone administrators <bcp14>MAY</bcp14> disallow certain labels that 190 might be easily confused with other labels through registration policies 191 (see also <xref target="security_abuse"/>). 192 </dd> 193 <dt>Name:</dt> 194 <dd> 195 A name in GNS is a domain name as defined in <xref target="RFC8499"/>: 196 names are UTF-8 strings <xref target="RFC3629"/> consisting of an 197 ordered list of labels concatenated with a label separator. 198 Names are resolved starting from the rightmost label. 199 GNS does not impose length restrictions on names or labels. 200 However, applications <bcp14>MAY</bcp14> ensure that name and label lengths are 201 compatible with DNS and, in particular, Internationalized Domain Names for 202 Applications (IDNA) <xref target="RFC5890"/>. 203 In the spirit of <xref target="RFC5895"/>, applications <bcp14>MAY</bcp14> preprocess 204 names and labels to ensure compatibility with DNS or support 205 specific user expectations -- for example, according to 206 <xref target="Unicode-UTS46"/>. 207 A GNS name may be indistinguishable from a DNS name, and care must 208 be taken by applications and implementers when handling GNS names 209 (see <xref target="namespace_ambiguity"/>). 210 In order to avoid misinterpretation of example domains with (reserved) 211 DNS domains, this document uses the suffix ".gns.alt" in compliance with 212 <xref target="RFC9476"/>. ".gns.alt" is also registered in the GANA ".alt Subdomains" registry 213 <xref target="GANA"/>. 214 </dd> 215 <dt>Resolver:</dt> 216 <dd> 217 In this document, a resolver is the component of a GNS implementation that provides 218 the recursive name resolution logic defined in 219 <xref target="resolution"/>. 220 </dd> 221 <dt>Resource Record:</dt> 222 <dd> 223 A GNS resource record is the information associated with a label in a 224 GNS zone. 225 A GNS resource record contains information as defined by its 226 resource record type. 227 </dd> 228 <dt>Start Zone:</dt> 229 <dd> 230 In order to resolve any given GNS name, an initial Start Zone must be 231 determined for this name. 232 The Start Zone can be explicitly defined as part of the name using a 233 zTLD. 234 Otherwise, it is determined through a local suffix-to-zone mapping 235 (see <xref target="governance"/>). 236 </dd> 237 <dt>Top-Level Domain (TLD):</dt> 238 <dd> 239 The rightmost part of a GNS name is a GNS TLD. 240 A GNS TLD can consist of one or more labels. 241 Unlike DNS TLDs (defined in <xref target="RFC8499"/>), 242 GNS does not expect all users to use the same global root zone. Instead, 243 with the exception of zTLDs (see <xref target="zTLD"/>), 244 GNS TLDs are typically part of the configuration of the local resolver 245 (see <xref target="governance"/>) and thus might not be globally unique. 246 </dd> 247 <dt>Zone:</dt> 248 <dd> 249 A GNS zone contains authoritative information (resource records). 250 A zone is uniquely identified by its zone key. Unlike DNS zones, 251 a GNS zone does not need to have an SOA record under the apex label. 252 </dd> 253 <dt>Zone Key:</dt> 254 <dd> 255 The zone key is a key that uniquely identifies a zone. 256 It is usually a public key of an asymmetric key pair. 257 However, the established technical term "public key" is misleading, 258 as in GNS a zone key may be a shared secret 259 that should not be disclosed to unauthorized parties. 260 </dd> 261 <dt>Zone Key Derivation Function:</dt> 262 <dd> 263 The zone key derivation function (ZKDF) blinds a zone key using a label. 264 </dd> 265 <dt>Zone Publisher:</dt> 266 <dd> 267 The zone publisher is the component of a GNS implementation that provides 268 local zone management and publication as defined in 269 <xref target="publish"/>. 270 </dd> 271 <dt>Zone Owner:</dt> 272 <dd> 273 The zone owner is the holder of the secret (typically a private key), 274 which (together with a label and a value to sign) allows the creation of zone 275 signatures that can be validated against the respective blinded zone key. 276 </dd> 277 <dt>Zone Top-Level Domain (zTLD):</dt> 278 <dd> 279 A GNS zTLD is a sequence of GNS labels at 280 the end of a GNS name. The zTLD encodes a zone type and 281 zone key of a zone (see <xref target="zTLD"/>). 282 Due to the statistical uniqueness of zone keys, zTLDs are also globally unique. 283 A zTLD label sequence can only be distinguished from ordinary TLD label sequences 284 by attempting to decode the labels into a zone type and zone key. 285 </dd> 286 <dt>Zone Type:</dt> 287 <dd> 288 The type of a GNS zone determines the cipher system and binary encoding 289 format of the zone key, blinded zone keys, and cryptographic signatures. 290 </dd> 291 </dl> 292 </section> 293 <section anchor="overview"> 294 <name>Overview</name> 295 <t> 296 GNS exhibits the three properties that are commonly used to describe 297 a petname system: 298 </t> 299 <dl newline="true"> 300 <dt> 301 Global names through the concept of zTLDs:</dt><dd>As zones can be uniquely identified by their zone keys 302 and are statistically unique, zTLDs are globally unique mappings to zones. 303 Consequently, GNS domain names with a zTLD suffix are also globally unique. 304 Names with zTLD suffixes are not memorable.</dd> 305 <dt> 306 Memorable petnames for zones:</dt> 307 <dd>Users can configure local, memorable references to zones. 308 Such petnames serve as zTLD monikers that provide 309 convenient names for zones to the local operator. 310 The petnames may also be published as suggestions for other 311 users searching for a good label to use when referencing the 312 respective zone.</dd> 313 <dt> 314 A secure mapping from names to records:</dt> 315 <dd>GNS allows zone owners to map labels to resource records or to 316 delegate authority of names in the subdomain induced by a label to other zones. 317 Zone owners may choose to publish this information to make it 318 available to other users. 319 Mappings are encrypted and signed 320 using keys derived from the respective label before being published in remote storage. 321 When names are resolved, signatures on resource records, 322 including delegations, are verified by the recursive resolver.</dd> 323 </dl> 324 <t> 325 In the remainder of this document, the "implementer" refers to the developer building 326 a GNS implementation that includes the resolver, zone publisher, and 327 supporting configuration such as Start Zones (see <xref target="governance"/>). 328 </t> 329 <section anchor="names"> 330 <name>Names and Zones</name> 331 <t> 332 It follows from the above that GNS does not support names that are 333 simultaneously global, secure, and memorable. 334 Instead, names are either global and not memorable or not globally 335 unique and memorable. 336 An example for a global name pointing to the record "example" in 337 a zone is as follows: 338 </t> 339 <sourcecode> 340 example.000G006K2TJNMD9VTCYRX7BRVV3HAEPS15E6NHDXKPJA1KAJJEG9AFF884 341 </sourcecode> 342 <t> 343 Now consider the case where a user locally configured the petname 344 "pet.gns.alt" for the zone with the "example" record of the name 345 above. 346 The name "example.pet.gns.alt" would then point to the same record as the 347 globally unique name above, but name resolution would only 348 work on the local system where the "pet.gns.alt" petname is 349 configured. 350 </t> 351 <t> 352 The delegation of petnames and subsequent resolution of delegation 353 build on ideas from the Simple Distributed Security Infrastructure 354 <xref target="SDSI"/>. 355 In GNS, any user can create and manage any number of zones 356 (see <xref target="zones"/>) if their system provides a zone publisher implementation. 357 For each zone, the zone type determines the respective set of cryptographic operations 358 and the wire formats for encrypted data, public keys, and signatures. 359 A zone can be populated with mappings from labels to resource records 360 (see <xref target="rrecords"/>) by its owner. 361 A label can be mapped to a delegation record; this results in the 362 corresponding subdomain being delegated to another zone. Circular 363 delegations are explicitly allowed, including delegating a subdomain 364 to its immediate parent zone. In 365 order to support (legacy) applications as well as to facilitate the use 366 of petnames, GNS defines auxiliary record types in addition to 367 supporting existing DNS records. 368 </t> 369 </section> 370 <section anchor="publishing"> 371 <name>Publishing Binding Information</name> 372 <t> 373 Zone contents are encrypted and signed 374 before being published in remote key-value storage (see <xref target="publish"/>), 375 as illustrated in <xref target="figure_arch_publish"/>. 376 In this process, unique zone identification is hidden from the network 377 through the use of key blinding. 378 Key blinding allows the creation of signatures for zone contents 379 using a blinded public/private key pair. 380 This blinding is realized using a deterministic key 381 derivation from 382 the original zone key and corresponding private key using record label values 383 as inputs from which blinding factors are derived. 384 Specifically, the zone owner can derive blinded private keys for each record 385 set published under a label, and a 386 resolver can derive the corresponding blinded public keys. 387 It is expected that GNS implementations use decentralized remote 388 storage entities, such as distributed hash tables (DHTs), in order to facilitate 389 availability within a network without the need for dedicated infrastructure. 390 The specification of such a distributed or decentralized storage entity is out of 391 scope for this document, but possible existing implementations include those 392 based on <xref target="RFC7363"/>, <xref target="Kademlia"/>, or 393 <xref target="R5N"/>. 394 </t> 395 <figure anchor="figure_arch_publish"> 396 <name>An Example Diagram of Two Hosts Publishing GNS Zones</name> 397 <artwork name="" type="" alt=""> 398 Host A | Remote | Host B 399 | Storage | 400 | | 401 | +---------+ | 402 | / /| | 403 Publish | +---------+ | | Publish 404 +-----------+ Records | | | | | Records +-----------+ 405 | Zone |----------|->| Record | |<-|----------| Zone | 406 | Publisher | | | Storage | | | | Publisher | 407 +-----------+ | | |/ | +-----------+ 408 A | +---------+ | A 409 | | | | 410 +---------+ | | +---------+ 411 / | /| | | / | /| 412 +---------+ | | | +---------+ | 413 | | | | | | | | 414 | Local | | | | | Local | | 415 | Zones | | | | | Zones | | 416 | |/ | | | |/ 417 +---------+ | | +---------+ 418 </artwork> 419 </figure> 420 <t> 421 A zone publisher implementation <bcp14>SHOULD</bcp14> be provided as 422 part of a GNS implementation to enable users to create and manage zones. 423 If this functionality is not implemented, names can still be resolved 424 if zone keys for the initial step in the name resolution have been 425 configured (see <xref target="resolution"/>) or if the names end with a 426 zTLD suffix. 427 </t> 428 </section> 429 <section anchor="resolving"> 430 <name>Resolving Names</name> 431 <t> 432 Applications use the resolver to look up GNS names. 433 Starting from a configurable Start Zone, names are resolved by following zone 434 delegations recursively, as illustrated in <xref target="figure_arch_resolv"/>. 435 For each label in a name, the recursive GNS resolver 436 fetches the respective record set from the storage layer (see <xref target="resolution"/>). 437 Without knowledge of the label values and the zone keys, the 438 different derived keys are unlinkable to both the original zone key and each 439 other. 440 This prevents zone enumeration (except via expensive online 441 brute-force attacks): to confirm the affiliation of a 442 query or the corresponding encrypted record set with a 443 specific zone requires knowledge of both the zone key and the label, 444 neither of which is disclosed to remote storage by the protocol. 445 At the same time, the blinded zone key and digital signatures 446 associated with each encrypted record set allow resolvers and oblivious remote 447 storage to verify the integrity of the published information 448 without disclosing anything about the originating zone or the record sets. 449 </t> 450 <figure anchor="figure_arch_resolv"> 451 <name>High-Level View of the GNS Resolution Process</name> 452 <artwork name="" type="" alt=""> 453 Local Host | Remote 454 | Storage 455 | 456 | +---------+ 457 | / /| 458 | +---------+ | 459 +-----------+ Name +----------+ Recursive | | | | 460 | | Lookup | | Resolution | | Record | | 461 |Application|--------->| Resolver |-------------|->| Storage | | 462 | |<---------| |<------------|--| |/ 463 +-----------+ Results +----------+ Intermediate| +---------+ 464 A Results | 465 | | 466 +---------+ | 467 / | /| | 468 +---------+ | | 469 | | | | 470 | Start | | | 471 | Zones | | | 472 | |/ | 473 +---------+ | 474 </artwork> 475 </figure> 476 </section> 477 </section> 478 <section anchor="zones"> 479 <name>Zones</name> 480 <t> 481 A zone in GNS is uniquely identified by its zone type (ztype) and zone key. 482 Each zone can be referenced by its zTLD 483 (see <xref target="zTLD"/>), which is a string that encodes the zone type and zone key. 484 The ztype is a unique 32-bit number that corresponds to 485 a resource record type number identifying a delegation record type 486 in the GANA "GNS Record Types" registry <xref target="GANA"/>. 487 The ztype is a unique identifier for the set cryptographic functions 488 of the zone and the format of the delegation record type. 489 Any ztype registration <bcp14>MUST</bcp14> define the following set of cryptographic functions: 490 </t> 491 <dl newline="true"> 492 <dt>KeyGen() -> d, zkey</dt> 493 <dd> 494 A function for generating a new private key d and 495 the corresponding public zone key zkey. 496 </dd> 497 <dt>ZKDF(zkey, label) -> zkey'</dt> 498 <dd> 499 A ZKDF that blinds a zone key zkey 500 using a label. zkey and zkey' must be unlinkable. Furthermore, 501 blinding zkey with different values for the label must result 502 in different, unlinkable zkey' values. 503 </dd> 504 <dt>S-Encrypt(zkey, label, expiration, plaintext) -> ciphertext</dt> 505 <dd> 506 A symmetric encryption function that encrypts the plaintext 507 to derive ciphertext based on key material derived from the zone key zkey, 508 a label, and an expiration timestamp. 509 In order to leverage performance-enhancing caching features of certain 510 underlying storage entities -- in particular, DHTs -- a deterministic encryption 511 scheme is recommended. 512 </dd> 513 <dt>S-Decrypt(zkey, label, expiration, ciphertext) -> plaintext</dt> 514 <dd> 515 A symmetric decryption function that decrypts the ciphertext 516 into plaintext based on key material derived from the zone key, 517 a label, and an expiration timestamp. 518 </dd> 519 <dt>Sign(d, message) -> signature</dt> 520 <dd> 521 A function for signing a message using the private 522 key d, yielding an unforgeable cryptographic signature. 523 In order to leverage performance-enhancing caching features of certain 524 underlying storage entities -- in particular, DHTs -- a deterministic signature 525 scheme is recommended. 526 </dd> 527 <dt>Verify(zkey, message, signature) -> boolean</dt> 528 <dd> 529 A function for verifying that the signature was created using 530 the private key d corresponding to the zone key zkey 531 where d,zkey := KeyGen(). 532 The function returns a boolean value of "TRUE" if the signature is valid 533 and "FALSE" otherwise. 534 </dd> 535 <dt>SignDerived(d, label, message) -> signature</dt> 536 <dd> 537 A function for signing a message (typically encrypted record data) that 538 can be verified using the derived zone key zkey' := ZKDF(zkey, label). 539 In order to leverage performance-enhancing caching features of certain 540 underlying storage entities -- in particular, DHTs -- a deterministic signature 541 scheme is recommended. 542 </dd> 543 <dt>VerifyDerived(zkey', message, signature) -> boolean</dt> 544 <dd> 545 A function for verifying the signature using the derived zone key 546 zkey' := ZKDF(zkey, label). The function returns a boolean value 547 of "TRUE" if the signature is valid and "FALSE" otherwise. Depending 548 on the signature scheme used, this function can be identical to 549 the Verify() function. 550 </dd> 551 </dl> 552 <t> 553 The cryptographic functions of the default ztypes are specified with 554 their corresponding delegation records as discussed in <xref target="gnsrecords_delegation"/>. 555 In order to support cryptographic agility, additional ztypes <bcp14>MAY</bcp14> 556 be defined in the future that replace or update the default ztypes defined in this 557 document. 558 All ztypes <bcp14>MUST</bcp14> be registered as dedicated zone delegation 559 record types in the GANA "GNS Record Types" registry (see <xref target="GANA"/>). 560 When defining new record types, the cryptographic security considerations 561 of this document -- in particular, <xref target="security_cryptography"/> -- apply. 562 </t> 563 <section anchor="zTLD"> 564 <name>Zone Top-Level Domain (zTLD)</name> 565 <t> 566 A zTLD is a string that encodes the 567 zone type and zone key into a domain name suffix. 568 A zTLD is used as a globally unique reference to a 569 zone in the process of name resolution. 570 It is created by encoding a binary concatenation of the zone type and 571 zone key (see <xref target="figure_zid"/>). 572 The used encoding is a variation of the Crockford Base32 encoding 573 <xref target="CrockfordB32"/> called Base32GNS. 574 The encoding and decoding symbols for Base32GNS, including this 575 variation, are defined in <xref target="CrockfordB32Encode"/>, found in <xref target="app-c"/>. 576 The functions for encoding and decoding based on <xref target="CrockfordB32Encode"/> are called 577 Base32GNS-Encode and Base32GNS-Decode, respectively. 578 </t> 579 <figure anchor="figure_zid"> 580 <name>The Binary Representation of the zTLD</name> 581 <artwork name="" type="" alt=""> 582 0 8 16 24 32 40 48 56 583 +-----+-----+-----+-----+-----+-----+-----+-----+ 584 | ZONE TYPE | ZONE KEY / 585 +-----+-----+-----+-----+ / 586 / / 587 / / 588 +-----+-----+-----+-----+-----+-----+-----+-----+ 589 </artwork> 590 </figure> 591 <t> 592 The ZONE TYPE <bcp14>MUST</bcp14> be encoded in network byte order. The format 593 of the ZONE KEY depends entirely on the ZONE TYPE. 594 </t> 595 <t> 596 Consequently, a zTLD is encoded and decoded as follows: 597 </t> 598 <artwork name="" type="" alt=""> 599 zTLD := Base32GNS-Encode(ztype||zkey) 600 ztype||zkey := Base32GNS-Decode(zTLD) 601 </artwork> 602 <t> 603 where "||" is the concatenation operator. 604 </t> 605 <t> 606 The zTLD can be used "as is" as a rightmost label in a GNS name. 607 If an application wants to ensure DNS compatibility of the name, 608 it <bcp14>MAY</bcp14> also represent the zTLD as follows: 609 if the zTLD is less than or equal to 63 characters, it can 610 be used as a zTLD as is. 611 If the zTLD is longer than 63 characters, the 612 zTLD is divided into smaller labels separated by the label separator. 613 Here, the most significant bytes of the "ztype||zkey" concatenation 614 must be contained in the rightmost label of the resulting string and 615 the least significant bytes in the leftmost label of the resulting string. This allows the 616 resolver to determine the ztype and zTLD length from the rightmost 617 label and to subsequently determine how many labels the zTLD should span. 618 A GNS implementation <bcp14>MUST</bcp14> support the division of zTLDs 619 in DNS-compatible label lengths. 620 For example, assuming a zTLD of 130 characters, the division is as follows: 621 </t> 622 <artwork name="" type="" alt=""> 623 zTLD[126..129].zTLD[63..125].zTLD[0..62] 624 </artwork> 625 </section> 626 <section anchor="revocation"> 627 <name>Zone Revocation</name> 628 <t> 629 In order to revoke a zone key, a signed revocation message <bcp14>MUST</bcp14> be 630 published. 631 This message <bcp14>MUST</bcp14> be signed using the private key of the zone. 632 The revocation message is broadcast to the network. 633 The specification of the broadcast mechanism is out of scope for this 634 document. 635 A possible broadcast mechanism for efficient flooding in a distributed 636 network is implemented in <xref target="GNUnet"/>. 637 Alternatively, revocation messages could also be distributed via a 638 distributed ledger or a trusted central server. 639 To prevent 640 flooding attacks, the revocation message <bcp14>MUST</bcp14> contain a proof of work 641 (PoW). 642 The revocation message, including the PoW, <bcp14>MAY</bcp14> be calculated 643 ahead of time to support timely revocation. 644 </t> 645 <t> 646 For all occurrences below, "Argon2id" is the password-based key 647 derivation function as defined in <xref target="RFC9106"/>. For the 648 PoW calculations, the algorithm is instantiated with the 649 following parameters: 650 </t> 651 <dl newline="false"> 652 <dt>S:</dt> 653 <dd>The salt. Fixed 16-byte string: "GnsRevocationPow"</dd> 654 <dt>t:</dt> 655 <dd>Number of iterations: 3</dd> 656 <dt>m:</dt> 657 <dd>Memory size in KiB: 1024</dd> 658 <dt>T:</dt> 659 <dd>Output length of hash in bytes: 64</dd> 660 <dt>p:</dt> 661 <dd>Parallelization parameter: 1</dd> 662 <dt>v:</dt> 663 <dd>Algorithm version: 0x13</dd> 664 <dt>y:</dt> 665 <dd>Algorithm type (Argon2id): 2</dd> 666 <dt>X:</dt> 667 <dd>Unused</dd> 668 <dt>K:</dt> 669 <dd>Unused</dd> 670 </dl> 671 <t> 672 <xref target="figure_revocation"/> illustrates the format 673 of the data "P" on which the PoW is calculated. 674 </t> 675 <figure anchor="figure_revocation"> 676 <name>The Format of the PoW Data</name> 677 <artwork name="" type="" alt=""> 678 0 8 16 24 32 40 48 56 679 +-----+-----+-----+-----+-----+-----+-----+-----+ 680 | POW | 681 +-----------------------------------------------+ 682 | TIMESTAMP | 683 +-----------------------------------------------+ 684 | ZONE TYPE | ZONE KEY / 685 +-----+-----+-----+-----+ / 686 / / 687 / / 688 +-----+-----+-----+-----+-----+-----+-----+-----+ 689 </artwork> 690 </figure> 691 <dl newline="false"> 692 <dt>POW:</dt> 693 <dd> 694 A 64-bit value that is a solution to the PoW. In network byte order. 