diff options
author | Christian Grothoff <christian@grothoff.org> | 2020-10-04 20:14:06 +0200 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2020-10-04 20:14:06 +0200 |
commit | 3508a078cc14b2e922eba766ad63df42c5787295 (patch) | |
tree | 34f6fa479b6cfb5569d5c15d28aee68f719afd85 | |
parent | 7a39b7ffa27f9a5a2424ad3b929f08d6b98bcbb9 (diff) | |
download | lsd0001-3508a078cc14b2e922eba766ad63df42c5787295.tar.gz lsd0001-3508a078cc14b2e922eba766ad63df42c5787295.zip |
massive revision of zone type description
-rw-r--r-- | draft-schanzen-gns.xml | 822 |
1 files changed, 481 insertions, 341 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index 6769d75..1b08d16 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml | |||
@@ -134,61 +134,60 @@ | |||
134 | <section anchor="zones" numbered="true" toc="default"> | 134 | <section anchor="zones" numbered="true" toc="default"> |
135 | <name>Zones</name> | 135 | <name>Zones</name> |
136 | <t> | 136 | <t> |
137 | A zone in GNS is defined by a public/private key pair (d,zk), | 137 | A zone in GNS is defined by a zone type "ztype" that identifies |
138 | where d is the private key and zk the corresponding public key. | 138 | a cryptosystem and a public/private key pair "(d,zk)", |
139 | where "d" is the private key and "zk" the corresponding public key | ||
140 | in the public key cipher identified by the "ztype". | ||
139 | The contents of a zone are cryptographically signed before | 141 | The contents of a zone are cryptographically signed before |
140 | being published a Distributed Hash Table (DHT). | 142 | being published a distributed hash table (DHT). |
141 | Records are grouped by their label and encrypted (<xref target="recordencryption"/>) | 143 | Records are grouped by their label and encrypted (<xref target="recordencryption"/>) |
142 | using an encryption key derived from the label and the zone public key. | 144 | using an encryption key derived from the label and the zone public key. |
143 | Instead of the zone private key "d", the signature MUST | 145 | Instead of the zone private key "d", the signature MUST |
144 | be created using a blinded public/private key pair d' and zk'. | 146 | be created using a blinded public/private key pair "d'" and "zk'". |
145 | This blinding is realized using a Hierarchical Deterministic Key | 147 | This blinding is realized using a hierarchical deterministic key |
146 | Derivation (HDKD) scheme. | 148 | derivation (HDKD) scheme. |
147 | Such a scheme allows the zone owner to derive a private d' and a | 149 | Such a scheme allows the deterministic derivation of keys from |
148 | resolver to derive the corresponding public key zk' in a deterministic | 150 | the original public and private zone keys using "label" values. |
149 | manner from the original public and private zone keys as well as a | 151 | Specifically, the zone owner can derive private keys "d'", and a |
150 | label. This feature prevents zone enumeration and requires knowledge | 152 | resolver to derive the corresponding public keys "zk'". Using |
151 | of both "zk" and the queried label to confirm affiliation with a | 153 | different "label" values in the derivation results in different |
154 | keys. Without knowledge of the "label" values, the different | ||
155 | derivations are unlinkable both to the original key and to each | ||
156 | other. | ||
157 | This prevents zone enumeration and requires knowledge | ||
158 | of both "zk" and the "label" to confirm affiliation with a | ||
152 | specific zone. At the same time, the blinded "zk'" provides nodes | 159 | specific zone. At the same time, the blinded "zk'" provides nodes |
153 | with the ability to verifiy the integrity of the published information | 160 | with the ability to verifiy the integrity of the published information |
154 | without disclosing the originating zone. | 161 | without disclosing the originating zone. |
155 | </t> | 162 | </t> |
156 | <t> | 163 | <t> |
157 | The following primitives define a zone in GNS: | 164 | The following variables are associated with a zone in GNS: |
158 | </t> | 165 | </t> |
159 | <dl> | 166 | <dl> |
160 | <dt>d</dt> | 167 | <dt>ztype</dt> |
161 | <dd> | 168 | <dd> |
162 | is the private zone key. | 169 | is the unique type of the zone type as registered in the |
170 | GNUnet Assigned Numbers Authority <xref target="GANA" />. | ||
171 | The zone type determines which cryptosystem is used for the | ||
172 | asymmetric and symmetric key operations of the zone. A 32-bit number. | ||
163 | </dd> | 173 | </dd> |
164 | <dt>zk</dt> | 174 | <dt>d</dt> |
165 | <dd> | 175 | <dd> |
166 | is the public zone key. | 176 | is the private zone key. The specific format depends on the zone type. |
167 | </dd> | 177 | </dd> |
168 | <dt>ztype</dt> | 178 | <dt>zk</dt> |
169 | <dd> | 179 | <dd> |
170 | is the unique type of the zone type as registered in | 180 | is the public zone key. The specific format depends on the zone type. |
171 | GANA. A 32-bit number. | ||
172 | </dd> | 181 | </dd> |
173 | <dt>zid</dt> | 182 | <dt>zid</dt> |
174 | <dd> | 183 | <dd> |
175 | is the unique identifier of a zone. It consists of the "ztype" | 184 | is the unique public identifier of a zone. It consists of the "ztype" |
176 | and the public zone key "zk". | 185 | and the public zone key "zk". |
177 | </dd> | 186 | </dd> |
178 | <dt>HDKD-Private(d) -> d'</dt> | ||
179 | <dd> | ||
180 | is an HDKD function which blinds a private zone key of the | ||
181 | respective type. | ||
182 | </dd> | ||
183 | <dt>HDKD-Public(zk) -> zk'</dt> | ||
184 | <dd> | ||
185 | is a HDKD function which blinds a public zone key "zk" of the | ||
186 | respective type. | ||
187 | </dd> | ||
188 | <dt>zTLD</dt> | 187 | <dt>zTLD</dt> |
189 | <dd> | 188 | <dd> |
190 | is a string which encodes the "ztype" as well as the zone | 189 | is a string which encodes the "ztype" as well as the zone |
191 | key "zk" into one or more labels. The "zTLD" is used as a | 190 | key "zk" into a domain name. The "zTLD" is used as a |
192 | globally unique reference to a specific namespace in the | 191 | globally unique reference to a specific namespace in the |
