path: root/draft-schanzen-gns.txt

Independent Stream                                       M. Schanzenbach
Internet-Draft                                               GNUnet e.V.
Intended status: Informational                               C. Grothoff
Expires: 13 May 2020                               Berner Fachhochschule
                                                                  B. Fix
                                                             GNUnet e.V.
                                                        10 November 2019


                   The GNU Name System Specification
                         draft-schanzen-gns-00

Abstract

   This document contains the GNU Name System (GNS) technical
   specification.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 13 May 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.




Schanzenbach, et al.       Expires 13 May 2020                  [Page 1]

Internet-Draft             The GNU Name System             November 2019


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Resource Records  . . . . . . . . . . . . . . . . . . . . . .   4
     3.1.  Record Types  . . . . . . . . . . . . . . . . . . . . . .   5
     3.2.  PKEY  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
     3.3.  GNS2DNS . . . . . . . . . . . . . . . . . . . . . . . . .   6
     3.4.  LEHO  . . . . . . . . . . . . . . . . . . . . . . . . . .   7
     3.5.  NICK  . . . . . . . . . . . . . . . . . . . . . . . . . .   8
     3.6.  BOX . . . . . . . . . . . . . . . . . . . . . . . . . . .   8
     3.7.  VPN . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
   4.  Publishing Records  . . . . . . . . . . . . . . . . . . . . .  10
     4.1.  Key Derivations . . . . . . . . . . . . . . . . . . . . .  10
     4.2.  Resource Records Block  . . . . . . . . . . . . . . . . .  11
     4.3.  Record Data Encryption and Decryption . . . . . . . . . .  13
   5.  Internationalization and Character Encoding . . . . . . . . .  15
   6.  Name Resolution . . . . . . . . . . . . . . . . . . . . . . .  15
     6.1.  Recursion . . . . . . . . . . . . . . . . . . . . . . . .  16
     6.2.  Record Processing . . . . . . . . . . . . . . . . . . . .  16
       6.2.1.  PKEY  . . . . . . . . . . . . . . . . . . . . . . . .  17
       6.2.2.  GNS2DNS . . . . . . . . . . . . . . . . . . . . . . .  17
       6.2.3.  CNAME . . . . . . . . . . . . . . . . . . . . . . . .  18
       6.2.4.  BOX . . . . . . . . . . . . . . . . . . . . . . . . .  18
       6.2.5.  VPN . . . . . . . . . . . . . . . . . . . . . . . . .  18
   7.  Zone Revocation . . . . . . . . . . . . . . . . . . . . . . .  19
   8.  Determining the Root Zone and Zone Governance . . . . . . . .  19
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  21
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  21
   11. Test Vectors  . . . . . . . . . . . . . . . . . . . . . . . .  21
   12. Normative References  . . . . . . . . . . . . . . . . . . . .  23
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  24

1.  Introduction

   The Domain Name System (DNS) is a unique distributed database and a
   vital service for most Internet applications.  While DNS is
   distributed, it relies on centralized, trusted registrars to provide
   globally unique names.  As the awareness of the central role DNS
   plays on the Internet rises, various institutions are using their
   power (including legal means) to engage in attacks on the DNS, thus
   threatening the global availability and integrity of information on
   the Internet.

   DNS was not designed with security as a goal.  This makes it very
   vulnerable, especially to attackers that have the technical
   capabilities of an entire nation state at their disposal.  This
   specification describes a censorship-resistant, privacy-preserving



Schanzenbach, et al.       Expires 13 May 2020                  [Page 2]

Internet-Draft             The GNU Name System             November 2019


   and decentralized name system: The GNU Name System (GNS).  It is
   designed to provide a secure alternative to DNS, especially when
   censorship or manipulation is encountered.  GNS can bind names to any
   kind of cryptographically secured token, enabling it to double in
   some respects as even as an alternative to some of today's Public Key
   Infrastructures, in particular X.509 for the Web.

   This document contains the GNU Name System (GNS) technical
   specification of the GNU Name System (GNS), a fully decentralized and
   censorship-resistant name system.  GNS provides a privacy-enhancing
   alternative to the Domain Name System (DNS).  The design of GNS
   incorporates the capability to integrate and coexist with DNS.  GNS
   is based on the principle of a petname system and builds on ideas
   from the Simple Distributed Security Infrastructure (SDSI),
   addressing a central issue with the decentralized mapping of secure
   identifiers to memorable names: namely the impossibility of providing
   a global, secure and memorable mapping without a trusted authority.
   GNS uses the transitivity in the SDSI design to replace the trusted
   root with secure delegation of authority thus making petnames useful
   to other users while operating under a very strong adversary model.