695 </dd> 696 <dt>TIMESTAMP:</dt> 697 <dd> 698 Denotes the absolute 64-bit date when the revocation was computed. 699 In microseconds since midnight (0 hour), January 1, 1970 UTC in network 700 byte order. 701 </dd> 702 <dt>ZONE TYPE:</dt> 703 <dd> 704 The 32-bit zone type in network byte order. 705 </dd> 706 <dt>ZONE KEY:</dt> 707 <dd> 708 The 256-bit public key zkey of the zone that is being revoked. 709 The wire format of this value is defined by the ZONE TYPE. 710 </dd> 711 </dl> 712 <t> 713 Usually, PoW schemes require that one POW value be found, such that 714 a specific number of leading zeroes are found in the hash result. 715 This number is then referred to as the difficulty of the PoW. 716 In order to reduce the variance in time it takes to calculate the 717 PoW, a valid GNS revocation requires that a number of different PoWs (Z, as defined below) 718 must be found that on average have at least D leading zeroes. 719 </t> 720 <t> 721 Given an average difficulty of D, the proofs have an 722 expiration time of EPOCH. Applications <bcp14>MAY</bcp14> calculate proofs 723 with a difficulty that is higher than D by providing POW 724 values where there are (on average) more than D bits of leading zeroes. 725 With each additional bit of difficulty, the 726 lifetime of the proof is prolonged by another EPOCH. 727 Consequently, by calculating a more difficult PoW, the lifetime of the 728 proof -- and thus the persistence of the revocation message -- 729 can be increased on demand by the zone owner. 730 </t> 731 <t> 732 The parameters are defined as follows: 733 </t> 734 <dl newline="false"> 735 <dt>Z:</dt> 736 <dd>The number of PoWs that are required. Its value is fixed at 32.</dd> 737 <dt>D:</dt> 738 <dd>The lower limit of the average difficulty. Its value is fixed at 22.</dd> 739 <dt>EPOCH:</dt> 740 <dd>A single epoch. Its value is fixed at 365 days in microseconds.</dd> 741 </dl> 742 <t> 743 The revocation message wire format is illustrated in 744 <xref target="figure_revocationdata"/>. 745 </t> 746 <figure anchor="figure_revocationdata"> 747 <name>The Revocation Message Wire Format</name> 748 <artwork name="" type="" alt=""> 749 0 8 16 24 32 40 48 56 750 +-----+-----+-----+-----+-----+-----+-----+-----+ 751 | TIMESTAMP | 752 +-----+-----+-----+-----+-----+-----+-----+-----+ 753 | TTL | 754 +-----+-----+-----+-----+-----+-----+-----+-----+ 755 | POW_0 | 756 +-----+-----+-----+-----+-----+-----+-----+-----+ 757 | ... | 758 +-----+-----+-----+-----+-----+-----+-----+-----+ 759 | POW_(Z-1) | 760 +-----------------------------------------------+ 761 | ZONE TYPE | ZONE KEY / 762 +-----+-----+-----+-----+ / 763 / / 764 / / 765 +-----+-----+-----+-----+-----+-----+-----+-----+ 766 / SIGNATURE / 767 / / 768 / / 769 / / 770 +-----+-----+-----+-----+-----+-----+-----+-----+ 771 </artwork> 772 </figure> 773 <dl newline="false"> 774 <dt>TIMESTAMP:</dt> 775 <dd> 776 Denotes the absolute 64-bit date when the revocation was computed. 777 In microseconds since midnight (0 hour), January 1, 1970 UTC in network 778 byte order. This is the same value as the timestamp used in the 779 individual PoW calculations. 780 </dd> 781 <dt>TTL:</dt> 782 <dd> 783 Denotes the relative 64-bit time to live of the record in 784 microseconds in network byte order. 785 The field <bcp14>SHOULD</bcp14> be set to EPOCH * 1.1. 786 Given an average number of leading zeroes D', then the field value 787 <bcp14>MAY</bcp14> be increased up to (D'-D+1) * EPOCH * 1.1. 788 Validators <bcp14>MAY</bcp14> reject messages with lower or higher 789 values when received. 790 </dd> 791 <dt>POW_i:</dt> 792 <dd> 793 The values calculated as part of the PoW, in network byte order. 794 Each POW_i <bcp14>MUST</bcp14> be unique in the set of POW values. 795 To facilitate fast verification 796 of uniqueness, the POW values <bcp14>MUST</bcp14> be given in strictly 797 monotonically increasing order in the message. 798 </dd> 799 <dt>ZONE TYPE:</dt> 800 <dd> 801 The 32-bit zone type corresponding to the zone key in network byte order. 802 </dd> 803 <dt>ZONE KEY:</dt> 804 <dd> 805 The public key zkey of the zone that is being revoked and 806 the key to be used to verify SIGNATURE. 807 </dd> 808 <dt>SIGNATURE:</dt> 809 <dd> 810 A signature over a timestamp and the zone zkey of the zone 811 that is revoked and corresponds to the key used in the PoW. 812 The signature is created using the Sign() function of 813 the cryptosystem of the zone and the private key 814 (see <xref target="zones"/>). 815 </dd> 816 </dl> 817 <t> 818 The signature in the revocation message covers a 32-bit header 819 prefixed to the TIMESTAMP, ZONE TYPE, and ZONE KEY fields. 820 The header includes the key length and signature purpose. 821 The wire format is illustrated 822 in <xref target="figure_revsigwithpseudo"/>. 823 </t> 824 <figure anchor="figure_revsigwithpseudo"> 825 <name>The Wire Format of the Revocation Data for Signing</name> 826 <artwork name="" type="" alt=""> 827 0 8 16 24 32 40 48 56 828 +-----+-----+-----+-----+-----+-----+-----+-----+ 829 | SIZE | PURPOSE (0x03) | 830 +-----+-----+-----+-----+-----+-----+-----+-----+ 831 | TIMESTAMP | 832 +-----+-----+-----+-----+-----+-----+-----+-----+ 833 | ZONE TYPE | ZONE KEY / 834 +-----+-----+-----+-----+ / 835 / / 836 / / 837 +-----+-----+-----+-----+-----+-----+-----+-----+ 838 </artwork> 839 </figure> 840 <dl newline="false"> 841 <dt>SIZE:</dt> 842 <dd> 843 A 32-bit value containing the length of the signed data in bytes 844 in network byte order. 845 </dd> 846 <dt>PURPOSE:</dt> 847 <dd> 848 A 32-bit signature purpose flag. 849 The value of this field <bcp14>MUST</bcp14> be 3. 850 The value is encoded in network byte order. 851 It defines the context in which 852 the signature is created so that it cannot be reused in other parts 853 of the protocol that might include possible future extensions. 854 The value of this field corresponds to an entry in the 855 GANA "GNUnet Signature Purposes" registry <xref target="GANA"/>. 856 </dd> 857 <dt>TIMESTAMP:</dt> 858 <dd> 859 Field as defined in the revocation message above. 860 </dd> 861 <dt>ZONE TYPE:</dt> 862 <dd> 863 Field as defined in the revocation message above. 864 </dd> 865 <dt>ZONE KEY:</dt> 866 <dd>Field as defined in the revocation message above.</dd> 867 </dl> 868 <t> 869 In order to validate a revocation, the following steps <bcp14>MUST</bcp14> be taken: 870 </t> 871 <ol> 872 <li>The signature <bcp14>MUST</bcp14> be verified against the zone key.</li> 873 <li>The set of POW values <bcp14>MUST NOT</bcp14> contain duplicates; this <bcp14>MUST</bcp14> be checked by verifying that the values are strictly monotonically increasing.</li> 874 <li>The average number of leading zeroes D' resulting from the provided 875 POW values <bcp14>MUST</bcp14> be greater than or equal to D. Implementers 876 <bcp14>MUST NOT</bcp14> use an integer data type to calculate or represent D'.</li> 877 </ol> 878 <t> 879 The TTL field in the revocation message is informational. 880 A revocation <bcp14>MAY</bcp14> be discarded without checking the POW 881 values or the signature if the TTL (in combination with TIMESTAMP) 882 indicates that the revocation has already expired. 883 The actual validity period of the 884 revocation <bcp14>MUST</bcp14> be determined by examining the leading 885 zeroes in the POW values. 886 </t> 887 <t> 888 The validity period of the revocation is calculated as 889 (D'-D+1) * EPOCH * 1.1. The EPOCH is extended by 890 10% in order to deal with poorly synchronized clocks. 891 The validity period added on top of the TIMESTAMP yields the 892 expiration date. 893 If the current time is after the expiration date, the 894 revocation is considered stale. 895 </t> 896 <t> 897 Verified revocations <bcp14>MUST</bcp14> be stored locally. 898 The implementation <bcp14>MAY</bcp14> discard stale revocations and 899 evict them from the local store at any time. 900 </t> 901 <t> 902 It is important that implementations broadcast received revocations 903 if they are valid and not stale. 904 Should the calculated validity period differ from the TTL field value, 905 the calculated value <bcp14>MUST</bcp14> be used as the TTL field value 906 when forwarding the revocation message. 907 Systems might disagree on the current time, so implementations 908 <bcp14>MAY</bcp14> use stale but otherwise valid 909 revocations but <bcp14>SHOULD NOT</bcp14> broadcast them. 910 Forwarded stale revocations <bcp14>MAY</bcp14> be discarded by the receiver. 911 </t> 912 <t> 913 Any locally stored revocation <bcp14>MUST</bcp14> be considered during 914 delegation record processing (see <xref target="delegation_processing"/>). 915 </t> 916 </section> 917 </section> 918 <section anchor="rrecords"> 919 <name>Resource Records</name> 920 <t> 921 A GNS implementation <bcp14>SHOULD</bcp14> provide a mechanism for creating and managing local 922 zones as well as a persistence mechanism (such as a local database) for resource 923 records. 924 A new local zone is established by selecting a zone type and creating a 925 zone key pair. 926 If this mechanism is not implemented, 927 no zones can be published in storage (see <xref target="publish"/>) 928 and name resolution is limited to non-local Start Zones 929 (see <xref target="governance"/>). 930 </t> 931 <t> 932 A GNS resource record holds the data of a specific record in a zone. 933 The resource record format is illustrated in 934 <xref target="figure_gnsrecord"/>. 935 </t> 936 <figure anchor="figure_gnsrecord"> 937 <name>The Resource Record Wire Format</name> 938 <artwork name="" type="" alt=""> 939 0 8 16 24 32 40 48 56 940 +-----+-----+-----+-----+-----+-----+-----+-----+ 941 | EXPIRATION | 942 +-----+-----+-----+-----+-----+-----+-----+-----+ 943 | SIZE | FLAGS | TYPE | 944 +-----+-----+-----+-----+-----+-----+-----+-----+ 945 | DATA / 946 / / 947 / / 948 </artwork> 949 </figure> 950 <dl newline="false"> 951 <dt>EXPIRATION:</dt> 952 <dd> 953 Denotes the absolute 64-bit expiration date of the record. 954 In microseconds since midnight (0 hour), January 1, 1970 UTC in network 955 byte order. 956 </dd> 957 <dt>SIZE:</dt> 958 <dd> 959 Denotes the 16-bit size of the DATA field in bytes in network byte 960 order. 961 </dd> 962 <dt>FLAGS:</dt> 963 <dd> 964 A 16-bit field indicating special properties of the resource record. 965 The semantics of the different bits are defined below. 966 </dd> 967 <dt>TYPE:</dt> 968 <dd> 969 The 32-bit resource record type in 970 network byte order. This type can be one of the GNS resource 971 records as defined in <xref target="rrecords"/>, a DNS record 972 type as defined in <xref target="RFC1035"/>, or any of the 973 complementary standardized DNS resource record types. 974 Note that values 975 below 2<sup>16</sup> are reserved for 16-bit DNS resource record types allocated by IANA <xref target="RFC6895"/>. 976 Values above 2<sup>16</sup> are allocated by the 977 GANA "GNS Record Types" registry <xref target="GANA"/>. 978 </dd> 979 <dt>DATA:</dt> 980 <dd> 981 The variable-length resource record data payload. The content is defined 982 by the 983 respective type of the resource record. 984 </dd> 985 </dl> 986 <t> 987 The FLAGS field is used to indicate special properties of the resource record. 988 An application creating resource records <bcp14>MUST</bcp14> set all bits 989 in FLAGS to 0 unless it specifically understands and 990 wants to set the respective flag. 991 As additional flags can be defined in future protocol versions, 992 if an application or implementation encounters a flag that it does not 993 recognize, the flag <bcp14>MUST</bcp14> be ignored. However, all implementations 994 <bcp14>MUST</bcp14> understand the SHADOW and CRITICAL flags defined below. 995 Any combination of the flags specified below is valid. 996 <xref target="figure_flag"/> 997 illustrates the flag distribution in the 16-bit FLAGS field of a 998 resource record: 999 </t> 1000 <figure anchor="figure_flag"> 1001 <name>The Resource Record Flag Wire Format</name> 1002 <artwork name="" type="" alt=""> 1003 0 13 14 15 1004 +--------...+-------------+-------+---------+ 1005 | Reserved |SUPPLEMENTAL |SHADOW |CRITICAL | 1006 +--------...+-------------+-------+---------+ 1007 </artwork> 1008 </figure> 1009 <dl newline="false"> 1010 <dt>CRITICAL:</dt> 1011 <dd> 1012 If this flag is set, it indicates that processing is critical. 1013 Implementations that do not support the record type or are otherwise 1014 unable to process the record <bcp14>MUST</bcp14> abort resolution upon encountering 1015 the record in the resolution process. 1016 </dd> 1017 <dt>SHADOW:</dt> 1018 <dd> 1019 If this flag is set, this record <bcp14>MUST</bcp14> be ignored by resolvers unless all (other) 1020 records of the same record type have expired. Used to allow zone publishers to 1021 facilitate good performance when records change by allowing them to put future 1022 values of records into storage. 1023 This way, future values can propagate and can be 1024 cached before the transition becomes active. 1025 </dd> 1026 <dt>SUPPLEMENTAL:</dt> 1027 <dd> 1028 This is a supplemental record. It is provided in addition to the 1029 other records. This flag indicates that this record is not explicitly 1030 managed alongside the other records under the respective name but 1031 might be useful for the application. 1032 </dd> 1033 </dl> 1034 <section anchor="gnsrecords_delegation"> 1035 <name>Zone Delegation Records</name> 1036 <t> 1037 This section defines the initial set of zone delegation record types. 1038 Any implementation <bcp14>SHOULD</bcp14> support all zone types defined here and 1039 <bcp14>MAY</bcp14> support any number of additional delegation records defined in 1040 the GANA "GNS Record Types" registry (see <xref target="GANA"/>). 1041 Not supporting some zone types will result in resolution failures if 1042 the respective zone type is encountered. 1043 This can be a valid choice if some zone delegation record types have been 1044 determined to be cryptographically insecure. 1045 Zone delegation records <bcp14>MUST NOT</bcp14> be stored or published 1046 under the apex label. 1047 A zone delegation record type value is the same as the respective ztype 1048 value. 1049 The ztype defines the cryptographic primitives for the zone that is 1050 being delegated to. 1051 A zone delegation record payload contains the public key of 1052 the zone to delegate to. 1053 A zone delegation record <bcp14>MUST</bcp14> have the CRITICAL flag set 1054 and <bcp14>MUST</bcp14> be the only non-supplemental record under a label. 1055 There <bcp14>MAY</bcp14> be inactive records of the same type that have 1056 the SHADOW flag set in order to facilitate smooth key rollovers. 1057 </t> 1058 <t> 1059 In the following, "||" is the concatenation operator of two byte strings. 1060 The algorithm specification uses character strings such as GNS labels or 1061 constant values. 1062 When used in concatenations or as input to functions, the 1063 zero terminator of the character strings <bcp14>MUST NOT</bcp14> be 1064 included. 1065 </t> 1066 <section anchor="gnsrecords_pkey"> 1067 <name>PKEY</name> 1068 <t> 1069 In GNS, a delegation of a label to a zone of type "PKEY" is 1070 represented through a PKEY record. The PKEY DATA entry wire format is illustrated in <xref target="figure_pkeyrecord"/>. 1071 </t> 1072 <figure anchor="figure_pkeyrecord"> 1073 <name>The PKEY Wire Format</name> 1074 <artwork name="" type="" alt=""> 1075 0 8 16 24 32 40 48 56 1076 +-----+-----+-----+-----+-----+-----+-----+-----+ 1077 | PUBLIC KEY | 1078 | | 1079 | | 1080 | | 1081 +-----+-----+-----+-----+-----+-----+-----+-----+ 1082 </artwork> 1083 </figure> 1084 <dl newline="false"> 1085 <dt>PUBLIC KEY:</dt> 1086 <dd> 1087 A 256-bit Ed25519 public key. 1088 </dd> 1089 </dl> 1090 <t> 1091 For PKEY zones, the zone key material is derived using the 1092 curve parameters of the twisted Edwards representation 1093 of Curve25519 <xref target="RFC7748"/> (the reasoning behind choosing 1094 this curve can be found in <xref target="security_cryptography"/>) 1095 with the ECDSA scheme <xref target="RFC6979"/>. 1096 The following naming convention is used for the cryptographic primitives of PKEY zones: 1097 </t> 1098 <dl newline="false"> 1099 <dt>d:</dt> 1100 <dd> 1101 A 256-bit Ed25519 private key (clamped private scalar). 1102 </dd> 1103 <dt>zkey:</dt> 1104 <dd> 1105 The Ed25519 public zone key corresponding to d. 1106 </dd> 1107 <dt>p:</dt> 1108 <dd> 1109 The prime of edwards25519 as defined in <xref target="RFC7748"/>, i.e., 1110 2<sup>255</sup> - 19. 1111 </dd> 1112 <dt>G:</dt> 1113 <dd> 1114 The group generator (X(P),Y(P)). With X(P),Y(P) of edwards25519 as defined in 1115 <xref target="RFC7748"/>. 1116 </dd> 1117 <dt>L:</dt> 1118 <dd> 1119 The order of the prime-order subgroup of edwards25519 as defined in <xref target="RFC7748"/>. 1120 </dd> 1121 <dt>KeyGen():</dt> 1122 <dd>The generation of the private 1123 scalar d and the curve point zkey := d*G (where G is the group generator 1124 of the elliptic curve) as defined in <xref target="RFC6979" sectionFormat="of" section="2.2"/> represents the KeyGen() function. 1125 </dd> 1126 </dl> 1127 <t> 1128 The zone type and zone key of a PKEY are 4 + 32 bytes in length. This means that 1129 a zTLD will always fit into a single label and does 1130 not need any further conversion. 1131 Given a label, the output zkey' of the ZKDF(zkey, label) function is 1132 calculated as follows for PKEY zones: 1133 </t> 1134 <artwork name="" type="" alt=""> 1135 ZKDF(zkey, label): 1136 PRK_h := HKDF-Extract("key-derivation", zkey) 1137 h := HKDF-Expand(PRK_h, label || "gns", 512 / 8) 1138 zkey' := (h mod L) * zkey 1139 return zkey' 1140 </artwork> 1141 <t> 1142 The PKEY cryptosystem uses an HMAC-based key derivation function (HKDF) as defined in 1143 <xref target="RFC5869"/>, using SHA-512 <xref target="RFC6234"/> for the extraction 1144 phase and SHA-256 <xref target="RFC6234"/> for the expansion phase. 1145 PRK_h is key material retrieved using an HKDF that uses the string 1146 "key-derivation" as the salt and the zone key as the initial 1147 keying material. 1148 h is the 512-bit HKDF expansion result and must be interpreted in 1149 network byte order. The expansion information input is 1150 a concatenation of the label and the string "gns". 1151 The multiplication of zkey with h in ZKDF() is a point multiplication, 1152 while the multiplication of d with h in SignDerived() below is a scalar multiplication. 1153 </t> 1154 <t> 1155 The Sign() and Verify() functions 1156 for PKEY zones are implemented using 512-bit ECDSA deterministic 1157 signatures as specified in <xref target="RFC6979"/>. 1158 The same functions can be used for derived keys: 1159 </t> 1160 <artwork name="" type="" alt=""> 1161 SignDerived(d, label, message): 1162 zkey := d * G 1163 PRK_h := HKDF-Extract("key-derivation", zkey) 1164 h := HKDF-Expand(PRK_h, label || "gns", 512 / 8) 1165 d' := (h * d) mod L 1166 return Sign(d', message) 1167 </artwork> 1168 <t> 1169 A signature is valid for the derived public key zkey' := ZKDF(zkey, label) if the following holds: 1170 </t> 1171 <artwork name="" type="" alt=""> 1172 VerifyDerived(zkey', message, signature): 1173 return Verify(zkey', message, signature) 1174 </artwork> 1175 <t> 1176 The S-Encrypt() and S-Decrypt() functions use AES in counter mode 1177 as defined in <xref target="MODES"/> (CTR-AES256): 1178 </t> 1179 <artwork name="" type="" alt=""> 1180 S-Encrypt(zkey, label, expiration, plaintext): 1181 PRK_k := HKDF-Extract("gns-aes-ctx-key", zkey) 1182 PRK_n := HKDF-Extract("gns-aes-ctx-iv", zkey) 1183 K := HKDF-Expand(PRK_k, label, 256 / 8) 1184 NONCE := HKDF-Expand(PRK_n, label, 32 / 8) 1185 BLOCK_COUNTER := 0x0000000000000001 1186 IV := NONCE || expiration || BLOCK_COUNTER 1187 return CTR-AES256(K, IV, plaintext) 1188 1189 S-Decrypt(zkey, label, expiration, ciphertext): 1190 PRK_k := HKDF-Extract("gns-aes-ctx-key", zkey) 1191 PRK_n := HKDF-Extract("gns-aes-ctx-iv", zkey) 1192 K := HKDF-Expand(PRK_k, label, 256 / 8) 1193 NONCE := HKDF-Expand(PRK_n, label, 32 / 8) 1194 BLOCK_COUNTER := 0x0000000000000001 1195 IV := NONCE || expiration || BLOCK_COUNTER 1196 return CTR-AES256(K, IV, ciphertext) 1197 </artwork> 1198 <t> 1199 The key K and counter Initialization Vector (IV) are derived from 1200 the record label and the zone key zkey, using an HKDF as defined in <xref target="RFC5869"/>. 1201 SHA-512 <xref target="RFC6234"/> is used for the 1202 extraction phase and SHA-256 <xref target="RFC6234"/> for the expansion phase. 1203 The output keying material is 32 bytes (256 bits) for the symmetric 1204 key and 4 bytes (32 bits) for the NONCE. 1205 The symmetric key K is a 256-bit AES key <xref target="RFC3826"/>. 1206 </t> 1207 <t> 1208 The nonce is combined with a 64-bit IV and a 1209 32-bit block counter as defined in <xref target="RFC3686"/>. 1210 The block counter begins with a value of 1, and it is incremented 1211 to generate subsequent portions of the key stream. 1212 The block counter is a 32-bit integer value in network byte order. 1213 The format of the counter IV used by the S-Encrypt() and S-Decrypt() 1214 functions is illustrated in 1215 <xref target="figure_hkdf_ivs_pkey"/>. 1216 </t> 1217 <figure anchor="figure_hkdf_ivs_pkey"> 1218 <name>Structure of the Counter IV as Used in S-Encrypt() and 1219 S-Decrypt()</name> 1220 <artwork name="" type="" alt=""> 1221 0 8 16 24 32 1222 +-----+-----+-----+-----+ 1223 | NONCE | 1224 +-----+-----+-----+-----+ 1225 | EXPIRATION | 1226 | | 1227 +-----+-----+-----+-----+ 1228 | BLOCK COUNTER | 1229 +-----+-----+-----+-----+ 1230 </artwork> 1231 </figure> 1232 </section> 1233 <section anchor="gnsrecords_edkey"> 1234 <name>EDKEY</name> 1235 <t> 1236 In GNS, a delegation of a label to a zone of type "EDKEY" is 1237 represented through an EDKEY record. 1238 The EDKEY DATA entry wire format 1239 is illustrated in <xref target="figure_edkeyrecord"/>. 