193 | process of name resolution. | 192 | process of name resolution. |
194 | </dd> | 193 | </dd> |
@@ -216,236 +215,87 @@ zkl := <Base32(zid)> | |||
216 | <t> | 215 | <t> |
217 | If "zkl" is less than 63 characters, it is also the "zTLD". | 216 | If "zkl" is less than 63 characters, it is also the "zTLD". |
218 | If the resulting "zkl" should be longer than 63 characters, the | 217 | If the resulting "zkl" should be longer than 63 characters, the |
219 | String must be divided into smaller labels separated by the label | 218 | string must be divided into smaller labels separated by the label |
220 | separator ".". Where the most significant bytes of the "zid" be contained | 219 | separator ".". Here, the most significant bytes of the "zid" must be contained |
221 | in the rightmost label of the resulting string and the least significant | 220 | in the rightmost label of the resulting string and the least significant |
222 | bytes in the leftmost label of the resulting string. For example, | 221 | bytes in the leftmost label of the resulting string. For example, |
223 | assuming a "zkl" of 130 characters: | 222 | assuming a "zkl" of 130 characters, the encoding would be: |
224 | </t> | 223 | </t> |
225 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 224 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
226 | zTLD := zkl[126:129].zkl[63:125].zkl[0:62] | 225 | zTLD := zkl[126:129].zkl[63:125].zkl[0:62] |
227 | ]]></artwork> | 226 | ]]></artwork> |
228 | <!-- FIXME: We probably want to define more things here such as | 227 | </section> |
229 | how zone types are registered and identified ? --> | 228 | <section anchor="zone_types" numbered="true" toc="default"> |
230 | <section anchor="zone_types" numbered="true" toc="default"> | 229 | <name>Zone Types</name> |
231 | <name>Zone Types</name> | 230 | <t> |
232 | <t> | 231 | A zone type identifies a family of eight functions: |
233 | In the following, we define two instantiations of GNS | 232 | </t> |
234 | zone types with different cryptographic primitives. | 233 | <dl> |
235 | Additional zone types may be defined in the future and require | 234 | <dt>Private-KeyGen() -> d</dt> |
236 | registration in the GANA zone type registry. | 235 | <dd> |
237 | Implementations MAY support any subset of zone types. | 236 | is a function to generate a fresh private key "d". |
238 | Implementations MUST NOT allow multiple different zone type | 237 | </dd> |
239 | delegations under a single label. | 238 | <dt>Public-KeyGen(d) -> zk</dt> |
240 | <!-- FIXME: Are the below types mandatory? --> | 239 | <dd> |
241 | </t> | 240 | is a function to derive a public key "zk" from a private key "d". |
242 | <section anchor="zone_type_pkey" numbered="true" toc="default"> | 241 | </dd> |
243 | <name>PKEY Zone</name> | 242 | <dt>HDKD-Private(d,label) -> d'</dt> |
244 | <t> | 243 | <dd> |
245 | For PKEY zones the zone key material is derived using the | 244 | is an HDKD function which blinds a private zone key "d" |
246 | curve parameters of the twisted edwards representation | 245 | using "label", resulting in another private key which |
247 | of Curve25519 <xref target="RFC7748" /> (a.k.a. edwards25519) | 246 | can be used to create cryptographic signatures. |
248 | with the ECDSA scheme (<xref target="RFC6979" />). | 247 | </dd> |
249 | Consequently , we use the following naming convention for our | 248 | <dt>S-Encrypt(zk,label,nonce,expiration,rdata) -> bdata</dt> |
250 | cryptographic primitives for PKEY zones: | 249 | <dd> |
251 | </t> | 250 | is a deterministic symmetric encryption function which encrypts the record |
252 | <dl> | 251 | data "rdata" based on key material derived from "zk", "label", |
253 | <dt>d</dt> | 252 | "nonce" and "expiration". |
254 | <dd> | 253 | A deterministic encryption scheme is |
255 | is a 256-bit ECDSA private zone key. | 254 | required to improve performance by leveraging caching features |
256 | </dd> | 255 | of DHTs. |
257 | <dt>zk</dt> | 256 | </dd> |
258 | <dd> | 257 | <dt>Sign(d',bdata) -> sig</dt> |
259 | is the ECDSA public zone key corresponding to d. It is defined in | 258 | <dd> |
260 | <xref target="RFC6979" /> as the curve point d*B where B is the group | 259 | is a function to sign "bdata" using the (blinded) private key |
261 | generator of the elliptic curve. The public key is used to uniquely | 260 | "d'", yielding an unforgable cryptographic signature "sig". |
262 | identify a GNS zone and is referred to as the "zone key". | 261 | </dd> |
263 | </dd> | 262 | <dt>HDKD-Public(zk,label) -> zk'</dt> |
264 | <dt>ztype</dt> | 263 | <dd> |
265 | <dd> | 264 | is a HDKD function which blinds a public zone key "zk" |
266 | is registered with the value "0" in GANA. | 265 | using "label". "zk" and "zk'" must be unlinkable. Furthermore, |
267 | </dd> | 266 | blinding "zk" with different values for "label" must result |
268 | <dt>p</dt> | 267 | in unlinkable different resulting values for "zk'". |
269 | <dd> | 268 | </dd> |
270 | is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e. | 269 | <dt>Verify(zk',bdata,sig) -> valid</dt> |
271 | 2^255 - 19. | 270 | <dd> |
272 | </dd> | 271 | is a function to verify the signature "sig" was created by |
273 | <dt>B</dt> | 272 | the a private key "d'" derived from "d" and "label" if |
274 | <dd> | 273 | "zk'" was derived from the corresponding to |
275 | is the group generator (X(P),Y(P)) of edwards25519 as defined in | 274 | "zk := Public-Keygen(d)" and "label". |
276 | <xref target="RFC7748" />. | 275 | The function returns "true" if the signature is valid, |
277 | </dd> | 276 | and otherwise "false". |
278 | <dt>L</dt> | 277 | </dd> |
279 | <dd> | 278 | <dt>S-Decrypt(zk,label,nonce,expiration,bdata) -> rdata</dt> |
280 | is the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. | 279 | <dd> |
281 | </dd> | 280 | is a symmetric encryption function which decrypts the encrypted record |
282 | </dl> | 281 | data "bdata" based on key material derived from "zk", "label", |
283 | <t> | 282 | "nonce" and "expiration". |