   This document defines the normative wire format of resource records,
   resolution processes, cryptographic routines and security
   considerations for use by implementors.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].


2.  Zones

   A zone in GNS is defined by a public/private ECDSA key pair (d,zk),
   where d is the private key and zk the corresponding public key.  GNS
   employs the curve parameters of the twisted edwards representation of
   Curve25519 [RFC7748] (a.k.a. edwards25519) with the ECDSA scheme
   ([RFC6979]).  In the following, we use the following naming
   convention for our cryptographic primitives:

   d  is a 256-bit ECDSA private key.  In GNS, records are signed using
      a key derived from "d" as described in Section 4.

   p  is the prime of edwards25519 as defined in [RFC7748], i.e.  2^255
      - 19.

   B  is the group generator (X(P),Y(P)) of edwards25519 as defined in
      [RFC7748].




Schanzenbach, et al.       Expires 13 May 2020                  [Page 3]

Internet-Draft             The GNU Name System             November 2019


   L  is the prime-order subgroup of edwards25519 in [RFC7748].

   zk  is the ECDSA public key corresponding to d.  It is defined in
      [RFC6979] as the curve point d*B where B is the group generator of
      the elliptic curve.  The public key is used to uniquely identify a
      GNS zone and is referred to as the "zone key".

3.  Resource Records

   A GNS implementor MUST provide a mechanism to create and manage
   resource records for local zones.  A local zone is established by
   creating a zone key pair.  Records may be added to each zone, hence a
   (local) persistency mechanism for resource records and zones must be
   provided.  This local zone database is used by the GNS resolver
   implementation and to publish record information.

   A GNS resource record holds the data of a specific record in a zone.
   The resource record format is defined as follows:

            0     8     16    24    32    40    48    56
            +-----+-----+-----+-----+-----+-----+-----+-----+
            |                   EXPIRATION                  |
            +-----+-----+-----+-----+-----+-----+-----+-----+
            |       DATA SIZE       |          TYPE         |
            +-----+-----+-----+-----+-----+-----+-----+-----+
            |           FLAGS       |        DATA           /
            +-----+-----+-----+-----+                       /
            /                                               /
            /                                               /

                                  Figure 1

   where:

   EXPIRATION  denotes the absolute 64-bit expiration date of the
      record.  In microseconds since midnight (0 hour), January 1, 1970
      in network byte order.

   DATA SIZE  denotes the 32-bit size of the DATA field in bytes and in
      network byte order.

   TYPE  is the 32-bit resource record type.  This type can be one of
      the GNS resource records as defined in Section 3 or a DNS record
      type as defined in [RFC1035] or any of the complementary
      standardized DNS resource record types.  This value must be stored
      in network byte order.  Note that values below 2^16 are reserved
      for allocation via IANA ([RFC6895]).




Schanzenbach, et al.       Expires 13 May 2020                  [Page 4]

Internet-Draft             The GNU Name System             November 2019


   FLAGS  is a 32-bit resource record flags field (see below).

   DATA  the variable-length resource record data payload.  The contents
      are defined by the respective type of the resource record.

   Flags indicate metadata surrounding the resource record.  A flag
   value of 0 indicates that all flags are unset.  The following
   illustrates the flag distribution in the 32-bit flag value of a
   resource record:

            ... 5       4         3        2        1        0
            ------+--------+--------+--------+--------+--------+
            / ... | SHADOW | EXPREL |   /    | PRIVATE|    /   |
            ------+--------+--------+--------+--------+--------+

                                  Figure 2

   where:

   SHADOW  If this flag is set, this record should be ignored by
      resolvers unless all (other) records of the same record type have
      expired.  Used to allow zone publishers to facilitate good
      performance when records change by allowing them to put future
      values of records into the DHT.  This way, future values can
      propagate and may be cached before the transition becomes active.

   EXPREL  The expiration time value of the record is a relative time
      (still in microseconds) and not an absolute time.  This flag
      should never be encountered by a resolver for records obtained
      from the DHT, but might be present when a resolver looks up
      private records of a zone hosted locally.

   PRIVATE  This is a private record of this peer and it should thus not
      be published in the DHT.  Thus, this flag should never be
      encountered by a resolver for records obtained from the DHT.
      Private records should still be considered just like regular
      records when resolving labels in local zones.

