Diffstat (limited to 'draft-schanzen-gns.xml')
-rw-r--r-- | draft-schanzen-gns.xml | 40 |
1 files changed, 31 insertions, 9 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index e0b38de..50f71cd 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml | |||
@@ -14,6 +14,7 @@ | |||
14 | <!ENTITY RFC5869 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5869.xml"> | 14 | <!ENTITY RFC5869 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5869.xml"> |
15 | <!ENTITY RFC5890 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5890.xml"> | 15 | <!ENTITY RFC5890 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5890.xml"> |
16 | <!ENTITY RFC5895 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5895.xml"> | 16 | <!ENTITY RFC5895 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5895.xml"> |
17 | <!ENTITY RFC6066 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6066.xml"> | ||
17 | <!ENTITY RFC6234 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6234.xml"> | 18 | <!ENTITY RFC6234 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6234.xml"> |
18 | <!ENTITY RFC6761 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6761.xml"> | 19 | <!ENTITY RFC6761 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6761.xml"> |
19 | <!ENTITY RFC6895 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6895.xml"> | 20 | <!ENTITY RFC6895 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6895.xml"> |
@@ -450,8 +451,8 @@ | |||
450 | <section anchor="zones" numbered="true" toc="default"> | 451 | <section anchor="zones" numbered="true" toc="default"> |
451 | <name>Zones</name> | 452 | <name>Zones</name> |
452 | <t> | 453 | <t> |
453 | A zone master implementation <bcp14>SHOULD</bcp14> enable the user to | 454 | A zone master implementation <bcp14>SHOULD</bcp14> enable the zone |
454 | create and manage zones. | 455 | owners to create and manage zones. |
455 | If this functionality is not implemented, names can still be resolved | 456 | If this functionality is not implemented, names can still be resolved |
456 | if zone keys for the initial step in the name resolution are available | 457 | if zone keys for the initial step in the name resolution are available |
457 | (see <xref target="resolution"/>). | 458 | (see <xref target="resolution"/>). |
@@ -535,6 +536,8 @@ | |||
535 | document. | 536 | document. |
536 | All ztypes <bcp14>MUST</bcp14> be registered as dedicated zone delegation | 537 | All ztypes <bcp14>MUST</bcp14> be registered as dedicated zone delegation |
537 | record types in the GNU Name System Record Types registry (see <xref target="gana"/>). | 538 | record types in the GNU Name System Record Types registry (see <xref target="gana"/>). |
539 | When defining new record types the cryptographic security considerations | ||
540 | of this document apply, in particular <xref target="security_cryptography"/>. | ||
538 | </t> | 541 | </t> |
539 | <section anchor="zTLD" numbered="true" toc="default"> | 542 | <section anchor="zTLD" numbered="true" toc="default"> |
540 | <name>Zone Top-Level Domain</name> | 543 | <name>Zone Top-Level Domain</name> |
@@ -568,7 +571,10 @@ | |||
568 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 571 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
569 | zTLD := Base32GNS-Encode(ztype||zkey) | 572 | zTLD := Base32GNS-Encode(ztype||zkey) |
570 | ztype||zkey := Base32GNS-Decode(zTLD) | 573 | ztype||zkey := Base32GNS-Decode(zTLD) |
571 | ]]></artwork> | 574 | ]]></artwork> |
575 | <t> | ||
576 | where "||" is the concatenation operator. | ||
577 | </t> | ||
572 | <t> | 578 | <t> |
573 | The zTLD can be used as-is as a rightmost label in a GNS name. | 579 | The zTLD can be used as-is as a rightmost label in a GNS name. |
574 | If an application wants to ensure DNS compatibility of the name, | 580 | If an application wants to ensure DNS compatibility of the name, |
@@ -589,7 +595,7 @@ ztype||zkey := Base32GNS-Decode(zTLD) | |||
589 | <!-- FIXME: Is this really really necessary? Really? --> | 595 | <!-- FIXME: Is this really really necessary? Really? --> |
590 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 596 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
591 | zTLD[126..129].zTLD[63..125].zTLD[0..62] | 597 | zTLD[126..129].zTLD[63..125].zTLD[0..62] |
592 | ]]></artwork> | 598 | ]]></artwork> |
593 | </section> | 599 | </section> |
594 | <section anchor="revocation" numbered="true" toc="default"> | 600 | <section anchor="revocation" numbered="true" toc="default"> |
595 | <name>Zone Revocation</name> | 601 | <name>Zone Revocation</name> |
@@ -1016,6 +1022,14 @@ zTLD[126..129].zTLD[63..125].zTLD[0..62] | |||
1016 | There <bcp14>MAY</bcp14> be inactive records of the same type which have | 1022 | There <bcp14>MAY</bcp14> be inactive records of the same type which have |
1017 | the SHADOW flag set in order to facilitate smooth key rollovers. | 1023 | the SHADOW flag set in order to facilitate smooth key rollovers. |
1018 | </t> | 1024 | </t> |
1025 | <t> | ||
1026 | In the following, "||" is the concatenation operator of two byte strings. | ||
1027 | The algorithm specification uses character strings such as GNS labels or | ||
1028 | constant values. | ||
1029 | When used in concatenations or as input to functions the | ||
1030 | null-terminator of the character strings <bcp14>MUST NOT</bcp14> be | ||
1031 | included. | ||
1032 | </t> | ||
1019 | <section anchor="gnsrecords_pkey" numbered="true" toc="default"> | 1033 | <section anchor="gnsrecords_pkey" numbered="true" toc="default"> |
1020 | <name>PKEY</name> | 1034 | <name>PKEY</name> |
1021 | <t> | 1035 | <t> |
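Review bot: The new paragraph settles the null-terminator question but leaves the byte encoding of the "character strings" unstated, so a label containing non-ASCII characters (the document already cites the IDNA RFCs 5890/5895) could be turned into different byte strings by different implementations — UTF-8 versus a normalized or punycode form — and any key derivation or signature input built from it would diverge. I would add after "included": `Character strings are converted to byte strings using UTF-8 encoding before they are concatenated or passed to a function.` and, if the document's label-normalization rules say otherwise, align this sentence with them. Separately, once the terminator is dropped a concatenation of two variable-length strings has no unambiguous boundary; if any of the algorithms that follow concatenate two such values, the text should state that the lengths are fixed, delimited or known from context. The enclosing section continues past the hunk.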
@@ -1557,9 +1571,11 @@ S-Decrypt(zk,label,expiration,ciphertext): | |||
1557 | DNS name of the service to be transmitted over the transport protocol. | 1571 | DNS name of the service to be transmitted over the transport protocol. |
1558 | In GNS, legacy host name records provide applications the DNS name that | 1572 | In GNS, legacy host name records provide applications the DNS name that |
1559 | is required to establish a connection to such a service. | 1573 | is required to establish a connection to such a service. |
1560 | The most common use case is HTTP virtual hosting, where a DNS name must | 1574 | The most common use case is HTTP virtual hosting and TLS Server Name |
1561 | be supplied in the HTTP "Host"-header. | 1575 | Indication <xref target="RFC6066"/>, where a DNS name must |
1562 | Using a GNS name for the "Host"-header might not work as | 1576 | be supplied in the HTTP "Host"-header and the TLS handshake, |
1577 | respectively. | ||
1578 | Using a GNS name in those cases might not work as | ||
1563 | it might not be globally unique. Furthermore, even if uniqueness is | 1579 | it might not be globally unique. Furthermore, even if uniqueness is |
1564 | not an issue, the legacy service might not even be aware of GNS. | 1580 | not an issue, the legacy service might not even be aware of GNS. |
1565 | </t> | 1581 | </t> |
@@ -1688,7 +1704,7 @@ S-Decrypt(zk,label,expiration,ciphertext): | |||
1688 | </section> | 1704 | </section> |
1689 | </section> | 1705 | </section> |
1690 | <section anchor="publish" numbered="true" toc="default"> | 1706 | <section anchor="publish" numbered="true" toc="default"> |
1691 | <name>Record Storage</name> | 1707 | <name>Record Encoding</name> |
1692 | <t> | 1708 | <t> |
1693 | Any API which allows storing a value under a 512-bit key and retrieving | 1709 | Any API which allows storing a value under a 512-bit key and retrieving |
1694 | one or more values from the key can be used by an implementation for record storage. | 1710 | one or more values from the key can be used by an implementation for record storage. |
@@ -2451,6 +2467,12 @@ NICK: john (Supplemental) | |||
2451 | <section anchor="security_cryptography" numbered="true" toc="default"> | 2467 | <section anchor="security_cryptography" numbered="true" toc="default"> |
2452 | <name>Cryptography</name> | 2468 | <name>Cryptography</name> |
2453 | <t> | 2469 | <t> |
2470 | The following considerations provide background on the design choices | ||
2471 | of the ztypes specified in this document. | ||
2472 | When specifying new ztypes as per <xref target="zones"/>, the same | ||
2473 | considerations apply. | ||
2474 | </t> | ||
2475 | <t> | ||
2454 | GNS PKEY zone keys use ECDSA over Ed25519. | 2476 | GNS PKEY zone keys use ECDSA over Ed25519. |
2455 | This is an unconventional choice, | 2477 | This is an unconventional choice, |
2456 | as ECDSA is usually used with other curves. However, standardized | 2478 | as ECDSA is usually used with other curves. However, standardized |
@@ -2934,7 +2956,7 @@ Purpose | Name | References | Comment | |||
2934 | <references> | 2956 | <references> |
2935 | <name>Informative References</name> | 2957 | <name>Informative References</name> |
2936 | &RFC4033; | 2958 | &RFC4033; |
2937 | <!-- &RFC6781; --> | 2959 | &RFC6066; |
2938 | &RFC7363; | 2960 | &RFC7363; |
2939 | &RFC8324; | 2961 | &RFC8324; |
2940 | &RFC8806; | 2962 | &RFC8806; |