284 | Given a label, the output of the HDKD-Private function for zone | 283 | </dd> |
285 | key blinding is calculated as follows for PKEY zones: | 284 | </dl> |
286 | </t> | 285 | <t> |
287 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 286 | Zone types are identified by a 32-bit resource record type number. |
288 | zk := d * B | 287 | Resource record types are discussed in the next section. |
289 | PRK_h := HKDF-Extract ("key-derivation", zk) | 288 | </t> |
290 | h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) | ||
291 | d' := h * d mod L | ||
292 | ]]></artwork> | ||
293 | <t> | ||
294 | Equally, given a label, the output of the HDKD-Public function is | ||
295 | calculated as follows for PKEY zones: | ||
296 | </t> | ||
297 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
298 | PRK_h := HKDF-Extract ("key-derivation", zk) | ||
299 | h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) | ||
300 | zk' := h mod L * zk | ||
301 | ]]></artwork> | ||
302 | <t> | ||
303 | We use a hash-based key derivation function (HKDF) as defined in | ||
304 | <xref target="RFC5869" />. We use HMAC-SHA512 for the extraction | ||
305 | phase and HMAC-SHA256 for the expansion phase. | ||
306 | "PRK_h" is key material retrieved using an HKDF using the string | ||
307 | "key-derivation" as salt and the public zone key "zk" as initial | ||
308 | keying material. | ||
309 | "h" is the 512-bit HKDF expansion result. The expansion info input is | ||
310 | a concatenation of the label and string "gns". | ||
311 | "label" is a UTF-8 string under which the resource records are | ||
312 | published. | ||
313 | </t> | ||
314 | <t> | ||
315 | We point out that the multiplication of "zk" with "h" is a point multiplication, | ||
316 | while the multiplication of "d" with "h" is a scalar multiplication. | ||
317 | Signatures for PKEY zones are 512-bit ECDSA deterministic | ||
318 | signatures compliant with <xref target="RFC6979" />. | ||
319 | </t> | ||
320 | <t> | ||
321 | The "zid" of a PKEY is 32 + 4 bytes in length. This means that | ||
322 | a Base32-encoded "zTLD" will always fit into a single label and does | ||
323 | not need any further conversion. | ||
324 | </t> | ||
325 | </section> | ||
326 | <section anchor="zone_type_edkey" numbered="true" toc="default"> | ||
327 | <name>EDKEY Zone</name> | ||
328 | <t> | ||
329 | For EDKEY zones the zone key material is derived using the | ||
330 | curve parameters of the twisted edwards representation | ||
331 | of Curve25519 <xref target="RFC7748" /> (a.k.a. edwards25519) | ||
332 | with the Ed25519-SHA-512 scheme <xref target="ed25519" />. | ||
333 | Consequently , we use the following naming convention for our | ||
334 | cryptographic primitives for EDKEY zones: | ||
335 | </t> | ||
336 | <dl> | ||
337 | <dt>d</dt> | ||
338 | <dd> | ||
339 | is a 256-bit EdDSA private zone key. | ||
340 | </dd> | ||
341 | <dt>a</dt> | ||
342 | <dd> | ||
343 | is is an integer derived from d using the SHA512 hash function | ||
344 | as defined in <xref target="ed25519" />. | ||
345 | </dd> | ||
346 | <dt>zk</dt> | ||
347 | <dd> | ||
348 | is the EdDSA public zone key corresponding to d. It is defined in | ||
349 | <xref target="ed25519" /> as the curve point a*B where B is the | ||
350 | group generator of the elliptic curve and a is an integer | ||
351 | derived from d using the SHA512 hash function. | ||
352 | The public key is used to uniquely identify a GNS zone and is | ||
353 | referred to as the "zone key". | ||
354 | </dd> | ||
355 | <dt>ztype</dt> | ||
356 | <dd> | ||
357 | is registered with the value "1" in GANA. | ||
358 | </dd> | ||
359 | <dt>p</dt> | ||
360 | <dd> | ||
361 | is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e. | ||
362 | 2^255 - 19. | ||
363 | </dd> | ||
364 | <dt>B</dt> | ||
365 | <dd> | ||
366 | is the group generator (X(P),Y(P)) of edwards25519 as defined in | ||
367 | <xref target="RFC7748" />. | ||
368 | </dd> | ||
369 | <dt>L</dt> | ||
370 | <dd> | ||
371 | is the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. | ||
372 | </dd> | ||
373 | </dl> | ||
374 | <t> | ||
375 | Given a label, the output of the HDKD-Private function for zone | ||
376 | key blinding is calculated as follows for EDKEY zones: | ||
377 | </t> | ||
378 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
379 | zk := a * B | ||
380 | PRK_h := HKDF-Extract ("key-derivation", zk) | ||
381 | h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) | ||
382 | h[0] &= 248; | ||
383 | h[31] &= 127; | ||
384 | h[31] |= 64; | ||
385 | a' := h * a mod L | ||
386 | ]]></artwork> | ||
387 | <t> | ||
388 | Equally, given a label, the output of the HDKD-Public function is | ||
389 | calculated as follows for PKEY zones: | ||
390 | </t> | ||
391 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
392 | PRK_h := HKDF-Extract ("key-derivation", zk) | ||
393 | h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) | ||
394 | h[0] &= 248; | ||
395 | h[31] &= 127; | ||
396 | h[31] |= 64; | ||
397 | zk' := h mod L * zk | ||
398 | ]]></artwork> | ||
399 | <t> | ||
400 | We use a hash-based key derivation function (HKDF) as defined in | ||
401 | <xref target="RFC5869" />. We use HMAC-SHA512 for the extraction | ||
402 | phase and HMAC-SHA256 for the expansion phase. | ||
403 | "PRK_h" is key material retrieved using an HKDF using the string | ||
404 | "key-derivation" as salt and the public zone key "zk" as initial | ||
405 | keying material. | ||
406 | "h" is the 512-bit HKDF expansion result. The expansion info input is | ||
407 | a concatenation of the label and string "gns". | ||
408 | The result of the HKDF must be clamped. | ||
409 | "a" is the 256-bit integer correspinding to the 256-bit private zone | ||
410 | key d as defined in <xref target="zone_type_edkey" />. | ||
411 | "label" is a UTF-8 string under which the resource records are | ||
412 | published. | ||
413 | </t> | ||
414 | <t> | ||
415 | We point out that the multiplication of "zk" with "h" is a point multiplication, | ||
416 | while the multiplication of "a" with "h" is a scalar multiplication. | ||
