| Internet-Draft | The GNU Name System | November 2019 |
| Schanzenbach, et al. | Expires 13 May 2020 | [Page] |
This document contains the GNU Name System (GNS) technical specification.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 13 May 2020.¶
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
The Domain Name System (DNS) is a unique distributed database and a vital service for most Internet applications. While DNS is distributed, it relies on centralized, trusted registrars to provide globally unique names. As the awareness of the central role DNS plays on the Internet rises, various institutions are using their power (including legal means) to engage in attacks on the DNS, thus threatening the global availability and integrity of information on the Internet.¶
DNS was not designed with security as a goal. This makes it very vulnerable, especially to attackers that have the technical capabilities of an entire nation state at their disposal. This specification describes a censorship-resistant, privacy-preserving and decentralized name system: The GNU Name System (GNS). It is designed to provide a secure alternative to DNS, especially when censorship or manipulation is encountered. GNS can bind names to any kind of cryptographically secured token, enabling it to double in some respects as even as an alternative to some of today's Public Key Infrastructures, in particular X.509 for the Web.¶
This document contains the GNU Name System (GNS) technical specification of the GNU Name System (GNS), a fully decentralized and censorship-resistant name system. GNS provides a privacy-enhancing alternative to the Domain Name System (DNS). The design of GNS incorporates the capability to integrate and coexist with DNS. GNS is based on the principle of a petname system and builds on ideas from the Simple Distributed Security Infrastructure (SDSI), addressing a central issue with the decentralized mapping of secure identifiers to memorable names: namely the impossibility of providing a global, secure and memorable mapping without a trusted authority. GNS uses the transitivity in the SDSI design to replace the trusted root with secure delegation of authority thus making petnames useful to other users while operating under a very strong adversary model.¶
This document defines the normative wire format of resource records, resolution processes, cryptographic routines and security considerations for use by implementors.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
A zone in GNS is defined by a public/private ECDSA key pair (d,zk), where d is the private key and zk the corresponding public key. GNS employs the curve parameters of the twisted edwards representation of Curve25519 [RFC7748] (a.k.a. edwards25519) with the ECDSA scheme ([RFC6979]). In the following, we use the following naming convention for our cryptographic primitives:¶
A GNS implementor MUST provide a mechanism to create and manage resource records for local zones. A local zone is established by creating a zone key pair. Records may be added to each zone, hence a (local) persistency mechanism for resource records and zones must be provided. This local zone database is used by the GNS resolver implementation and to publish record information.¶
A GNS resource record holds the data of a specific record in a zone. The resource record format is defined as follows:¶
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| EXPIRATION |
+-----+-----+-----+-----+-----+-----+-----+-----+
| DATA SIZE | TYPE |
+-----+-----+-----+-----+-----+-----+-----+-----+
| FLAGS | DATA /
+-----+-----+-----+-----+ /
/ /
/ /
where:¶
Flags indicate metadata surrounding the resource record. A flag value of 0 indicates that all flags are unset. The following illustrates the flag distribution in the 32-bit flag value of a resource record:¶
... 5 4 3 2 1 0
------+--------+--------+--------+--------+--------+
/ ... | SHADOW | EXPREL | / | PRIVATE| / |
------+--------+--------+--------+--------+--------+
where:¶
GNS-specific record type numbers start at 2^16, i.e. after the record type numbers for DNS. The following is a list of defined and reserved record types in GNS:¶
Number | Type | Comment
------------------------------------------------------------
65536 | PKEY | GNS delegation
65537 | NICK | GNS zone nickname
65538 | LEHO | Legacy hostname
65539 | VPN | Virtual private network
65540 | GNS2DNS | DNS delegation
65541 | BOX | Boxed record (for TLSA/SRV)
65542 up to 2^24 - 1 | - | Reserved
2^24 up to 2^32 - 1 | - | Unassigned / For private use
In GNS, a delegation of a label to a zone is represented through a PKEY record. A PKEY resource record contains the public key of the zone to delegate to. A PKEY record MUST be the only record under a label. No other records are allowed. A PKEY DATA entry has the following format:¶
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| PUBLIC KEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
where:¶
It is possible to delegate a label back into DNS through a GNS2DNS record. The resource record contains a DNS name for the resolver to continue with in DNS followed by a DNS server. Both names are in the format defined in [RFC1034] for DNS names. A GNS2DNS DATA entry has the following format:¶
