diff options
| author | Martin Schanzenbach <schanzen@gnunet.org> | 2022-03-08 00:01:35 +0100 |
|---|---|---|
| committer | Martin Schanzenbach <schanzen@gnunet.org> | 2022-03-08 00:01:35 +0100 |
| commit | 8c9bed758a54b828682236b19b013b33b56040a0 (patch) | |
| tree | 2623a6635567d5605ce052e9d2cc44e61ec15c70 | |
| parent | 1f97560c26f81b9aba2e0492c1360061a4a95e79 (diff) | |
| download | lsd0001-8c9bed758a54b828682236b19b013b33b56040a0.tar.gz lsd0001-8c9bed758a54b828682236b19b013b33b56040a0.zip | |
dns name
| -rw-r--r-- | draft-schanzen-gns.xml | 47 |
1 files changed, 25 insertions, 22 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index bdea6a2..4ccddd0 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml | |||
| @@ -1460,7 +1460,7 @@ S-Decrypt(zk,label,expiration,ciphertext): | |||
| 1460 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 1460 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
| 1461 | 0 8 16 24 32 40 48 56 | 1461 | 0 8 16 24 32 40 48 56 |
| 1462 | +-----+-----+-----+-----+-----+-----+-----+-----+ | 1462 | +-----+-----+-----+-----+-----+-----+-----+-----+ |
| 1463 | | DNS NAME | | 1463 | | NAME | |
| 1464 | / / | 1464 | / / |
| 1465 | / / | 1465 | / / |
| 1466 | | | | 1466 | | | |
| @@ -1473,7 +1473,7 @@ S-Decrypt(zk,label,expiration,ciphertext): | |||
| 1473 | ]]></artwork> | 1473 | ]]></artwork> |
| 1474 | </figure> | 1474 | </figure> |
| 1475 | <dl> | 1475 | <dl> |
| 1476 | <dt>DNS NAME</dt> | 1476 | <dt>NAME</dt> |
| 1477 | <dd> | 1477 | <dd> |
| 1478 | The name to continue with in DNS. The value is UTF-8 encoded and | 1478 | The name to continue with in DNS. The value is UTF-8 encoded and |
| 1479 | 0-terminated. | 1479 | 0-terminated. |
| @@ -2539,38 +2539,41 @@ NICK: john (Supplemental) | |||
| 2539 | </t> | 2539 | </t> |
| 2540 | </section> | 2540 | </section> |
| 2541 | <section> | 2541 | <section> |
| 2542 | <name>Name Leakage</name> | 2542 | <name>Namespace Ambiguity</name> |
| 2543 | <t> | 2543 | <t> |
| 2544 | GNS names are indistinguishable from DNS names or other special-use | 2544 | Some GNS names are indistinguishable from DNS names in their |
| 2545 | domain names <xref target="RFC6761"/>. | 2545 | respective common display format <xref target="RFC8499"/> or |
| 2546 | other special-use domain names <xref target="RFC6761"/>. | ||
| 2547 | Given such a name it is ambiguous which name system should be used | ||
| 2548 | by an application in order to resolve it. | ||
| 2546 | This poses a risk when trying to resolve a name through DNS when | 2549 | This poses a risk when trying to resolve a name through DNS when |
| 2547 | it is actually a GNS name. | 2550 | it is actually a GNS name. |
| 2548 | In such a case, the GNS name would be leaked as part of the DNS | 2551 | In such a case, the GNS name would be leaked as part of the DNS |
| 2549 | resolution. | 2552 | resolution. |
| 2550 | This risk is also present for special-use domain names which must be | ||
| 2551 | handled before starting a DNS resolution request by the application. | ||
| 2552 | </t> | 2553 | </t> |
| 2553 | <t> | 2554 | <t> |
| 2554 | Any application MUST take into consideration the user configuration | 2555 | In order to prevent disclosure of queried GNS names it is |
| 2555 | of resolution precedence when trying to resolve a name. | ||
| 2556 | One example of such a configuration which at the same time allows | ||
| 2557 | applications to delegate the resolution itself is the | ||
| 2558 | Name Service Switch (NSS) of Unix-like operating systems. | ||
| 2559 | It allows system administrators to configure host name resolution | ||
| 2560 | precedence and is integrated with the system resolver implementation. | ||
| 2561 | </t> | ||
| 2562 | <t> | ||
| 2563 | The order of resolution mechanisms to try is under the discretion | ||
| 2564 | of the user or system administrator. | ||
| 2565 | In the absence of an explicit configuration it is | ||
| 2566 | <bcp14>RECOMMENDED</bcp14> that applications try to resolve | 2556 | <bcp14>RECOMMENDED</bcp14> that applications try to resolve |
| 2567 | a given name in GNS before any other method in order to honor | 2557 | a given name in GNS before any other method in order to honor |
| 2568 | potential TLD overrides in GNS by the user. | 2558 | potential suffix-to-zone mappings in GNS by the user. |
| 2569 | If no suffix-to-zone mapping for the name exists, resolution | 2559 | If no suffix-to-zone mapping for the name exists, resolution |
| 2570 | <bcp14>MAY</bcp14> continue with other methods. | 2560 | <bcp14>MAY</bcp14> continue with other methods such as DNS. |
| 2571 | If a suffix-to-zone mapping exists for the name and the query | 2561 | If a suffix-to-zone mapping exists for the name and the query |
| 2572 | succeeds, fails or returns no results, resolution <bcp14>MUST NOT</bcp14> | 2562 | succeeds, fails or returns no results, resolution <bcp14>MUST NOT</bcp14> |
| 2573 | continue by other means. | 2563 | continue by any other means. |
| 2564 | </t> | ||
| 2565 | <t> | ||
| 2566 | Mechanisms such as the Name Service Switch (NSS) of Unix-like | ||
| 2567 | operating systems are an example of how such a resolution process | ||
| 2568 | can be implemented and used. | ||
| 2569 | It allows system administrators to configure host name resolution | ||
| 2570 | precedence and is integrated with the system resolver implementation. | ||
| 2571 | </t> | ||
| 2572 | <t> | ||
| 2573 | The user or system administrator <bcp14>MAY</bcp14> configure one or | ||
| 2574 | more unique suffixes for all suffix-to-zone mappings. | ||
| 2575 | In combination with a special-use domain name for GNS or an unreserved | ||
| 2576 | DNS TLD, this would prevent namespace ambiguity. | ||
| 2574 | </t> | 2577 | </t> |
| 2575 | </section> | 2578 | </section> |
| 2576 | </section> | 2579 | </section> |