417 | </t> | ||
418 | <t> | ||
419 | Signatures for EDKEY zones using the derived private key a' | ||
420 | are NOT compliant with <xref target="ed25519" />. | ||
421 | Instead, signatures MUST be generated as follows for any given | ||
422 | message M and deterministic random-looking r: | ||
423 | </t> | ||
424 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
425 | R := r * B | ||
426 | S := r + SHA512(R, zk', M) * a' mod L | ||
427 | ]]></artwork> | ||
428 | <t> | ||
429 | A signature (R,S) is valid if the following holds: | ||
430 | </t> | ||
431 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
432 | SB == R + SHA512(R, zk', M) * A' | ||
433 | ]]></artwork> | ||
434 | <t> | ||
435 | The "zid" of an EDKEY is 32 + 4 bytes in length. This means that | ||
436 | a Base32-encoded "zTLD" will always fit into a single label and does | ||
437 | not need any further conversion. | ||
438 | </t> | ||
439 | |||
440 | </section> | ||
441 | </section> | ||
442 | </section> | 289 | </section> |
443 | <section anchor="rrecords" numbered="true" toc="default"> | 290 | <section anchor="rrecords" numbered="true" toc="default"> |
444 | <name>Resource Records</name> | 291 | <name>Resource Records</name> |
445 | <t> | 292 | <t> |
446 | A GNS implementor MUST provide a mechanism to create and manage resource | 293 | A GNS implementor MUST provide a mechanism to create and manage resource |
447 | records for local zones. A local zone is established by creating a zone | 294 | records for local zones. A local zone is established by selecting a |
448 | key pair. Records may be added to each zone, hence a (local) persistency | 295 | zone type and creating a zone |
296 | key pair. Implementations SHOULD select a secure zone type automatically | ||
297 | and not leave the zone type selection to the user. | ||
298 | Records may be added to each zone, hence a (local) persistency | ||
449 | mechanism for resource records and zones must be provided. | 299 | mechanism for resource records and zones must be provided. |
450 | This local zone database is used by the GNS resolver implementation | 300 | This local zone database is used by the GNS resolver implementation |
451 | and to publish record information. | 301 | and to publish record information. |
@@ -489,7 +339,9 @@ SB == R + SHA512(R, zk', M) * A' | |||
489 | type as defined in <xref target="RFC1035" /> or any of the | 339 | type as defined in <xref target="RFC1035" /> or any of the |
490 | complementary standardized DNS resource record types. This value must be | 340 | complementary standardized DNS resource record types. This value must be |
491 | stored in network byte order. Note that values | 341 | stored in network byte order. Note that values |
492 | below 2^16 are reserved for allocation via IANA (<xref target="RFC6895" />). | 342 | below 2^16 are reserved for allocation via IANA (<xref target="RFC6895" />), |
343 | while values above 2^16 are allocated by the | ||
344 | GNUnet Assigned Numbers Authority <xref target="GANA" />. | ||
493 | </dd> | 345 | </dd> |
494 | <dt>FLAGS</dt> | 346 | <dt>FLAGS</dt> |
495 | <dd> | 347 | <dd> |
@@ -554,22 +406,25 @@ SB == R + SHA512(R, zk', M) * A' | |||
554 | regular records when resolving labels in local zones. | 406 | regular records when resolving labels in local zones. |
555 | </dd> | 407 | </dd> |
556 | </dl> | 408 | </dl> |
557 | <section anchor="gnsrecords_numbers" numbered="true" toc="default"> | 409 | </section> |
558 | <name>Record Types</name> | 410 | <section anchor="gnsrecords_numbers" numbered="true" toc="default"> |
559 | <t> | 411 | <name>Record Types</name> |
560 | A registry of GNS Record Types is described in <xref target="gana"/>. The | 412 | <t> |
561 | registration policy for this registry is "First Come First Served", as | 413 | A registry of GNS Record Types is described in <xref target="gana"/>. The |
562 | described in <xref target="RFC8126"/>. | 414 | registration policy for this registry is "First Come First Served", as |
563 | <!--When requesting new entries, careful | 415 | described in <xref target="RFC8126"/>. |
564 | consideration of the following criteria is strongly advised:FIXME what considerations?--> | 416 | <!--When requesting new entries, careful |
565 | </t> | 417 | consideration of the following criteria is strongly advised:FIXME what considerations?--> |
566 | </section> | 418 | </t> |
567 | <section anchor="gnsrecords_pkey" numbered="true" toc="default"> | 419 | <section anchor="gnsrecords_pkey" numbered="true" toc="default"> |
568 | <name>PKEY</name> | 420 | <name>PKEY</name> |
569 | <t>In GNS, a delegation of a label to a zone of type "PKEY" is | 421 | <t>In GNS, a delegation of a label to a zone of type "PKEY" is |
570 | represented through a PKEY record. | 422 | represented through a PKEY record. The PKEY number is a zone |
423 | type and thus also implies the cryptosystem for the zone that | ||
424 | is being delegated to. | ||
571 | A PKEY resource record contains the public key of the zone to | 425 | A PKEY resource record contains the public key of the zone to |
572 | delegate to. A PKEY record MUST be the only record under a label. No other | 426 | delegate to. |
427 | A PKEY record MUST be the only record under a label. No other | ||
573 | records are allowed. A PKEY DATA entry has the following format:</t> | 428 | records are allowed. A PKEY DATA entry has the following format:</t> |
574 | <figure anchor="figure_pkeyrecord"> | 429 | <figure anchor="figure_pkeyrecord"> |
575 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 430 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
@@ -592,8 +447,332 @@ SB == R + SHA512(R, zk', M) * A' | |||
592 | A 256-bit ECDSA zone key. | 447 | A 256-bit ECDSA zone key. |
593 | </dd> | 448 | </dd> |
594 | </dl> | 449 | </dl> |
450 | |||
451 | <t> | ||
452 | For PKEY zones the zone key material is derived using the | ||
453 | curve parameters of the twisted edwards representation | ||
454 | of Curve25519 <xref target="RFC7748" /> (a.k.a. edwards25519) | ||
455 | with the ECDSA scheme (<xref target="RFC6979" />). | ||