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| DNS NAME |
/ /
/ /
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| DNS SERVER NAME |
/ /
/ /
| |
+-----------------------------------------------+
where:¶
Legacy hostname records can be used by applications that are expected to supply a DNS name on the application layer. The most common use case is HTTP virtual hosting, which as-is would not work with GNS names as those may not be globally unique. A LEHO resource record is expected to be found together in a single resource record with an IPv4 or IPv6 address. A LEHO DATA entry has the following format:¶
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| LEGACY HOSTNAME |
/ /
/ /
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
where:¶
NOTE: If an application uses a LEHO value in an HTTP request header (e.g. "Host:" header) it must be converted to a punycode representation [RFC5891].¶
Nickname records can be used by zone administrators to publish an indication on what label this zone prefers to be referred to. This is a suggestion to other zones what label to use when creating a PKEY Section 3.2 record containing this zone's public zone key. This record SHOULD only be stored under the empty label "@" but MAY be returned with record sets under any label. A NICK DATA entry has the following format:¶
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| NICKNAME |
/ /
/ /
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
where:¶
In GNS, every "." in a name delegates to another zone, and GNS lookups are expected to return all of the required useful information in one record set. This is incompatible with the special labels used by DNS for SRV and TLSA records. Thus, GNS defines the BOX record format to box up SRV and TLSA records and include them in the record set of the label they are associated with. For example, a TLSA record for "_https._tcp.foo.gnu" will be stored in the record set of "foo.gnu" as a BOX record with service (SVC) 443 (https) and protocol (PROTO) 6 (tcp) and record TYPE "TLSA". For reference, see also [RFC2782]. A BOX DATA entry has the following format:¶
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| PROTO | SVC | TYPE |
+-----------+-----------------------------------+
| RECORD DATA |
/ /
/ /
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
where:¶
A VPN DATA entry has the following format:¶
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| HOSTING PEER PUBLIC KEY |
| (256 bits) |
| |
| |
+-----------+-----------------------------------+
| PROTO | SERVICE NAME |
+-----------+ +
/ /
/ /
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
where:¶
GNS resource records are published in a distributed hash table (DHT). We assume that a DHT provides two functions: GET(key) and PUT(key,value). In GNS, resource records are grouped by their respective labels, encrypted and published together in a single resource records block (RRBLOCK) in the DHT under a key "q": PUT(q, RRBLOCK). The key "q" which is derived from the zone key "zk" and the respective label of the contained records.¶
Given a label, the DHT key "q" is derived as follows:¶
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
d_h := h * d mod L
zk_h := h mod L * zk
q := SHA512 (zk_h)
¶
We use a hash-based key derivation function (HKDF) as defined in [RFC5869]. We use HMAC-SHA512 for the extraction phase and HMAC-SHA256 for the expansion phase.¶
We point out that the multiplication of "zk" with "h" is a point multiplication, while the multiplication of "d" with "h" is a scalar multiplication.¶
GNS records are grouped by their labels and published as a single block in the DHT. The contained resource records are encrypted using a symmetric encryption scheme. A GNS implementation must publish RRBLOCKs in accordance to the properties and recommendations of the underlying DHT. This may include a periodic refresh publication. A GNS RRBLOCK has the following format:¶
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| SIGNATURE |
| |
| |
| |
| |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| PUBLIC KEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| SIZE | PURPOSE |
+-----+-----+-----+-----+-----+-----+-----+-----+
| EXPIRATION |
+-----+-----+-----+-----+-----+-----+-----+-----+
| BDATA /
/ /
/ |
+-----+-----+-----+-----+-----+-----+-----+-----+
where:¶
A symmetric encryption scheme is used to encrypt the resource records set RDATA into the BDATA field of a GNS RRBLOCK. The wire format of the RDATA looks as follows:¶
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| RR COUNT | EXPIRA- /
+-----+-----+-----+-----+-----+-----+-----+-----+
/ -TION | DATA SIZE |
+-----+-----+-----+-----+-----+-----+-----+-----+
| TYPE | FLAGS |
+-----+-----+-----+-----+-----+-----+-----+-----+
| DATA /
/ /
/ |
+-----+-----+-----+-----+-----+-----+-----+-----+
| EXPIRATION |
+-----+-----+-----+-----+-----+-----+-----+-----+
| DATA SIZE | TYPE |
+-----+-----+-----+-----+-----+-----+-----+-----+
| FLAGS | DATA /
+-----+-----+-----+-----+ /
/ +-----------------------/
