author | Martin Schanzenbach <schanzen@gnunet.org> | 2022-02-21 13:13:23 +0100 |
---|---|---|
committer | Martin Schanzenbach <schanzen@gnunet.org> | 2022-02-21 13:13:23 +0100 |
commit | 118c58412c3c34832eb304618c922ade8241b090 (patch) | |
tree | a4164829735c30e7bf87d651d05a2253be581fe9 /draft-schanzen-gns.xml | |
parent | d7fe59a9f4f8253e42ecf785cdf176455d54461d (diff) | |
fixes
Diffstat (limited to 'draft-schanzen-gns.xml')
-rw-r--r-- | draft-schanzen-gns.xml | 66 |
1 files changed, 32 insertions, 34 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index 8ab4adc..147a94c 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml | |||
@@ -227,9 +227,7 @@ | |||
227 | </dd> | 227 | </dd> |
228 | <dt>Extension Label</dt> | 228 | <dt>Extension Label</dt> |
229 | <dd> | 229 | <dd> |
230 | If a name ends with the extension label the rest of the name | 230 | The primary use for the extension label is in redirections where the redirection |
231 | <bcp14>MUST</bcp14> be interpreted relative to the current zone in the resolution process. | ||
232 | The primary use for this is in redirections where the redirection | ||
233 | target is defined relative to the authoritative zone of the redirection | 231 | target is defined relative to the authoritative zone of the redirection |
234 | record (<xref target="gnsrecords_redirect"/>). | 232 | record (<xref target="gnsrecords_redirect"/>). |
235 | The extension label is represented using the character U+002B ("+" | 233 | The extension label is represented using the character U+002B ("+" |
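
Review bot: The sentence deleted at old lines 230-231 was the only normative statement in this definition (the rest of the name MUST be interpreted relative to the current zone), and new line 230 only describes the primary use. Unless the REDIRECT section referenced here states the same requirement, keep a MUST for how a resolver interprets a name ending in the extension label, or point to where that requirement now lives.
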
@@ -373,17 +371,15 @@ | |||
373 | <section anchor="zones" numbered="true" toc="default"> | 371 | <section anchor="zones" numbered="true" toc="default"> |
374 | <name>Zones</name> | 372 | <name>Zones</name> |
375 | <t> | 373 | <t> |
376 | A zone in GNS is uniquely identified by its zone type and zone key. | ||
377 | Each zone can be represented by a Zone Top-Level Domain (zTLD) string. | ||
378 | </t> | ||
379 | <t> | ||
380 | An implementation <bcp14>SHOULD</bcp14> enable the user to create and manage zones. | 374 | An implementation <bcp14>SHOULD</bcp14> enable the user to create and manage zones. |
381 | If this functionality is not implemented, names can still be resolved | 375 | If this functionality is not implemented, names can still be resolved |
382 | if zone keys for the initial step in the name resolution are available | 376 | if zone keys for the initial step in the name resolution are available |
383 | (see <xref target="resolution"/>). | 377 | (see <xref target="resolution"/>). |
384 | </t> | 378 | </t> |
385 | <t> | 379 | <t> |
386 | Each zone type (ztype) is a unique 32-bit number. | 380 | A zone in GNS is uniquely identified by its zone type and zone key. |
381 | Each zone can be represented by a Zone Top-Level Domain (zTLD) string. | ||
382 | A zone type (ztype) is a unique 32-bit number. | ||
387 | This number corresponds to a resource record type number | 383 | This number corresponds to a resource record type number |
388 | identifying a delegation record type | 384 | identifying a delegation record type |
389 | in the GNUnet Assigned Numbers Authority <xref target="GANA" />. | 385 | in the GNUnet Assigned Numbers Authority <xref target="GANA" />. |
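
Review bot: With the definition moved down to line 380, the Zones section now opens with the SHOULD about creating and managing zones before it says what identifies a zone. Consider keeping "A zone in GNS is uniquely identified by its zone type and zone key." as the first paragraph, so that zone key and zTLD are introduced before line 376 relies on "zone keys".
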
@@ -676,9 +672,8 @@ zTLD[126..129].zTLD[63..125].zTLD[0..62] | |||
676 | denotes the relative 64-bit time to live of the record in | 672 | denotes the relative 64-bit time to live of the record in |
677 | microseconds also in network byte order. | 673 | microseconds also in network byte order. |
678 | The field <bcp14>SHOULD</bcp14> be set to EPOCH * 1.1. | 674 | The field <bcp14>SHOULD</bcp14> be set to EPOCH * 1.1. |
679 | If the average number of leading zeros D' is larger than | 675 | Given an average number of leading zeros D', then the field value |
680 | D, then the field value <bcp14>MAY</bcp14> be increased up to | 676 | <bcp14>MAY</bcp14> be increased up to (D'-D) * EPOCH * 1.1. |
681 | (D'-D) * EPOCH * 1.1. | ||
682 | The EPOCH is extended by | 677 | The EPOCH is extended by |
683 | 10% in order to deal with unsynchronized clocks. | 678 | 10% in order to deal with unsynchronized clocks. |
684 | This field is informational for a verifier. | 679 | This field is informational for a verifier. |
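
Review bot: New lines 675-676 drop the precondition that D' is larger than D, so the MAY now reads as applying to any D'; for D' at or below D the bound (D'-D) * EPOCH * 1.1 is zero or negative and is not a value the field can be "increased up to". Restore the condition, for example "If D' is larger than D, the field value MAY be increased up to (D'-D) * EPOCH * 1.1", which also removes the "Given ..., then" construction.
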
@@ -774,7 +769,7 @@ zTLD[126..129].zTLD[63..125].zTLD[0..62] | |||
774 | <li>The set of POW values <bcp14>MUST</bcp14> NOT contain duplicates which <bcp14>MUST</bcp14> be checked by verifying that the values are strictly monotonically increasing.</li> | 769 | <li>The set of POW values <bcp14>MUST</bcp14> NOT contain duplicates which <bcp14>MUST</bcp14> be checked by verifying that the values are strictly monotonically increasing.</li> |
775 | <li>The average number of leading zeroes D' resulting from the provided | 770 | <li>The average number of leading zeroes D' resulting from the provided |
776 | POW values <bcp14>MUST</bcp14> be greater than and not equal to D. Implementers | 771 | POW values <bcp14>MUST</bcp14> be greater than and not equal to D. Implementers |
777 | <bcp14>MUST</bcp14> NOT use an integer data type to calculate or represent D'.</li> | 772 | <bcp14>MUST NOT</bcp14> use an integer data type to calculate or represent D'.</li> |
778 | <li> | 773 | <li> |
779 | The validity period of the revocation is calculated as | 774 | The validity period of the revocation is calculated as |
780 | (D'-D) * EPOCH * 1.1. The EPOCH is extended by | 775 | (D'-D) * EPOCH * 1.1. The EPOCH is extended by |
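
Review bot: Line 769, two items above the change, still reads "MUST</bcp14> NOT contain duplicates" with NOT outside the bcp14 element, which is the same pattern this hunk fixes on line 772. Fix it here as well so the whole list is consistent. While the item is being touched, "greater than and not equal to D" on line 771 could be shortened to "strictly greater than D".
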
@@ -785,8 +780,11 @@ zTLD[126..129].zTLD[63..125].zTLD[0..62] | |||
785 | the TTL field value, the verifier <bcp14>MUST</bcp14> continue and | 780 | the TTL field value, the verifier <bcp14>MUST</bcp14> continue and |
786 | use the calculated value when forwarding the revocation. | 781 | use the calculated value when forwarding the revocation. |
787 | </li> | 782 | </li> |
788 | <li>The current time <bcp14>SHOULD</bcp14> be between TIMESTAMP and | 783 | <li> |
789 | TIMESTAMP + validity period. Implementations <bcp14>MAY</bcp14> process the revocation without validating this.</li> | 784 | The current time <bcp14>SHOULD</bcp14> be between TIMESTAMP and |
785 | TIMESTAMP + validity period. | ||
786 | Implementations <bcp14>MAY</bcp14> process the revocation without validating this. | ||
787 | </li> | ||
790 | </ol> | 788 | </ol> |
791 | </section> | 789 | </section> |
792 | 790 | ||
@@ -859,9 +857,9 @@ zTLD[126..129].zTLD[63..125].zTLD[0..62] | |||
859 | </dl> | 857 | </dl> |
860 | <t> | 858 | <t> |
861 | Flags indicate metadata surrounding the resource record. | 859 | Flags indicate metadata surrounding the resource record. |
862 | Applications creating resource records <bcp14>MUST</bcp14> set all bits which are | 860 | An application creating resource records <bcp14>MUST</bcp14> set all bits |
863 | not defined as a flag to 0. Additional flags may be defined in | 861 | to 0 unless it wants to set the respective flag. |
864 | future protocol versions. | 862 | Additional flags may be defined in future protocol versions, |
865 | If an application or implementation encounters a flag which it does not | 863 | If an application or implementation encounters a flag which it does not |
866 | recognize, it <bcp14>MUST</bcp14> be ignored. | 864 | recognize, it <bcp14>MUST</bcp14> be ignored. |
867 | Any combination of the flags specified below are valid. | 865 | Any combination of the flags specified below are valid. |
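
Review bot: New line 862 ends with a comma ("future protocol versions,") directly before the sentence starting "If an application", where a period is needed. The reworded requirement on lines 860-861 also no longer says what to do with bits that have no defined flag; the removed wording ("all bits which are not defined as a flag to 0") covered that case explicitly, so consider keeping it.
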
@@ -913,7 +911,7 @@ zTLD[126..129].zTLD[63..125].zTLD[0..62] | |||
913 | the respective zone type is encountered. | 911 | the respective zone type is encountered. |
914 | This may be a valid choice if some zone delegation record types have been | 912 | This may be a valid choice if some zone delegation record types have been |
915 | determined to be cryptographically insecure. | 913 | determined to be cryptographically insecure. |
916 | Zone delegation records <bcp14>MUST</bcp14> NOT be stored and published | 914 | Zone delegation records <bcp14>MUST NOT</bcp14> be stored and published |
917 | under the apex label. | 915 | under the apex label. |
918 | A zone delegation record type value is the same as the respective ztype | 916 | A zone delegation record type value is the same as the respective ztype |
919 | value. | 917 | value. |
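
Review bot: On line 914, "MUST NOT be stored and published" can be read as prohibiting only the combination of both actions. If either one alone is prohibited under the apex label, write "stored or published"; the same phrase appears on line 1383 for redirection records.
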
@@ -921,8 +919,8 @@ zTLD[126..129].zTLD[63..125].zTLD[0..62] | |||
921 | being delegated to. | 919 | being delegated to. |
922 | A zone delegation record payload contains the public key of | 920 | A zone delegation record payload contains the public key of |
923 | the zone to delegate to. | 921 | the zone to delegate to. |
924 | A zone delegation record <bcp14>MUST</bcp14> have the CRTITICAL flag set. | 922 | A zone delegation record <bcp14>MUST</bcp14> have the CRTITICAL flag set |
925 | A zone delegation record <bcp14>MUST</bcp14> be the only record under a label. | 923 | and <bcp14>MUST</bcp14> be the only record under a label. |
926 | No other records are allowed. | 924 | No other records are allowed. |
927 | </t> | 925 | </t> |
928 | <section anchor="gnsrecords_pkey" numbered="true" toc="default"> | 926 | <section anchor="gnsrecords_pkey" numbered="true" toc="default"> |
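
Review bot: Rewritten line 922 carries over the misspelling "CRTITICAL"; since the line is being changed anyway, correct it to "CRITICAL" (line 1378 in the redirection section has the same spelling). After merging the two sentences, "No other records are allowed." on line 924 repeats "MUST be the only record under a label" and can be dropped.
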
@@ -1378,11 +1376,11 @@ S-Decrypt(zk,label,expiration,ciphertext): | |||
1378 | and <bcp14>MAY</bcp14> support any number of additional redirection records defined in | 1376 | and <bcp14>MAY</bcp14> support any number of additional redirection records defined in |
1379 | the GNU Name System Record Types registry (see Section <xref target="gana"/>). | 1377 | the GNU Name System Record Types registry (see Section <xref target="gana"/>). |
1380 | Redirection records <bcp14>MUST</bcp14> have the CRTITICAL flag set. | 1378 | Redirection records <bcp14>MUST</bcp14> have the CRTITICAL flag set. |
1381 | Not supporting some record types <bcp14>MAY</bcp14> result in resolution failures. | 1379 | Not supporting some record types may consequently result in resolution failures. |
1382 | This <bcp14>MAY</bcp14> BE a valid choice if some redirection record types have been | 1380 | This may be a valid choice if some redirection record types have been |
1383 | determined to be insecure, or if an application has reasons to not | 1381 | determined to be insecure, or if an application has reasons to not |
1384 | support redirection to DNS for reasons such as complexity or security. | 1382 | support redirection to DNS for reasons such as complexity or security. |
1385 | Redirection records <bcp14>MUST</bcp14> NOT be stored and published under the apex label. | 1383 | Redirection records <bcp14>MUST NOT</bcp14> be stored and published under the apex label. |
1386 | </t> | 1384 | </t> |
1387 | <section anchor="gnsrecords_rdr" numbered="true" toc="default"> | 1385 | <section anchor="gnsrecords_rdr" numbered="true" toc="default"> |
1388 | <name>REDIRECT</name> | 1386 | <name>REDIRECT</name> |
@@ -1639,7 +1637,7 @@ GET(key) -> value | |||
1639 | record would require a revocation of the record. | 1637 | record would require a revocation of the record. |
1640 | In GNS, zones can only be revoked as a whole. Records automatically | 1638 | In GNS, zones can only be revoked as a whole. Records automatically |
1641 | expire and it is under the discretion of the storage as to when to delete | 1639 | expire and it is under the discretion of the storage as to when to delete |
1642 | the record. The GNS implementation <bcp14>MUST</bcp14> NOT publish expired resource | 1640 | the record. The GNS implementation <bcp14>MUST NOT</bcp14> publish expired resource |
1643 | records. Any GNS resolver <bcp14>MUST</bcp14> discard expired records returned from | 1641 | records. Any GNS resolver <bcp14>MUST</bcp14> discard expired records returned from |
1644 | the storage. | 1642 | the storage. |
1645 | </t> | 1643 | </t> |
@@ -1856,7 +1854,7 @@ q := SHA-512 (ZKDF-Public(zk, label)) | |||
1856 | ignored on receipt. | 1854 | ignored on receipt. |
1857 | As a special exception, record sets with (only) a zone delegation | 1855 | As a special exception, record sets with (only) a zone delegation |
1858 | record type are never padded. | 1856 | record type are never padded. |
1859 | Note that a record set with a delegation record <bcp14>MUST</bcp14> NOT | 1857 | Note that a record set with a delegation record <bcp14>MUST NOT</bcp14> |
1860 | contain other records. If other records are encountered, the whole | 1858 | contain other records. If other records are encountered, the whole |
1861 | record block <bcp14>MUST</bcp14> be discarded. | 1859 | record block <bcp14>MUST</bcp14> be discarded. |
1862 | </dd> | 1860 | </dd> |
@@ -1881,7 +1879,7 @@ q := SHA-512 (ZKDF-Public(zk, label)) | |||
1881 | For example, if a zone delegation record type is requested, the | 1879 | For example, if a zone delegation record type is requested, the |
1882 | resolution of the apex label in that zone must be skipped, as | 1880 | resolution of the apex label in that zone must be skipped, as |
1883 | the desired record is already found. | 1881 | the desired record is already found. |
1884 | The resolver implementation <bcp14>MUST</bcp14> NOT filter results according to the desired | 1882 | The resolver implementation <bcp14>MUST NOT</bcp14> filter results according to the desired |
1885 | record type. | 1883 | record type. |
1886 | Filtering of record sets is typically done by the application. | 1884 | Filtering of record sets is typically done by the application. |
1887 | </t> | 1885 | </t> |
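
Review bot: Line 1880 keeps a lowercase "must" ("resolution of the apex label in that zone must be skipped") right above the MUST NOT that this hunk normalizes on line 1882. Since the sentence is introduced with "For example", either tag it as a BCP 14 keyword if it is meant as a requirement or reword it (for example "is skipped") so readers do not have to guess.
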
@@ -1931,7 +1929,7 @@ Example name: www.example.<zTLD> | |||
1931 | label separator. | 1929 | label separator. |
1932 | If multiple suffixes match the name to resolve, the longest | 1930 | If multiple suffixes match the name to resolve, the longest |
1933 | matching suffix <bcp14>MUST</bcp14> be used. The suffix length of two results | 1931 | matching suffix <bcp14>MUST</bcp14> be used. The suffix length of two results |
1934 | <bcp14>MUST</bcp14> NOT be equal. This indicates a misconfiguration and the | 1932 | <bcp14>MUST NOT</bcp14> be equal. This indicates a misconfiguration and the |
1935 | implementation <bcp14>MUST</bcp14> return an error. | 1933 | implementation <bcp14>MUST</bcp14> return an error. |
1936 | The following is a non-normative example mapping of start zones: | 1934 | The following is a non-normative example mapping of start zones: |
1937 | </t> | 1935 | </t> |
@@ -2118,7 +2116,7 @@ example.com = zTLD2 := Base32GNS(ztype2||zk2) | |||
2118 | <t> | 2116 | <t> |
2119 | As the DNS servers | 2117 | As the DNS servers |
2120 | specified are possibly authoritative DNS servers, the GNS resolver <bcp14>MUST</bcp14> | 2118 | specified are possibly authoritative DNS servers, the GNS resolver <bcp14>MUST</bcp14> |
2121 | support recursive DNS resolution and <bcp14>MUST</bcp14> NOT delegate this to the | 2119 | support recursive DNS resolution and <bcp14>MUST NOT</bcp14> delegate this to the |
2122 | authoritative DNS servers. | 2120 | authoritative DNS servers. |
2123 | The first successful recursive name resolution result | 2121 | The first successful recursive name resolution result |
2124 | is returned to the application. | 2122 | is returned to the application. |
@@ -2129,9 +2127,9 @@ example.com = zTLD2 := Base32GNS(ztype2||zk2) | |||
2129 | <t> | 2127 | <t> |
2130 | Once the transition from GNS into DNS is made through a | 2128 | Once the transition from GNS into DNS is made through a |
2131 | GNS2DNS record, there is no "going back". | 2129 | GNS2DNS record, there is no "going back". |
2132 | The (possibly recursive) resolution of the DNS name <bcp14>MUST</bcp14> NOT | 2130 | The (possibly recursive) resolution of the DNS name <bcp14>MUST NOT</bcp14> |
2133 | delegate back into GNS and should only follow the DNS specifications. | 2131 | delegate back into GNS and should only follow the DNS specifications. |
2134 | For example, names contained in DNS CNAME records <bcp14>MUST</bcp14> NOT be | 2132 | For example, names contained in DNS CNAME records <bcp14>MUST NOT</bcp14> be |
2135 | interpreted as GNS names. | 2133 | interpreted as GNS names. |
2136 | </t> | 2134 | </t> |
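
Review bot: On line 2131 the sentence combines the tagged MUST NOT from line 2130 with a lowercase "should" ("and should only follow the DNS specifications"). Decide whether the second half is normative and tag it as SHOULD or MUST accordingly, or rephrase it as a plain statement, so that the requirement level after the GNS2DNS transition is unambiguous.
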
2137 | <t> | 2135 | <t> |
@@ -2174,11 +2172,11 @@ example.com = zTLD2 := Base32GNS(ztype2||zk2) | |||
2174 | resolution <bcp14>MUST</bcp14> fail with an empty result set. | 2172 | resolution <bcp14>MUST</bcp14> fail with an empty result set. |
2175 | </t> | 2173 | </t> |
2176 | <t> | 2174 | <t> |
2177 | Implementations <bcp14>MUST</bcp14> NOT allow multiple different zone | 2175 | Implementations <bcp14>MUST NOT</bcp14> allow multiple different zone |
2178 | delegations under a single label. | 2176 | delegations under a single label. |
2179 | Implementations <bcp14>MAY</bcp14> support any subset of ztypes. | 2177 | Implementations <bcp14>MAY</bcp14> support any subset of ztypes. |
2180 | Handling of | 2178 | Handling of |
2181 | Implementations <bcp14>MUST</bcp14> NOT process zone delegation for the apex | 2179 | Implementations <bcp14>MUST NOT</bcp14> process zone delegation for the apex |
2182 | label "@". Upon encountering a zone delegation record under | 2180 | label "@". Upon encountering a zone delegation record under |
2183 | this label, resolution fails and an error <bcp14>MUST</bcp14> be returned. The | 2181 | this label, resolution fails and an error <bcp14>MUST</bcp14> be returned. The |
2184 | implementation <bcp14>MAY</bcp14> choose not to return the reason for the failure, | 2182 | implementation <bcp14>MAY</bcp14> choose not to return the reason for the failure, |
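
Review bot: Line 2178 still contains the dangling fragment "Handling of", immediately followed by the sentence that this hunk edits on line 2179. Either complete the sentence or delete the fragment in the same change, since the paragraph currently reads "Handling of Implementations MUST NOT process zone delegation ...".
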
@@ -2288,7 +2286,7 @@ NICK: john (Supplemental) | |||
2288 | select a default ztype considered secure at the time of | 2286 | select a default ztype considered secure at the time of |
2289 | releasing the software. | 2287 | releasing the software. |
2290 | For applications targeting end users that are not expected to | 2288 | For applications targeting end users that are not expected to |
2291 | understand cryptography, the application developer <bcp14>MUST</bcp14> NOT leave | 2289 | understand cryptography, the application developer <bcp14>MUST NOT</bcp14> leave |
2292 | the ztype selection of new zones to end users. | 2290 | the ztype selection of new zones to end users. |
2293 | </t> | 2291 | </t> |
2294 | <t> | 2292 | <t> |
@@ -2460,7 +2458,7 @@ NICK: john (Supplemental) | |||
2460 | to manage revocations accordingly. | 2458 | to manage revocations accordingly. |
2461 | </t> | 2459 | </t> |
2462 | <t> | 2460 | <t> |
2463 | Revocation payloads do NOT include a 'new' key for key replacement. | 2461 | Revocation payloads do not include a 'new' key for key replacement. |
2464 | Inclusion of such a key would have two major disadvantages: | 2462 | Inclusion of such a key would have two major disadvantages: |
2465 | </t> | 2463 | </t> |
2466 | <ol> | 2464 | <ol> |