1240 </t> 1241 <figure anchor="figure_edkeyrecord"> 1242 <name>The EDKEY DATA Wire Format</name> 1243 <artwork name="" type="" alt=""> 1244 0 8 16 24 32 40 48 56 1245 +-----+-----+-----+-----+-----+-----+-----+-----+ 1246 | PUBLIC KEY | 1247 | | 1248 | | 1249 | | 1250 +-----+-----+-----+-----+-----+-----+-----+-----+ 1251 </artwork> 1252 </figure> 1253 <dl newline="false"> 1254 <dt>PUBLIC KEY:</dt> 1255 <dd> 1256 A 256-bit EdDSA zone key. 1257 </dd> 1258 </dl> 1259 <t> 1260 For EDKEY zones, the zone key material is derived using the 1261 curve parameters of the twisted Edwards representation 1262 of Curve25519 <xref target="RFC7748"/> (a.k.a. Ed25519) 1263 with the Ed25519 scheme <xref target="ed25519"/> as specified in 1264 <xref target="RFC8032"/>. 1265 The following naming convention is used for the 1266 cryptographic primitives of EDKEY zones: 1267 </t> 1268 <dl newline="false"> 1269 <dt>d:</dt> 1270 <dd> 1271 A 256-bit EdDSA private key. 1272 </dd> 1273 <dt>a:</dt> 1274 <dd> 1275 An integer derived from d using the SHA-512 hash function 1276 as defined in <xref target="RFC8032"/>. 1277 </dd> 1278 <dt>zkey:</dt> 1279 <dd> 1280 The EdDSA public key corresponding to d. It is defined 1281 as the curve point a*G where G is the 1282 group generator of the elliptic curve 1283 as defined in <xref target="RFC8032"/>. 1284 </dd> 1285 <dt>p:</dt> 1286 <dd> 1287 The prime of edwards25519 as defined in <xref target="RFC8032"/>, i.e., 1288 2<sup>255</sup> - 19. 1289 </dd> 1290 <dt>G:</dt> 1291 <dd> 1292 The group generator (X(P),Y(P)). With X(P),Y(P) of edwards25519 as defined in 1293 <xref target="RFC8032"/>. 1294 </dd> 1295 <dt>L:</dt> 1296 <dd> 1297 The order of the prime-order subgroup of edwards25519 as defined in <xref target="RFC8032"/>. 1298 </dd> 1299 <dt>KeyGen():</dt> 1300 <dd> 1301 The generation of the private key d and the associated public 1302 key zkey := a*G (where G is the 1303 group generator of the elliptic curve and a is an integer 1304 derived from d using the SHA-512 hash function) 1305 as defined 1306 in <xref target="RFC8032" sectionFormat="of" section="5.1.5"/> 1307 represents the KeyGen() 1308 function. 1309 </dd> 1310 </dl> 1311 <t> 1312 The zone type and zone key of an EDKEY are 4 + 32 bytes in length. This means that 1313 a zTLD will always fit into a single label and does 1314 not need any further conversion. 1315 </t> 1316 <t> 1317 The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>. 1318 As noted above for KeyGen(), a is calculated from d using the 1319 SHA-512 hash function as defined in <xref target="RFC8032" sectionFormat="of" section="5.1.5"/>. 1320 Given a label, the output of the ZKDF function is 1321 calculated as follows: 1322 </t> 1323 <artwork name="" type="" alt=""> 1324 ZKDF(zkey, label): 1325 /* Calculate the blinding factor */ 1326 PRK_h := HKDF-Extract("key-derivation", zkey) 1327 h := HKDF-Expand(PRK_h, label || "gns", 512 / 8) 1328 /* Ensure that h == h mod L */ 1329 h := h mod L 1330 1331 zkey' := h * zkey 1332 return zkey' 1333 </artwork> 1334 <t> 1335 Implementers <bcp14>SHOULD</bcp14> employ a constant-time scalar 1336 multiplication for the constructions above to protect against 1337 timing attacks. Otherwise, timing attacks could leak private key 1338 material if an attacker can predict when a system starts the 1339 publication process. 1340 </t> 1341 <t> 1342 The EDKEY cryptosystem uses an HKDF as defined in 1343 <xref target="RFC5869"/>, using SHA-512 <xref target="RFC6234"/> for the extraction 1344 phase and HMAC-SHA-256 <xref target="RFC6234"/> for the expansion phase. 1345 PRK_h is key material retrieved using an HKDF that uses the string 1346 "key-derivation" as the salt and the zone key as the initial 1347 keying material. 1348 The blinding factor h is the 512-bit HKDF expansion result. 1349 The expansion information input is 1350 a concatenation of the label and the string "gns". 1351 The result of the HKDF must be clamped and interpreted in network 1352 byte order. 1353 a is the 256-bit integer corresponding to the 256-bit private 1354 key d. 1355 The multiplication of zkey with h is a point multiplication. 1356 </t> 1357 <t> 1358 The Sign(d, message) and Verify(zkey, message, signature) procedures <bcp14>MUST</bcp14> 1359 be implemented as defined in <xref target="RFC8032"/>. 1360 </t> 1361 <t> 1362 Signatures for EDKEY zones use a derived private scalar d'; 1363 this is not compliant with <xref target="RFC8032"/>. 1364 As the private key that corresponds to the derived private scalar 1365 is not known, it is not possible to deterministically derive the 1366 signature part R according to <xref target="RFC8032"/>. 1367 Instead, signatures <bcp14>MUST</bcp14> be generated as follows for any given 1368 message and private zone key: 1369 a nonce is calculated from the highest 32 bytes of the 1370 expansion of the private key d and the blinding factor h. 1371 The nonce is then hashed with the message to r. 1372 This way, the full derivation path is included in the calculation 1373 of the R value of the signature, ensuring that it is never reused 1374 for two different derivation paths or messages. 1375 </t> 1376 <artwork name="" type="" alt=""> 1377 SignDerived(d, label, message): 1378 /* Key expansion */ 1379 dh := SHA-512(d) 1380 /* EdDSA clamping */ 1381 a := dh[0..31] 1382 a[0] := a[0] & 248 1383 a[31] := a[31] & 127 1384 a[31] := a[31] | 64 1385 /* Calculate zkey corresponding to d */ 1386 zkey := a * G 1387 1388 /* Calculate blinding factor */ 1389 PRK_h := HKDF-Extract("key-derivation", zkey) 1390 h := HKDF-Expand(PRK_h, label || "gns", 512 / 8) 1391 /* Ensure that h == h mod L */ 1392 h := h mod L 1393 1394 d' := (h * a) mod L 1395 nonce := SHA-256(dh[32..63] || h) 1396 r := SHA-512(nonce || message) 1397 R := r * G 1398 S := r + SHA-512(R || zkey' || message) * d' mod L 1399 return (R,S) 1400 </artwork> 1401 <t> 1402 A signature (R,S) is valid for the derived public key zkey' := 1403 ZKDF(zkey, label) if the following holds: 1404 </t> 1405 <artwork name="" type="" alt=""> 1406 VerifyDerived(zkey', message, signature): 1407 (R,S) := signature 1408 return S * G == R + SHA-512(R, zkey', message) * zkey' 1409 </artwork> 1410 <t> 1411 The S-Encrypt() and S-Decrypt() functions use XSalsa20 1412 as defined in <xref target="XSalsa20"/> 1413 and use the XSalsa20-Poly1305 encryption function: 1414 </t> 1415 <artwork name="" type="" alt=""> 1416 S-Encrypt(zkey, label, expiration, plaintext): 1417 PRK_k := HKDF-Extract("gns-xsalsa-ctx-key", zkey) 1418 PRK_n := HKDF-Extract("gns-xsalsa-ctx-iv", zkey) 1419 K := HKDF-Expand(PRK_k, label, 256 / 8) 1420 NONCE := HKDF-Expand(PRK_n, label, 128 / 8) 1421 IV := NONCE || expiration 1422 return XSalsa20-Poly1305(K, IV, plaintext) 1423 1424 S-Decrypt(zkey, label, expiration, ciphertext): 1425 PRK_k := HKDF-Extract("gns-xsalsa-ctx-key", zkey) 1426 PRK_n := HKDF-Extract("gns-xsalsa-ctx-iv", zkey) 1427 K := HKDF-Expand(PRK_k, label, 256 / 8) 1428 NONCE := HKDF-Expand(PRK_n, label, 128 / 8) 1429 IV := NONCE || expiration 1430 return XSalsa20-Poly1305(K, IV, ciphertext) 1431 </artwork> 1432 <t> 1433 The result of the XSalsa20-Poly1305 encryption function is the encrypted 1434 ciphertext followed by the 128-bit authentication 1435 tag. 1436 Accordingly, the length of encrypted data equals the length of the 1437 data plus the 16 bytes of the authentication tag. 1438 </t> 1439 <t> 1440 The key K and counter IV are derived from 1441 the record label and the zone key zkey using an HKDF as defined in 1442 <xref target="RFC5869"/>. 1443 SHA-512 <xref target="RFC6234"/> is used for the 1444 extraction phase and SHA-256 <xref target="RFC6234"/> for the expansion phase. 1445 The output keying material is 32 bytes (256 bits) for the symmetric 1446 key and 16 bytes (128 bits) for the NONCE. 1447 The symmetric key K is a 256-bit XSalsa20 key 1448 <xref target="XSalsa20"/>. 1449 No additional authenticated data (AAD) is used. 1450 </t> 1451 <t> 1452 The nonce is combined with an 8-byte IV. 1453 The IV is the expiration time of the 1454 resource record block in network byte order. 1455 The resulting counter (IV) wire format is illustrated in 1456 <xref target="figure_hkdf_ivs_edkey"/>. 1457 </t> 1458 <figure anchor="figure_hkdf_ivs_edkey"> 1459 <name>The Counter Block Initialization Vector</name> 1460 <artwork name="" type="" alt=""> 1461 0 8 16 24 32 40 48 56 1462 +-----+-----+-----+-----+-----+-----+-----+-----+ 1463 | NONCE | 1464 | | 1465 +-----+-----+-----+-----+-----+-----+-----+-----+ 1466 | EXPIRATION | 1467 +-----+-----+-----+-----+-----+-----+-----+-----+ 1468 </artwork> 1469 </figure> 1470 </section> 1471 </section> 1472 <section anchor="gnsrecords_redirect"> 1473 <name>Redirection Records</name> 1474 <t> 1475 Redirection records are used to redirect resolution. 1476 Any implementation <bcp14>SHOULD</bcp14> support all redirection record types defined here 1477 and <bcp14>MAY</bcp14> support any number of additional redirection records defined in 1478 the GANA "GNS Record Types" registry <xref target="GANA"/>. 1479 Redirection records <bcp14>MUST</bcp14> have the CRITICAL flag set. 1480 Not supporting some record types can result in resolution failures. 1481 This can be a valid choice if some redirection record types have been 1482 determined to be insecure, or if an application has reasons to not 1483 support redirection to DNS for reasons such as complexity or security. 1484 Redirection records <bcp14>MUST NOT</bcp14> be stored or published under the apex label. 1485 </t> 1486 <section anchor="gnsrecords_rdr"> 1487 <name>REDIRECT</name> 1488 <t> 1489 A REDIRECT record is the GNS equivalent of a CNAME record in DNS. 1490 A REDIRECT record <bcp14>MUST</bcp14> be the only non-supplemental 1491 record under a label. 1492 There <bcp14>MAY</bcp14> be inactive records of the same type that have 1493 the SHADOW flag set in order to facilitate smooth changes of redirection 1494 targets. 1495 No other records are allowed. 1496 Details on the processing of this record are provided in <xref target="redirect_processing"/>. 1497 1498 A REDIRECT DATA entry is illustrated in <xref target="figure_redirectrecord"/>. 1499 </t> 1500 <figure anchor="figure_redirectrecord"> 1501 <name>The REDIRECT DATA Wire Format</name> 1502 <artwork name="" type="" alt=""> 1503 0 8 16 24 32 40 48 56 1504 +-----+-----+-----+-----+-----+-----+-----+-----+ 1505 | REDIRECT NAME | 1506 / / 1507 / / 1508 | | 1509 +-----+-----+-----+-----+-----+-----+-----+-----+ 1510 </artwork> 1511 </figure> 1512 <dl newline="false"> 1513 <dt>REDIRECT NAME:</dt> 1514 <dd> 1515 The name to continue with. 1516 This value can be a regular name or a relative 1517 name. 1518 Relative GNS names are indicated by an extension label (U+002B ("+")) 1519 as the rightmost label. 1520 The string is UTF-8 encoded and zero terminated. 1521 </dd> 1522 </dl> 1523 </section> 1524 <section anchor="gnsrecords_gns2dns"> 1525 <name>GNS2DNS</name> 1526 <t> 1527 A GNS2DNS record delegates resolution to DNS. 1528 The resource record contains a DNS name for the resolver to continue with 1529 in DNS followed by a DNS server. Both names are in the format defined in 1530 <xref target="RFC1034"/> for DNS names. 1531 There <bcp14>MAY</bcp14> be multiple GNS2DNS records under a label. 1532 There <bcp14>MAY</bcp14> also be DNSSEC DS records or any other records used to 1533 secure the connection with the DNS servers under the same label. 1534 There <bcp14>MAY</bcp14> be inactive records of the same type or types that have 1535 the SHADOW flag set in order to facilitate smooth changes of redirection 1536 targets. 1537 No other non-supplemental record types are allowed in the same record set. 1538 A GNS2DNS DATA entry is illustrated in <xref target="figure_gns2dnsrecord"/>.</t> 1539 <figure anchor="figure_gns2dnsrecord"> 1540 <name>The GNS2DNS DATA Wire Format</name> 1541 <artwork name="" type="" alt=""> 1542 0 8 16 24 32 40 48 56 1543 +-----+-----+-----+-----+-----+-----+-----+-----+ 1544 | NAME | 1545 / / 1546 / / 1547 | | 1548 +-----+-----+-----+-----+-----+-----+-----+-----+ 1549 | DNS SERVER NAME | 1550 / / 1551 / / 1552 | | 1553 +-----------------------------------------------+ 1554 </artwork> 1555 </figure> 1556 <dl newline="false"> 1557 <dt>NAME:</dt> 1558 <dd> 1559 The name to continue with in DNS. The value is UTF-8 encoded and 1560 zero terminated. 1561 </dd> 1562 <dt>DNS SERVER NAME:</dt> 1563 <dd> 1564 The DNS server to use. This value can be an IPv4 address in dotted-decimal 1565 form, an IPv6 address in colon-hexadecimal form, or a DNS name. 1566 It can also be a relative GNS name ending with a 1567 "+" as the rightmost label. 1568 The implementation <bcp14>MUST</bcp14> check the string syntactically for 1569 an IP address in the respective notation before checking for a 1570 relative GNS name. 1571 If all three checks fail, the name <bcp14>MUST</bcp14> be treated as a DNS name. 1572 The value is UTF-8 encoded and zero terminated. 1573 </dd> 1574 </dl> 1575 <t> 1576 NOTE: If an application uses DNS names obtained from GNS2DNS records 1577 in a DNS request, they <bcp14>MUST</bcp14> first be converted to an IDNA-compliant 1578 representation <xref target="RFC5890"/>. 1579 </t> 1580 </section> 1581 </section> 1582 <section anchor="gnsrecords_other"> 1583 <name>Auxiliary Records</name> 1584 <t> 1585 This section defines the initial set of auxiliary GNS record types. Any 1586 implementation <bcp14>SHOULD</bcp14> be able to process the specified record types 1587 according to <xref target="record_processing"/>. 1588 </t> 1589 <section anchor="gnsrecords_leho"> 1590 <name>LEHO</name> 1591 <t> 1592 The LEHO (LEgacy HOstname) record is used to provide a hint for legacy hostnames: 1593 applications can use the GNS to look up IPv4 or IPv6 addresses of 1594 Internet services. 1595 However, connecting to such services sometimes not only requires 1596 the knowledge of an IP address and port but also requires the canonical 1597 DNS name of the service to be transmitted over the transport protocol. 1598 In GNS, legacy hostname records provide applications the DNS name that 1599 is required to establish a connection to such a service. 1600 The most common use case is HTTP virtual hosting and TLS Server Name 1601 Indication <xref target="RFC6066"/>, where a DNS name must 1602 be supplied in the HTTP "Host"-header and the TLS handshake, 1603 respectively. 1604 Using a GNS name in those cases might not work, as 1605 it might not be globally unique. Furthermore, even if uniqueness is 1606 not an issue, the legacy service might not even be aware of GNS. 1607 </t> 1608 <t> 1609 A LEHO resource record is expected to be found together with A or AAAA 1610 resource records with IPv4 or IPv6 addresses. 1611 A LEHO DATA entry is illustrated in <xref target="figure_lehorecord"/>. 1612 </t> 1613 <figure anchor="figure_lehorecord"> 1614 <name>The LEHO DATA Wire Format</name> 1615 <artwork name="" type="" alt=""> 1616 0 8 16 24 32 40 48 56 1617 +-----+-----+-----+-----+-----+-----+-----+-----+ 1618 | LEGACY HOSTNAME | 1619 / / 1620 / / 1621 | | 1622 +-----+-----+-----+-----+-----+-----+-----+-----+ 1623 </artwork> 1624 </figure> 1625 <dl newline="false"> 1626 <dt>LEGACY HOSTNAME:</dt> 1627 <dd> 1628 A UTF-8 string (which is not zero terminated) representing the legacy hostname. 1629 </dd> 1630 </dl> 1631 <t> 1632 NOTE: If an application uses a LEHO value in an HTTP request header 1633 (e.g., a "Host"-header), it <bcp14>MUST</bcp14> be converted to an IDNA-compliant representation 1634 <xref target="RFC5890"/>. 1635 </t> 1636 </section> 1637 <section anchor="gnsrecords_nick"> 1638 <name>NICK</name> 1639 <t> 1640 Nickname records can be used by zone administrators to publish a 1641 label that a zone prefers to have used when it is referred to. 1642 This is a suggestion for other zones regarding what label to use when creating a 1643 delegation record (<xref target="gnsrecords_delegation"/>) containing 1644 this zone key. 1645 This record <bcp14>SHOULD</bcp14> only be stored locally 1646 under the apex label "@" but <bcp14>MAY</bcp14> be 1647 returned with record sets under any label as a supplemental record. 1648 <xref target="nick_processing"/> details how a resolver must process 1649 supplemental and non-supplemental NICK records. 1650 A NICK DATA entry is illustrated in <xref target="figure_nickrecord"/>. 1651 </t> 1652 <figure anchor="figure_nickrecord"> 1653 <name>The NICK DATA Wire Format</name> 1654 <artwork name="" type="" alt=""> 1655 0 8 16 24 32 40 48 56 1656 +-----+-----+-----+-----+-----+-----+-----+-----+ 1657 | NICKNAME | 1658 / / 1659 / / 1660 | | 1661 +-----+-----+-----+-----+-----+-----+-----+-----+ 1662 </artwork> 1663 </figure> 1664 <dl newline="false"> 1665 <dt>NICKNAME:</dt> 1666 <dd> 1667 A UTF-8 string (which is not zero terminated) representing the preferred 1668 label of the zone. This string <bcp14>MUST</bcp14> be a valid GNS label. 1669 </dd> 1670 </dl> 1671 </section> 1672 <section anchor="gnsrecords_box"> 1673 <name>BOX</name> 1674 <t> 1675 GNS lookups are expected to return all of the required useful 1676 information in one record set. This avoids unnecessary additional 1677 lookups and cryptographically ties together information that belongs 1678 together, making it impossible for an adversarial storage entity to provide 1679 partial answers that might omit information critical for security. 1680 </t> 1681 <t> 1682 This general strategy is incompatible with the 1683 special labels used by DNS for SRV and TLSA records. Thus, GNS 1684 defines the BOX record format to box up SRV and TLSA records and 1685 include them in the record set of the label they are associated 1686 with. For example, a 1687 TLSA record for "_https._tcp.example.org" will be stored in the record set of 1688 "example.org" as a BOX record with service (SVC) 443 (https), protocol (PROTO) 6 1689 (tcp), and record TYPE "TLSA". 1690 For reference, see also <xref target="RFC2782"/>. 1691 A BOX DATA entry is illustrated in <xref target="figure_boxrecord"/>. 1692 </t> 1693 <figure anchor="figure_boxrecord"> 1694 <name>The BOX DATA Wire Format</name> 1695 <artwork name="" type="" alt=""> 1696 0 8 16 24 32 40 48 56 1697 +-----+-----+-----+-----+-----+-----+-----+-----+ 1698 | PROTO | SVC | TYPE | 1699 +-----------+-----------------------------------+ 1700 | RECORD DATA | 1701 / / 1702 / / 1703 | | 1704 +-----+-----+-----+-----+-----+-----+-----+-----+ 1705 </artwork> 1706 </figure> 1707 <dl newline="false"> 1708 <dt>PROTO:</dt> 1709 <dd> 1710 The 16-bit protocol number in network byte order. 1711 Values 1712 below 2<sup>8</sup> are reserved for 8-bit Internet Protocol numbers allocated by IANA <xref target="RFC5237"/> 1713 (e.g., 6 for TCP). 1714 Values above 2<sup>8</sup> are allocated by the 1715 GANA "GNUnet Overlay Protocols" registry <xref target="GANA"/>. 1716 </dd> 1717 <dt>SVC:</dt> 1718 <dd> 1719 The 16-bit service value of the boxed record in network byte order. In the case of 1720 TCP and UDP, it is the port number. 1721 </dd> 1722 <dt>TYPE:</dt> 1723 <dd> 1724 The 32-bit record type of the boxed record in network byte order. 1725 </dd> 1726 <dt>RECORD DATA:</dt> 1727 <dd> 1728 A variable-length field containing the "DATA" format of TYPE as 1729 defined for the respective TYPE. Thus, for TYPE values below 2<sup>16</sup>, the 1730 format is the same as the respective record type's binary format in DNS. 1731 </dd> 1732 </dl> 1733 </section> 1734 </section> 1735 </section> 1736 <section anchor="publish"> 1737 <name>Record Encoding for Remote Storage</name> 1738 <t> 1739 Any API that allows storing a block under a 512-bit key and retrieving 1740 one or more blocks from a key can be used by an implementation for remote storage. 1741 To be useful, and to be able to support the defined zone delegation 1742 record encodings, the API <bcp14>MUST</bcp14> permit storing blocks of size 1743 176 bytes or more and <bcp14>SHOULD</bcp14> allow blocks of size 1024 bytes 1744 or more. 1745 In the following, it is assumed that an implementation realizes two 1746 procedures on top of storage: 1747 </t> 1748 <artwork name="" type="" alt=""> 1749 PUT(key, block) 1750 GET(key) -> block 1751 </artwork> 1752 <t> 1753 A GNS implementation publishes blocks 1754 in accordance with the properties and recommendations of the underlying 1755 remote storage. This can include a periodic refresh operation to preserve the 1756 availability of published blocks. 1757 </t> 1758 <t> 1759 There is no mechanism for explicitly deleting individual blocks from remote storage. 1760 However, blocks include an EXPIRATION field, which guides remote 1761 storage implementations to decide when to delete blocks. Given multiple blocks 1762 for the same key, remote storage implementations <bcp14>SHOULD</bcp14> try 1763 to preserve and return the block with the largest EXPIRATION value. 1764 </t> 1765 <t> 1766 All resource records from the same zone sharing the same label are 1767 encrypted and published together in a single resource record block 1768 (RRBLOCK) in the remote storage under a key q, as illustrated 1769 in <xref target="figure_storage_publish"/>. 1770 A GNS implementation <bcp14>MUST NOT</bcp14> include expired resource 1771 records in blocks. 1772 An implementation <bcp14>MUST</bcp14> use the PUT storage procedure 1773 when record sets change to update the zone contents. Implementations 1774 <bcp14>MUST</bcp14> ensure that the EXPIRATION fields of RRBLOCKs 1775 increase strictly monotonically for every change, even if the smallest 1776 expiration time of records in the block does not increase. 