From a000871fddb6d29af43f532fde21fe743fd17251 Mon Sep 17 00:00:00 2001 From: Martin Schanzenbach Date: Tue, 8 Feb 2022 20:21:23 +0100 Subject: try to fix signatures --- draft-schanzen-gns.xml | 115 ++++++++++++++++++++++++++----------------------- 1 file changed, 62 insertions(+), 53 deletions(-) diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index df41a8e..2c54320 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml @@ -192,8 +192,10 @@ A GNS label is a label as defined in . Within this document, labels are always assumed to be strings of UTF-8 characters with a maximum length of - 63 bytes. Labels MUST be canonicalized using - Normalization Form C (NFC) . + 63 bytes for compatibility with applications enforcing DNS legacy + limitations. + Labels MUST be canonicalized using + Normalization Form C (NFC) .
Apex Label
@@ -201,7 +203,7 @@ quotes). The apex label is used to publish resource records in a zone that can be resolved without providing a specific - name. It is the GNS method to provide what is the "zone apex" in DNS + label. It is the GNS method to provide what is the "zone apex" in DNS .
Name
@@ -269,17 +271,10 @@ A GNS resource record contains information as defined by its resource record type. -
Client
-
- The client is an implementation component which facilitates - zone management and name resolution. - It enables the user to manage zones () and - resolve names (). -
Application
An application refers to a component which uses a GNS implementation - to resolve records from the network and (usually) processes its contents. + to resolve names into records and processes its contents.
@@ -358,8 +353,7 @@ Each zone can be represented by a Zone Top-Level Domain (zTLD) string. - - A client implementation SHOULD enable the user to create and manage zones. + A implementation SHOULD enable the user to create and manage zones. If this functionality is not implemented, names can still be resolved if zone keys for the initial step in the name resolution are available (see ). @@ -419,7 +413,7 @@ data based on key material derived from the zone key, a label, and an expiration timestamp. -
Sign(d,message) -> signature, Sign(d',message) -> signature
+
Sign(d,message) -> signature, SignDerived(d,label,message) -> signature
is a function to sign a message (typically encrypted record data) using the (blinded) private key d (d'), yielding an unforgeable cryptographic signature. @@ -427,7 +421,7 @@ underlying storages, in particular DHTs, a deterministic signature scheme is recommended.
-
Verify(zk,message,signature) -> boolean, Verify(zk',message,signature) -> boolean
+
Verify(zk,message,signature) -> boolean, VerifyDerived(zk,label,message,signature) -> boolean
is a function to verify the signature was created by the private key d (or derived key d') corresponding to @@ -1040,8 +1034,21 @@ ZKDF-Public(zk,label) The Sign() and Verify() functions for PKEY zones are implemented using 512-bit ECDSA deterministic signatures as specified in . - The same functions can be used for derived keys. + The same functions can be used for derived keys: + + + A signature (R,S) is valid if the following holds: + + The S-Encrypt() and S-Decrypt() functions use AES in counter mode as defined in (CTR-AES-256): @@ -1191,22 +1198,24 @@ S-Decrypt(zk,label,expiration,ciphertext): The "EDKEY" ZKDF instantiation is based on . - For brevity, instead of using d as a parameter to the derivation, - we define the ZKDF-Private() procedure on the derived integer a. The calculation of a is defined in Section 5.1.5 of . Given a label, the output of the ZKDF-Private function for zone key blinding is calculated as follows for EDKEY zones: > 3 a2 := (h * a1) mod L - a' = a2 << 3 - return a' + d' := a2 << 3 + return d' ]]> Equally, given a label, the output of the ZKDF-Public function is @@ -1216,7 +1225,7 @@ ZKDF-Private(a,label): ZKDF-Public(zk,label): PRK_h := HKDF-Extract ("key-derivation", zk) h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) - h[31] &= 7 // Implies h mod L == h + h[31] &= 7 zk' := h * zk return zk' ]]> @@ -1256,9 +1265,9 @@ ZKDF-Public(zk,label): be implemented as defined in . - Signatures for EDKEY zones using the derived private key a' + Signatures for EDKEY zones using the derived private scalar d' are not compliant with . - As the corresponding private key to the derived private scalar a' + As the corresponding private key to the derived private scalar d' is not known, it is not possible to deterministically derive the signature part R according to . Instead, signatures MUST be generated as follows for any given 
@@ -1270,24 +1279,22 @@ ZKDF-Public(zk,label): of the R value of the signature, ensuring that it is never reused for two different derivation paths or messages. - A signature (R,S) is valid if the following holds: @@ -1410,6 +1417,8 @@ S-Decrypt(zk,label,expiration,ciphertext): in DNS followed by a DNS server. Both names are in the format defined in for DNS names. There MAY be multiple GNS2DNS records under a label. + There MAY also be DNSSEC DS records or any other records used to + secure the connection with the DNS servers under the same label. No other record types are allowed in the same record set. A GNS2DNS DATA entry is illustrated in .
@@ -1592,7 +1601,8 @@ S-Decrypt(zk,label,expiration,ciphertext):
SVC
- the 16-bit service value of the boxed record, i.e. the port number. + the 16-bit service value of the boxed record. In case of + TCP and UDP it is the port number. In network byte order.
TYPE
@@ -1869,21 +1879,14 @@ q := SHA-512 (ZKDF-Public(zk, label)) .
- - The client implementation MAY allow the user to provide a desired - record type for the resolver. + The application MAY provide a desired record type to the resolver. The desired record type is used to guide processing. - For example, if zone delegation record type is requested, the - resolution of the apex label in that zone may not be necessary, as + For example, if a zone delegation record type is requested, the + resolution of the apex label in that zone must be skipped, as the desired record is already found. - The resolver implementation MUST NOT filter results according to the desired record type. - Filtering of record sets MAY still be done by the client which - could be a stub resolver. + Filtering of record sets is typically done by the application.
Start Zones @@ -1892,7 +1895,7 @@ q := SHA-512 (ZKDF-Public(zk, label)) or only the client? Because the resolver needs to know the zones for redirects, for example --> The resolution of a GNS name starts in an initial start zone. - The local resolver may have one or more local start zones configured + The resolver may have one or more local start zones configured which point to local or remote zone keys. A resolver may also determine the start zone from the suffix of the name given for resolution, or using information @@ -1908,9 +1911,9 @@ q := SHA-512 (ZKDF-Public(zk, label)) management of root servers in DNS (see , Section 3.10 and 3.12). - In the following, we give examples how a local client SHOULD + In the following, we give examples how a resolver SHOULD discover the start zone. The process given is not exhaustive and - clients MAY supplement it with other mechanisms or ignore it if the + resolvers MAY supplement it with other mechanisms or ignore it if the particular application requires a different process. @@ -2106,6 +2109,12 @@ example.com = zk2 identical for all of them, if not the resolution fails and an appropriate error is SHOULD be returned to the application. + + If there are DNSSEC DS records or any other records used to + secure the connection with the DNS servers stored under the label, + the DNS resolver SHOULD use them to secure the connection with + the DNS server. + Once the IP addresses of the DNS servers have been determined, the DNS name from the GNS2DNS record is appended @@ -2115,7 +2124,7 @@ example.com = zk2 support recursive DNS resolution and MUST NOT delegate this to the authoritative DNS servers. The first successful recursive name resolution result - is returned to the client. + is returned to the application. In addition, the resolver SHOULD return the queried DNS name as a supplemental LEHO record (see ) with a relative expiration time of one hour. 
@@ -2139,7 +2148,7 @@ example.com = zk2 still be returned, even if DNS support is disabled by the GNS resolver configuration. - +
BOX @@ -2176,7 +2185,7 @@ example.com = zk2 recursion is continued with the record value as authoritative zone and the apex label "@" as remaining name. Except in the case where the desired record type as specified by - the client is equal to the ztype, in which case the delegation + the application is equal to the ztype, in which case the delegation record is returned.
@@ -2185,7 +2194,7 @@ example.com = zk2 NICK records are only relevant to the recursive resolver if the record set in question is the final result which is to - be returned to the client. The encountered NICK records may either + be returned to the application. The encountered NICK records may either be supplemental (see ) or non-supplemental. If the NICK record is supplemental, the resolver only returns the @@ -2196,7 +2205,7 @@ example.com = zk2 The differentiation between a supplemental and non-supplemental - NICK record allows the client to match the record to the + NICK record allows the application to match the record to the authoritative zone. Consider the following example: In this example, the returned NICK record is non-supplemental. - For the client, this means that the NICK belongs to the zone + For the application, this means that the NICK belongs to the zone "alice.example" and is published under the apex label along with an A record. The NICK record should be interpreted as: The zone defined by "alice.example" wants to be referred to as "eve". @@ -2596,7 +2605,7 @@ Purpose | Name | References | Comment is an active deployment of GNS on top of its DHT. The implementation uses this deployment by building on top of the GNUnet DHT services available on any - GNUnet peer. It shows how GNS implementations and client resolvers + GNUnet peer. It shows how GNS implementations can attach to this existing deployment and participate in name resolution as well as zone publication. -- cgit v1.2.3
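Review bot: the label rule in the hunk at @@ -192,8 +192,10 @@ does not say whether the 63-byte maximum is measured before or after NFC canonicalization. NFC can change the UTF-8 byte length of a string, so two implementations could disagree on whether the same input is a valid label. Suggest stating that the limit applies to the canonicalized form.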
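Review bot: in the Application definition at @@ -269,17 +271,10 @@, "to resolve names into records and processes its contents" leaves "its" without a singular antecedent; "their contents" reads correctly. Because this hunk also deletes the Client definition, any remaining use of "client" as a defined term needs rewording; the XML comment visible in the Start Zones hunk still asks "or only the client?".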
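Review bot: "A implementation SHOULD enable the user to create and manage zones." in the hunk at @@ -358,8 +353,7 @@ should read "An implementation" now that the word "client" has been dropped in front of it.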
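Review bot: the description under the new "SignDerived(d,label,message)" heading at @@ -419,7 +413,7 @@ still says the message is signed "using the (blinded) private key d (d')", but d' is no longer a parameter of either function. Suggest stating how SignDerived() obtains the blinded key from d and label before signing, so it is clear which key each of the two functions signs with.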
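Review bot: at @@ -427,7 +421,7 @@ the heading now lists "VerifyDerived(zk,label,message,signature)", yet the unchanged description below it still speaks of "the private key d (or derived key d')" without saying which public key the check runs against. Suggest spelling out that Verify() checks against zk and that VerifyDerived() checks against the key obtained from zk and label, since a verifier that picks the wrong one accepts or rejects the wrong signatures.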
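Review bot: the PKEY text at @@ -1040,8 +1034,21 @@ keeps "The Sign() and Verify() functions ..." and "The same functions can be used for derived keys:" although the function list earlier in this patch renames the derived-key operations to SignDerived() and VerifyDerived(). Suggest using those names here so the instantiation matches the abstract definitions.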
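Review bot: at @@ -1216,7 +1225,7 @@ the comment "// Implies h mod L == h" is removed from "h[31] &= 7" with nothing in its place, so the pseudocode no longer says why the mask is applied. h is expanded to 512 / 8 = 64 bytes and the mask touches only byte 31; suggest a sentence stating how h is interpreted as a scalar in "zk' := h * zk" and what property the mask is meant to guarantee.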
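Review bot: after the rename at @@ -1256,9 +1265,9 @@, d' is called a "derived private scalar" whose "corresponding private key ... is not known", while the Sign description earlier in the patch uses d' for the "(blinded) private key". Suggest one term for d' across the document, with a note in the EDKEY section that here it is a scalar rather than a key from which R can be derived.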
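Review bot: the new sentence at @@ -1410,6 +1417,8 @@ allows "DNSSEC DS records or any other records used to secure the connection with the DNS servers", which is open-ended and sits directly before "No other record types are allowed in the same record set." An implementation cannot tell from this which types to accept alongside GNS2DNS; suggest listing the permitted record types explicitly.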
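Review bot: the SVC description at @@ -1592,7 +1601,8 @@ now restricts the port-number meaning to TCP and UDP but does not say what the 16-bit value means for any other protocol. Suggest either defining it for those cases or stating that the interpretation is protocol-specific; the fragment "In network byte order." would also read better folded into the first sentence.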
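Review bot: at @@ -1869,21 +1879,14 @@ the change from "may not be necessary" to "must be skipped" turns an observation into a requirement but uses lowercase "must", while the surrounding text uses MAY and MUST NOT as normative keywords. Suggest "MUST be skipped" if this is intended as a requirement, or softer wording if it is not. "Filtering of record sets is typically done by the application." also reads as advice, so consider whether it needs a keyword.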
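Review bot: the new paragraph at @@ -2106,6 +2109,12 @@ says "the DNS resolver SHOULD use them to secure the connection with the DNS server" but gives no behaviour for the case where that check fails. Suggest stating whether resolution fails or continues unauthenticated, since the second option would make the DS records ineffective against a spoofed DNS server. The context line above still contains "an appropriate error is SHOULD be returned", which should lose the "is".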