/ | /
+-----------------------+ /
/ PADDING /
/ /
where:¶
The symmetric keys and initialization vectors are derived from the record label and the zone key "zk". For decryption of the resource records block payload, the key material "K" and initialization vector "IV" for the symmetric cipher are derived as follows:¶
PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
PRK_iv := HKDF-Extract ("gns-aes-ctx-iv", zk)
K := HKDF-Expand (PRK_k, label, 512 / 8);
IV := HKDF-Expand (PRK_iv, label, 256 / 8)
¶
HKDF is a hash-based key derivation function as defined in [RFC5869]. Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-SHA256 for the expansion phase. The output keying material is 64 octets (512 bit) for the symmetric keys and 32 octets (256 bit) for the initialization vectors. We divide the resulting keying material "K" into a 256-bit AES [RFC3826] key and a 256-bit TWOFISH [TWOFISH] key:¶
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| AES KEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| TWOFISH KEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
Similarly, we divide "IV" into a 128-bit initialization vector and a 128-bit initialization vector:¶
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| AES IV |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| TWOFISH IV |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
The keys and IVs are used for a CFB128-AES-256 and CFB128-TWOFISH-256 chained symmetric cipher. Both ciphers are used in Cipher FeedBack (CFB) mode [RFC3826].¶
RDATA := AES(AES KEY, AES IV, TWOFISH(TWOFISH KEY, TWOFISH IV, BDATA))
BDATA := TWOFISH(TWOFISH KEY, TWOFISH IV, AES(AES KEY, AES IV, RDATA))
¶
All labels in GNS are encoded in UTF-8 [RFC3629]. This does not include any DNS names found in DNS records, such as CNAME records, which are internationalized through the IDNA specifications [RFC5890].¶
Names in GNS are resolved by recursively querying the DHT record storage. In the following, we define how resolution is initiated and each iteration in the resolution is processed.¶
GNS resolution of a name must start in a given starting zone indicated using a zone public key. Details on how the starting zone may be determined is discussed in Section 8.¶
When GNS name resolution is requested, a desired record type MAY be provided by the client. The GNS resolver will use the desired record type to guide processing, for example by providing conversion of VPN records to A or AAAA records, if that is desired. However, filtering of record sets according to the required record types MUST still be done by the client after the resource record set is retrieved.¶
In each step of the recursive name resolution, there is an authoritative zone zk and a name to resolve. The name may be empty. Initially, the authoritative zone is the start zone. If the name is empty, it is interpreted as the apex label "@".¶
From here, the following steps are recursively executed, in order:¶
Upon receiving the RRBLOCK from the DHT, apart from verifying the provided signature, the resolver MUST check that the authoritative zone key was used to sign the record: The derived zone key "h*zk" MUST match the public key provided in the RRBLOCK, otherwise the RRBLOCK MUST be ignored and the DHT lookup GET(q) MUST continue.¶
Record processing occurs at the end of a single recursion. We assume that the RRBLOCK has been cryptographically verified and decrypted. At this point, we must first determine if we have received a valid record set in the context of the name we are trying to resolve:¶
When the resolver encounters a PKEY record and the remainder of the name is not empty, resolution continues recursively with the remainder of the name in the GNS zone specified in the PKEY record.¶
If the remainder of the name to resolve is empty and we have received a record set containing only a single PKEY record, the recursion is continued with the PKEY as authoritative zone and the empty apex label "@" as remaining name, except in the case where the desired record type is PKEY, in which case the PKEY record is returned and the resolution is concluded without resolving the empty apex label.¶
When a resolver encounters one or more GNS2DNS records and the remaining name is empty and the desired record type is GNS2DNS, the GNS2DNS records are returned.¶
Otherwise, it is expected that the resolver first resolves the IP(s) of the specified DNS name server(s). GNS2DNS records MAY contain numeric IPv4 or IPv6 addresses, allowing the resolver to skip this step. The DNS server names may themselves be names in GNS or DNS. If the DNS server name ends in ".+", the rest of the name is to be interpreted relative to the zone of the GNS2DNS record. If the DNS server name ends in ".<Base32(zk)>", the DNS server name is to be resolved against the GNS zone zk.¶
Multiple GNS2DNS records may be stored under the same label, in which case the resolver MUST try all of them. The resolver MAY try them in any order or even in parallel. If multiple GNS2DNS records are present, the DNS name MUST be identical for all of them, if not the resolution fails and an emtpy record set is returned as the record set is invalid.¶