1777 </t> 1778 <figure anchor="figure_storage_publish"> 1779 <name>Management and Publication of Local Zones in Distributed Storage</name> 1780 <artwork name="" type="" alt=""> 1781 Local Host | Remote 1782 | Storage 1783 | 1784 | +---------+ 1785 | / /| 1786 | +---------+ | 1787 +-----------+ | | | | 1788 | | +-----------+PUT(q, RRBLOCK) | | Record | | 1789 | User | | Zone |----------------|->| Storage | | 1790 | | | Publisher | | | |/ 1791 +-----------+ +-----------+ | +---------+ 1792 | A | 1793 | | Zone records | 1794 | | grouped by label | 1795 | | | 1796 | +---------+ | 1797 |Create / Delete / | /| | 1798 |and Update +---------+ | | 1799 |Local Zones | | | | 1800 | | Local | | | 1801 +-------------->| Zones | | | 1802 | |/ | 1803 +---------+ | 1804 </artwork> 1805 </figure> 1806 <t> 1807 Storage key derivation and record 1808 block creation are specified in the following sections and 1809 illustrated in <xref target="figure_storage_derivations"/>. 1810 </t> 1811 <figure anchor="figure_storage_derivations"> 1812 <name>Storage Key and Record Block Creation Overview</name> 1813 <artwork name="" type="" alt=""> 1814 +----------+ +-------+ +------------+ +-------------+ 1815 | Zone Key | | Label | | Record Set | | Private Key | 1816 +----------+ +-------+ +------------+ +-------------+ 1817 | | | | 1818 | | v | 1819 | | +-----------+ | 1820 | +---------->| S-Encrypt | | 1821 +----------|---------->+-----------+ | 1822 | | | | | 1823 | | | v v 1824 | | | +-------------+ 1825 | +---------------|-->| SignDerived | 1826 | | | +-------------+ 1827 | | | | 1828 | v v v 1829 | +------+ +--------------+ 1830 +----->| ZKDF |------->| Record Block | 1831 +------+ +--------------+ 1832 | 1833 v 1834 +------+ +-------------+ 1835 | Hash |------->| Storage Key | 1836 +------+ +-------------+ 1837 </artwork> 1838 </figure> 1839 <section anchor="blinding"> 1840 <name>The Storage Key</name> 1841 <t> 1842 The storage key is derived from the zone key and the respective 1843 label of the contained records. 1844 The required knowledge of both the zone key and the label in combination 1845 with the similarly derived symmetric secret keys and blinded zone keys 1846 ensures query privacy (see <xref target="RFC8324" sectionFormat="comma" section="3.5"/>). 1847 </t> 1848 <t> 1849 Given a label, the storage key q is derived as follows: 1850 </t> 1851 <artwork name="" type="" alt=""> 1852 q := SHA-512(ZKDF(zkey, label)) 1853 </artwork> 1854 <dl newline="false"> 1855 <dt>label:</dt> 1856 <dd>A UTF-8 string under which the resource records are published. 1857 </dd> 1858 <dt>zkey:</dt> 1859 <dd> 1860 The zone key. 1861 </dd> 1862 <dt>q:</dt> 1863 <dd> 1864 The 512-bit storage key under which the resource record block is 1865 published. 1866 It is the SHA-512 hash <xref target="RFC6234"/> over the derived zone key. 1867 </dd> 1868 </dl> 1869 </section> 1870 <section anchor="rdata"> 1871 <name>Plaintext Record Data (RDATA)</name> 1872 <t> 1873 GNS records from a zone are grouped by their labels such that all 1874 records under the same label are published together as a single 1875 block in storage. Such grouped record sets <bcp14>MAY</bcp14> be paired with 1876 supplemental records. 1877 </t> 1878 <t> 1879 Record data (RDATA) is the format used to encode such a group of GNS records. 1880 The binary format of RDATA is illustrated in 1881 <xref target="figure_rdata"/>. 1882 </t> 1883 <figure anchor="figure_rdata"> 1884 <name>The RDATA Wire Format</name> 1885 <artwork name="" type="" alt=""> 1886 0 8 16 24 32 40 48 56 1887 +-----+-----+-----+-----+-----+-----+-----+-----+ 1888 | EXPIRATION | 1889 +-----+-----+-----+-----+-----+-----+-----+-----+ 1890 | SIZE | FLAGS | TYPE | 1891 +-----+-----+-----+-----+-----+-----+-----+-----+ 1892 | DATA / 1893 / / 1894 / / 1895 +-----+-----+-----+-----+-----+-----+-----+-----+ 1896 | EXPIRATION | 1897 +-----+-----+-----+-----+-----+-----+-----+-----+ 1898 | SIZE | FLAGS | TYPE | 1899 +-----+-----+-----+-----+-----+-----+-----+-----+ 1900 | DATA / 1901 / / 1902 +-----+-----+-----+-----+-----+-----+-----+-----+ 1903 | PADDING / 1904 / / 1905 +-----+-----+-----+-----+-----+-----+-----+-----+ 1906 </artwork> 1907 </figure> 1908 <dl newline="false"> 1909 <dt>EXPIRATION, SIZE, TYPE, FLAGS, and DATA:</dt> 1910 <dd> 1911 Definitions for these fields are provided below <xref target="figure_gnsrecord"/> 1912 in <xref target="rrecords"/>. 1913 </dd> 1914 <dt>PADDING:</dt> 1915 <dd> 1916 When serializing records into RDATA, a GNS implementation <bcp14>MUST</bcp14> ensure that 1917 the size of the RDATA is a power of two 1918 using this field. The field <bcp14>MUST</bcp14> be set to zero and <bcp14>MUST</bcp14> be 1919 ignored on receipt. 1920 As a special exception, record sets with (only) a zone delegation 1921 record type are never padded. 1922 </dd> 1923 </dl> 1924 </section> 1925 <section anchor="records_block"> 1926 <name>The Resource Record Block</name> 1927 <t> 1928 The resource records grouped in an RDATA are encrypted using the S-Encrypt() 1929 function defined by the zone type of the zone to which the resource records belong 1930 and prefixed with metadata into a resource record block (RRBLOCK) for remote storage. 1931 The GNS RRBLOCK wire format is illustrated in 1932 <xref target="figure_record_block"/>. 1933 </t> 1934 <figure anchor="figure_record_block"> 1935 <name>The RRBLOCK Wire Format</name> 1936 <artwork name="" type="" alt=""> 1937 0 8 16 24 32 40 48 56 1938 +-----+-----+-----+-----+-----+-----+-----+-----+ 1939 | SIZE | ZONE TYPE | 1940 +-----+-----+-----+-----+-----+-----+-----+-----+ 1941 | ZONE KEY / 1942 / (BLINDED) / 1943 | | 1944 +-----+-----+-----+-----+-----+-----+-----+-----+ 1945 | SIGNATURE | 1946 / / 1947 / / 1948 | | 1949 +-----+-----+-----+-----+-----+-----+-----+-----+ 1950 | EXPIRATION | 1951 +-----+-----+-----+-----+-----+-----+-----+-----+ 1952 | BDATA | 1953 / / 1954 / / 1955 +-----+-----+-----+-----+-----+-----+-----+-----+ 1956 </artwork> 1957 </figure> 1958 <dl newline="false"> 1959 <dt>SIZE:</dt> 1960 <dd> 1961 A 32-bit value containing the length of the block in bytes in network byte order. 1962 Despite the message format's use of a 32-bit value, 1963 implementations <bcp14>MAY</bcp14> refuse to publish blocks beyond a certain 1964 size significantly below the theoretical block size limit of 4 GB. 1965 </dd> 1966 <dt>ZONE TYPE:</dt> 1967 <dd> 1968 The 32-bit ztype in network byte order. 1969 </dd> 1970 <dt>ZONE KEY (BLINDED):</dt> 1971 <dd> 1972 The blinded zone key "ZKDF(zkey, label)" 1973 to be used to verify SIGNATURE. 1974 The length and format of the blinded public key depend on the ztype. 1975 </dd> 1976 <dt>SIGNATURE:</dt> 1977 <dd> 1978 The signature is computed over the EXPIRATION and BDATA fields 1979 as shown in <xref target="figure_rrsigwithpseudo"/>. 1980 The length and format of the signature depend on the ztype. 1981 The signature is created using the SignDerived() function of 1982 the cryptosystem of the zone (see <xref target="zones"/>). 1983 </dd> 1984 <dt>EXPIRATION:</dt> 1985 <dd> 1986 Specifies when the RRBLOCK expires and the encrypted block 1987 <bcp14>SHOULD</bcp14> be removed from storage and caches, as it is likely stale. 1988 However, applications <bcp14>MAY</bcp14> continue to use non-expired individual 1989 records until they expire. The RRBLOCK expiration value <bcp14>MUST</bcp14> be computed by first determining for each record type present in the RRBLOCK the maximum expiration time of all records of that type, including shadow 1990 records. Then, the minimum of all of these expiration times is taken. The final expiration time is then the larger value of (1) the previous EXPIRATION value of a previous RRBLOCK for the same storage key plus one (if any) and (2) the computed minimum expiration time across the contained record types. This ensures strict monotonicity (see <xref target="security_cryptography"/>). 1991 This is a 64-bit absolute date in microseconds since midnight 1992 (0 hour), January 1, 1970 UTC in network byte order. 1993 </dd> 1994 <dt>BDATA:</dt> 1995 <dd> 1996 The encrypted RDATA computed using S-Encrypt() with the 1997 zone key, label, and expiration time as additional inputs. 1998 Its ultimate size and content are determined by 1999 the S-Encrypt() function of the ztype. 2000 </dd> 2001 </dl> 2002 <t> 2003 The signature over the public key covers a 32-bit pseudo header 2004 conceptually prefixed to the EXPIRATION and BDATA fields. 2005 The wire format is illustrated 2006 in <xref target="figure_rrsigwithpseudo"/>. 2007 </t> 2008 <figure anchor="figure_rrsigwithpseudo"> 2009 <name>The Wire Format Used for Creating the Signature of the RRBLOCK</name> 2010 <artwork name="" type="" alt=""> 2011 0 8 16 24 32 40 48 56 2012 +-----+-----+-----+-----+-----+-----+-----+-----+ 2013 | SIZE | PURPOSE (0x0F) | 2014 +-----+-----+-----+-----+-----+-----+-----+-----+ 2015 | EXPIRATION | 2016 +-----+-----+-----+-----+-----+-----+-----+-----+ 2017 | BDATA | 2018 / / 2019 / / 2020 +-----+-----+-----+-----+-----+-----+-----+-----+ 2021 </artwork> 2022 </figure> 2023 <dl newline="false"> 2024 <dt>SIZE:</dt> 2025 <dd> 2026 A 32-bit value containing the length of the signed data in bytes 2027 in network byte order. 2028 </dd> 2029 <dt>PURPOSE:</dt> 2030 <dd> 2031 A 32-bit signature purpose flag in network byte order. The value of this 2032 field <bcp14>MUST</bcp14> be 15. It defines the context in which 2033 the signature is created so that it cannot be reused in other parts 2034 of the protocol that might include possible future extensions. 2035 The value of this field corresponds to an entry in the 2036 GANA "GNUnet Signature Purposes" registry <xref target="GANA"/>. 2037 </dd> 2038 <dt>EXPIRATION:</dt> 2039 <dd> 2040 Field as defined in the RRBLOCK message above. 2041 </dd> 2042 <dt>BDATA:</dt> 2043 <dd>Field as defined in the RRBLOCK message above.</dd> 2044 </dl> 2045 </section> 2046 </section> 2047 <section anchor="resolution"> 2048 <name>Name Resolution</name> 2049 <t> 2050 Names in GNS are resolved by recursively querying the record storage. 2051 Recursive in this context means that a resolver does not provide 2052 intermediate results for a query to the application. 2053 Instead, it <bcp14>MUST</bcp14> respond to a resolution request with either the 2054 requested resource record or an error message if resolution 2055 fails. 2056 <xref target="figure_resolution"/> illustrates how an application 2057 requests the lookup of a GNS name (1). 2058 The application <bcp14>MAY</bcp14> provide a desired record type to the resolver. 2059 Subsequently, a Start Zone is determined (2) and the recursive 2060 resolution process started. 2061 This is where the desired record type is used to guide processing. 2062 For example, if a zone delegation record type is requested, the 2063 resolution of the apex label in that zone must be skipped, as 2064 the desired record is already found. 2065 Details on how the resolution process is initiated and each iterative 2066 result (3a,3b) in the resolution is processed are provided in the sections below. 2067 The results of the lookup are eventually returned to the application (4). 2068 The implementation <bcp14>MUST NOT</bcp14> filter the returned resource 2069 record sets according to the desired record type. 2070 Filtering of record sets is typically done by the application. 2071 </t> 2072 <figure anchor="figure_resolution"> 2073 <name>The Recursive GNS Resolution Process</name> 2074 <artwork name="" type="" alt=""> 2075 Local Host | Remote 2076 | Storage 2077 | 2078 | +---------+ 2079 | / /| 2080 | +---------+ | 2081 +-----------+ (1) Name +----------+ | | | | 2082 | | Lookup | | (3a) GET(q) | | Record | | 2083 |Application|----------| Resolver |---------------|->| Storage | | 2084 | |<---------| |<--------------|--| |/ 2085 +-----------+ (4) +----------+ (3b) RRBLOCK | +---------+ 2086 Records A | 2087 | | 2088 (2) Determination of | | 2089 Start Zone | | 2090 | | 2091 +---------+ | 2092 / | /| | 2093 +---------+ | | 2094 | | | | 2095 | Start | | | 2096 | Zones | | | 2097 | |/ | 2098 +---------+ | 2099 </artwork> 2100 </figure> 2101 <section anchor="governance"> 2102 <name>Start Zones</name> 2103 <t> 2104 The resolution of a GNS name starts by identifying the Start Zone 2105 suffix. Once the Start Zone suffix is identified, recursive resolution 2106 of the remainder of the name is initiated (see <xref target="recursion"/>). 2107 There are two types of Start Zone suffixes: zTLDs and local 2108 suffix-to-zone mappings. 2109 The choice of available suffix-to-zone mappings is at the sole 2110 discretion of the local system administrator or user. 2111 This property addresses the issue of a single hierarchy with a 2112 centrally controlled root and the related issue of distribution and 2113 management of root servers in DNS (see Sections <xref target="RFC8324" section="3.12" 2114 sectionFormat="bare"/> and <xref target="RFC8324" section="3.10" 2115 sectionFormat="bare"/> of <xref target="RFC8324"/>, respectively). 2116 </t> 2117 <t> 2118 For names ending with a zTLD, the Start Zone is explicitly given in the 2119 suffix of the name to resolve. 2120 In order to ensure uniqueness of names with zTLDs, any 2121 implementation <bcp14>MUST</bcp14> use the given zone as the Start Zone. 2122 An implementation <bcp14>MUST</bcp14> first try to interpret the rightmost label of 2123 the given name as the beginning of a zTLD (see <xref target="zTLD"/>). 2124 If the rightmost label cannot be (partially) decoded or if it does not 2125 indicate a supported ztype, the name is treated as a normal name and 2126 Start Zone discovery <bcp14>MUST</bcp14> continue with finding a local suffix-to-zone 2127 mapping. 2128 If a valid ztype can be found in the rightmost label, the 2129 implementation <bcp14>MUST</bcp14> try to synthesize and decode the zTLD to retrieve 2130 the Start Zone key according to <xref target="zTLD"/>. 2131 If the zTLD cannot be synthesized or decoded, the resolution of 2132 the name fails and an error is returned to the application. 2133 Otherwise, the zone key <bcp14>MUST</bcp14> be used as the Start Zone: 2134 </t> 2135 <artwork name="" type="" alt=""> 2136 Example name: www.example.<zTLD> 2137 => Start Zone: zkey of type ztype 2138 => Name to resolve from Start Zone: www.example 2139 </artwork> 2140 <t> 2141 For names not ending with a zTLD, the resolver <bcp14>MUST</bcp14> determine the Start 2142 Zone through a local suffix-to-zone mapping. 2143 Suffix-to-zone mappings <bcp14>MUST</bcp14> be configurable through a local 2144 configuration file or database by the user or system administrator. 2145 A suffix <bcp14>MAY</bcp14> consist of multiple GNS labels concatenated with a 2146 label separator. 2147 If multiple suffixes match the name to resolve, the longest 2148 matching suffix <bcp14>MUST</bcp14> be used. The suffix length of two results 2149 <bcp14>MUST NOT</bcp14> be equal. This indicates a misconfiguration, and the 2150 implementation <bcp14>MUST</bcp14> return an error. 2151 The following is a non-normative example mapping of Start Zones: 2152 </t> 2153 <artwork name="" type="" alt=""> 2154 Example name: www.example.xyz.gns.alt 2155 Local suffix mappings: 2156 xyz.gns.alt = zTLD0 := Base32GNS(ztype0||zkey0) 2157 example.xyz.gns.alt = zTLD1 := Base32GNS(ztype1||zkey1) 2158 example.com.gns.alt = zTLD2 := Base32GNS(ztype2||zkey2) 2159 ... 2160 => Start Zone: zkey1 2161 => Name to resolve from Start Zone: www 2162 </artwork> 2163 <t> 2164 The process given above <bcp14>MAY</bcp14> be supplemented with other mechanisms if 2165 the particular application requires a different process. 2166 If no Start Zone can be identified, resolution <bcp14>MUST</bcp14> fail and an 2167 error <bcp14>MUST</bcp14> be returned to the application. 2168 </t> 2169 </section> 2170 <section anchor="recursion"> 2171 <name>Recursion</name> 2172 <t> 2173 In each step of the recursive name resolution, there is an 2174 authoritative zone zkey and a name to resolve. 2175 The name <bcp14>MAY</bcp14> be empty. 2176 If the name is empty, it is interpreted as the apex label "@". 2177 Initially, the authoritative zone is the Start Zone. 2178 </t> 2179 <t> 2180 From here, the following steps are recursively executed, in order: 2181 </t> 2182 <ol> 2183 <li>Extract the rightmost label from the name to look up.</li> 2184 <li>Calculate q using the label and zkey as defined in 2185 <xref target="blinding"/>.</li> 2186 <li>Perform a storage query GET(q) to retrieve the RRBLOCK.</li> 2187 <li>Check that (a) the block is not expired, (b) the SHA-512 hash 2188 of the derived authoritative zone key zkey' from the RRBLOCK matches 2189 the query q, and (c) the signature is valid. If any of these 2190 tests fail, the RRBLOCK <bcp14>MUST</bcp14> 2191 be ignored and, if applicable, the storage lookup GET(q) 2192 <bcp14>MUST</bcp14> continue to look for other RRBLOCKs.</li> 2193 <li>Obtain the RDATA by decrypting the BDATA contained in the 2194 RRBLOCK using S-Decrypt() as defined by the zone type, effectively 2195 inverting the process described in <xref target="records_block"/>.</li> 2196 </ol> 2197 <t> 2198 Once a well-formed block has been decrypted, the records from 2199 RDATA are subjected to record processing. 2200 </t> 2201 </section> 2202 <section anchor="record_processing"> 2203 <name>Record Processing</name> 2204 <t> 2205 In record processing, only the valid records obtained are considered. 2206 To filter records by validity, the resolver 2207 <bcp14>MUST</bcp14> at least check the expiration time and the FLAGS field of the 2208 respective record. 2209 Specifically, the resolver <bcp14>MUST</bcp14> disregard expired records. 2210 Furthermore, SHADOW and 2211 SUPPLEMENTAL flags can also exclude records from being considered. 2212 If the resolver encounters a record with the CRITICAL flag set and 2213 does not support the record type, the resolution <bcp14>MUST</bcp14> be aborted 2214 and an error <bcp14>MUST</bcp14> be returned. Information indicating that the critical 2215 record could not be processed <bcp14>SHOULD</bcp14> be returned in the error 2216 description. The implementation <bcp14>MAY</bcp14> choose not to return the reason for the failure, 2217 merely complicating troubleshooting for the user. 2218 </t> 2219 <t> 2220 The next steps depend on the context of the name that is being 2221 resolved: 2222 </t> 2223 <dl newline="false"> 2224 <dt>Case 1:</dt> 2225 <dd>If the filtered record set consists of a single REDIRECT record, 2226 the remainder of the name is prepended to the REDIRECT DATA and the 2227 recursion is started again from the resulting name. 2228 Details are provided in <xref target="redirect_processing"/>.</dd> 2229 <dt>Case 2:</dt> 2230 <dd>If the filtered record set consists exclusively of one or more GNS2DNS records, 2231 resolution continues with DNS. 2232 Details are provided in <xref target="gns2dns_processing"/>.</dd> 2233 <dt>Case 3:</dt> 2234 <dd>If the remainder of the name to be resolved is of the format 2235 "_SERVICE._PROTO" and the record set contains one or more matching BOX 2236 records, the records in the BOX records are the final result and the recursion 2237 is concluded as described in <xref target="box_processing"/>.</dd> 2238 <dt>Case 4:</dt> 2239 <dd>If the current record set 2240 consists of a single delegation record, 2241 resolution of the remainder of the name is delegated to 2242 the target zone as described in <xref target="delegation_processing"/>.</dd> 2243 <dt>Case 5:</dt> 2244 <dd>If the remainder of the name to resolve is empty, 2245 the record set is the final result. 2246 If any NICK records are in the final result set, they <bcp14>MUST</bcp14> 2247 first be processed according to <xref target="nick_processing"/>. 2248 Otherwise, the record result set is directly returned as the final result.</dd> 2249 </dl> 2250 <t>Finally, if none of the above cases are applicable, resolution fails and the 2251 resolver <bcp14>MUST</bcp14> return an empty record set.</t> 2252 2253 <section anchor="redirect_processing"> 2254 <name>REDIRECT</name> 2255 <t> 2256 If the remaining name is empty and the desired record type is 2257 REDIRECT, the resolution concludes with the REDIRECT record. 2258 If the rightmost label of the REDIRECT NAME is the extension label 2259 (U+002B ("+")), 2260 resolution continues in GNS with the new name in the 2261 current zone. 2262 Otherwise, the resulting name is resolved via the 2263 default operating system name resolution process. 2264 This can in turn trigger a GNS name resolution process, depending 2265 on the system configuration. 2266 If resolution continues in DNS, the name <bcp14>MUST</bcp14> first be 2267 converted to an IDNA-compliant representation <xref target="RFC5890"/>. 2268 </t> 2269 <t> 2270 In order to prevent infinite loops, the resolver <bcp14>MUST</bcp14> 2271 implement loop detection or limit the number of recursive 2272 resolution steps. 2273 The loop detection <bcp14>MUST</bcp14> be effective even 2274 if a REDIRECT found in GNS triggers subsequent GNS lookups via 2275 the default operating system name resolution process. 2276 </t> 2277 </section> 2278 <section anchor="gns2dns_processing"> 2279 <name>GNS2DNS</name> 2280 <t> 2281 A resolver returns GNS2DNS records when all of the following 2282 conditions are met: 2283 </t> 2284 <ol> 2285 <li>The resolver encounters one or more GNS2DNS records;</li> 2286 <li>The remaining name is empty; and</li> 2287 <li>The desired record type is GNS2DNS.</li> 2288 </ol> 2289 <t> 2290 Otherwise, it is expected that the resolver first resolves the 2291 IP addresses of the specified DNS name servers. 2292 The DNS name <bcp14>MUST</bcp14> be converted to an IDNA-compliant 2293 representation <xref target="RFC5890"/> for resolution in DNS. 2294 GNS2DNS records <bcp14>MAY</bcp14> 2295 contain numeric IPv4 or IPv6 addresses, allowing the resolver to 2296 skip this step. 2297 The DNS server names might themselves be names in GNS or DNS. 2298 If the rightmost label of the DNS server name is the extension label 2299 (U+002B ("+")), the rest of the name is to be 2300 interpreted relative to the zone of the GNS2DNS record. 2301 If the DNS server name ends in a label representation of a 2302 zone key, the DNS server name is to be resolved against 2303 the GNS zone zkey. 2304 </t> 2305 <t> 2306 Multiple GNS2DNS records can be stored under the same label, 2307 in which case the resolver <bcp14>MUST</bcp14> try all of them. 2308 The resolver <bcp14>MAY</bcp14> try them in any order or even in parallel. 