3.1.  Record Types

   GNS-specific record type numbers start at 2^16, i.e. after the record
   type numbers for DNS.  The following is a list of defined and
   reserved record types in GNS:








Schanzenbach, et al.       Expires 13 May 2020                  [Page 5]

Internet-Draft             The GNU Name System             November 2019


              Number                | Type            | Comment
              ------------------------------------------------------------
              65536                 | PKEY            | GNS delegation
              65537                 | NICK            | GNS zone nickname
              65538                 | LEHO            | Legacy hostname
              65539                 | VPN             | Virtual private network
              65540                 | GNS2DNS         | DNS delegation
              65541                 | BOX             | Boxed record (for TLSA/SRV)
              65542 up to 2^24 - 1  | -               | Reserved
              2^24 up to 2^32 - 1   | -               | Unassigned / For private use

                                  Figure 3

3.2.  PKEY

   In GNS, a delegation of a label to a zone is represented through a
   PKEY record.  A PKEY resource record contains the public key of the
   zone to delegate to.  A PKEY record MUST be the only record under a
   label.  No other records are allowed.  A PKEY DATA entry has the
   following format:

              0     8     16    24    32    40    48    56
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                   PUBLIC KEY                  |
              |                                               |
              |                                               |
              |                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+

                                  Figure 4

   where:

   PUBLIC KEY  A 256-bit ECDSA zone key.

3.3.  GNS2DNS

   It is possible to delegate a label back into DNS through a GNS2DNS
   record.  The resource record contains a DNS name for the resolver to
   continue with in DNS followed by a DNS server.  Both names are in the
   format defined in [RFC1034] for DNS names.  A GNS2DNS DATA entry has
   the following format:









Schanzenbach, et al.       Expires 13 May 2020                  [Page 6]

Internet-Draft             The GNU Name System             November 2019


              0     8     16    24    32    40    48    56
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                    DNS NAME                   |
              /                                               /
              /                                               /
              |                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                 DNS SERVER NAME               |
              /                                               /
              /                                               /
              |                                               |
              +-----------------------------------------------+

                                  Figure 5

   where:

   DNS NAME  The name to continue with in DNS (0-terminated).

   DNS SERVER NAME  The DNS server to use.  May be an IPv4/IPv6 address
      in dotted decimal form or a DNS name.  It may also be a relative
      GNS name ending with a "+" top-level domain.  The value is UTF-8
      encoded (also for DNS names) and 0-terminated.

3.4.  LEHO

   Legacy hostname records can be used by applications that are expected
   to supply a DNS name on the application layer.  The most common use
   case is HTTP virtual hosting, which as-is would not work with GNS
   names as those may not be globally unique.  A LEHO resource record is
   expected to be found together in a single resource record with an
   IPv4 or IPv6 address.  A LEHO DATA entry has the following format:

              0     8     16    24    32    40    48    56
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                 LEGACY HOSTNAME               |
              /                                               /
              /                                               /
              |                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+

                                  Figure 6

   where:

   LEGACY HOSTNAME  A UTF-8 string (which is not 0-terminated)
      representing the legacy hostname.




Schanzenbach, et al.       Expires 13 May 2020                  [Page 7]

Internet-Draft             The GNU Name System             November 2019


   NOTE: If an application uses a LEHO value in an HTTP request header
   (e.g.  "Host:" header) it must be converted to a punycode
   representation [RFC5891].

3.5.  NICK

   Nickname records can be used by zone administrators to publish an
   indication on what label this zone prefers to be referred to.  This
   is a suggestion to other zones what label to use when creating a PKEY
   Section 3.2 record containing this zone's public zone key.  This
   record SHOULD only be stored under the empty label "@" but MAY be
   returned with record sets under any label.  A NICK DATA entry has the
   following format:

              0     8     16    24    32    40    48    56
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                  NICKNAME                     |
              /                                               /
              /                                               /
              |                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+

                                  Figure 7

   where:

   NICKNAME  A UTF-8 string (which is not 0-terminated) representing the
      preferred label of the zone.  This string MUST NOT include a "."
      character.

3.6.  BOX

   In GNS, every "." in a name delegates to another zone, and GNS
   lookups are expected to return all of the required useful information
   in one record set.  This is incompatible with the special labels used
   by DNS for SRV and TLSA records.  Thus, GNS defines the BOX record
   format to box up SRV and TLSA records and include them in the record
   set of the label they are associated with.  For example, a TLSA
   record for "_https._tcp.foo.gnu" will be stored in the record set of
   "foo.gnu" as a BOX record with service (SVC) 443 (https) and protocol
   (PROTO) 6 (tcp) and record TYPE "TLSA".  For reference, see also
   [RFC2782].  A BOX DATA entry has the following format:









Schanzenbach, et al.       Expires 13 May 2020                  [Page 8]

Internet-Draft             The GNU Name System             November 2019


              0     8     16    24    32    40    48    56
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |   PROTO   |    SVC    |       TYPE            |
              +-----------+-----------------------------------+
              |                 RECORD DATA                   |
              /                                               /
              /                                               /
              |                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+

                                  Figure 8

   where:

   PROTO  the 16-bit protocol number, e.g. 6 for tcp.  In network byte
      order.