456 | Consequently , we use the following naming convention for our | ||
457 | cryptographic primitives for PKEY zones: | ||
458 | </t> | ||
459 | <dl> | ||
460 | <dt>d</dt> | ||
461 | <dd> | ||
462 | is a 256-bit ECDSA private zone key. | ||
463 | </dd> | ||
464 | <dt>zk</dt> | ||
465 | <dd> | ||
466 | is the ECDSA public zone key corresponding to d. It is defined in | ||
467 | <xref target="RFC6979" /> as the curve point d*G where G is the group | ||
468 | generator of the elliptic curve. The public key is used to uniquely | ||
469 | identify a GNS zone and is referred to as the "zone key". | ||
470 | </dd> | ||
471 | <dt>p</dt> | ||
472 | <dd> | ||
473 | is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e. | ||
474 | 2^255 - 19. | ||
475 | </dd> | ||
476 | <dt>G</dt> | ||
477 | <dd> | ||
478 | is the group generator (X(P),Y(P)) of edwards25519 as defined in | ||
479 | <xref target="RFC7748" />. | ||
480 | </dd> | ||
481 | <dt>L</dt> | ||
482 | <dd> | ||
483 | is the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. | ||
484 | </dd> | ||
485 | </dl> | ||
486 | <t> | ||
487 | The "zid" of a PKEY is 32 + 4 bytes in length. This means that | ||
488 | a Base32-encoded "zTLD" will always fit into a single label and does | ||
489 | not need any further conversion. | ||
490 | </t> | ||
491 | <t> | ||
492 | Given a label, the output d' of the HDKD-Private(d,label) function for zone | ||
493 | key blinding is calculated as follows for PKEY zones: | ||
494 | </t> | ||
495 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
496 | zk := d * G | ||
497 | PRK_h := HKDF-Extract ("key-derivation", zk) | ||
498 | h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) | ||
499 | d' := h * d mod L | ||
500 | ]]></artwork> | ||
501 | <t> | ||
502 | Equally, given a label, the output zk' of the HDKD-Public(zk,label) function is | ||
503 | calculated as follows for PKEY zones: | ||
504 | </t> | ||
505 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
506 | PRK_h := HKDF-Extract ("key-derivation", zk) | ||
507 | h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) | ||
508 | zk' := h mod L * zk | ||
509 | ]]></artwork> | ||
510 | <t> | ||
511 | The PKEY cryptosystem uses a hash-based key derivation function (HKDF) as defined in | ||
512 | <xref target="RFC5869" />, using HMAC-SHA512 for the extraction | ||
513 | phase and HMAC-SHA256 for the expansion phase. | ||
514 | "PRK_h" is key material retrieved using an HKDF using the string | ||
515 | "key-derivation" as salt and the public zone key "zk" as initial | ||
516 | keying material. | ||
517 | "h" is the 512-bit HKDF expansion result. The expansion info input is | ||
518 | a concatenation of the label and string "gns". | ||
519 | "label" is a UTF-8 string under which the resource records are | ||
520 | published. | ||
521 | </t> | ||
522 | <t> | ||
523 | We point out that the multiplication of "zk" with "h" is a point multiplication, | ||
524 | while the multiplication of "d" with "h" is a scalar multiplication. | ||
525 | </t> | ||
526 | <t> | ||
527 | The Sign() and Verify() functions | ||
528 | for PKEY zones are implemented using 512-bit ECDSA deterministic | ||
529 | signatures as specified in <xref target="RFC6979" />. | ||
530 | </t> | ||
531 | <t> | ||
532 | The S-Encrypt() and S-Decrypt() functions use AES in counter mode | ||
533 | as defined in <xref target="MODES" /> (CTR-AES-256): | ||
534 | </t> | ||
535 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
536 | RDATA := CTR-AES256(K, IV, BDATA) | ||
537 | BDATA := CTR-AES256(K, IV, RDATA) | ||
538 | ]]></artwork> | ||
539 | <t> | ||
540 | The key "K" and counter "IV" are derived from | ||
541 | the record "label" and the zone key "zk" as follows: | ||
542 | </t> | ||
543 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
544 | PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) | ||
545 | PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) | ||
546 | K := HKDF-Expand (PRK_k, label, 256 / 8); | ||
547 | NONCE := HKDF-Expand (PRK_n, label, 32 / 8) | ||
548 | ]]></artwork> | ||
549 | <t> | ||
550 | HKDF is a hash-based key derivation function as defined in | ||
551 | <xref target="RFC5869" />. Specifically, HMAC-SHA512 is used for the | ||
552 | extraction phase and HMAC-SHA256 for the expansion phase. | ||
553 | The output keying material is 32 octets (256 bits) for the symmetric | ||
554 | key and 4 octets (32 bits) for the nonce. | ||
555 | The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key: | ||
556 | </t> | ||
557 | <t> | ||
558 | The nonce is combined with a 64-bit initialization vector and a | ||
559 | 32-bit block counter as defined in <xref target="RFC3686" />. | ||
560 | The block counter begins with the value of 1, and it is incremented | ||
561 | to generate subsequent portions of the key stream. | ||
562 | The block counter is a 32-bit integer value in network byte order. | ||
563 | The initialization vector is the expiration time of the | ||
564 | resource record block in network byte order. | ||
565 | The resulting counter ("IV") wire format is as follows: | ||
566 | </t> | ||
567 | <figure anchor="figure_hkdf_ivs_pkey"> | ||
568 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
569 | 0 8 16 24 32 | ||
570 | +-----+-----+-----+-----+ | ||
571 | | NONCE | | ||
572 | +-----+-----+-----+-----+ | ||
573 | | EXPIRATION | | ||
574 | | | | ||
575 | +-----+-----+-----+-----+ | ||
576 | | BLOCK COUNTER | | ||
577 | +-----+-----+-----+-----+ | ||
578 | ]]></artwork> | ||
579 | </figure> | ||
595 | </section> | 580 | </section> |
596 | <section anchor="gnsrecords_gns2dns" numbered="true" toc="default"> | 581 | |
582 | <section anchor="gnsrecords_edkey" numbered="true" toc="default"> | ||
583 | <name>EDKEY</name> | ||
584 | <t>In GNS, a delegation of a label to a zone of type "EDKEY" is | ||
585 | represented through a EDKEY record. The EDKEY number is a zone | ||
586 | type and thus also implies the cryptosystem for the zone that | ||
587 | is being delegated to. | ||
588 | An EDKEY resource record contains the public key of the zone to | ||