2309 If multiple GNS2DNS records are present, the DNS name <bcp14>MUST</bcp14> be 2310 identical for all of them. Otherwise, it is not clear which name 2311 the resolver is supposed to follow. If different DNS names are 2312 present, the resolution fails and an 2313 appropriate error <bcp14>SHOULD</bcp14> be returned to the application. 2314 </t> 2315 <t> 2316 If there are DNSSEC DS records or any other records used to 2317 secure the connection with the DNS servers stored under the label, 2318 the DNS resolver <bcp14>SHOULD</bcp14> use them to secure the connection with 2319 the DNS server. 2320 </t> 2321 <t> 2322 Once the IP addresses of the DNS servers have been determined, 2323 the DNS name from the GNS2DNS record is appended 2324 to the remainder of the name to be resolved and is 2325 resolved by querying the DNS name server(s). 2326 The synthesized name has to be converted to an IDNA-compliant 2327 representation <xref target="RFC5890"/> for resolution in DNS. 2328 If such a conversion is not possible, the resolution <bcp14>MUST</bcp14> be aborted 2329 and an error <bcp14>MUST</bcp14> be returned. Information indicating that the critical 2330 record could not be processed <bcp14>SHOULD</bcp14> be returned in the error 2331 description. The implementation <bcp14>MAY</bcp14> choose not to return the reason for the failure, 2332 merely complicating troubleshooting for the user. 2333 </t> 2334 <t> 2335 As the DNS servers 2336 specified are possibly authoritative DNS servers, the GNS resolver <bcp14>MUST</bcp14> 2337 support recursive DNS resolution and <bcp14>MUST NOT</bcp14> delegate this to the 2338 authoritative DNS servers. 2339 The first successful recursive name resolution result 2340 is returned to the application. 2341 In addition, the resolver <bcp14>SHOULD</bcp14> return the queried DNS name as a 2342 supplemental LEHO record (see <xref target="gnsrecords_leho"/>) with a 2343 relative expiration time of one hour. 2344 </t> 2345 <t> 2346 Once the transition from GNS to DNS is made through a 2347 GNS2DNS record, there is no "going back". 2348 The (possibly recursive) resolution of the DNS name <bcp14>MUST NOT</bcp14> 2349 delegate back into GNS and should only follow the DNS specifications. 2350 For example, names contained in DNS CNAME records <bcp14>MUST NOT</bcp14> be 2351 interpreted by resolvers that support both DNS and GNS as GNS names. 2352 </t> 2353 <t> 2354 GNS resolvers <bcp14>SHOULD</bcp14> offer a configuration 2355 option to disable DNS processing to avoid information leakage 2356 and provide a consistent security profile for all name resolutions. 2357 Such resolvers would return an empty record set upon encountering 2358 a GNS2DNS record during the recursion. However, if GNS2DNS records 2359 are encountered in the record set for the apex label and a GNS2DNS record 2360 is explicitly requested by the application, such records <bcp14>MUST</bcp14> 2361 still be returned, even if DNS support is disabled by the 2362 GNS resolver configuration. 2363 </t> 2364 </section> 2365 <section anchor="box_processing"> 2366 <name>BOX</name> 2367 <t> 2368 When a BOX record is received, a GNS resolver must unbox it if the 2369 name to be resolved continues with "_SERVICE._PROTO". 2370 Otherwise, the BOX record is to be left untouched. This way, TLSA 2371 (and SRV) records do not require a separate network request, and 2372 TLSA records become inseparable from the corresponding address 2373 records. 2374 </t> 2375 </section> 2376 <section anchor="delegation_processing"> 2377 <name>Zone Delegation Records</name> 2378 <t> 2379 When the resolver encounters a record of a supported 2380 zone delegation record type (such as PKEY or EDKEY) 2381 and the remainder of the name is not empty, resolution continues 2382 recursively with the remainder of the name in the 2383 GNS zone specified in the delegation record. 2384 </t> 2385 <t> 2386 Whenever a resolver encounters a new GNS zone, it <bcp14>MUST</bcp14> 2387 check against the local revocation list (see <xref target="revocation"/>) to see 2388 whether the respective 2389 zone key has been revoked. If the zone key was revoked, the 2390 resolution <bcp14>MUST</bcp14> fail with an empty result set. 2391 </t> 2392 <t> 2393 Implementations <bcp14>MUST NOT</bcp14> allow multiple different zone 2394 delegations under a single label (except if some are shadow records). 2395 Implementations <bcp14>MAY</bcp14> support any subset of ztypes. 2396 Implementations <bcp14>MUST NOT</bcp14> process zone delegation records 2397 stored under the apex label ("@"). If a zone delegation record is encountered under 2398 the apex label, resolution fails and an error <bcp14>MUST</bcp14> be returned. The 2399 implementation <bcp14>MAY</bcp14> choose not to return the reason for the failure, 2400 merely impacting troubleshooting information for the user. 2401 </t> 2402 <t> 2403 If the remainder of the name to resolve is empty and a record set was 2404 received containing only a single delegation record, the recursion is 2405 continued with the record value as the authoritative zone and the 2406 apex label "@" as the remaining name. The exception is the case 2407 where the desired record type as specified by the application is 2408 equal to the ztype, in which case the delegation record is returned. 2409 </t> 2410 </section> 2411 <section anchor="nick_processing"> 2412 <name>NICK</name> 2413 <t> 2414 NICK records are only relevant to the recursive resolver 2415 if the record set in question is the final result, which is to 2416 be returned to the application. The encountered NICK records can be either 2417 supplemental (see <xref target="rrecords"/>) or 2418 non-supplemental. 2419 If the NICK record is supplemental, the resolver only returns the 2420 record set if one of the non-supplemental records matches the 2421 queried record type. 2422 It is possible that one record set contains both supplemental 2423 and non-supplemental NICK records. 2424 </t> 2425 <t> 2426 The differentiation between a supplemental and non-supplemental 2427 NICK record allows the application to match the record to the 2428 authoritative zone. Consider the following example: 2429 </t> 2430 <artwork name="" type="" alt=""> 2431 Query: alice.example.gns.alt (type=A) 2432 Result: 2433 A: 192.0.2.1 2434 NICK: eve (non-supplemental) 2435 </artwork> 2436 <t> 2437 In this example, the returned NICK record is non-supplemental. 2438 For the application, this means that the NICK belongs to the zone 2439 "alice.example.gns.alt" and is published under the apex label along with an A 2440 record. The NICK record is interpreted as follows: the zone defined by 2441 "alice.example.gns.alt" wants to be referred to as "eve". 2442 In contrast, consider the following: 2443 </t> 2444 <artwork name="" type="" alt=""> 2445 Query: alice.example.gns.alt (type=AAAA) 2446 Result: 2447 AAAA: 2001:db8::1 2448 NICK: john (supplemental) 2449 </artwork> 2450 <t> 2451 In this case, the NICK record is marked as supplemental. This means that 2452 the NICK record belongs to the zone "example.gns.alt" and is published under the 2453 label "alice" along with a AAAA record. Here, the NICK record should be 2454 interpreted as follows: the zone defined by "example.gns.alt" wants to be referred to as 2455 "john". This distinction is likely useful for other records published as 2456 supplemental. 2457 </t> 2458 </section> 2459 </section> 2460 </section> 2461 <section anchor="encoding"> 2462 <name>Internationalization and Character Encoding</name> 2463 <t> 2464 All names in GNS are encoded in UTF-8 <xref target="RFC3629"/>. 2465 Labels <bcp14>MUST</bcp14> be canonicalized using 2466 Normalization Form C (NFC) <xref target="Unicode-UAX15"/>. 2467 This does not include any DNS names found in DNS records, such as CNAME 2468 record data, which is internationalized through the IDNA specifications; 2469 see <xref target="RFC5890"/>. 2470 </t> 2471 </section> 2472 <section anchor="security"> 2473 <name>Security and Privacy Considerations</name> 2474 <section anchor="security_availability"> 2475 <name>Availability</name> 2476 <t> 2477 In order to ensure availability of records beyond their 2478 absolute expiration times, implementations <bcp14>MAY</bcp14> allow 2479 relative expiration time values of records to be locally defined. 2480 Records can then be published recurringly with updated 2481 absolute expiration times by the implementation. 2482 </t> 2483 <t> 2484 Implementations <bcp14>MAY</bcp14> allow users to manage private records in 2485 their zones that are not published in storage. 2486 Private records are treated just like 2487 regular records when resolving labels in local zones, 2488 but their data is completely unavailable to non-local users. 2489 </t> 2490 </section> 2491 <section anchor="security_agility"> 2492 <name>Agility</name> 2493 <t> 2494 The security of cryptographic systems depends on both the strength of 2495 the cryptographic algorithms chosen and the strength of the keys used 2496 with those algorithms. This security also depends on the engineering 2497 of the protocol used by the system to ensure that there are no 2498 non-cryptographic ways to bypass the security of the overall system. 2499 This is why developers of applications managing GNS zones <bcp14>SHOULD</bcp14> 2500 select a default ztype considered secure at the time of 2501 releasing the software. 2502 For applications targeting end users that are not expected to 2503 understand cryptography, the application developer <bcp14>MUST NOT</bcp14> leave 2504 the ztype selection of new zones to end users. 2505 </t> 2506 <t> 2507 This document concerns itself with the selection of cryptographic 2508 algorithms used in GNS. 2509 The algorithms identified in this document are not known to be 2510 broken (in the cryptographic sense) at the current time, and 2511 cryptographic research so far leads us to believe that they are 2512 likely to remain secure into the foreseeable future. However, this 2513 is not necessarily forever, and it is expected that new revisions of 2514 this document will be issued from time to time to reflect the current 2515 best practices in this area. 2516 </t> 2517 <t> 2518 In terms of crypto-agility, whenever the need for an updated cryptographic 2519 scheme arises to, for example, replace ECDSA over Ed25519 for 2520 PKEY records, it can simply be introduced 2521 through a new record type. 2522 Zone administrators can then replace 2523 the delegation record type for future records. 2524 The old record type remains, 2525 and zones can iteratively migrate to the updated zone keys. 2526 To ensure that implementations correctly generate an error message 2527 when encountering a ztype that they do not support, 2528 current and future delegation records must always have the 2529 CRITICAL flag set. 2530 </t> 2531 </section> 2532 <section anchor="security_cryptography"> 2533 <name>Cryptography</name> 2534 <t> 2535 The following considerations provide background on the design choices 2536 of the ztypes specified in this document. 2537 When specifying new ztypes as per <xref target="zones"/>, the same 2538 considerations apply. 2539 </t> 2540 <t> 2541 GNS PKEY zone keys use ECDSA over Ed25519. 2542 This is an unconventional choice, 2543 as ECDSA is usually used with other curves. However, standardized 2544 ECDSA curves are problematic for a range of reasons, as described in 2545 the Curve25519 and EdDSA papers <xref target="RFC7748"/> <xref target="ed25519"/>. 2546 Using EdDSA directly is also 2547 not possible, as a hash function is used on the private key and 2548 will destroy the linearity that the key blinding in GNS depends upon. 2549 We are not aware of anyone suggesting that using Ed25519 instead 2550 of another common curve of similar size would lower the security of 2551 ECDSA. GNS uses 256-bit curves; that way, the encoded (public) 2552 keys fit into a single DNS label, which is good for usability. 2553 </t> 2554 <t> 2555 In order to ensure ciphertext indistinguishability, care must be 2556 taken with respect to the IV in the counter 2557 block. In our design, the IV always includes the expiration time of the 2558 record block. 2559 When applications store records with relative expiration times, 2560 monotonicity is implicitly 2561 ensured because each time a block is published in storage, its IV is 2562 unique, as the expiration time is calculated dynamically and increases 2563 monotonically with the system time. Still, 2564 an implementation <bcp14>MUST</bcp14> ensure that when relative expiration times 2565 are decreased, the expiration time of the next record block <bcp14>MUST</bcp14> 2566 be after the last published block. 2567 For records where an absolute expiration time is used, the implementation 2568 <bcp14>MUST</bcp14> ensure that the expiration time is always increased when the record 2569 data changes. For example, the expiration time on the wire could be increased 2570 by a single microsecond even if the user did not request a change. 2571 In the case of deletion of all resource records under a label, the 2572 implementation <bcp14>MUST</bcp14> keep track of the last absolute expiration time 2573 of the last published resource block. Implementations <bcp14>MAY</bcp14> define 2574 and use a special record type as a tombstone that preserves the last 2575 absolute expiration time but then <bcp14>MUST</bcp14> take care to not publish a 2576 block with such a tombstone record. 2577 When new records are added under this label later, the implementation 2578 <bcp14>MUST</bcp14> ensure that the expiration times are after the last published 2579 block. 2580 Finally, in order to ensure monotonically increasing expiration times, 2581 the implementation <bcp14>MUST</bcp14> keep a local record of the last time obtained 2582 from the system clock, so as to construct a monotonic clock if 2583 the system clock jumps backwards. 2584 </t> 2585 </section> 2586 <section anchor="security_abuse"> 2587 <name>Abuse Mitigation</name> 2588 <t> 2589 GNS names are UTF-8 strings. Consequently, GNS faces issues 2590 with respect to name spoofing similar to those for DNS with respect to internationalized 2591 domain names. 2592 In DNS, attackers can register similar-sounding or similar-looking 2593 names (see above) in order to execute phishing attacks. 2594 GNS zone administrators must take into account this attack vector and 2595 incorporate rules in order to mitigate it. 2596 </t> 2597 <t> 2598 Further, DNS can be used to combat illegal content on the Internet 2599 by having the respective domains seized by authorities. 2600 However, the same mechanisms can also be abused in order to impose 2601 state censorship. 2602 Avoiding that possibility is one of the motivations behind GNS. 2603 In GNS, TLDs are not enumerable. By design, the Start Zone of 2604 the resolver is defined locally, and hence such a seizure is 2605 difficult and ineffective in GNS. 2606 </t> 2607 </section> 2608 <section anchor="security_keymanagement"> 2609 <name>Zone Management</name> 2610 <t> 2611 In GNS, zone administrators need to manage and protect their zone 2612 keys. Once a private zone key is lost, it cannot be recovered, and 2613 the zone revocation message cannot be computed anymore. 2614 Revocation messages can be precalculated if revocation is 2615 required in cases where a private zone key is lost. 2616 Zone administrators, and for GNS this includes end users, are 2617 required to responsibly and diligently protect their cryptographic 2618 keys. 2619 GNS supports signing records in advance ("offline") in order to 2620 support processes (such as air gaps) that aim to protect private keys. 2621 </t> 2622 <t> 2623 Similarly, users are required to manage their local Start Zone configuration. 2624 In order to ensure the integrity and availability of names, users must 2625 ensure that their local Start Zone information is not compromised or 2626 outdated. 2627 It can be expected that the processing of zone revocations and an 2628 initial Start Zone are provided with a GNS implementation 2629 ("drop shipping"). 2630 Shipping an initial Start Zone configuration effectively establishes 2631 a root zone. 2632 Extension and customization of the zone are at the full discretion of 2633 the user. 2634 </t> 2635 <t> 2636 While implementations following this specification will be 2637 interoperable, if two implementations connect to different remote storage entities, 2638 they are mutually unreachable. 2639 This can lead to a state where a record exists in the global 2640 namespace for a particular name, but the implementation is not 2641 communicating with the remote storage entity that contains the respective 2642 block and is hence unable to resolve it. 2643 This situation is similar to a split-horizon DNS configuration. 2644 The remote storage entity used will most likely depend on the specific application 2645 context using GNS resolution. 2646 For example, one application is the resolution of hidden services 2647 within the Tor network <xref target="TorRendSpec"/>, which would suggest using Tor routers for remote storage. 2648 Implementations of "aggregated" remote storage entities are conceivable but 2649 are expected to be the exception. 2650 </t> 2651 </section> 2652 <section anchor="security_dht"> 2653 <name>DHTs as Remote Storage</name> 2654 <t> 2655 This document does not specify the properties of the underlying 2656 remote storage, which is required by any GNS implementation. 2657 It is important to note that the properties of the underlying 2658 remote storage are directly inherited by the 2659 GNS implementation. This includes both security and 2660 other non-functional properties such as scalability and performance. 2661 Implementers should take great care when selecting or implementing 2662 a DHT for use as remote storage in a GNS implementation. 2663 DHTs with reasonable security and performance properties exist 2664 <xref target="R5N"/>. 2665 It should also be taken into consideration that GNS implementations 2666 that build upon different DHT overlays are unlikely to be 2667 mutually reachable. 2668 </t> 2669 </section> 2670 <section anchor="security_rev"> 2671 <name>Revocations</name> 2672 <t> 2673 Zone administrators are advised to pregenerate zone revocations 2674 and to securely store the revocation information if the zone 2675 key is lost, compromised, or replaced in the future. 2676 Precalculated revocations can cease to be valid due to expirations 2677 or protocol changes such as epoch adjustments. 2678 Consequently, implementers and users must take precautions in order 2679 to manage revocations accordingly. 2680 </t> 2681 <t> 2682 Revocation payloads do not include a "new" key for key replacement. 2683 Inclusion of such a key would have two major disadvantages: 2684 </t> 2685 <ol> 2686 <li> 2687 If a revocation is published after a private key was compromised, 2688 allowing key replacement would be dangerous: if an 2689 adversary took over the private key, the adversary could then 2690 broadcast a revocation with a key replacement. For the replacement, 2691 the compromised owner would have no chance to issue a 2692 revocation. Thus, allowing a revocation message to replace a private 2693 key makes dealing with key compromise situations worse. 2694 </li> 2695 <li> 2696 Sometimes, key revocations are used with the objective of changing 2697 cryptosystems. Migration to another cryptosystem by replacing keys 2698 via a revocation message would only be secure as long as both 2699 cryptosystems are still secure against forgery. Such a planned, 2700 non-emergency migration to another cryptosystem should be done by 2701 running zones for both cipher systems in parallel for a while. The 2702 migration would conclude by revoking the legacy zone key only when 2703 it is deemed no longer secure and, hopefully, after most users have 2704 migrated to the replacement. 2705 </li> 2706 </ol> 2707 </section> 2708 <section anchor="privacy_labels"> 2709 <name>Zone Privacy</name> 2710 <t> 2711 GNS does not support authenticated denial of existence of names 2712 within a zone. 2713 Record data is published in encrypted form using keys derived from the 2714 zone key and record label. Zone administrators should 2715 carefully consider whether (1) a label and zone key are public or 2716 (2) one or both of these should be used as a shared secret to restrict access 2717 to the corresponding record data. 2718 Unlike public zone keys, low-entropy labels can be guessed by an attacker. If an attacker 2719 knows the public zone key, the use of well-known or guessable 2720 labels effectively threatens the disclosure of the corresponding records. 2721 </t> 2722 <t> 2723 It should be noted that the guessing attack on labels only applies if the 2724 zone key is somehow disclosed to the adversary. GNS itself 2725 does not disclose it during a lookup or when resource records are 2726 published (as only the blinded zone keys are used on the network). 2727 However, zone keys do become public during revocation. 2728 </t> 2729 <t> 2730 It is thus <bcp14>RECOMMENDED</bcp14> to use a 2731 label with sufficient entropy to prevent guessing attacks 2732 if any data in a resource record set is sensitive. 2733 </t> 2734 </section> 2735 <section anchor="sec_governance"> 2736 <name>Zone Governance</name> 2737 <t> 2738 While DNS is distributed, in practice it 2739 relies on centralized, trusted registrars to provide globally unique 2740 names. As awareness of the central role DNS plays on the Internet 2741 increases, various institutions are using their power (including legal means) 2742 to engage in attacks on the DNS, thus threatening the global availability 2743 and integrity of information on the Internet. 2744 While a wider discussion of this issue is out of scope for this document, 2745 analyses and investigations can be found in recent academic research 2746 works, including <xref target="SecureNS"/>. 