   SVC  the 16-bit service value of the boxed record, i.e. the port
      number.  In network byte order.

   TYPE  is the 32-bit record type of the boxed record.  In network byte
      order.

   RECORD DATA  is a variable length field containing the "DATA" format
      of TYPE as defined for the respective TYPE in DNS.

3.7.  VPN

   A VPN DATA entry has the following format:

              0     8     16    24    32    40    48    56
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |          HOSTING PEER PUBLIC KEY              |
              |                (256 bits)                     |
              |                                               |
              |                                               |
              +-----------+-----------------------------------+
              |   PROTO   |    SERVICE  NAME                  |
              +-----------+                                   +
              /                                               /
              /                                               /
              |                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+

                                  Figure 9

   where:




Schanzenbach, et al.       Expires 13 May 2020                  [Page 9]

Internet-Draft             The GNU Name System             November 2019


   HOSTING PEER PUBLIC KEY  is a 256-bit EdDSA public key identifying
      the peer hosting the service.

   PROTO  the 16-bit protocol number, e.g. 6 for TCP.  In network byte
      order.

   SERVICE NAME  a shared secret used to identify the service at the
      hosting peer, used to derive the port number requird to connect to
      the service.  The service name MUST be a 0-terminated UTF-8
      string.

4.  Publishing Records

   GNS resource records are published in a distributed hash table (DHT).
   We assume that a DHT provides two functions: GET(key) and
   PUT(key,value).  In GNS, resource records are grouped by their
   respective labels, encrypted and published together in a single
   resource records block (RRBLOCK) in the DHT under a key "q": PUT(q,
   RRBLOCK).  The key "q" which is derived from the zone key "zk" and
   the respective label of the contained records.

4.1.  Key Derivations

   Given a label, the DHT key "q" is derived as follows:

            PRK_h := HKDF-Extract ("key-derivation", zk)
            h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
            d_h := h * d mod L
            zk_h := h mod L * zk
            q := SHA512 (zk_h)

   We use a hash-based key derivation function (HKDF) as defined in
   [RFC5869].  We use HMAC-SHA512 for the extraction phase and HMAC-
   SHA256 for the expansion phase.

   PRK_h  is key material retrieved using an HKDF using the string "key-
      derivation" as salt and the public zone key "zk" as initial keying
      material.

   h  is the 512-bit HKDF expansion result.  The expansion info input is
      a concatenation of the label and string "gns".

   d  is the 256-bit private zone key as defined in Section 2.

   label  is a UTF-8 string under which the resource records are
      published.





Schanzenbach, et al.       Expires 13 May 2020                 [Page 10]

Internet-Draft             The GNU Name System             November 2019


   d_h  is a 256-bit private key derived from the "d" using the keying
      material "h".

   zk_h  is a 256-bit public key derived from the zone key "zk" using
      the keying material "h".

   L  is the prime-order subgroup as defined in Section 2.

   q  Is the 512-bit DHT key under which the resource records block is
      published.  It is the SHA512 hash over the public key "zk_h"
      corresponding to the derived private key "d_h".

   We point out that the multiplication of "zk" with "h" is a point
   multiplication, while the multiplication of "d" with "h" is a scalar
   multiplication.

4.2.  Resource Records Block

   GNS records are grouped by their labels and published as a single
   block in the DHT.  The contained resource records are encrypted using
   a symmetric encryption scheme.  A GNS implementation must publish
   RRBLOCKs in accordance to the properties and recommendations of the
   underlying DHT.  This may include a periodic refresh publication.  A
   GNS RRBLOCK has the following format:



























Schanzenbach, et al.       Expires 13 May 2020                 [Page 11]

Internet-Draft             The GNU Name System             November 2019


              0     8     16    24    32    40    48    56
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                   SIGNATURE                   |
              |                                               |
              |                                               |
              |                                               |
              |                                               |
              |                                               |
              |                                               |
              |                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                  PUBLIC KEY                   |
              |                                               |
              |                                               |
              |                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |         SIZE          |       PURPOSE         |
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                   EXPIRATION                  |
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                    BDATA                      /
              /                                               /
              /                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 10

   where:

   SIGNATURE  A 512-bit ECDSA deterministic signature compliant with
      [RFC6979].  The signature is computed over the data following the
      PUBLIC KEY field.  The signature is created using the derived
      private key "d_h" (see Section 4).

   PUBLIC KEY  is the 256-bit public key "zk_h" to be used to verify
      SIGNATURE.  The wire format of this value is defined in [RFC8032],
      Section 5.1.5.