589 | delegate to. | ||
590 | A EDKEY record MUST be the only record under a label. No other | ||
591 | records are allowed. A EDKEY DATA entry has the following format:</t> | ||
592 | <figure anchor="figure_edkeyrecord"> | ||
593 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
594 | 0 8 16 24 32 40 48 56 | ||
595 | +-----+-----+-----+-----+-----+-----+-----+-----+ | ||
596 | | PUBLIC KEY | | ||
597 | | | | ||
598 | | | | ||
599 | | | | ||
600 | +-----+-----+-----+-----+-----+-----+-----+-----+ | ||
601 | ]]></artwork> | ||
602 | <!-- <postamble>which is a very simple example.</postamble>--> | ||
603 | </figure> | ||
604 | <t> | ||
605 | where: | ||
606 | </t> | ||
607 | <dl> | ||
608 | <dt>PUBLIC KEY</dt> | ||
609 | <dd> | ||
610 | A 256-bit EdDSA zone key. | ||
611 | </dd> | ||
612 | </dl> | ||
613 | <t> | ||
614 | For EDKEY zones the zone key material is derived using the | ||
615 | curve parameters of the twisted edwards representation | ||
616 | of Curve25519 <xref target="RFC7748" /> (a.k.a. edwards25519) | ||
617 | with the Ed25519-SHA-512 scheme <xref target="ed25519" />. | ||
618 | Consequently , we use the following naming convention for our | ||
619 | cryptographic primitives for EDKEY zones: | ||
620 | </t> | ||
621 | <dl> | ||
622 | <dt>d</dt> | ||
623 | <dd> | ||
624 | is a 256-bit EdDSA private zone key. | ||
625 | </dd> | ||
626 | <dt>a</dt> | ||
627 | <dd> | ||
628 | is is an integer derived from "d" using the SHA512 hash function | ||
629 | as defined in <xref target="ed25519" />. | ||
630 | </dd> | ||
631 | <dt>zk</dt> | ||
632 | <dd> | ||
633 | is the EdDSA public zone key corresponding to "d". It is defined in | ||
634 | <xref target="ed25519" /> as the curve point "a*G" where "G" is the | ||
635 | group generator of the elliptic curve and "a" is an integer | ||
636 | derived from "d" using the SHA512 hash function. | ||
637 | The public key is used to uniquely identify a GNS zone and is | ||
638 | referred to as the "zone key". | ||
639 | </dd> | ||
640 | <dt>p</dt> | ||
641 | <dd> | ||
642 | is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e. | ||
643 | 2^255 - 19. | ||
644 | </dd> | ||
645 | <dt>G</dt> | ||
646 | <dd> | ||
647 | is the group generator (X(P),Y(P)) of edwards25519 as defined in | ||
648 | <xref target="RFC7748" />. | ||
649 | </dd> | ||
650 | <dt>L</dt> | ||
651 | <dd> | ||
652 | is the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. | ||
653 | </dd> | ||
654 | </dl> | ||
655 | <t> | ||
656 | The "zid" of an EDKEY is 32 + 4 bytes in length. This means that | ||
657 | a Base32-encoded "zTLD" will always fit into a single label and does | ||
658 | not need any further conversion. | ||
659 | </t> | ||
660 | <t> | ||
661 | Given a label, the output of the HDKD-Private function for zone | ||
662 | key blinding is calculated as follows for EDKEY zones: | ||
663 | </t> | ||
664 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
665 | zk := a * G | ||
666 | PRK_h := HKDF-Extract ("key-derivation", zk) | ||
667 | h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) | ||
668 | h[0] &= 248; | ||
669 | h[31] &= 127; | ||
670 | h[31] |= 64; | ||
671 | a' := h * a mod L | ||
672 | ]]></artwork> | ||
673 | <t> | ||
674 | Equally, given a label, the output of the HDKD-Public function is | ||
675 | calculated as follows for PKEY zones: | ||
676 | </t> | ||
677 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
678 | PRK_h := HKDF-Extract ("key-derivation", zk) | ||
679 | h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) | ||
680 | h[0] &= 248; | ||
681 | h[31] &= 127; | ||
682 | h[31] |= 64; | ||
683 | zk' := h mod L * zk | ||
684 | ]]></artwork> | ||
685 | <t> | ||
686 | The EDKEY cryptosystem uses a | ||
687 | hash-based key derivation function (HKDF) as defined in | ||
688 | <xref target="RFC5869" />, using HMAC-SHA512 for the extraction | ||
689 | phase and HMAC-SHA256 for the expansion phase. | ||
690 | "PRK_h" is key material retrieved using an HKDF using the string | ||
691 | "key-derivation" as salt and the public zone key "zk" as initial | ||
692 | keying material. | ||
693 | "h" is the 512-bit HKDF expansion result. The expansion info input is | ||
694 | a concatenation of the label and string "gns". | ||
695 | The result of the HKDF must be clamped. | ||
696 | "a" is the 256-bit integer corresponding to the 256-bit private zone | ||
697 | key "d". | ||
698 | "label" is a UTF-8 string under which the resource records are | ||
699 | published. | ||
700 | </t> | ||
701 | <t> | ||
702 | We point out that the multiplication of "zk" with "h" is a point multiplication, | ||
703 | while the multiplication of "a" with "h" is a scalar multiplication. | ||
704 | </t> | ||
705 | <t> | ||
706 | Signatures for EDKEY zones using the derived private key "a'" | ||
707 | are NOT compliant with <xref target="ed25519" />. | ||
708 | Instead, signatures MUST be generated as follows for any given | ||
709 | message M and deterministic random-looking "r": | ||
710 | </t> | ||
711 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
712 | R := r * G | ||
713 | S := r + SHA512(R, zk', M) * a' mod L | ||
714 | ]]></artwork> | ||
715 | <t> | ||
716 | A signature (R,S) is valid if the following holds: | ||
717 | </t> | ||
718 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
719 | SB == R + SHA512(R, zk', M) * A' | ||
720 | ]]></artwork> | ||
721 | <t> | ||
722 | <!-- FIXME: here we SHOULD consider standardizing AES-GCM | ||
723 | instead. Please review this choice when implementing | ||
724 | EDKEY support! --> | ||
725 | The S-Encrypt() and S-Decrypt() functions use AES in counter mode | ||
726 | as defined in <xref target="MODES" /> (CTR-AES-256): | ||
727 | </t> | ||
728 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
729 | RDATA := CTR-AES256(K, IV, BDATA) | ||
730 | BDATA := CTR-AES256(K, IV, RDATA) | ||
731 | ]]></artwork> | ||
732 | <t> | ||
733 | The key "K" and counter "IV" are derived from | ||
734 | the record "label" and the zone key "zk" as follows: | ||
735 | </t> | ||
736 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