Once the IP addresses of the DNS servers have been determined, the DNS name from the GNS2DNS record is appended to the remainder of the name to be resolved, and resolved by querying the DNS name server(s). As the DNS servers specified are possibly authoritative DNS servers, the GNS resolver MUST support recursive resolution and MUST NOT delegate this to the authoritative DNS servers. The first successful recursive name resolution result is returned to the client.¶
GNS resolvers SHOULD offer a configuration option to disable DNS processing to avoid information leakage and provide a consistent security profile for all name resolutions. Such resolvers would return an empty record set upon encountering a GNS2DNS record during the recursion. However, if GNS2DNS records are encountered in the record set for the apex and a GNS2DNS record is expicitly requested by the application, such records MUST still be returned, even if DNS support is disabled by the GNS resolver configuration.¶
If a CNAME record is encountered, the canonical name is appended to the remaining name, except if the remaining name is empty and the desired record type is CNAME, in which case the resolution concludes with the CNAME record. If the canonical name ends in ".+", resolution continues in GNS with the new name in the current zone. Otherwise, the resulting name is resolved via the default operating system name resolution process. This may in turn again trigger a GNS resolution process depending on the system configuration.¶
The recursive DNS resolution process may yield a CNAME as well which in turn may either point into the DNS or GNS namespace (if it ends in a ".<Base32(zk)>"). In order to prevent infinite loops, the resolver MUST implement loop detections or limit the number of recursive resolution steps.¶
When a BOX record is received, a GNS resolver must unbox it if the name to be resolved continues with "_SERVICE._PROTO". Otherwise, the BOX record is to be left untouched. This way, TLSA (and SRV) records do not require a separate network request, and TLSA records become inseparable from the corresponding address records.¶
At the end of the recursion, if the queried record type is either A or AAAA and the retrieved record set contains at least one VPN record, the resolver SHOULD open a tunnel and return the IPv4 or IPv6 tunnel address, respectively. The type of tunnel depends on the contents of the VPN record data. The VPN record MUST be returned if the resolver implementation does not support setting up a tunnnel.¶
Whenever a recursive resolver encounters a new GNS zone, it MUST check against the local revocation list whether the respective zone key has been revoked. If the zone key was revoked, the resolution MUST fail with an empty result set.¶
In order to revoke a zone key, a signed revocation object SHOULD be published. This object MUST be signed using the private zone key. The revocation object is flooded in the overlay network. To prevent flooding attacks, the revocation message MUST contain a proof-of-work. The revocation message including the proof-of-work MAY be calculated ahead of time to support timely revocation.¶
A revocation message is defined as follows:¶
The resolution of a GNS name must start in a given start zone indicated to the resolver using any public zone key. The local resolver may have a local start zone configured/hard-coded which points to a local or remote start zone key. A resolver client may also determine the start zone from the suffix of the name given for resolution or using information retrieved out of band. The governance model of any zone is at the sole discretion of the zone owner. However, the choice of start zone(s) is at the sole discretion of the local system administrator or user.¶
This is an important distinguishing factor from the Domain Name System where root zone governance is centralized at the Internet Corporation for Assigned Names and Numbers (ICANN). In DNS terminology, GNS roughly follows the idea of a hyper-hyper local root zone deployment, with the difference that it is not expected that all deployments use the same local root zone.¶
In the following, we give examples how a local client resolver SHOULD discover the start zone. The process given is not exhaustive and clients MAY suppliement it with other mechanisms or ignore it if the particular application requires a different process.¶
GNS clients SHOULD first try to interpret the top-level domain of a GNS name as a zone key. For example. if the top-level domain is a Base32-encoded public zone key "zk", the root zone of the resolution process is implicitly given by the name:¶
Example name: www.example.<Base32(zk)>
=> Root zone: zk
=> Name to resolve from root zone: www.example
¶
In GNS, users MAY own and manage their own zones. Each local zone SHOULD be associated with a single GNS label, but users MAY choose to use longer names consisting of multiple labels. If the name of a locally managed zone matches the suffix of the name to be resolved, resolution SHOULD start from the respective local zone:¶
Example name: www.example.gnu
Local zones:
fr = (d0,zk0)
gnu = (d1,zk1)
com = (d2,zk2)
...