2747 </t> 2748 <t> 2749 GNS is designed to provide a secure, privacy-enhancing alternative to the 2750 DNS name resolution protocol, especially when censorship or manipulation 2751 is encountered. 2752 In particular, it directly addresses concerns in DNS with respect to 2753 query privacy. 2754 However, depending on the governance of the root zone, any deployment 2755 will likely suffer from the issue of a 2756 single hierarchy with a centrally controlled root and the 2757 related issue of distribution and management of root servers in DNS, as 2758 raised in Sections <xref target="RFC8324" section="3.12" 2759 sectionFormat="bare"/> and <xref target="RFC8324" section="3.10" 2760 sectionFormat="bare"/> of <xref target="RFC8324"/>, respectively. 2761 In DNS, those issues directly result from the centralized root 2762 zone governance at the Internet Corporation for Assigned Names and 2763 Numbers (ICANN), which allows it to provide globally unique names. 2764 </t> 2765 <t> 2766 In GNS, Start Zones give users local authority over their preferred 2767 root zone governance. 2768 It enables users to replace or enhance a trusted root zone 2769 configuration provided by a third party (e.g., the implementer or a 2770 multi-stakeholder governance body like ICANN) with secure delegation of 2771 authority using local petnames while operating under a 2772 very strong adversary model. 2773 In combination with zTLDs, this provides users of GNS with a global, 2774 secure, and memorable mapping without a trusted authority. 2775 </t> 2776 <t> 2777 Any GNS implementation <bcp14>MAY</bcp14> provide a default 2778 governance model in the form of an initial Start Zone mapping. 2779 </t> 2780 </section> 2781 <section anchor="namespace_ambiguity"> 2782 <name>Namespace Ambiguity</name> 2783 <t> 2784 Technically, the GNS protocol can be used to resolve names in the 2785 namespace of the global DNS. 2786 However, this would require the respective governance bodies and 2787 stakeholders (e.g., the IETF and ICANN) to standardize the use of GNS for this particular use 2788 case. 2789 </t> 2790 <t> 2791 This capability implies that GNS names may be 2792 indistinguishable from DNS names in their 2793 respective common display format <xref target="RFC8499"/> or 2794 other special-use domain names <xref target="RFC6761"/> if 2795 a local Start Zone configuration maps suffixes from the 2796 global DNS to GNS zones. 2797 For applications, which name system should be 2798 used in order to resolve a given name will then be ambiguous. 2799 This poses a risk when trying to resolve a name through DNS when 2800 it is actually a GNS name, as discussed in <xref target="RFC8244"/>. 2801 In such a case, the GNS name is likely to be leaked as part of the DNS 2802 resolution. 2803 </t> 2804 <t> 2805 In order to prevent disclosure of queried GNS names, it is 2806 <bcp14>RECOMMENDED</bcp14> that GNS-aware applications try to resolve 2807 a given name in GNS before any other method, taking into account 2808 potential suffix-to-zone mappings and zTLDs. 2809 Suffix-to-zone mappings are expected to be configured by the user or 2810 local administrator, and as such the resolution in GNS is 2811 in line with user expectations even if the name could also be resolved 2812 through DNS. 2813 If no suffix-to-zone mapping for the name exists and no zTLD is found, 2814 resolution <bcp14>MAY</bcp14> continue with other methods such as DNS. 2815 If a suffix-to-zone mapping for the name exists or the name ends with 2816 a zTLD, it <bcp14>MUST</bcp14> be resolved using GNS, and 2817 resolution <bcp14>MUST NOT</bcp14> continue by any other means 2818 independent of the GNS resolution result. 2819 </t> 2820 <t> 2821 Mechanisms such as the Name Service Switch (NSS) of UNIX-like 2822 operating systems are an example of how such a resolution process 2823 can be implemented and used. 2824 The NSS allows system administrators to configure hostname resolution 2825 precedence and is integrated with the system resolver implementation. 2826 </t> 2827 <t> 2828 For use cases where GNS names may be confused with names 2829 of other name resolution mechanisms (in particular, DNS), the 2830 ".gns.alt" domain <bcp14>SHOULD</bcp14> be used. 2831 For use cases like implementing sinkholes to block 2832 malware sites or serving DNS domains via GNS to bypass censorship, 2833 GNS <bcp14>MAY</bcp14> be deliberately used in ways that interfere 2834 with resolution of another name system. 2835 </t> 2836 </section> 2837 </section> 2838 <section anchor="gana"> 2839 <name>GANA Considerations</name> 2840 <section anchor="gana_gnunet-sig-purposes"> 2841 <name>GNUnet Signature Purposes Registry</name> 2842 <t> 2843 GANA <xref target="GANA"/> has assigned signature purposes in its 2844 "GNUnet Signature Purposes" registry as listed in 2845 <xref target="tab_purposenums"/>. 2846 </t> 2847 2848 <table anchor="tab_purposenums"> 2849 <name>The GANA GNUnet Signature Purposes Registry</name> 2850 <thead> 2851 <tr> 2852 <th>Purpose</th> 2853 <th>Name</th> 2854 <th>References</th> 2855 <th>Comment</th> 2856 </tr> 2857 </thead> 2858 <tbody> 2859 <tr> 2860 <td>3</td> 2861 <td>GNS_REVOCATION</td> 2862 <td>RFC 9498</td> 2863 <td>GNS zone key revocation</td> 2864 </tr> 2865 <tr> 2866 <td>15</td> 2867 <td>GNS_RECORD_SIGN</td> 2868 <td>RFC 9498</td> 2869 <td>GNS record set signature</td> 2870 </tr> 2871 </tbody> 2872 </table> 2873 </section> 2874 <section anchor="gana_gnsrr"> 2875 <name>GNS Record Types Registry</name> 2876 <t> 2877 GANA <xref target="GANA"/> 2878 manages the "GNS Record Types" registry. 2879 </t> 2880 <t>Each entry has the following format: 2881 </t> 2882 <dl newline="false"> 2883 <dt>Name:</dt><dd>The name of the record type (case-insensitive ASCII 2884 string, restricted to alphanumeric characters). For zone delegation 2885 records, the assigned number represents the ztype value of the zone.</dd> 2886 <dt>Number:</dt><dd>A 32-bit number above 65535.</dd> 2887 <dt>Comment:</dt><dd>Optionally, brief English text describing the purpose of 2888 the record type (in UTF-8).</dd> 2889 <dt>Contact:</dt><dd>Optionally, the contact information for a person to contact for 2890 further information.</dd> 2891 <dt>References:</dt><dd>Optionally, references (such as an RFC) describing the record type.</dd> 2892 </dl> 2893 <t> 2894 The registration policy for this registry is "First Come First 2895 Served". This policy is modeled on that described in <xref target="RFC8126"/> 2896 and describes the actions taken by GANA: 2897 </t> 2898 <ul> 2899 <li> 2900 Adding new entries is possible after review by any authorized 2901 GANA contributor, using a 2902 first-come-first-served policy for unique name allocation. 2903 Reviewers are responsible for ensuring that the chosen "Name" is 2904 appropriate for the record type. 2905 The registry will define a unique number for the entry. 2906 </li> 2907 <li> 2908 Authorized GANA contributors for review of new entries are reachable at 2909 <gns-registry@gnunet.org>. 2910 </li> 2911 <li> 2912 Any request <bcp14>MUST</bcp14> contain a unique name and a point of contact. 2913 The contact information <bcp14>MAY</bcp14> be added to the registry, with the consent 2914 of the requester. 2915 The request <bcp14>MAY</bcp14> optionally also contain relevant references as well 2916 as a descriptive comment, as defined above. 2917 </li> 2918 </ul> 2919 <t> 2920 GANA has assigned numbers for the record types defined in this 2921 specification in the "GNS Record Types" registry as listed in 2922 <xref target="tab_rrtypenums"/>. 2923 </t> 2924 2925 <table anchor="tab_rrtypenums"> 2926 <name>The GANA GNS Record Types Registry</name> 2927 <thead> 2928 <tr> 2929 <th>Number</th> 2930 <th>Name</th> 2931 <th>Contact</th> 2932 <th>References</th> 2933 <th>Comment</th> 2934 </tr> 2935 </thead> 2936 <tbody> 2937 <tr> 2938 <td>65536</td> 2939 <td>PKEY</td> 2940 <td>(*)</td> 2941 <td>RFC 9498</td> 2942 <td>GNS zone delegation (PKEY)</td> 2943 </tr> 2944 <tr> 2945 <td>65537</td> 2946 <td>NICK</td> 2947 <td>(*)</td> 2948 <td>RFC 9498</td> 2949 <td>GNS zone nickname</td> 2950 </tr> 2951 <tr> 2952 <td>65538</td> 2953 <td>LEHO</td> 2954 <td>(*)</td> 2955 <td>RFC 9498</td> 2956 <td>GNS legacy hostname</td> 2957 </tr> 2958 <tr> 2959 <td>65540</td> 2960 <td>GNS2DNS</td> 2961 <td>(*)</td> 2962 <td>RFC 9498</td> 2963 <td>Delegation to DNS</td> 2964 </tr> 2965 <tr> 2966 <td>65541</td> 2967 <td>BOX</td> 2968 <td>(*)</td> 2969 <td>RFC 9498</td> 2970 <td>Box records</td> 2971 </tr> 2972 <tr> 2973 <td>65551</td> 2974 <td>REDIRECT</td> 2975 <td>(*)</td> 2976 <td>RFC 9498</td> 2977 <td>Redirection record</td> 2978 </tr> 2979 <tr> 2980 <td>65556</td> 2981 <td>EDKEY</td> 2982 <td>(*)</td> 2983 <td>RFC 9498</td> 2984 <td>GNS zone delegation (EDKEY)</td> 2985 </tr> 2986 </tbody> 2987 <tfoot> 2988 <tr> 2989 <td align="left" colspan="5">(*): gns-registry@gnunet.org</td> 2990 </tr> 2991 </tfoot> 2992 </table> 2993 </section> 2994 <section anchor="gana_alt"> 2995 <name>.alt Subdomains Registry</name> 2996 <t> 2997 GANA <xref target="GANA"/> 2998 manages the ".alt Subdomains" registry. This GANA-operated .alt registry 2999 may or may not be taken into account by any particular implementer, and 3000 it is not in any way associated with or sanctioned by the IETF or ICANN. 3001 </t> 3002 <t>Each entry has the following format: 3003 </t> 3004 <dl newline="false"> 3005 <dt>Label:</dt><dd>The label of the subdomain (in DNS "letters, digits, hyphen" (LDH) format as defined in <xref target="RFC5890" sectionFormat="of" section="2.3.1"/>).</dd> 3006 <dt>Description:</dt><dd>Optionally, brief English text describing the purpose of 3007 the subdomain (in UTF-8).</dd> 3008 <dt>Contact:</dt><dd>Optionally, the contact information for a person to contact for 3009 further information.</dd> 3010 <dt>References:</dt><dd>Optionally, references (such as an RFC) describing the record type.</dd> 3011 </dl> 3012 <t> 3013 The registration policy for this registry is "First Come First 3014 Served". This policy is modeled on that described in <xref target="RFC8126"/> 3015 and describes the actions taken by GANA: 3016 </t> 3017 <ul> 3018 <li> 3019 Adding new entries is possible after review by any authorized 3020 GANA contributor, using a 3021 first-come-first-served policy for unique subdomain allocation. 3022 Reviewers are responsible for ensuring that the chosen "Subdomain" is 3023 appropriate for the purpose. 3024 </li> 3025 <li> 3026 Authorized GANA contributors for review of new entries are reachable at 3027 <alt-registry@gnunet.org>. 3028 </li> 3029 <li> 3030 Any request <bcp14>MUST</bcp14> contain a unique subdomain and a point of contact. 3031 The contact information <bcp14>MAY</bcp14> be added to the registry, with the consent 3032 of the requester. 3033 The request <bcp14>MAY</bcp14> optionally also contain relevant references as well 3034 as a descriptive comment, as defined above. 3035 </li> 3036 </ul> 3037 <t> 3038 GANA has assigned the subdomain defined in this 3039 specification in the ".alt Subdomains" registry 3040 as listed in <xref target="tab_altsubdomains"/>. 3041 </t> 3042 <table anchor="tab_altsubdomains"> 3043 <name>The GANA .alt Subdomains Registry</name> 3044 <thead> 3045 <tr> 3046 <th>Label</th> 3047 <th>Contact</th> 3048 <th>References</th> 3049 <th>Description</th> 3050 </tr> 3051 </thead> 3052 <tbody> 3053 <tr> 3054 <td>gns</td> 3055 <td>(*)</td> 3056 <td>RFC 9498</td> 3057 <td>The .alt subdomain for GNS</td> 3058 </tr> 3059 </tbody> 3060 <tfoot> 3061 <tr> 3062 <td align="left" colspan="4">(*): alt-registry@gnunet.org</td> 3063 </tr> 3064 </tfoot> 3065 </table> 3066 3067 </section> 3068 </section> 3069 <section> 3070 <name>IANA Considerations</name> 3071 <t> 3072 This document has no IANA actions. 3073 </t> 3074 </section> 3075 <section> 3076 <name>Implementation and Deployment Status</name> 3077 <t> 3078 There are two implementations conforming to this specification, written 3079 in C and Go, respectively. The C implementation as part of GNUnet 3080 <xref target="GNUnetGNS"/> represents the original 3081 and reference implementation. The Go implementation 3082 <xref target="GoGNS"/> demonstrates how two implementations of GNS are 3083 interoperable if they are built on top of the same underlying 3084 DHT storage. 3085 </t> 3086 <t> 3087 Currently, the GNUnet peer-to-peer network <xref target="GNUnet"/> 3088 is an active deployment of GNS on top of its DHT <xref target="R5N"/>. The Go implementation <xref target="GoGNS"/> uses this deployment 3089 by building on top of the GNUnet DHT services available on any 3090 GNUnet peer. It shows how GNS implementations 3091 can attach to this existing deployment and participate in name 3092 resolution as well as zone publication. 3093 </t> 3094 <t> 3095 The self-sovereign identity system re:claimID <xref target="reclaim"/> 3096 is using GNS in order to selectively share identity attributes and 3097 attestations with third parties. 3098 </t> 3099 <t> 3100 The Ascension tool <xref target="Ascension"/> facilitates the migration of DNS zones to 3101 GNS zones by translating information retrieved from a DNS zone 3102 transfer into a GNS zone. 3103 </t> 3104 </section> 3105 </middle> 3106 <back> 3107 <references> 3108 <name>References</name> 3109 <references> 3110 <name>Normative References</name> 3111 3112 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml"/> 3113 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml"/> 3114 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2782.xml"/> 3115 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> 3116 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3629.xml"/> 3117 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3686.xml"/> 3118 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3826.xml"/> 3119 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5237.xml"/> 3120 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml"/> 3121 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5890.xml"/> 3122 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5895.xml"/> 3123 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6234.xml"/> 3124 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6895.xml"/> 3125 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml"/> 3126 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml"/> 3127 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8032.xml"/> 3128 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/> 3129 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> 3130 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8499.xml"/> 3131 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9106.xml"/> 3132 3133 <reference anchor="GANA" target="https://gana.gnunet.org/"> 3134 <front> 3135 <title>GNUnet Assigned Numbers Authority (GANA)</title> 3136 <author> 3137 <organization>GNUnet e.V.</organization> 3138 </author> 3139 <date year="2023"/> 3140 </front> 3141 </reference> 3142 3143 <reference anchor="MODES" target="https://doi.org/10.6028/NIST.SP.800-38A"> 3144 <front> 3145 <title>Recommendation for Block Cipher Modes of Operation: Methods and Techniques</title> 3146 <author initials="M." surname="Dworkin" fullname="Morris Dworkin"> 3147 <organization>NIST</organization> 3148 </author> 3149 <date year="2001" month="December"/> 3150 </front> 3151 <refcontent>NIST Special Publication 800-38A</refcontent> 3152 <seriesInfo name="DOI" value="10.6028/NIST.SP.800-38A"/> 3153 </reference> 3154 <reference anchor="CrockfordB32" target="https://www.crockford.com/base32.html"> 3155 <front> 3156 <title>Base 32</title> 3157 <author initials="D." surname="Crockford" fullname="Douglas Crockford"> 3158 </author> 3159 <date year="2019" month="March"/> 3160 </front> 3161 </reference> 3162 3163 <reference anchor="XSalsa20" target="https://cr.yp.to/papers.html#xsalsa"> 3164 <front> 3165 <title>Extending the Salsa20 nonce</title> 3166 <author initials="D. J." surname="Bernstein" fullname="Daniel Bernstein"> 3167 <organization>University of Illinois at Chicago</organization> 3168 </author> 3169 <date year="2011"/> 3170 </front> 3171 </reference> 3172 3173 <reference anchor="Unicode-UAX15" target="https://www.unicode.org/reports/tr15/tr15-31.html"> 3174 <front> 3175 <title>Unicode Standard Annex #15: Unicode Normalization Forms</title> 3176 <author initials="M." surname="Davis" fullname="Mark Davis"> 3177 <organization/> 3178 </author> 3179 <author initials="K." surname="Whistler" fullname="Ken Whistler"> 3180 <organization/> 3181 </author> 3182 <author initials="M." surname="Dürst" fullname="Martin Dürst"> 3183 <organization/> 3184 </author> 3185 <date year="2009" month="September"/> 3186 </front> 3187 <refcontent>Revision 31, The Unicode Consortium, Mountain View</refcontent> 3188 </reference> 3189 3190 <reference anchor="Unicode-UTS46" target="https://www.unicode.org/reports/tr46"> 3191 <front> 3192 <title>Unicode Technical Standard #46: Unicode IDNA Compatibility Processing</title> 3193 <author initials="M." surname="Davis" fullname="Mark Davis"> 3194 <organization/> 3195 </author> 3196 <author initials="M." surname="Suignard" fullname="Michel Suignard"> 3197 <organization/> 3198 </author> 3199 <date year="2023" month="September"/> 3200 </front> 3201 <refcontent>Revision 31, The Unicode Consortium, Mountain View</refcontent> 3202 </reference> 3203 </references> 3204 <references> 3205 <name>Informative References</name> 3206 3207 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1928.xml"/> 3208 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4033.xml"/> 3209 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6066.xml"/> 3210 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7363.xml"/> 3211 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8324.xml"/> 3212 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8806.xml"/> 3213 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6761.xml"/> 3214 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8244.xml"/> 3215 3216 <!-- draft-ietf-dnsop-alt-tld (RFC 9476; published) --> 3217 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9476.xml"/> 3218 3219 <reference anchor="TorRendSpec" target="https://github.com/torproject/torspec/blob/main/rend-spec-v3.txt"> 3220 <front> 3221 <title>Tor Rendezvous Specification - Version 3</title> 3222 <author> 3223 <organization>Tor Project</organization> 3224 </author> 3225 <date month="June" year="2023"/> 3226 </front> 3227 <refcontent>commit b345ca0</refcontent> 3228 </reference> 3229 3230 <reference anchor="Tor224" target="https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt#n2135"> 3231 <front> 3232 <title>Next-Generation Hidden Services in Tor</title> 3233 <author initials="D." surname="Goulet" fullname="David Goulet"> 3234 </author> 3235 <author initials="G." surname="Kadianakis" fullname="George Kadianakis"> 3236 </author> 3237 <author initials="N." surname="Mathewson" fullname="Nick Mathewson"> 3238 </author> 3239 <date year="2013" month="November"/> 3240 </front> 3241 <refcontent>Appendix A.2 ("Tor's key derivation scheme")</refcontent> 3242 </reference> 3243 3244 <reference anchor="SDSI" target="https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=3837e0206bf73e5e8f0ba6db767a2f714ea7c367"> 3245 <front> 3246 <title>SDSI - A Simple Distributed Security Infrastructure</title> 3247 <author initials="R. L." surname="Rivest" fullname="Ron L. Rivest"> 3248 </author> 3249 <author initials="B." surname="Lampson" fullname="Butler Lampson"> 3250 </author> 3251 <date year="1996" month="October"/> 3252 </front> 3253 </reference> 3254 3255 <reference anchor="Kademlia" target="https://css.csail.mit.edu/6.824/2014/papers/kademlia.pdf"> 3256 <front> 3257 <title>Kademlia: A Peer-to-peer Information System Based on the XOR Metric</title> 3258 <author initials="P." surname="Maymounkov" fullname="Petar Maymounkov"> 3259 </author> 3260 <author initials="D." surname="Mazières" fullname="David Mazières"> 3261 </author> 3262 <date year="2002"/> 3263 </front> 3264 <seriesInfo name="DOI" value="10.1007/3-540-45748-8_5"/> 3265 </reference> 3266 3267 <reference anchor="ed25519" target="https://ed25519.cr.yp.to/ed25519-20110926.pdf"> 3268 <front> 3269 <title>High-speed high-security signatures</title> 3270 <author initials="D. J." surname="Bernstein" fullname="Daniel Bernstein"> 3271 <organization>University of Illinois at Chicago</organization> 3272 </author> 3273 <author initials="N." surname="Duif" fullname="Niels Duif"> 3274 <organization>Technische Universiteit Eindhoven</organization> 3275 </author> 3276 <author initials="T." surname="Lange" fullname="Tanja Lange"> 3277 <organization>Technische Universiteit Eindhoven</organization> 3278 </author> 3279 <author initials="P." surname="Schwabe" fullname="Peter Schwabe"> 3280 <organization>National Taiwan University</organization> 3281 </author> 3282 <author initials="B-Y." surname="Yang" fullname="Bo-Yin Yang"> 3283 <organization>Academia Sinica</organization> 3284 </author> 3285 <date year="2011"/> 3286 </front> 3287 <seriesInfo name="DOI" value="10.1007/s13389-012-0027-1"/> 3288 </reference> 3289 3290 <reference anchor="GNS" target="https://sci-hub.st/10.1007/978-3-319-12280-9_9"> 3291 <front> 3292 <title>A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name System</title> 3293 <author initials="M." surname="Wachs" fullname="Matthias Wachs"> 3294 <organization>Technische Universität München</organization> 3295 </author> 3296 <author initials="M." surname="Schanzenbach" fullname="Martin Schanzenbach"> 3297 <organization>Technische Universität München</organization> 3298 </author> 3299 <author initials="C." surname="Grothoff" fullname="Christian Grothoff"> 3300 <organization>Technische Universität München</organization> 3301 </author> 3302 <date month="October" year="2014"/> 3303 </front> 3304 <refcontent>13th International Conference on Cryptology and Network Security (CANS)</refcontent> 3305 <seriesInfo name="DOI" value="10.13140/2.1.4642.3044"/> 3306 </reference> 3307 <reference anchor="R5N" target="https://sci-hub.st/10.1109/ICNSS.2011.6060022"> 3308 <front> 3309 <title>R5N: Randomized Recursive Routing for Restricted-Route Networks</title> 3310 <author initials="N. S." surname="Evans" fullname="Nathan S. Evans"> 3311 <organization>Technische Universität München</organization> 3312 </author> 3313 <author initials="C." surname="Grothoff" fullname="Christian Grothoff"> 3314 <organization>Technische Universität München</organization> 3315 </author> 3316 <date month="September" year="2011"/> 3317 </front> 3318 <refcontent>5th International Conference on Network and System Security (NSS)</refcontent> 3319 <seriesInfo name="DOI" value="10.1109/ICNSS.2011.6060022"/> 3320 </reference> 3321 3322 <reference anchor="SecureNS" target="https://sci-hub.st/https://doi.org/10.1016/j.cose.2018.01.018"> 3323 <front> 3324 <title>Toward secure name resolution on the Internet</title> 3325 <author initials="C." surname="Grothoff" fullname="Christian Grothoff"> 3326 <organization>Bern University of Applied Sciences</organization> 3327 </author> 3328 <author initials="M." surname="Wachs" fullname="Matthias Wachs"> 3329 <organization>Technische Universität München</organization> 3330 </author> 3331 <author initials="M." surname="Ermert" fullname="Monika Ermert"> 3332 </author> 3333 <author initials="J." surname="Appelbaum" fullname="Jacob Appelbaum"> 3334 <organization>TU Eindhoven</organization> 3335 </author> 3336 <date month="August" year="2018"/> 3337 </front> 3338 <refcontent>Computers and Security, Volume 77, Issue C, pp. 694-708</refcontent> 3339 <seriesInfo name="DOI" value="10.1016/j.cose.2018.01.018"/> 3340 </reference> 3341 3342 <reference anchor="GNUnetGNS" target="https://git.gnunet.org/gnunet.git"> 3343 <front> 3344 <title>gnunet.git - GNUnet core repository</title> 3345 <author> 3346 <organization>GNUnet e.V.