   SIZE  A 32-bit value containing the length of the signed data
      following the PUBLIC KEY field in network byte order.  This value
      always includes the length of the fields SIZE (4), PURPOSE (4) and
      EXPIRATION (8) in addition to the length of the BDATA.  While a
      32-bit value is used, implementations MAY refuse to publish blocks
      beyond a certain size significantly below 4 GB.  However, a
      minimum block size of 62 kilobytes MUST be supported.

   PURPOSE  A 32-bit signature purpose flag.  This field MUST be 15 (in
      network byte order).



Schanzenbach, et al.       Expires 13 May 2020                 [Page 12]

Internet-Draft             The GNU Name System             November 2019


   EXPIRATION  Specifies when the RRBLOCK expires and the encrypted
      block SHOULD be removed from the DHT and caches as it is likely
      stale.  However, applications MAY continue to use non-expired
      individual records until they expire.  The value MUST be set to
      the expiration time of the resource record contained within this
      block with the smallest expiration time.  If a records block
      includes shadow records, then the maximum expiration time of all
      shadow records with matching type and the expiration times of the
      non-shadow records is considered.  This is a 64-bit absolute date
      in microseconds since midnight (0 hour), January 1, 1970 in
      network byte order.

   BDATA  The encrypted resource records with a total size of SIZE - 16.

4.3.  Record Data Encryption and Decryption

   A symmetric encryption scheme is used to encrypt the resource records
   set RDATA into the BDATA field of a GNS RRBLOCK.  The wire format of
   the RDATA looks as follows:

              0     8     16    24    32    40    48    56
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |     RR COUNT          |        EXPIRA-        /
              +-----+-----+-----+-----+-----+-----+-----+-----+
              /         -TION         |       DATA SIZE       |
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |         TYPE          |          FLAGS        |
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                      DATA                     /
              /                                               /
              /                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                   EXPIRATION                  |
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |       DATA SIZE       |          TYPE         |
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |           FLAGS       |        DATA           /
              +-----+-----+-----+-----+                       /
              /                       +-----------------------/
              /                       |                       /
              +-----------------------+                       /
              /                     PADDING                   /
              /                                               /

                                 Figure 11

   where:




Schanzenbach, et al.       Expires 13 May 2020                 [Page 13]

Internet-Draft             The GNU Name System             November 2019


   RR COUNT  A 32-bit value containing the number of variable-length
      resource records which are following after this field in network
      byte order.

   EXPIRATION, DATA SIZE, TYPE, FLAGS and DATA  These fields were defined in
      the resource record format in Section 3.  There MUST be a total of
      RR COUNT of these resource records present.

   PADDING  The padding MUST contain the value 0 in all octets.  The
      padding MUST ensure that the size of the RDATA WITHOUT the RR
      COUNT field is a power of two.  As a special exception, record
      sets with (only) a PKEY record type are never padded.  Note that a
      record set with a PKEY record MUST NOT contain other records.

   The symmetric keys and initialization vectors are derived from the
   record label and the zone key "zk".  For decryption of the resource
   records block payload, the key material "K" and initialization vector
   "IV" for the symmetric cipher are derived as follows:

            PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
            PRK_iv := HKDF-Extract ("gns-aes-ctx-iv", zk)
            K := HKDF-Expand (PRK_k, label, 512 / 8);
            IV := HKDF-Expand (PRK_iv, label, 256 / 8)

   HKDF is a hash-based key derivation function as defined in [RFC5869].
   Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-
   SHA256 for the expansion phase.  The output keying material is 64
   octets (512 bit) for the symmetric keys and 32 octets (256 bit) for
   the initialization vectors.  We divide the resulting keying material
   "K" into a 256-bit AES [RFC3826] key and a 256-bit TWOFISH [TWOFISH]
   key:

              0     8     16    24    32    40    48    56
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                    AES KEY                    |
              |                                               |
              |                                               |
              |                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                  TWOFISH KEY                  |
              |                                               |
              |                                               |
              |                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 12





Schanzenbach, et al.       Expires 13 May 2020                 [Page 14]

Internet-Draft             The GNU Name System             November 2019


   Similarly, we divide "IV" into a 128-bit initialization vector and a
   128-bit initialization vector:

              0     8     16    24    32    40    48    56
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                    AES IV                     |
              |                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                  TWOFISH IV                   |
              |                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 13

   The keys and IVs are used for a CFB128-AES-256 and CFB128-TWOFISH-256
   chained symmetric cipher.  Both ciphers are used in Cipher FeedBack
   (CFB) mode [RFC3826].