737 | PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) | ||
738 | PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) | ||
739 | K := HKDF-Expand (PRK_k, label, 256 / 8); | ||
740 | NONCE := HKDF-Expand (PRK_n, label, 32 / 8) | ||
741 | ]]></artwork> | ||
742 | <t> | ||
743 | HKDF is a hash-based key derivation function as defined in | ||
744 | <xref target="RFC5869" />. Specifically, HMAC-SHA512 is used for the | ||
745 | extraction phase and HMAC-SHA256 for the expansion phase. | ||
746 | The output keying material is 32 octets (256 bits) for the symmetric | ||
747 | key and 4 octets (32 bits) for the nonce. | ||
748 | The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key: | ||
749 | </t> | ||
750 | <t> | ||
751 | The nonce is combined with a 64-bit initialization vector and a | ||
752 | 32-bit block counter as defined in <xref target="RFC3686" />. | ||
753 | The block counter begins with the value of 1, and it is incremented | ||
754 | to generate subsequent portions of the key stream. | ||
755 | The block counter is a 32-bit integer value in network byte order. | ||
756 | The initialization vector is the expiration time of the | ||
757 | resource record block in network byte order. | ||
758 | The resulting counter ("IV") wire format is as follows: | ||
759 | </t> | ||
760 | <figure anchor="figure_hkdf_ivs_edkey"> | ||
761 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
762 | 0 8 16 24 32 | ||
763 | +-----+-----+-----+-----+ | ||
764 | | NONCE | | ||
765 | +-----+-----+-----+-----+ | ||
766 | | EXPIRATION | | ||
767 | | | | ||
768 | +-----+-----+-----+-----+ | ||
769 | | BLOCK COUNTER | | ||
770 | +-----+-----+-----+-----+ | ||
771 | ]]></artwork> | ||
772 | </figure> | ||
773 | </section> | ||
774 | |||
775 | <section anchor="gnsrecords_gns2dns" numbered="true" toc="default"> | ||
597 | <name>GNS2DNS</name> | 776 | <name>GNS2DNS</name> |
598 | <t>It is possible to delegate a label back into DNS through a GNS2DNS record. | 777 | <t>It is possible to delegate a label back into DNS through a GNS2DNS record. |
599 | The resource record contains a DNS name for the resolver to continue with | 778 | The resource record contains a DNS name for the resolver to continue with |
@@ -816,7 +995,7 @@ SB == R + SHA512(R, zk', M) * A' | |||
816 | encrypted and published together in a single resource records block | 995 | encrypted and published together in a single resource records block |
817 | (RRBLOCK) in the DHT under a key "q": PUT(q, RRBLOCK). | 996 | (RRBLOCK) in the DHT under a key "q": PUT(q, RRBLOCK). |
818 | The key "q" which is derived from the zone key "zk" and the respective | 997 | The key "q" which is derived from the zone key "zk" and the respective |
819 | label of the contained records. | 998 | "label" of the contained records. |
820 | </t> | 999 | </t> |
821 | <section anchor="blinding" numbered="true" toc="default"> | 1000 | <section anchor="blinding" numbered="true" toc="default"> |
822 | <name>DHT Key Derivations</name> | 1001 | <name>DHT Key Derivations</name> |
@@ -887,7 +1066,8 @@ q := SHA512 (HDKD-Public(zk, label)) | |||
887 | <dd> | 1066 | <dd> |
888 | The signature is computed over the data following | 1067 | The signature is computed over the data following |
889 | the PUBLIC KEY field. | 1068 | the PUBLIC KEY field. |
890 | The signature is created using the derived private key | 1069 | The signature is created using the Sign() function of |
1070 | the cryptosystem of the zone and the derived private key | ||
891 | "HDKD-Private(d, label)" (see <xref target="zone_types" />). | 1071 | "HDKD-Private(d, label)" (see <xref target="zone_types" />). |
892 | </dd> | 1072 | </dd> |
893 | <dt>ZONE TYPE</dt> | 1073 | <dt>ZONE TYPE</dt> |
@@ -995,78 +1175,7 @@ q := SHA512 (HDKD-Public(zk, label)) | |||
995 | Note that a record set with a delegation record MUST NOT | 1175 | Note that a record set with a delegation record MUST NOT |
996 | contain other records. | 1176 | contain other records. |
997 | </dd> | 1177 | </dd> |
998 | |||
999 | </dl> | 1178 | </dl> |
1000 | <t> | ||
1001 | DHTs often offer caching in oder to improve performance. | ||
1002 | In order to leverage this, a deterministic encryption scheme is | ||
1003 | required in order to leverage caching features. | ||
1004 | The symmetric keys and initialization vectors are derived from the | ||
1005 | record label and the zone key "zk". For decryption of the resource | ||
1006 | records block payload, the key material "K" and initialization vector | ||
1007 | "IV" for the symmetric cipher are derived as follows: | ||
1008 | </t> | ||
1009 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
1010 | PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) | ||
1011 | PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) | ||
1012 | K := HKDF-Expand (PRK_k, label, 256 / 8); | ||
1013 | NONCE := HKDF-Expand (PRK_n, label, 32 / 8) | ||
1014 | ]]></artwork> | ||
1015 | <t> | ||
1016 | HKDF is a hash-based key derivation function as defined in | ||
1017 | <xref target="RFC5869" />. Specifically, HMAC-SHA512 is used for the | ||
1018 | extraction phase and HMAC-SHA256 for the expansion phase. | ||
1019 | The output keying material is 32 octets (256 bits) for the symmetric | ||
1020 | key and 4 octets (32 bits) for the nonce. | ||
1021 | The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key: | ||
1022 | </t> | ||
1023 | <t> | ||
1024 | The nonce is combined with a 64-bit initialization vector and a | ||
1025 | 32-bit block counter as defined in <xref target="RFC3686" />. | ||
1026 | The block counter begins with the value of 1, and it is incremented | ||
1027 | to generate subsequent portions of the key stream. | ||
1028 | The block counter is a 32-bit integer value in network byte order. | ||
1029 | The initialization vector is the expiration time of the | ||
1030 | resource record block in network byte order. | ||
1031 | The resulting COUNTER wire format is as follows: | ||
1032 | </t> | ||
1033 | <figure anchor="figure_hkdf_ivs"> | ||
1034 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