</organization> 3347 </author> 3348 <date year="2023"/> 3349 </front> 3350 </reference> 3351 3352 <reference anchor="Ascension" target="https://git.gnunet.org/ascension.git"> 3353 <front> 3354 <title>ascension.git - DNS zones to GNS migrating using incremental zone 3355 transfer (AXFR/IXFR)</title> 3356 <author> 3357 <organization>GNUnet e.V.</organization> 3358 </author> 3359 <date year="2023"/> 3360 </front> 3361 </reference> 3362 3363 <reference anchor="GNUnet" target="https://gnunet.org"> 3364 <front> 3365 <title>The GNUnet Project (Home Page)</title> 3366 <author> 3367 <organization>GNUnet e.V.</organization> 3368 </author> 3369 <date year="2023"/> 3370 </front> 3371 </reference> 3372 3373 <reference anchor="reclaim" target="https://reclaim.gnunet.org"> 3374 <front> 3375 <title>re:claimID - Self-sovereign, Decentralised Identity Management and Personal Data Sharing</title> 3376 <author> 3377 <organization>GNUnet e.V.</organization> 3378 </author> 3379 <date year="2023"/> 3380 </front> 3381 </reference> 3382 3383 <reference anchor="GoGNS" target="https://github.com/bfix/gnunet-go/tree/master/src/gnunet/service/gns"> 3384 <front> 3385 <title>gnunet-go (Go GNS)</title> 3386 <author initials="B." surname="Fix" fullname="Bernd Fix"> 3387 </author> 3388 <date month="July" year="2023"/> 3389 </front> 3390 <refcontent>commit 5c815ba</refcontent> 3391 </reference> 3392 3393 <reference anchor="nsswitch" target="https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html"> 3394 <front> 3395 <title>System Databases and Name Service Switch (Section 29)</title> 3396 <author> 3397 <organization>GNU Project</organization> 3398 </author> 3399 </front> 3400 </reference> 3401 </references> 3402 </references> 3403 <section> 3404 <name>Usage and Migration</name> 3405 <t> 3406 This section outlines a number of specific use cases that may 3407 help readers of this technical specification better understand the protocol. 3408 The considerations below are not meant to be normative for the 3409 GNS protocol in any way. 3410 Instead, they are provided in order to give context and to provide 3411 some background on what the intended use of the protocol is 3412 by its designers. 3413 Further, this section provides pointers to migration paths. 3414 </t> 3415 <section anchor="day_in_zoneowner"> 3416 <name>Zone Dissemination</name> 3417 <t> 3418 In order to become a zone owner, it is sufficient to generate 3419 a zone key and a corresponding secret key using a GNS implementation. 3420 At this point, the zone owner can manage GNS resource records in a 3421 local zone database. 3422 The resource records can then be published by a GNS implementation 3423 as defined in <xref target="publish"/>. 3424 For other users to resolve the resource records, the respective 3425 zone information must be disseminated first. 3426 The zone owner may decide to make the zone key and labels known 3427 to a selected set of users only or to make this information available 3428 to the general public. 3429 </t> 3430 <t> 3431 Sharing zone information directly with specific users not only allows 3432 an implementation to potentially preserve zone and record privacy but also allows 3433 the zone owner and the user to establish strong trust relationships. 3434 For example, a bank may send a customer letter with a QR code that 3435 contains the GNS zone of the bank. 3436 This allows the user to scan the QR code and establish a strong 3437 link to the zone of the bank and with it, for example, the IP address 3438 of the online banking web site. 3439 </t> 3440 <t> 3441 Most Internet services likely want to make their zones available 3442 to the general public in the most efficient way possible. 3443 First, it is reasonable to assume that zones that are commanding 3444 high levels of reputation and trust are likely included in the 3445 default suffix-to-zone mappings of implementations. 3446 Hence, dissemination of a zone through delegation under such zones 3447 can be a viable path in order to disseminate a zone publicly. 3448 For example, it is conceivable that organizations such as ICANN 3449 or country-code TLD registrars also manage GNS zones 3450 and offer registration or delegation services. 3451 </t> 3452 <t> 3453 Following best practices, particularly those related to 3454 security and abuse mitigation, are methods that allow zone owners 3455 and aspiring registrars to gain a good reputation and, eventually, 3456 trust. 3457 This includes, of course, diligent protection of private zone key 3458 material. 3459 Formalizing such best practices is out of scope for this 3460 specification and should be addressed in a separate document that takes 3461 <xref target="security"/> of this document into account. 3462 </t> 3463 </section> 3464 <section> 3465 <name>Start Zone Configuration</name> 3466 <t> 3467 A user is expected to install a GNS implementation if it is not already 3468 provided through other means such as the operating system 3469 or the browser. 3470 It is likely that the implementation ships with a 3471 default Start Zone configuration. 3472 This means that the user is able to resolve GNS names ending on a 3473 zTLD or ending on any suffix-to-name mapping that is part of the 3474 default Start Zone configuration. 3475 At this point, the user may delete or otherwise modify the 3476 implementation's default configuration: 3477 </t> 3478 <ul> 3479 <li> 3480 Deletion of suffix-to-zone mappings may become necessary if the 3481 zone owner referenced by the mapping has lost the trust of the user. 3482 For example, this could be due to lax registration policies resulting 3483 in phishing activities. 3484 Modification and addition of new mappings are means to heal the 3485 namespace perforation that would occur in the case of a deletion 3486 or to simply establish a strong direct trust relationship. 3487 However, this requires the user's knowledge of the respective zone 3488 keys. 3489 This information must be retrieved out of band, as illustrated in 3490 <xref target="day_in_zoneowner"/>: 3491 a bank may send the user a letter with a QR code that contains the 3492 GNS zone of the bank. 3493 The user scans the QR code and adds a new suffix-to-name mapping 3494 using a chosen local name for their bank. 3495 Other examples include scanning zone information off the device of 3496 a friend, from a storefront, or from an advertisement. 3497 The level of trust in the respective zone is contextual and likely 3498 varies from user to user. 3499 Trust in a zone provided through a letter from a bank that 3500 may also include a credit card is certainly different from a zone 3501 found on a random advertisement on the street. 3502 However, this trust is immediately tangible to the user and can 3503 be reflected in the local naming as well. 3504 </li> 3505 <li> 3506 Users that are also clients should facilitate the modification of the Start Zone 3507 configuration -- for example, by providing a QR code reader or other 3508 import mechanisms. 3509 Implementations are ideally implemented 3510 according to best practices and addressing applicable points 3511 from <xref target="security"/>. 3512 Formalizing such best practices is out of scope for this 3513 specification. 3514 </li> 3515 </ul> 3516 </section> 3517 <section anchor="uc_virthost"> 3518 <name>Globally Unique Names and the Web</name> 3519 <t> 3520 HTTP virtual hosting and TLS Server Name Indication (SNI) are common 3521 use cases on the Web. 3522 HTTP clients supply a DNS name in the HTTP 3523 "Host"-header or as part of the TLS handshake, respectively. 3524 This allows the HTTP server to serve the indicated virtual host 3525 with a matching TLS certificate. 3526 The global uniqueness of DNS names is a prerequisite of those use cases. 3527 </t> 3528 <t> 3529 Not all GNS names are globally unique. 3530 However, any resource record in GNS can be represented as a 3531 concatenation of a GNS label and the zTLD of the zone. 3532 While not memorable, this globally unique GNS name can be 3533 leveraged in order to facilitate the same use cases. 3534 Consider the GNS name "www.example.gns.alt" entered in a GNS-aware 3535 HTTP client. 3536 At first, "www.example.gns.alt" is resolved using GNS, yielding a record 3537 set. 3538 Then, the HTTP client determines the virtual host as follows: 3539 </t> 3540 <t> 3541 If there is a LEHO record (<xref target="gnsrecords_leho"/>) 3542 containing "www.example.com" in the record set, then the HTTP 3543 client uses this as the value of the 3544 "Host"-header field of the HTTP request: 3545 </t> 3546 <sourcecode name="" type="http-message"><![CDATA[ 3547 GET / HTTP/1.1 3548 Host: www.example.com 3549 ]]></sourcecode> 3550 <t> 3551 In the absence of a LEHO record, an additional GNS resolution is 3552 required to check whether "www.example.gns.alt" itself points to a 3553 zone delegation record, which implies that the record set that was 3554 originally resolved is published under the apex label. 3555 </t> 3556 <t> 3557 If it does, the unique GNS name is simply the zTLD representation of 3558 the delegated zone: 3559 </t> 3560 <sourcecode name="" type="http-message"><![CDATA[ 3561 GET / HTTP/1.1 3562 Host: 000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W 3563 ]]></sourcecode> 3564 <t> 3565 On the other hand, if there is no zone delegation record for 3566 "www.example.gns.alt", then the unique GNS name is the concatenation of 3567 the leftmost label (e.g., "www") and the zTLD representation of the zone: 3568 </t> 3569 <sourcecode name="" type="http-message"><![CDATA[ 3570 GET / HTTP/1.1 3571 Host: www.000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W 3572 ]]></sourcecode> 3573 <t> 3574 Note that this second GNS resolution does not require any additional 3575 network operation, as only the local record processing differs as per 3576 the exception mentioned in the last sentence of <xref target="delegation_processing"/>. 3577 </t> 3578 <t> 3579 If the HTTP client is a browser, the use of a unique GNS name 3580 for virtual hosting or TLS SNI does not necessarily have to be 3581 shown to the user. 3582 For example, the name in the URL bar may remain as "www.example.gns.alt" 3583 even if the used unique name in the "Host"-header differs. 3584 </t> 3585 </section> 3586 <section> 3587 <name>Migration Paths</name> 3588 <t> 3589 DNS resolution is built into a variety of existing software 3590 components -- most significantly, operating systems and HTTP clients. 3591 This section illustrates possible migration paths for both in order 3592 to enable legacy applications to resolve GNS names. 3593 </t> 3594 <t> 3595 One way to efficiently facilitate the resolution of GNS names 3596 is via GNS-enabled DNS server implementations. 3597 Local DNS queries are thereby either rerouted or explicitly configured 3598 to be resolved by a "DNS-to-GNS" server that runs locally. 3599 This DNS server tries to interpret any incoming query for a name 3600 as a GNS resolution request. 3601 If no Start Zone can be found for the name and it does not end in 3602 a zTLD, the server tries to resolve the name in DNS. 3603 Otherwise, the name is resolved in GNS. 3604 In the latter case, the resulting record set is converted to a DNS 3605 answer packet and is returned accordingly. 3606 An implementation of a DNS-to-GNS server can be found in 3607 <xref target="GNUnet"/>. 3608 </t> 3609 <t> 3610 A similar approach is to use operating system extensions such as 3611 the NSS <xref target="nsswitch"/>. 3612 It allows the system administrator to configure plugins 3613 that are used for hostname resolution. 3614 A GNS nsswitch plugin can be used in a fashion similar to 3615 that used for the DNS-to-GNS server. 3616 An implementation of a glibc-compatible nsswitch plugin for GNS 3617 can be found in <xref target="GNUnet"/>. 3618 </t> 3619 <t> 3620 The methods above are usually also effective for HTTP client 3621 software. 3622 However, HTTP clients are commonly used in combination with 3623 TLS. 3624 TLS certificate validation, and SNI in particular, require additional logic in HTTP clients when GNS names are 3625 in play (<xref target="uc_virthost"/>). 3626 In order to transparently enable this functionality for migration 3627 purposes, a local GNS-aware SOCKS5 proxy <xref target="RFC1928"/> 3628 can be configured to resolve domain names. 3629 The SOCKS5 proxy, similar to the DNS-to-GNS server, is capable 3630 of resolving both GNS and DNS names. 3631 In the event of a TLS connection request with a GNS name, the SOCKS5 3632 proxy can terminate the TLS connection 3633 and establish a secure connection against the requested host. 3634 In order to establish a secure connection, the proxy may use LEHO 3635 and TLSA records stored in the record set under the GNS name. 3636 The proxy must provide a locally trusted certificate for the GNS 3637 name to the HTTP client; this usually requires the generation and 3638 configuration of a local trust anchor in the browser. 3639 An implementation of this SOCKS5 proxy can be found in 3640 <xref target="GNUnet"/>. 3641 </t> 3642 </section> 3643 </section> 3644 <section> 3645 <name>Example Flows</name> 3646 <section> 3647 <name>AAAA Example Resolution</name> 3648 <figure anchor="figure_resolution_ex_aaaa"> 3649 <name>Example Resolution of an IPv6 Address</name> 3650 <artwork name="" type="" alt=""> 3651 Local Host | Remote 3652 | Storage 3653 | 3654 | +---------+ 3655 | / /| 3656 | +---------+ | 3657 +-----------+ (1) +----------+ | | | | 3658 | | | | (4,6) | | Record | | 3659 |Application|----------| Resolver |---------------|->| Storage | | 3660 | |<---------| |<--------------|--| |/ 3661 +-----------+ (8) +----------+ (5,7) | +---------+ 3662 A | 3663 | | 3664 (2,3) | | 3665 | | 3666 | | 3667 +---------+ | 3668 / v /| | 3669 +---------+ | | 3670 | | | | 3671 | Start | | | 3672 | Zones | | | 3673 | |/ | 3674 +---------+ | 3675 </artwork> 3676 </figure> 3677 <ol> 3678 <li>Look up AAAA record for name: "www.example.gnu.gns.alt".</li> 3679 <li>Determine Start Zone for "www.example.gnu.gns.alt".</li> 3680 <li>Start Zone: zkey0 - Remainder: "www.example".</li> 3681 <li>Calculate q0=SHA512(ZKDF(zkey0, "example")) and initiate GET(q0).</li> 3682 <li>Retrieve and decrypt RRBLOCK consisting of a single PKEY record containing zkey1.</li> 3683 <li>Calculate q1=SHA512(ZKDF(zkey1, "www")) and initiate GET(q1).</li> 3684 <li>Retrieve RRBLOCK consisting of a single AAAA record containing the IPv6 address 2001:db8::1.</li> 3685 <li>Return record set to application.</li> 3686 </ol> 3687 </section> 3688 <section> 3689 <name>REDIRECT Example Resolution</name> 3690 <figure anchor="figure_resolution_ex_redir"> 3691 <name>Example Resolution of an IPv6 Address with Redirect</name> 3692 <artwork name="" type="" alt=""> 3693 Local Host | Remote 3694 | Storage 3695 | 3696 | +---------+ 3697 | / /| 3698 | +---------+ | 3699 +-----------+ (1) +----------+ | | | | 3700 | | | | (4,6,8) | | Record | | 3701 |Application|----------| Resolver |----------------|->| Storage | | 3702 | |<---------| |<---------------|--| |/ 3703 +-----------+ (10) +----------+ (5,7,9) | +---------+ 3704 A | 3705 | | 3706 (2,3) | | 3707 | | 3708 | | 3709 +---------+ | 3710 / v /| | 3711 +---------+ | | 3712 | | | | 3713 | Start | | | 3714 | Zones | | | 3715 | |/ | 3716 +---------+ | 3717 </artwork> 3718 </figure> 3719 <ol> 3720 <li>Look up AAAA record for name: "www.example.tld.gns.alt".</li> 3721 <li>Determine Start Zone for "www.example.tld.gns.alt".</li> 3722 <li>Start Zone: zkey0 - Remainder: "www.example".</li> 3723 <li>Calculate q0=SHA512(ZKDF(zkey0, "example")) and initiate GET(q0).</li> 3724 <li>Retrieve and decrypt RRBLOCK consisting of a single PKEY record containing zkey1.</li> 3725 <li>Calculate q1=SHA512(ZKDF(zkey1, "www")) and initiate GET(q1).</li> 3726 <li>Retrieve and decrypt RRBLOCK consisting of a single REDIRECT record containing "www2.+".</li> 3727 <li>Calculate q2=SHA512(ZKDF(zkey1, "www2")) and initiate GET(q2).</li> 3728 <li>Retrieve and decrypt RRBLOCK consisting of a single AAAA record containing the IPv6 address 2001:db8::1.</li> 3729 <li>Return record set to application.</li> 3730 </ol> 3731 </section> 3732 <section> 3733 <name>GNS2DNS Example Resolution</name> 3734 <figure anchor="figure_resolution_ex_gnsdns"> 3735 <name>Example Resolution of an IPv6 Address with DNS Handover</name> 3736 <artwork name="" type="" alt=""> 3737 Local Host | Remote 3738 | Storage 3739 | 3740 | +---------+ 3741 | / /| 3742 | +---------+ | 3743 +-----------+ (1) +----------+ | | | | 3744 | | | | (4) | | Record | | 3745 |Application|----------| Resolver |------------------|->| Storage | | 3746 | |<---------| |<-----------------|--| |/ 3747 +-----------+ (8) +----------+ (5) | +---------+ 3748 A A | 3749 | | (6,7) | 3750 (2,3) | +----------+ | 3751 | | | 3752 | v | 3753 +---------+ +------------+ | 3754 / v /| | System DNS | | 3755 +---------+ | | Resolver | | 3756 | | | +------------+ | 3757 | Start | | | 3758 | Zones | | | 3759 | |/ | 3760 +---------+ | 3761 </artwork> 3762 </figure> 3763 <ol> 3764 <li>Look up AAAA record for name: "www.example.gnu.gns.alt".</li> 3765 <li>Determine Start Zone for "www.example.gnu.gns.alt".</li> 3766 <li>Start Zone: zkey0 - Remainder: "www.example".</li> 3767 <li>Calculate q0=SHA512(ZKDF(zkey0, "example")) and initiate GET(q0).</li> 3768 <li>Retrieve and decrypt RRBLOCK consisting of a single GNS2DNS record containing the name "example.com" and the DNS server IPv4 address 192.0.2.1.</li> 3769 <li>Use system resolver to look up a AAAA record for the DNS name "www.example.com".</li> 3770 <li>Retrieve a DNS reply consisting of a single AAAA record containing the IPv6 address 2001:db8::1.</li> 3771 <li>Return record set to application.</li> 3772 </ol> 3773 </section> 3774 </section> 3775 <section anchor="app-c"> 3776 <name>Base32GNS</name> 3777 <t> 3778 Encoding converts a byte array into a string of symbols. 3779 Decoding converts a string of symbols into a byte array. 3780 Decoding fails if the input string has symbols outside the defined set. 3781 </t> 3782 <t> 3783 <xref target="CrockfordB32Encode"/> defines the encoding and decoding symbols for a given 3784 symbol value. 3785 Each symbol value encodes 5 bits. 3786 It can be used to implement the encoding by reading it as follows: 3787 a symbol "A" or "a" is decoded to a 5-bit value 10 when decoding. 3788 A 5-bit block with a value of 18 is encoded to the character "J" when encoding. 3789 If the bit length of the byte string to encode is not a multiple of 5, 3790 it is padded to the next multiple with zeroes. 3791 In order to further increase tolerance for failures in character 3792 recognition, the letter "U" <bcp14>MUST</bcp14> be decoded to the same value as the 3793 letter "V" in Base32GNS. 3794 </t> 3795 <table anchor="CrockfordB32Encode"> 3796 <name>The Base32GNS Alphabet, Including the Additional Encoding Symbol "U"</name> 3797 <thead> 3798 <tr> 3799 <th>Symbol Value</th> 3800 <th>Decoding Symbol</th> 3801 <th>Encoding Symbol</th> 3802 </tr> 3803 </thead> 3804 <tbody> 3805 <tr> 3806 <td>0</td> 3807 <td>0 O o</td> 3808 <td>0</td> 3809 </tr> 3810 <tr> 3811 <td>1</td> 3812 <td>1 I i L l</td> 3813 <td>1</td> 3814 </tr> 3815 <tr> 3816 <td>2</td> 3817 <td>2</td> 3818 <td>2</td> 3819 </tr> 3820 <tr> 3821 <td>3</td> 3822 <td>3</td> 3823 <td>3</td> 3824 </tr> 3825 <tr> 3826 <td>4</td> 3827 <td>4</td> 3828 <td>4</td> 3829 </tr> 3830 <tr> 3831 <td>5</td> 3832 <td>5</td> 3833 <td>5</td> 3834 </tr> 3835 <tr> 3836 <td>6</td> 3837 <td>6</td> 3838 <td>6</td> 3839 </tr> 3840 <tr> 3841 <td>7</td> 3842 <td>7</td> 3843 <td>7</td> 3844 </tr> 3845 <tr> 3846 <td>8</td> 3847 <td>8</td> 3848 <td>8</td> 3849 </tr> 3850 <tr> 3851 <td>9</td> 3852 <td>9</td> 3853 <td>9</td> 3854 </tr> 3855 <tr> 3856 <td>10</td> 3857 <td>A a</td> 3858 <td>A</td> 3859 </tr> 3860 <tr> 3861 <td>11</td> 3862 <td>B b</td> 3863 <td>B</td> 3864 </tr> 3865 <tr> 3866 <td>12</td> 3867 <td>C c</td> 3868 <td>C</td> 3869 </tr> 3870 <tr> 3871 <td>13</td> 3872 <td>D d</td> 3873 <td>D</td> 3874 </tr> 3875 <tr> 3876 <td>14</td> 3877 <td>E e</td> 3878 <td>E</td> 3879 </tr> 3880 <tr> 3881 <td>15</td> 3882 <td>F f</td> 3883 <td>F</td> 3884 </tr> 3885 <tr> 3886 <td>16</td> 3887 <td>G g</td> 3888 <td>G</td> 3889 </tr> 3890 <tr> 3891 <td>17</td> 3892 <td>H h</td> 3893 <td>H</td> 3894 </tr> 3895 <tr> 3896 <td>18</td> 3897 <td>J j</td> 3898 <td>J</td> 3899 </tr> 3900 <tr> 3901 <td>19</td> 3902 <td>K k</td> 3903 <td>K</td> 3904 </tr> 3905 <tr> 3906 <td>20</td> 3907 <td>M m</td> 3908 <td>M</td> 3909 </tr> 3910 <tr> 3911 <td>21</td> 3912 <td>N n</td> 3913 <td>N</td> 3914 </tr> 3915 <tr> 3916 <td>22</td> 3917 <td>P p</td> 3918 <td>P</td> 3919 </tr> 3920 <tr> 3921 <td>23</td> 3922 <td>Q q</td> 3923 <td>Q</td> 3924 </tr> 3925 <tr> 3926 <td>24</td> 3927 <td>R r</td> 3928 <td>R</td> 3929 </tr> 3930 <tr> 3931 <td>25</td> 3932 <td>S s</td> 3933 <td>S</td> 3934 </tr> 3935 <tr> 3936 <td>26</td> 3937 <td>T t</td> 3938 <td>T</td> 3939 </tr> 3940 <tr> 3941 <td>27</td> 3942 <td>V v U u</td> 3943 <td>V</td> 3944 </tr> 3945 <tr> 3946 <td>28</td> 3947 <td>W w</td> 3948 <td>W</td> 3949 </tr> 3950 <tr> 3951 <td>29</td> 3952 <td>X x</td> 3953 <td>X</td> 3954 </tr> 3955 <tr> 3956 <td>30</td> 3957 <td>Y y</td> 3958 <td>Y</td> 3959 </tr> 3960 <tr> 3961 <td>31</td> 3962 <td>Z z</td> 3963 <td>Z</td> 3964 </tr> 3965 </tbody> 3966 </table> 3967 3968 </section> 3969 <section> 3970 <name>Test Vectors</name> 3971 <t> 3972 The following test vectors can be used by implementations to test 3973 for conformance with this specification. Unless indicated otherwise, 3974 the test vectors are provided as hexadecimal byte arrays. 