            RDATA := AES(AES KEY, AES IV, TWOFISH(TWOFISH KEY, TWOFISH IV, BDATA))
            BDATA := TWOFISH(TWOFISH KEY, TWOFISH IV, AES(AES KEY, AES IV, RDATA))

5.  Internationalization and Character Encoding

   All labels in GNS are encoded in UTF-8 [RFC3629].  This does not
   include any DNS names found in DNS records, such as CNAME records,
   which are internationalized through the IDNA specifications
   [RFC5890].

6.  Name Resolution

   Names in GNS are resolved by recursively querying the DHT record
   storage.  In the following, we define how resolution is initiated and
   each iteration in the resolution is processed.

   GNS resolution of a name must start in a given starting zone
   indicated using a zone public key.  Details on how the starting zone
   may be determined is discussed in Section 8.

   When GNS name resolution is requested, a desired record type MAY be
   provided by the client.  The GNS resolver will use the desired record
   type to guide processing, for example by providing conversion of VPN
   records to A or AAAA records, if that is desired.  However, filtering
   of record sets according to the required record types MUST still be
   done by the client after the resource record set is retrieved.







Schanzenbach, et al.       Expires 13 May 2020                 [Page 15]

Internet-Draft             The GNU Name System             November 2019


6.1.  Recursion

   In each step of the recursive name resolution, there is an
   authoritative zone zk and a name to resolve.  The name may be empty.
   Initially, the authoritative zone is the start zone.  If the name is
   empty, it is interpreted as the apex label "@".

   From here, the following steps are recursively executed, in order:

   1.  Extract the right-most label from the name to look up.

   2.  Calculate q using the label and zk as defined in Section 4.1.

   3.  Perform a DHT query GET(q) to retrieve the RRBLOCK.

   4.  Verify and process the RRBLOCK and decrypt the BDATA contained in
       it as defined in Section 4.3.

   Upon receiving the RRBLOCK from the DHT, apart from verifying the
   provided signature, the resolver MUST check that the authoritative
   zone key was used to sign the record: The derived zone key "h*zk"
   MUST match the public key provided in the RRBLOCK, otherwise the
   RRBLOCK MUST be ignored and the DHT lookup GET(q) MUST continue.

6.2.  Record Processing

   Record processing occurs at the end of a single recursion.  We assume
   that the RRBLOCK has been cryptographically verified and decrypted.
   At this point, we must first determine if we have received a valid
   record set in the context of the name we are trying to resolve:

   1.  Case 1: If the remainder of the name to resolve is empty and the
       record set does not consist of a PKEY, CNAME or DNS2GNS record,
       the record set is the result and the recursion is concluded.

   2.  Case 2: If the name to be resolved is of the format
       "_SERVICE._PROTO" and the record set contains one or more
       matching BOX records, the records in the BOX records are the
       result and the recusion is concluded (Section 6.2.4).

   3.  Case 3: If the remainder of the name to resolve is not empty and
       does not match the "_SERVICE._PROTO" syntax, then the current
       record set MUST consist of a single PKEY record (Section 6.2.1),
       a single CNAME record (Section 6.2.3), or one or more GNS2DNS
       records (Section 6.2.2), which are processed as described in the
       respective sections below.  Otherwise, resolution fails and the
       resolver MUST return an empty record set.  Finally, after the
       recursion terminates, the client preferences for the record type



Schanzenbach, et al.       Expires 13 May 2020                 [Page 16]

Internet-Draft             The GNU Name System             November 2019


       SHOULD be considered.  If a VPN record is found and the client
       requests an A or AAAA record, the VPN record SHOULD be converted
       (Section 6.2.5) if possible.

6.2.1.  PKEY

   When the resolver encounters a PKEY record and the remainder of the
   name is not empty, resolution continues recursively with the
   remainder of the name in the GNS zone specified in the PKEY record.

   If the remainder of the name to resolve is empty and we have received
   a record set containing only a single PKEY record, the recursion is
   continued with the PKEY as authoritative zone and the empty apex
   label "@" as remaining name, except in the case where the desired
   record type is PKEY, in which case the PKEY record is returned and
   the resolution is concluded without resolving the empty apex label.

6.2.2.  GNS2DNS

   When a resolver encounters one or more GNS2DNS records and the
   remaining name is empty and the desired record type is GNS2DNS, the
   GNS2DNS records are returned.

   Otherwise, it is expected that the resolver first resolves the IP(s)
   of the specified DNS name server(s).  GNS2DNS records MAY contain
   numeric IPv4 or IPv6 addresses, allowing the resolver to skip this
   step.  The DNS server names may themselves be names in GNS or DNS.
   If the DNS server name ends in ".+", the rest of the name is to be
   interpreted relative to the zone of the GNS2DNS record.  If the DNS
   server name ends in ".<Base32(zk)>", the DNS server name is to be
   resolved against the GNS zone zk.