=> Entry zone: zk1
=> Name to resolve from entry zone: www.example
¶
Finally, additional "suffix to zone" mappings MAY be configured. Suffix to zone key mappings SHOULD be configurable through a local configuration file or database by the user or system administrator. The suffix MAY consist of multiple GNS labels concatenated with a ".". If multiple suffixes match the name to resolve, the longest matching suffix MUST BE used. The suffix length of two results cannot be equal, as this would indicate a misconfiguration. If both a locally managed zone and a configuration entry exist for the same suffix, the locally managed zone MUST have priority.¶
Example name: www.example.gnu
Local suffix mappings:
gnu = zk0
example.gnu = zk1
example.com = zk2
...
=> Entry zone: zk1
=> Name to resolve from entry zone: www
¶
This will be fun¶
The following represents a test vector for a record of type MX with a priority of 10 and the mail hostname mail.example.com.¶
label := "mail"
d :=
71199f7b287cc77a
0d21b5e40a77cb1d
f89333903b284fe8
1878bf47f3b39da0
zk (public zone key) :=
dff911496d025d7e
0885c03d19153e99
4f213f23ea719eca
17fc32dc410e082e
h :=
2af3275a9cf90e54
f2dbf7930be76fb9
5e7c80b1416f8ca6
dc50ce8e1fb759b9
fedcdcf546c17e9b
4c4f23632855c053
6668e9f684f4dc33
6d656b27392b0fee
d_h :=
01fb61f482c17633
77611c4c2509e0f3
81b0e7e4405c10bd
0017c802f7d32e18
q (query key) :=
6fce4deddc5ad681
f4e29a3310767e3b
8b38bc1b276ce2ba
9bf1b49df1e120a3
20ecc9dffb68416f
11729ad878ad3bdf
d0b4db2626b620d7
8e0604e4393c66a3
AES_KEY :=
afefd21a087a150d
6757741a4eda02a5
65df7ca86ba44b21
3f8106c0071eaf01
AES_IV :=
a808b929bc9fad7a
686bbe3432bed77a
TWOFISH_KEY :=
c9d0089df01d0bf4
e4c8db4b2ccc7328
3425e8a811ae59d2
99e2747285d2a479
TWOFISH_IV :=
071be189a9d236f9
b4a3654bb8c281d4
RDATA :=
0000000100059412 RR COUNT | EXPIRA-
09ddea0f00000014 -TION | DATA SIZE (20)
0000000f00000000 TYPE (15=MX) | FLAGS (0)
000a046d61696c07 Priority (10) |4 | mail | 7
6578616d706c6503 example | 3
636f6d0000000000 com | \0 | Followed by
0000000000000000 24 bytes of padding to 2^6
0000000000000000
00000000
RRBLOCK :=
055cb070e05fe6de SIGNATURE
ad694a50e5b4dedd
b9fdcbdbae004f65
afc99ba9c5a3bb54
07e731a34680ee33
ae0de7bfeda7d2b7
8c6b854a008b1b54
10df4f39f5ba9f46____________
8cb514a56c0eaae0 zk_h
56745158a63ee4dd
76853cb9545e326e
76d7fa920f818291____________
000000540000000f SIZE (=84) | PURPOSE (=15)
0005941209dde25b EXPIRATION
d99d08fa123da096 BDATA
66c2fb9bf020a85d
e80818d0a84059a8
5eee901a66459e5e
3d1a10b29a5b8354
1b58636781166b9a
642920eee8e7a65a
001fd19a6406a721
713f0a0d
¶