1035 | 0 8 16 24 32 | ||
1036 | +-----+-----+-----+-----+ | ||
1037 | | NONCE | | ||
1038 | +-----+-----+-----+-----+ | ||
1039 | | EXPIRATION | | ||
1040 | | | | ||
1041 | +-----+-----+-----+-----+ | ||
1042 | | BLOCK COUNTER | | ||
1043 | +-----+-----+-----+-----+ | ||
1044 | ]]></artwork> | ||
1045 | <!-- <postamble>which is a very simple example.</postamble>--> | ||
1046 | </figure> | ||
1047 | |||
1048 | <t> | ||
1049 | The key and counter block are used for the AES cipher in counter mode | ||
1050 | as defined in <xref target="MODES" /> (CTR-AES-256): | ||
1051 | </t> | ||
1052 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
1053 | RDATA := CTR-AES256(K, COUNTER, BDATA) | ||
1054 | BDATA := CTR-AES256(K, COUNTER, RDATA) | ||
1055 | ]]></artwork> | ||
1056 | <t> | ||
1057 | In order to ensure ciphertext indistinguishability, care must be | ||
1058 | taken with respect to the initialization vector in the counter | ||
1059 | block. In our design, the IV is always the expiration time of the | ||
1060 | record block. | ||
1061 | For blocks with relative expiration times it is implicitly | ||
1062 | ensured that each time a block is published into the DHT, its IV is | ||
1063 | unique as the expiration time is calculated dynamically and increases | ||
1064 | monotonically. | ||
1065 | For blocks with absolute expiration times, the implementation | ||
1066 | MUST ensure that the expiration time is modified when the record | ||
1067 | data changes. For example. the expiration time may be increased | ||
1068 | by a single microsecond. | ||
1069 | </t> | ||
1070 | </section> | 1179 | </section> |
1071 | </section> | 1180 | </section> |
1072 | <section anchor="encoding" numbered="true" toc="default"> | 1181 | <section anchor="encoding" numbered="true" toc="default"> |
@@ -1172,12 +1281,19 @@ BDATA := CTR-AES256(K, COUNTER, RDATA) | |||
1172 | </li> | 1281 | </li> |
1173 | </ol> | 1282 | </ol> |
1174 | <section anchor="delegation_processing" numbered="true" toc="default"> | 1283 | <section anchor="delegation_processing" numbered="true" toc="default"> |
1175 | <name>PKEY</name> | 1284 | <name>Encountering zone delegation records</name> |
1176 | <t> | 1285 | <t> |
1177 | When the resolver encounters a PKEY record and the remainder of | 1286 | When the resolver encounters a record of a supported |
1287 | zone delegation record type (such as PKEY or EDKEY) | ||
1288 | and the remainder of | ||
1178 | the name is not empty, resolution continues | 1289 | the name is not empty, resolution continues |
1179 | recursively with the remainder of the name in the | 1290 | recursively with the remainder of the name in the |
1180 | GNS zone specified in the PKEY record. | 1291 | GNS zone specified in the delegation record. |
1292 | Implementations MUST NOT allow multiple different zone type | ||
1293 | delegations under a single label. | ||
1294 | Implementations MAY support any subset of zone types. If | ||
1295 | an unsupported zone type is encountered, resolution fails | ||
1296 | (NXDOMAIN). | ||
1181 | </t> | 1297 | </t> |
1182 | <t> | 1298 | <t> |
1183 | If the remainder of the name to resolve is empty and we have | 1299 | If the remainder of the name to resolve is empty and we have |
@@ -1718,6 +1834,20 @@ example.com = zk2 | |||
1718 | The old record type remains | 1834 | The old record type remains |
1719 | and zones can iteratively migrate to the updated zone keys. | 1835 | and zones can iteratively migrate to the updated zone keys. |
1720 | </t> | 1836 | </t> |
1837 | <t> | ||
1838 | In order to ensure ciphertext indistinguishability, care must be | ||
1839 | taken with respect to the initialization vector in the counter | ||
1840 | block. In our design, the IV is always the expiration time of the | ||
1841 | record block. | ||
1842 | For blocks with relative expiration times it is implicitly | ||
1843 | ensured that each time a block is published into the DHT, its IV is | ||
1844 | unique as the expiration time is calculated dynamically and increases | ||
1845 | monotonically. | ||
1846 | For blocks with absolute expiration times, the implementation | ||
1847 | MUST ensure that the expiration time is modified when the record | ||
1848 | data changes. For example. the expiration time may be increased | ||
1849 | by a single microsecond. | ||
1850 | </t> | ||
1721 | </section> | 1851 | </section> |
1722 | <section anchor="security_abuse" numbered="true" toc="default"> | 1852 | <section anchor="security_abuse" numbered="true" toc="default"> |
1723 | <name>Abuse mitigation</name> | 1853 | <name>Abuse mitigation</name> |
@@ -1822,7 +1952,8 @@ example.com = zk2 | |||
1822 | <section anchor="gana" numbered="true" toc="default"> | 1952 | <section anchor="gana" numbered="true" toc="default"> |
1823 | <name>GANA Considerations</name> | 1953 | <name>GANA Considerations</name> |
1824 | <t> | 1954 | <t> |
1825 | GANA is requested to create an "GNU Name System Record Types" registry. | 1955 | GANA <xref target="GANA" /> |
1956 | is requested to create an "GNU Name System Record Types" registry. | ||
1826 | The registry shall record for each entry: | 1957 | The registry shall record for each entry: |
1827 | </t> | 1958 | </t> |
1828 | <ul> | 1959 | <ul> |
@@ -2089,6 +2220,15 @@ ee83f0cc79c4c5ea | |||
2089 | &RFC8032; | 2220 | &RFC8032; |
2090 | &RFC8126; | 2221 | &RFC8126; |
2091 | 2222 | ||
2223 | <reference anchor="GANA" target="https://gana.gnunet.org/"> | ||
2224 | <front> | ||
2225 | <title>GNUnet Assigned Numbers Authority (GANA)</title> | ||
2226 | <author><organization>GNUnet e.V.</organization> | ||
2227 | </author> | ||
2228 | <date month="April" year="2020" /> | ||
2229 | </front> | ||
2230 | </reference> | ||
2231 | |||
2092 | <reference anchor="GNS" target="https://doi.org/10.1007/978-3-319-12280-9_9"> | 2232 | <reference anchor="GNS" target="https://doi.org/10.1007/978-3-319-12280-9_9"> |
2093 | <front> | 2233 | <front> |
2094 | <title>A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name System</title> | 2234 | <title>A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name System</title> |