   Multiple GNS2DNS records may be stored under the same label, in which
   case the resolver MUST try all of them.  The resolver MAY try them in
   any order or even in parallel.  If multiple GNS2DNS records are
   present, the DNS name MUST be identical for all of them, if not the
   resolution fails and an emtpy record set is returned as the record
   set is invalid.

   Once the IP addresses of the DNS servers have been determined, the
   DNS name from the GNS2DNS record is appended to the remainder of the
   name to be resolved, and resolved by querying the DNS name server(s).
   As the DNS servers specified are possibly authoritative DNS servers,
   the GNS resolver MUST support recursive resolution and MUST NOT
   delegate this to the authoritative DNS servers.  The first successful
   recursive name resolution result is returned to the client.  In
   addition, the resolver returns the queried DNS name as a LEHO record
   (Section 3.4) with a relative expiration time of one hour.



Schanzenbach, et al.       Expires 13 May 2020                 [Page 17]

Internet-Draft             The GNU Name System             November 2019


   GNS resolvers SHOULD offer a configuration option to disable DNS
   processing to avoid information leakage and provide a consistent
   security profile for all name resolutions.  Such resolvers would
   return an empty record set upon encountering a GNS2DNS record during
   the recursion.  However, if GNS2DNS records are encountered in the
   record set for the apex and a GNS2DNS record is expicitly requested
   by the application, such records MUST still be returned, even if DNS
   support is disabled by the GNS resolver configuration.

6.2.3.  CNAME

   If a CNAME record is encountered, the canonical name is appended to
   the remaining name, except if the remaining name is empty and the
   desired record type is CNAME, in which case the resolution concludes
   with the CNAME record.  If the canonical name ends in ".+",
   resolution continues in GNS with the new name in the current zone.
   Otherwise, the resulting name is resolved via the default operating
   system name resolution process.  This may in turn again trigger a GNS
   resolution process depending on the system configuration.

   The recursive DNS resolution process may yield a CNAME as well which
   in turn may either point into the DNS or GNS namespace (if it ends in
   a ".<Base32(zk)>").  In order to prevent infinite loops, the resolver
   MUST implement loop detections or limit the number of recursive
   resolution steps.

6.2.4.  BOX

   When a BOX record is received, a GNS resolver must unbox it if the
   name to be resolved continues with "_SERVICE._PROTO".  Otherwise, the
   BOX record is to be left untouched.  This way, TLSA (and SRV) records
   do not require a separate network request, and TLSA records become
   inseparable from the corresponding address records.

6.2.5.  VPN

   At the end of the recursion, if the queried record type is either A
   or AAAA and the retrieved record set contains at least one VPN
   record, the resolver SHOULD open a tunnel and return the IPv4 or IPv6
   tunnel address, respectively.  The type of tunnel depends on the
   contents of the VPN record data.  The VPN record MUST be returned if
   the resolver implementation does not support setting up a tunnnel.









Schanzenbach, et al.       Expires 13 May 2020                 [Page 18]

Internet-Draft             The GNU Name System             November 2019


7.  Zone Revocation

   Whenever a recursive resolver encounters a new GNS zone, it MUST
   check against the local revocation list whether the respective zone
   key has been revoked.  If the zone key was revoked, the resolution
   MUST fail with an empty result set.

   In order to revoke a zone key, a signed revocation object SHOULD be
   published.  This object MUST be signed using the private zone key.
   The revocation object is flooded in the overlay network.  To prevent
   flooding attacks, the revocation message MUST contain a proof-of-
   work.  The revocation message including the proof-of-work MAY be
   calculated ahead of time to support timely revocation.

   The following the the basic data "REVDAT" on which the proof-of work
   is calculated:

              0     8     16    24    32    40    48    56
              +-----+-----+-----+-----+-----+-----+-----+-----+
              |                     NONCE                     |
              +-----------------------------------------------|
              |                  PUBLIC KEY                   |
              |                                               |
              |                                               |
              |                                               |
              +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 14

   A single pass in the proof-of-work algorithm is defined as follows:

            skey := kdf_scrypt (salt="gnunet-revocation-proof-of-work", REVDAT)
            skey_iv := iv_derive (salt="gnunet-revocation-proof-of-work", "gnunet-proof-of-work-iv", skey)
            enc := AES (skey, skey_iv, REVDAT)
            REV := kdf_scrypt(salt="gnunet-revocation-proof-of-work", enc)

                                 Figure 15

   The above function is called with different values for the "NONCE" in
   "REVDAT" until the amount of leading zeroes is greater or equal 25.