3975 </t> 3976 <section> 3977 <name>Base32GNS Encoding/Decoding</name> 3978 <t> 3979 The following are test vectors for the Base32GNS encoding used for zTLDs. The input strings are encoded without the zero terminator. 3980 </t> 3981 <sourcecode name="" type="test-vectors"><![CDATA[ 3982 Base32GNS-Encode: 3983 Input string: "Hello World" 3984 Output string: "91JPRV3F41BPYWKCCG" 3985 3986 Input bytes: 474e55204e616d652053797374656d 3987 Output string: "8X75A82EC5PPA82KF5SQ8SBD" 3988 3989 Base32GNS-Decode: 3990 Input string: "91JPRV3F41BPYWKCCG" 3991 Output string: "Hello World" 3992 3993 Input string: "91JPRU3F41BPYWKCCG" 3994 Output string: "Hello World" 3995 ]]></sourcecode> 3996 3997 </section> 3998 <section> 3999 <name>Record Sets</name> 4000 <t> 4001 The test vectors include record sets with a variety 4002 of record types and flags for both PKEY and EDKEY zones. 4003 This includes labels with UTF-8 characters to demonstrate 4004 internationalized labels. 4005 </t> 4006 <t><strong>(1) PKEY zone with ASCII label and one delegation record</strong></t> 4007 <sourcecode name="" type="test-vectors"><![CDATA[ 4008 Zone private key (d, big-endian): 4009 50 d7 b6 52 a4 ef ea df 4010 f3 73 96 90 97 85 e5 95 4011 21 71 a0 21 78 c8 e7 d4 4012 50 fa 90 79 25 fa fd 98 4013 4014 Zone identifier (ztype|zkey): 4015 00 01 00 00 67 7c 47 7d 4016 2d 93 09 7c 85 b1 95 c6 4017 f9 6d 84 ff 61 f5 98 2c 4018 2c 4f e0 2d 5a 11 fe df 4019 b0 c2 90 1f 4020 4021 zTLD: 4022 000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W 4023 4024 Label: 4025 74 65 73 74 64 65 6c 65 4026 67 61 74 69 6f 6e 4027 4028 Number of records (integer): 1 4029 4030 Record #0 := ( 4031 EXPIRATION: 8143584694000000 us 4032 00 1c ee 8c 10 e2 59 80 4033 4034 DATA_SIZE: 4035 00 20 4036 4037 TYPE: 4038 00 01 00 00 4039 4040 FLAGS: 00 01 4041 4042 DATA: 4043 21 e3 b3 0f f9 3b c6 d3 4044 5a c8 c6 e0 e1 3a fd ff 4045 79 4c b7 b4 4b bb c7 48 4046 d2 59 d0 a0 28 4d be 84 4047 4048 ) 4049 4050 RDATA: 4051 00 1c ee 8c 10 e2 59 80 4052 00 20 00 01 00 01 00 00 4053 21 e3 b3 0f f9 3b c6 d3 4054 5a c8 c6 e0 e1 3a fd ff 4055 79 4c b7 b4 4b bb c7 48 4056 d2 59 d0 a0 28 4d be 84 4057 4058 Encryption NONCE|EXPIRATION|BLOCK COUNTER: 4059 e9 0a 00 61 00 1c ee 8c 4060 10 e2 59 80 00 00 00 01 4061 4062 Encryption key (K): 4063 86 4e 71 38 ea e7 fd 91 4064 a3 01 36 89 9c 13 2b 23 4065 ac eb db 2c ef 43 cb 19 4066 f6 bf 55 b6 7d b9 b3 b3 4067 4068 Storage key (q): 4069 4a dc 67 c5 ec ee 9f 76 4070 98 6a bd 71 c2 22 4a 3d 4071 ce 2e 91 70 26 c9 a0 9d 4072 fd 44 ce f3 d2 0f 55 a2 4073 73 32 72 5a 6c 8a fb bb 4074 b0 f7 ec 9a f1 cc 42 64 4075 12 99 40 6b 04 fd 9b 5b 4076 57 91 f8 6c 4b 08 d5 f4 4077 4078 ZKDF(zkey, label): 4079 18 2b b6 36 ed a7 9f 79 4080 57 11 bc 27 08 ad bb 24 4081 2a 60 44 6a d3 c3 08 03 4082 12 1d 03 d3 48 b7 ce b6 4083 4084 Derived private key (d', big-endian): 4085 0a 4c 5e 0f 00 63 df ce 4086 db c8 c7 f2 b2 2c 03 0c 4087 86 28 b2 c2 cb ac 9f a7 4088 29 aa e6 1f 89 db 3e 9c 4089 4090 BDATA: 4091 0c 1e da 5c c0 94 a1 c7 4092 a8 88 64 9d 25 fa ee bd 4093 60 da e6 07 3d 57 d8 ae 4094 8d 45 5f 4f 13 92 c0 74 4095 e2 6a c6 69 bd ee c2 34 4096 62 b9 62 95 2c c6 e9 eb 4097 4098 RRBLOCK: 4099 00 00 00 a0 00 01 00 00 4100 18 2b b6 36 ed a7 9f 79 4101 57 11 bc 27 08 ad bb 24 4102 2a 60 44 6a d3 c3 08 03 4103 12 1d 03 d3 48 b7 ce b6 4104 0a d1 0b c1 3b 40 3b 5b 4105 25 61 26 b2 14 5a 6f 60 4106 c5 14 f9 51 ff a7 66 f7 4107 a3 fd 4b ac 4a 4e 19 90 4108 05 5c b8 7e 8d 1b fd 19 4109 aa 09 a4 29 f7 29 e9 f5 4110 c6 ee c2 47 0a ce e2 22 4111 07 59 e9 e3 6c 88 6f 35 4112 00 1c ee 8c 10 e2 59 80 4113 0c 1e da 5c c0 94 a1 c7 4114 a8 88 64 9d 25 fa ee bd 4115 60 da e6 07 3d 57 d8 ae 4116 8d 45 5f 4f 13 92 c0 74 4117 e2 6a c6 69 bd ee c2 34 4118 62 b9 62 95 2c c6 e9 eb 4119 ]]></sourcecode> 4120 <t><strong>(2) PKEY zone with UTF-8 label and three records</strong></t> 4121 <sourcecode name="" type="test-vectors"><![CDATA[ 4122 Zone private key (d, big-endian): 4123 50 d7 b6 52 a4 ef ea df 4124 f3 73 96 90 97 85 e5 95 4125 21 71 a0 21 78 c8 e7 d4 4126 50 fa 90 79 25 fa fd 98 4127 4128 Zone identifier (ztype|zkey): 4129 00 01 00 00 67 7c 47 7d 4130 2d 93 09 7c 85 b1 95 c6 4131 f9 6d 84 ff 61 f5 98 2c 4132 2c 4f e0 2d 5a 11 fe df 4133 b0 c2 90 1f 4134 4135 zTLD: 4136 000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W 4137 4138 Label: 4139 e5 a4 a9 e4 b8 8b e7 84 4140 a1 e6 95 b5 4141 4142 Number of records (integer): 3 4143 4144 Record #0 := ( 4145 EXPIRATION: 8143584694000000 us 4146 00 1c ee 8c 10 e2 59 80 4147 4148 DATA_SIZE: 4149 00 10 4150 4151 TYPE: 4152 00 00 00 1c 4153 4154 FLAGS: 00 00 4155 4156 DATA: 4157 00 00 00 00 00 00 00 00 4158 00 00 00 00 de ad be ef 4159 4160 ) 4161 4162 Record #1 := ( 4163 EXPIRATION: 17999736901000000 us 4164 00 3f f2 aa 54 08 db 40 4165 4166 DATA_SIZE: 4167 00 06 4168 4169 TYPE: 4170 00 01 00 01 4171 4172 FLAGS: 00 00 4173 4174 DATA: 4175 e6 84 9b e7 a7 b0 4176 4177 ) 4178 4179 Record #2 := ( 4180 EXPIRATION: 11464693629000000 us 4181 00 28 bb 13 ff 37 19 40 4182 4183 DATA_SIZE: 4184 00 0b 4185 4186 TYPE: 4187 00 00 00 10 4188 4189 FLAGS: 00 04 4190 4191 DATA: 4192 48 65 6c 6c 6f 20 57 6f 4193 72 6c 64 4194 4195 ) 4196 4197 RDATA: 4198 00 1c ee 8c 10 e2 59 80 4199 00 10 00 00 00 00 00 1c 4200 00 00 00 00 00 00 00 00 4201 00 00 00 00 de ad be ef 4202 00 3f f2 aa 54 08 db 40 4203 00 06 00 00 00 01 00 01 4204 e6 84 9b e7 a7 b0 00 28 4205 bb 13 ff 37 19 40 00 0b 4206 00 04 00 00 00 10 48 65 4207 6c 6c 6f 20 57 6f 72 6c 4208 64 00 00 00 00 00 00 00 4209 00 00 00 00 00 00 00 00 4210 00 00 00 00 00 00 00 00 4211 00 00 00 00 00 00 00 00 4212 00 00 00 00 00 00 00 00 4213 00 00 00 00 00 00 00 00 4214 4215 Encryption NONCE|EXPIRATION|BLOCK COUNTER: 4216 ee 96 33 c1 00 1c ee 8c 4217 10 e2 59 80 00 00 00 01 4218 4219 Encryption key (K): 4220 fb 3a b5 de 23 bd da e1 4221 99 7a af 7b 92 c2 d2 71 4222 51 40 8b 77 af 7a 41 ac 4223 79 05 7c 4d f5 38 3d 01 4224 4225 Storage key (q): 4226 af f0 ad 6a 44 09 73 68 4227 42 9a c4 76 df a1 f3 4b 4228 ee 4c 36 e7 47 6d 07 aa 4229 64 63 ff 20 91 5b 10 05 4230 c0 99 1d ef 91 fc 3e 10 4231 90 9f 87 02 c0 be 40 43 4232 67 78 c7 11 f2 ca 47 d5 4233 5c f0 b5 4d 23 5d a9 77 4234 4235 ZKDF(zkey, label): 4236 a5 12 96 df 75 7e e2 75 4237 ca 11 8d 4f 07 fa 7a ae 4238 55 08 bc f5 12 aa 41 12 4239 14 29 d4 a0 de 9d 05 7e 4240 4241 Derived private key (d', big-endian): 4242 0a be 56 d6 80 68 ab 40 4243 e1 44 79 0c de 9a cf 4d 4244 78 7f 2d 3c 63 b8 53 05 4245 74 6e 68 03 32 15 f2 ab 4246 4247 BDATA: 4248 d8 c2 8d 2f d6 96 7d 1a 4249 b7 22 53 f2 10 98 b8 14 4250 a4 10 be 1f 59 98 de 03 4251 f5 8f 7e 7c db 7f 08 a6 4252 16 51 be 4d 0b 6f 8a 61 4253 df 15 30 44 0b d7 47 dc 4254 f0 d7 10 4f 6b 8d 24 c2 4255 ac 9b c1 3d 9c 6f e8 29 4256 05 25 d2 a6 d0 f8 84 42 4257 67 a1 57 0e 8e 29 4d c9 4258 3a 31 9f cf c0 3e a2 70 4259 17 d6 fd a3 47 b4 a7 94 4260 97 d7 f6 b1 42 2d 4e dd 4261 82 1c 19 93 4e 96 c1 aa 4262 87 76 57 25 d4 94 c7 64 4263 b1 55 dc 6d 13 26 91 74 4264 4265 RRBLOCK: 4266 00 00 00 f0 00 01 00 00 4267 a5 12 96 df 75 7e e2 75 4268 ca 11 8d 4f 07 fa 7a ae 4269 55 08 bc f5 12 aa 41 12 4270 14 29 d4 a0 de 9d 05 7e 4271 08 5b d6 5f d4 85 10 51 4272 ba ce 2a 45 2a fc 8a 7e 4273 4f 6b 2c 1f 74 f0 20 35 4274 d9 64 1a cd ba a4 66 e0 4275 00 ce d6 f2 d2 3b 63 1c 4276 8e 8a 0b 38 e2 ba e7 9a 4277 22 ca d8 1d 4c 50 d2 25 4278 35 8e bc 17 ac 0f 89 9e 4279 00 1c ee 8c 10 e2 59 80 4280 d8 c2 8d 2f d6 96 7d 1a 4281 b7 22 53 f2 10 98 b8 14 4282 a4 10 be 1f 59 98 de 03 4283 f5 8f 7e 7c db 7f 08 a6 4284 16 51 be 4d 0b 6f 8a 61 4285 df 15 30 44 0b d7 47 dc 4286 f0 d7 10 4f 6b 8d 24 c2 4287 ac 9b c1 3d 9c 6f e8 29 4288 05 25 d2 a6 d0 f8 84 42 4289 67 a1 57 0e 8e 29 4d c9 4290 3a 31 9f cf c0 3e a2 70 4291 17 d6 fd a3 47 b4 a7 94 4292 97 d7 f6 b1 42 2d 4e dd 4293 82 1c 19 93 4e 96 c1 aa 4294 87 76 57 25 d4 94 c7 64 4295 b1 55 dc 6d 13 26 91 74 4296 ]]></sourcecode> 4297 <t><strong>(3) EDKEY zone with ASCII label and one delegation record</strong></t> 4298 <sourcecode name="" type="test-vectors"><![CDATA[ 4299 Zone private key (d): 4300 5a f7 02 0e e1 91 60 32 4301 88 32 35 2b bc 6a 68 a8 4302 d7 1a 7c be 1b 92 99 69 4303 a7 c6 6d 41 5a 0d 8f 65 4304 4305 Zone identifier (ztype|zkey): 4306 00 01 00 14 3c f4 b9 24 4307 03 20 22 f0 dc 50 58 14 4308 53 b8 5d 93 b0 47 b6 3d 4309 44 6c 58 45 cb 48 44 5d 4310 db 96 68 8f 4311 4312 zTLD: 4313 000G051WYJWJ80S04BRDRM2R2H9VGQCKP13VCFA4DHC4BJT88HEXQ5K8HW 4314 4315 Label: 4316 74 65 73 74 64 65 6c 65 4317 67 61 74 69 6f 6e 4318 4319 Number of records (integer): 1 4320 4321 Record #0 := ( 4322 EXPIRATION: 8143584694000000 us 4323 00 1c ee 8c 10 e2 59 80 4324 4325 DATA_SIZE: 4326 00 20 4327 4328 TYPE: 4329 00 01 00 00 4330 4331 FLAGS: 00 01 4332 4333 DATA: 4334 21 e3 b3 0f f9 3b c6 d3 4335 5a c8 c6 e0 e1 3a fd ff 4336 79 4c b7 b4 4b bb c7 48 4337 d2 59 d0 a0 28 4d be 84 4338 4339 ) 4340 4341 RDATA: 4342 00 1c ee 8c 10 e2 59 80 4343 00 20 00 01 00 01 00 00 4344 21 e3 b3 0f f9 3b c6 d3 4345 5a c8 c6 e0 e1 3a fd ff 4346 79 4c b7 b4 4b bb c7 48 4347 d2 59 d0 a0 28 4d be 84 4348 4349 Encryption NONCE|EXPIRATION: 4350 98 13 2e a8 68 59 d3 5c 4351 88 bf d3 17 fa 99 1b cb 4352 00 1c ee 8c 10 e2 59 80 4353 4354 Encryption key (K): 4355 85 c4 29 a9 56 7a a6 33 4356 41 1a 96 91 e9 09 4c 45 4357 28 16 72 be 58 60 34 aa 4358 e4 a2 a2 cc 71 61 59 e2 4359 4360 Storage key (q): 4361 ab aa ba c0 e1 24 94 59 4362 75 98 83 95 aa c0 24 1e 4363 55 59 c4 1c 40 74 e2 55 4364 7b 9f e6 d1 54 b6 14 fb 4365 cd d4 7f c7 f5 1d 78 6d 4366 c2 e0 b1 ec e7 60 37 c0 4367 a1 57 8c 38 4e c6 1d 44 4368 56 36 a9 4e 88 03 29 e9 4369 4370 ZKDF(zkey, label): 4371 9b f2 33 19 8c 6d 53 bb 4372 db ac 49 5c ab d9 10 49 4373 a6 84 af 3f 40 51 ba ca 4374 b0 dc f2 1c 8c f2 7a 1a 4375 4376 nonce := SHA-256(dh[32..63] || h): 4377 14 f2 c0 6b ed c3 aa 2d 4378 f0 71 13 9c 50 39 34 f3 4379 4b fa 63 11 a8 52 f2 11 4380 f7 3a df 2e 07 61 ec 35 4381 4382 Derived private key (d', big-endian): 4383 3b 1b 29 d4 23 0b 10 a8 4384 ec 4d a3 c8 6e db 88 ea 4385 cd 54 08 5c 1d db 63 f7 4386 a9 d7 3f 7c cb 2f c3 98 4387 4388 BDATA: 4389 57 7c c6 c9 5a 14 e7 04 4390 09 f2 0b 01 67 e6 36 d0 4391 10 80 7c 4f 00 37 2d 69 4392 8c 82 6b d9 2b c2 2b d6 4393 bb 45 e5 27 7c 01 88 1d 4394 6a 43 60 68 e4 dd f1 c6 4395 b7 d1 41 6f af a6 69 7c 4396 25 ed d9 ea e9 91 67 c3 4397 4398 RRBLOCK: 4399 00 00 00 b0 00 01 00 14 4400 9b f2 33 19 8c 6d 53 bb 4401 db ac 49 5c ab d9 10 49 4402 a6 84 af 3f 40 51 ba ca 4403 b0 dc f2 1c 8c f2 7a 1a 4404 9f 56 a8 86 ea 73 9d 59 4405 17 50 8f 9b 75 56 39 f3 4406 a9 ac fa ed ed ca 7f bf 4407 a7 94 b1 92 e0 8b f9 ed 4408 4c 7e c8 59 4c 9f 7b 4e 4409 19 77 4f f8 38 ec 38 7a 4410 8f 34 23 da ac 44 9f 59 4411 db 4e 83 94 3f 90 72 00 4412 00 1c ee 8c 10 e2 59 80 4413 57 7c c6 c9 5a 14 e7 04 4414 09 f2 0b 01 67 e6 36 d0 4415 10 80 7c 4f 00 37 2d 69 4416 8c 82 6b d9 2b c2 2b d6 4417 bb 45 e5 27 7c 01 88 1d 4418 6a 43 60 68 e4 dd f1 c6 4419 b7 d1 41 6f af a6 69 7c 4420 25 ed d9 ea e9 91 67 c3 4421 ]]></sourcecode> 4422 <t><strong>(4) EDKEY zone with UTF-8 label and three records</strong></t> 4423 <sourcecode name="" type="test-vectors"><![CDATA[ 4424 Zone private key (d): 4425 5a f7 02 0e e1 91 60 32 4426 88 32 35 2b bc 6a 68 a8 4427 d7 1a 7c be 1b 92 99 69 4428 a7 c6 6d 41 5a 0d 8f 65 4429 4430 Zone identifier (ztype|zkey): 4431 00 01 00 14 3c f4 b9 24 4432 03 20 22 f0 dc 50 58 14 4433 53 b8 5d 93 b0 47 b6 3d 4434 44 6c 58 45 cb 48 44 5d 4435 db 96 68 8f 4436 4437 zTLD: 4438 000G051WYJWJ80S04BRDRM2R2H9VGQCKP13VCFA4DHC4BJT88HEXQ5K8HW 4439 4440 Label: 4441 e5 a4 a9 e4 b8 8b e7 84 4442 a1 e6 95 b5 4443 4444 Number of records (integer): 3 4445 4446 Record #0 := ( 4447 EXPIRATION: 8143584694000000 us 4448 00 1c ee 8c 10 e2 59 80 4449 4450 DATA_SIZE: 4451 00 10 4452 4453 TYPE: 4454 00 00 00 1c 4455 4456 FLAGS: 00 00 4457 4458 DATA: 4459 00 00 00 00 00 00 00 00 4460 00 00 00 00 de ad be ef 4461 4462 ) 4463 4464 Record #1 := ( 4465 EXPIRATION: 17999736901000000 us 4466 00 3f f2 aa 54 08 db 40 4467 4468 DATA_SIZE: 4469 00 06 4470 4471 TYPE: 4472 00 01 00 01 4473 4474 FLAGS: 00 00 4475 4476 DATA: 4477 e6 84 9b e7 a7 b0 4478 4479 ) 4480 4481 Record #2 := ( 4482 EXPIRATION: 11464693629000000 us 4483 00 28 bb 13 ff 37 19 40 4484 4485 DATA_SIZE: 4486 00 0b 4487 4488 TYPE: 4489 00 00 00 10 4490 4491 FLAGS: 00 04 4492 4493 DATA: 4494 48 65 6c 6c 6f 20 57 6f 4495 72 6c 64 4496 4497 ) 4498 4499 RDATA: 4500 00 1c ee 8c 10 e2 59 80 4501 00 10 00 00 00 00 00 1c 4502 00 00 00 00 00 00 00 00 4503 00 00 00 00 de ad be ef 4504 00 3f f2 aa 54 08 db 40 4505 00 06 00 00 00 01 00 01 4506 e6 84 9b e7 a7 b0 00 28 4507 bb 13 ff 37 19 40 00 0b 4508 00 04 00 00 00 10 48 65 4509 6c 6c 6f 20 57 6f 72 6c 4510 64 00 00 00 00 00 00 00 4511 00 00 00 00 00 00 00 00 4512 00 00 00 00 00 00 00 00 4513 00 00 00 00 00 00 00 00 4514 00 00 00 00 00 00 00 00 4515 00 00 00 00 00 00 00 00 4516 4517 Encryption NONCE|EXPIRATION: 4518 bb 0d 3f 0f bd 22 42 77 4519 50 da 5d 69 12 16 e6 c9 4520 00 1c ee 8c 10 e2 59 80 4521 4522 Encryption key (K): 4523 3d f8 05 bd 66 87 aa 14 4524 20 96 28 c2 44 b1 11 91 4525 88 c3 92 56 37 a4 1e 5d 4526 76 49 6c 29 45 dc 37 7b 4527 4528 Storage key (q): 4529 ba f8 21 77 ee c0 81 e0 4530 74 a7 da 47 ff c6 48 77 4531 58 fb 0d f0 1a 6c 7f bb 4532 52 fc 8a 31 be f0 29 af 4533 74 aa 0d c1 5a b8 e2 fa 4534 7a 54 b4 f5 f6 37 f6 15 4535 8f a7 f0 3c 3f ce be 78 4536 d3 f9 d6 40 aa c0 d1 ed 4537 4538 ZKDF(zkey, label): 4539 74 f9 00 68 f1 67 69 53 4540 52 a8 a6 c2 eb 98 48 98 4541 c5 3a cc a0 98 04 70 c6 4542 c8 12 64 cb dd 78 ad 11 4543 4544 nonce := SHA-256(dh[32..63] || h): 4545 f8 6a b5 33 8a 74 d7 a1 4546 d2 77 ea 11 ff 95 cb e8 4547 3a cf d3 97 3b b4 ab ca 4548 0a 1b 60 62 c3 7a b3 9c 4549 4550 Derived private key (d', big-endian): 4551 17 c0 68 a6 c3 f7 20 de 4552 0e 1b 69 ff 3f 53 e0 5d 4553 3f e5 c5 b0 51 25 7a 89 4554 a6 3c 1a d3 5a c4 35 58 4555 4556 BDATA: 4557 4e b3 5a 50 d4 0f e1 a4 4558 29 c7 f4 b2 67 a0 59 de 4559 4e 2c 8a 89 a5 ed 53 d3 4560 d4 92 58 59 d2 94 9f 7f 4561 30 d8 a2 0c aa 96 f8 81 4562 45 05 2d 1c da 04 12 49 4563 8f f2 5f f2 81 6e f0 ce 4564 61 fe 69 9b fa c7 2c 15 4565 dc 83 0e a9 b0 36 17 1c 4566 cf ca bb dd a8 de 3c 86 4567 ed e2 95 70 d0 17 4b 82 4568 82 09 48 a9 28 b7 f0 0e 4569 fb 40 1c 10 fe 80 bb bb 4570 02 76 33 1b f7 f5 1b 8d 4571 74 57 9c 14 14 f2 2d 50 4572 1a d2 5a e2 49 f5 bb f2 4573 a6 c3 72 59 d1 75 e4 40 4574 b2 94 39 c6 05 19 cb b1 4575 4576 RRBLOCK: 4577 00 00 01 00 00 01 00 14 4578 74 f9 00 68 f1 67 69 53 4579 52 a8 a6 c2 eb 98 48 98 4580 c5 3a cc a0 98 04 70 c6 4581 c8 12 64 cb dd 78 ad 11 4582 75 6d 2c 15 7a d2 ea 4f 4583 c0 b1 b9 1c 08 03 79 44 4584 61 d3 de f2 0d d1 63 6c 4585 fe dc 03 89 c5 49 d1 43 4586 6c c3 5b 4e 1b f8 89 5a 4587 64 6b d9 a6 f4 6b 83 48 4588 1d 9c 0e 91 d4 e1 be bb 4589 6a 83 52 6f b7 25 2a 06 4590 00 1c ee 8c 10 e2 59 80 4591 4e b3 5a 50 d4 0f e1 a4 4592 29 c7 f4 b2 67 a0 59 de 4593 4e 2c 8a 89 a5 ed 53 d3 4594 d4 92 58 59 d2 94 9f 7f 4595 30 d8 a2 0c aa 96 f8 81 4596 45 05 2d 1c da 04 12 49 4597 8f f2 5f f2 81 6e f0 ce 4598 61 fe 69 9b fa c7 2c 15 4599 dc 83 0e a9 b0 36 17 1c 4600 cf ca bb dd a8 de 3c 86 4601 ed e2 95 70 d0 17 4b 82 4602 82 09 48 a9 28 b7 f0 0e 4603 fb 40 1c 10 fe 80 bb bb 4604 02 76 33 1b f7 f5 1b 8d 4605 74 57 9c 14 14 f2 2d 50 4606 1a d2 5a e2 49 f5 bb f2 4607 a6 c3 72 59 d1 75 e4 40 4608 b2 94 39 c6 05 19 cb b1 4609 ]]></sourcecode> 4610 </section> 4611 <section> 4612 <name>Zone Revocation</name> 4613 <t> 4614 The following is an example revocation for a PKEY zone: 4615 </t> 4616 <sourcecode name="" type="test-vectors"><![CDATA[ 4617 Zone private key (d, big-endian): 4618 6f ea 32 c0 5a f5 8b fa 4619 97 95 53 d1 88 60 5f d5 4620 7d 8b f9 cc 26 3b 78 d5 4621 f7 47 8c 07 b9 98 ed 70 4622 4623 Zone identifier (ztype|zkey): 4624 00 01 00 00 2c a2 23 e8 4625 79 ec c4 bb de b5 da 17 4626 31 92 81 d6 3b 2e 3b 69 4627 55 f1 c3 77 5c 80 4a 98 4628 d5 f8 dd aa 4629 4630 zTLD: 4631 000G001CM8HYGYFCRJXXXDET2WRS50EP7CQ3PTANY71QEQ409ACDBY6XN8 4632 4633 Difficulty (5 base difficulty + 2 epochs): 7 4634 4635 Signed message: 4636 00 00 00 34 00 00 00 03 4637 00 05 ff 1c 56 e4 b2 68 4638 00 01 00 00 2c a2 23 e8 4639 79 ec c4 bb de b5 da 17 4640 31 92 81 d6 3b 2e 3b 69 4641 55 f1 c3 77 5c 80 4a 98 4642 d5 f8 dd aa 4643 4644 Proof: 4645 00 05 ff 1c 56 e4 b2 68 4646 00 00 39 5d 18 27 c0 00 4647 38 0b 54 aa 70 16 ac a2 4648 38 0b 54 aa 70 16 ad 62 4649 38 0b 54 aa 70 16 af 3e 4650 38 0b 54 aa 70 16 af 93 4651 38 0b 54 aa 70 16 b0 bf 4652 38 0b 54 aa 70 16 b0 ee 4653 38 0b 54 aa 70 16 b1 c9 4654 38 0b 54 aa 70 16 b1 e5 4655 38 0b 54 aa 70 16 b2 78 4656 38 0b 54 aa 70 16 b2 b2 4657 38 0b 54 aa 70 16 b2 d6 4658 38 0b 54 aa 70 16 b2 e4 4659 38 0b 54 aa 70 16 b3 2c 4660 38 0b 54 aa 70 16 b3 5a 4661 38 0b 54 aa 70 16 b3 9d 4662 38 0b 54 aa 70 16 b3 c0 4663 38 0b 54 aa 70 16 b3 dd 4664 38 0b 54 aa 70 16 b3 f4 4665 38 0b 54 aa 70 16 b4 42 4666 38 0b 54 aa 70 16 b4 76 4667 38 0b 54 aa 70 16 b4 8c 4668 38 0b 54 aa 70 16 b4 a4 4669 38 0b 54 aa 70 16 b4 c9 4670 38 0b 54 aa 70 16 b4 f0 4671 38 0b 54 aa 70 16 b4 f7 4672 38 0b 54 aa 70 16 b5 79 4673 38 0b 54 aa 70 16 b6 34 4674 38 0b 54 aa 70 16 b6 8e 4675 38 0b 54 aa 70 16 b7 b4 4676 38 0b 54 aa 70 16 b8 7e 4677 38 0b 54 aa 70 16 b8 f8 4678 38 0b 54 aa 70 16 b9 2a 4679 00 01 00 00 2c a2 23 e8 4680 79 ec c4 bb de b5 da 17 4681 31 92 81 d6 3b 2e 3b 69 4682 55 f1 c3 77 5c 80 4a 98 4683 d5 f8 dd aa 08 ca ff de 4684 3c 6d f1 45 f7 e0 79 81 4685 15 37 b2 b0 42 2d 5e 1f 4686 b2 01 97 81 ec a2 61 d1 4687 f9 d8 ea 81 0a bc 2f 33 4688 47 7f 04 e3 64 81 11 be 4689 71 c2 48 82 1a d6 04 f4 4690 94 e7 4d 0b f5 11 d2 c1 4691 62 77 2e 81 4692 ]]></sourcecode> 4693 <t> 4694 The following is an example revocation for an EDKEY zone: 4695 </t> 4696 <sourcecode name="" type="test-vectors"><![CDATA[ 4697 Zone private key (d): 4698 5a f7 02 0e e1 91 60 32 4699 88 32 35 2b bc 6a 68 a8 4700 d7 1a 7c be 1b 92 99 69 4701 a7 c6 6d 41 5a 0d 8f 65 4702 4703 Zone identifier (ztype|zkey): 4704 00 01 00 14 3c f4 b9 24 4705 03 20 22 f0 dc 50 58 14 4706 53 b8 5d 93 b0 47 b6 3d 4707 44 6c 58 45 cb 48 44 5d 4708 db 96 68 8f 4709 4710 zTLD: 4711 000G051WYJWJ80S04BRDRM2R2H9VGQCKP13VCFA4DHC4BJT88HEXQ5K8HW 4712 4713 Difficulty (5 base difficulty + 2 epochs): 7 4714 4715 Signed message: 4716 00 00 00 34 00 00 00 03 4717 00 05 ff 1c 57 35 42 bd 4718 00 01 00 14 3c f4 b9 24 4719 03 20 22 f0 dc 50 58 14 4720 53 b8 5d 93 b0 47 b6 3d 4721 44 6c 58 45 cb 48 44 5d 4722 db 96 68 8f 4723 4724 Proof: 4725 00 05 ff 1c 57 35 42 bd 4726 00 00 39 5d 18 27 c0 00 4727 58 4c 93 3c b0 99 2a 08 4728 58 4c 93 3c b0 99 2d f7 4729 58 4c 93 3c b0 99 2e 21 4730 58 4c 93 3c b0 99 2e 2a 4731 58 4c 93 3c b0 99 2e 53 4732 58 4c 93 3c b0 99 2e 8e 4733 58 4c 93 3c b0 99 2f 13 4734 58 4c 93 3c b0 99 2f 2d 4735 58 4c 93 3c b0 99 2f 3c 4736 58 4c 93 3c b0 99 2f 41 4737 58 4c 93 3c b0 99 2f fd 4738 58 4c 93 3c b0 99 30 33 4739 58 4c 93 3c b0 99 30 82 4740 58 4c 93 3c b0 99 30 a2 4741 58 4c 93 3c b0 99 30 e1 4742 58 4c 93 3c b0 99 31 ce 4743 58 4c 93 3c b0 99 31 de 4744 58 4c 93 3c b0 99 32 12 4745 58 4c 93 3c b0 99 32 4e 4746 58 4c 93 3c b0 99 32 9f 4747 58 4c 93 3c b0 99 33 31 4748 58 4c 93 3c b0 99 33 87 4749 58 4c 93 3c b0 99 33 8c 4750 58 4c 93 3c b0 99 33 e5 4751 58 4c 93 3c b0 99 33 f3 4752 58 4c 93 3c b0 99 34 26 4753 58 4c 93 3c b0 99 34 30 4754 58 4c 93 3c b0 99 34 68 4755 58 4c 93 3c b0 99 34 88 4756 58 4c 93 3c b0 99 34 8a 4757 58 4c 93 3c b0 99 35 4c 4758 58 4c 93 3c b0 99 35 bd 4759 00 01 00 14 3c f4 b9 24 4760 03 20 22 f0 dc 50 58 14 4761 53 b8 5d 93 b0 47 b6 3d 4762 44 6c 58 45 cb 48 44 5d 4763 db 96 68 8f 04 ae 26 f7 4764 63 56 5a b7 aa ab 01 71 4765 72 4f 3c a8 bc c5 1a 98 4766 b7 d4 c9 2e a3 3c d9 34 4767 4c a8 b6 3e 04 53 3a bf 4768 1a 3c 05 49 16 b3 68 2c 4769 5c a8 cb 4d d0 f8 4c 3b 4770 77 48 7a ac 6e ce 38 48 4771 0b a9 d5 00 4772 ]]></sourcecode> 4773 </section> 4774 </section> 4775 <section numbered="false"> 4776 <name>Acknowledgements</name> 4777 <t> 4778 The authors thank all reviewers for their comments. In particular, 4779 we thank <contact fullname="D. J. Bernstein"/>, <contact fullname="S. Bortzmeyer"/>, <contact fullname="A. Farrel"/>, <contact fullname="E. Lear"/>, and <contact fullname="R. Salz"/> for their 4780 insightful and detailed technical reviews. We thank <contact fullname="J. Yao"/> and <contact fullname="J. Klensin"/> for the 4781 internationalization reviews. We thank <contact fullname="Dr. J. Appelbaum"/> for suggesting the name "GNU Name System" and <contact fullname="Dr. Richard Stallman"/> for approving its use. We thank <contact fullname="T. Lange"/> and <contact fullname="M. Wachs"/> for their earlier contributions to the design and implementation of GNS. We thank NLnet and NGI DISCOVERY for funding 4782 work on the GNU Name System. 4783 </t> 4784 </section> 4785 </back> 4786 4787 </rfc>