1 files changed, 57 insertions, 39 deletions

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index 35cbd49..94942c2 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -89,10 +89,9 @@
     <t>
       This document contains the GNU Name System (GNS) technical
       specification.
-      GNS is a decentralized and censorship-resistant name
-      system that provides a privacy-enhancing alternative to the Domain
-      Name System (DNS).
-      <!-- GNS is more. it is also extensible and more flexible -->
+      GNS is a decentralized and censorship-resistant domain name
+      resolution protocol that provides a privacy-enhancing alternative to the
+      Domain Name System (DNS) protocols.
     </t>
     <t>
       This document defines the normative wire format of resource records,
@@ -114,57 +113,36 @@
      <t>
        The Domain Name System (DNS) <xref target="RFC1035" /> is a unique
        distributed database and a vital service for most Internet applications.
-       While DNS is distributed, in practice it
-       relies on centralized, trusted registrars to provide globally unique
-       names. As the awareness of the central role DNS plays on the Internet
-       rises, various institutions are using their power (including legal means)
-       to engage in attacks on the DNS, thus threatening the global availability
-       and integrity of information on the Internet.
-     </t>
-     <t>
-       DNS was not designed with security in mind. This makes it very
+       However, it was not designed with security in mind. This makes it very
        vulnerable, especially to attackers that have the technical capabilities
        of an entire nation state at their disposal.
-       While a wider discussion of this issue is out of scope for this document,
-       analyses and investigations can be found in recent academic research
-       works including <xref target="SecureNS"/>.
      </t>
      <t>
        This specification describes a censorship-resistant, privacy-preserving
-       and decentralized name system: The GNU Name System (GNS) <xref target="GNS" />.
-       It is designed to provide a secure, privacy-enhancing alternative to
-       DNS, especially when censorship or manipulation is encountered.
-       In particular, it directly addresses concerns in DNS with respect to "Query
-       Privacy", the "Single Hierarchy with a Centrally Controlled Root" and
-       "Distribution and Management of Root Servers" as raised in
-       <xref target="RFC8324"/>.
+       and decentralized domain name resolution protocol:
+       The GNU Name System (GNS), a development continuation of
+       previous academic work on secure name systems <xref target="GNS" />.
        GNS can bind names to any kind of
        cryptographically secured token, enabling it to double in some respects as
        an alternative to some of today’s Public Key Infrastructures, in
        particular X.509 for the Web.
      </t>
      <t>
-       The design of GNS incorporates the capability to integrate and
-       coexist with DNS.
-       GNS is based on the principle of a petname system where users can assign
+       The design of GNS incorporates the capability to interoperate with the
+       DNS protocol.
+       It is based on the principle of a petname system where users can assign
        names to zones.
        It builds on ideas from the Simple Distributed Security
-       Infrastructure <xref target="SDSI" />, addressing a central issue with the decentralized
-       mapping of secure identifiers to memorable names: namely the impossibility
-       of providing a global, secure and memorable mapping without a trusted
-       authority. GNS uses the transitivity in the SDSI design to replace the
-       trusted root with secure delegation of authority thus making petnames
-       useful to other users while operating under a very strong adversary model.
+       Infrastructure <xref target="SDSI" />, enabling the decentralized
+       mapping of secure identifiers to memorable names.
      </t>
      <t>
-       This is an important distinguishing factor from the Domain Name System
-       where root zone governance is centralized at the Internet Corporation
-       for Assigned Names and Numbers (ICANN).
        In DNS terminology, GNS roughly follows the idea of a local
-       root zone deployment (see <xref target="RFC8806"/>), with the difference that it is not
-       expected that all deployments use the same root zone,
-       and that users can easily delegate control of arbitrary domain names to
-       arbitrary zones.
+       root zone deployment (see <xref target="RFC8806"/>), with the difference
+       that the protocol defined here does not mandate that all deployments use
+       the same root zone.
+       Users can easily delegate control of arbitrary domain names to
+       arbitrary zones through their local configurations.
      </t>
      <t>
        This document defines the normative wire format of resource records, resolution processes,
@@ -2751,6 +2729,46 @@ NICK: john (Supplemental)
            zone keys do become public during revocation.
          </t>
        </section>
+       <section anchor="sec_governance">
+         <name>Zone Governance</name>
+         <t>
+           While DNS is distributed, in practice it
+           relies on centralized, trusted registrars to provide globally unique
+           names. As the awareness of the central role DNS plays on the Internet
+           rises, various institutions are using their power (including legal means)
+           to engage in attacks on the DNS, thus threatening the global availability
+           and integrity of information on the Internet.
+           While a wider discussion of this issue is out of scope for this document,
+           analyses and investigations can be found in recent academic research
+           works including <xref target="SecureNS"/>.
+         </t>
+         <t>
+           GNS is designed to provide a secure, privacy-enhancing alternative to the
+           DNS name resolution protocol, especially when censorship or manipulation
+           is encountered.
+           In particular, it directly addresses concerns in DNS with respect to
+           query privacy.
+           However, depending on the governance of the root zone, any deployment
+           will likely suffer from the issues of a
+           "Single Hierarchy with a Centrally Controlled Root" and
+           "Distribution and Management of Root Servers" as raised in
+           <xref target="RFC8324"/>.
+           In the Domain Name System root zone governance is centralized at the
+           Internet Corporation for Assigned Names and Numbers (ICANN).
+           GNS can be used to leverage the transitivity in the SDSI design to
+           replace the trusted root with secure delegation of authority thus
+           making petnames useful to other users while operating under a very
+           strong adversary model.
+           By building on the ideas from SDSI, GNS allows to address a central
+           issue with the decentralized mapping of secure identifiers to memorable
+           names: namely the impossiblity of providing a global, secure and
+           memorable mapping without a trusted authority.
+         </t>
+         <t>
+           Any GNS implementation <bcp14>MAY</bcp14> provide a default
+           governance model in the form of an initial start zone mapping.
+         </t>
+       </section>
        <section anchor="namespace_ambiguity">
          <name>Namespace Ambiguity</name>
          <t>