8.  Determining the Root Zone and Zone Governance

   The resolution of a GNS name must start in a given start zone
   indicated to the resolver using any public zone key.  The local
   resolver may have a local start zone configured/hard-coded which
   points to a local or remote start zone key.  A resolver client may
   also determine the start zone from the suffix of the name given for



Schanzenbach, et al.       Expires 13 May 2020                 [Page 19]

Internet-Draft             The GNU Name System             November 2019


   resolution or using information retrieved out of band.  The
   governance model of any zone is at the sole discretion of the zone
   owner.  However, the choice of start zone(s) is at the sole
   discretion of the local system administrator or user.

   This is an important distinguishing factor from the Domain Name
   System where root zone governance is centralized at the Internet
   Corporation for Assigned Names and Numbers (ICANN).  In DNS
   terminology, GNS roughly follows the idea of a hyper-hyper local root
   zone deployment, with the difference that it is not expected that all
   deployments use the same local root zone.

   In the following, we give examples how a local client resolver SHOULD
   discover the start zone.  The process given is not exhaustive and
   clients MAY suppliement it with other mechanisms or ignore it if the
   particular application requires a different process.

   GNS clients SHOULD first try to interpret the top-level domain of a
   GNS name as a zone key.  For example. if the top-level domain is a
   Base32-encoded public zone key "zk", the root zone of the resolution
   process is implicitly given by the name:

            Example name: www.example.<Base32(zk)>
            => Root zone: zk
            => Name to resolve from root zone: www.example

   In GNS, users MAY own and manage their own zones.  Each local zone
   SHOULD be associated with a single GNS label, but users MAY choose to
   use longer names consisting of multiple labels.  If the name of a
   locally managed zone matches the suffix of the name to be resolved,
   resolution SHOULD start from the respective local zone:

            Example name: www.example.gnu
            Local zones:
            fr = (d0,zk0)
            gnu = (d1,zk1)
            com = (d2,zk2)
            ...
            => Entry zone: zk1
            => Name to resolve from entry zone: www.example

   Finally, additional "suffix to zone" mappings MAY be configured.
   Suffix to zone key mappings SHOULD be configurable through a local
   configuration file or database by the user or system administrator.
   The suffix MAY consist of multiple GNS labels concatenated with a
   ".".  If multiple suffixes match the name to resolve, the longest
   matching suffix MUST BE used.  The suffix length of two results
   cannot be equal, as this would indicate a misconfiguration.  If both



Schanzenbach, et al.       Expires 13 May 2020                 [Page 20]

Internet-Draft             The GNU Name System             November 2019


   a locally managed zone and a configuration entry exist for the same
   suffix, the locally managed zone MUST have priority.

            Example name: www.example.gnu
            Local suffix mappings:
            gnu = zk0
            example.gnu = zk1
            example.com = zk2
            ...
            => Entry zone: zk1
            => Name to resolve from entry zone: www

9.  Security Considerations

   TODO

10.  IANA Considerations

   This will be fun

11.  Test Vectors

   The following represents a test vector for a record of type MX with a
   priority of 10 and the mail hostname mail.example.com.

            label := "mail"

            d :=
            71199f7b287cc77a
            0d21b5e40a77cb1d
            f89333903b284fe8
            1878bf47f3b39da0

            zk (public zone key) :=
            dff911496d025d7e
            0885c03d19153e99
            4f213f23ea719eca
            17fc32dc410e082e

            h :=
            2af3275a9cf90e54
            f2dbf7930be76fb9
            5e7c80b1416f8ca6
            dc50ce8e1fb759b9
            fedcdcf546c17e9b
            4c4f23632855c053
            6668e9f684f4dc33
            6d656b27392b0fee



Schanzenbach, et al.       Expires 13 May 2020                 [Page 21]

Internet-Draft             The GNU Name System             November 2019


            d_h :=
            01fb61f482c17633
            77611c4c2509e0f3
            81b0e7e4405c10bd
            0017c802f7d32e18

            q (query key) :=
            6fce4deddc5ad681
            f4e29a3310767e3b
            8b38bc1b276ce2ba
            9bf1b49df1e120a3
            20ecc9dffb68416f
            11729ad878ad3bdf
            d0b4db2626b620d7
            8e0604e4393c66a3

            AES_KEY :=
            afefd21a087a150d
            6757741a4eda02a5
            65df7ca86ba44b21
            3f8106c0071eaf01

            AES_IV :=
            a808b929bc9fad7a
            686bbe3432bed77a

            TWOFISH_KEY :=
            c9d0089df01d0bf4
            e4c8db4b2ccc7328
            3425e8a811ae59d2
            99e2747285d2a479

            TWOFISH_IV :=
            071be189a9d236f9
            b4a3654bb8c281d4

            RDATA :=
            0000000100059412 RR COUNT | EXPIRA-
            09ddea0f00000014  -TION    | DATA SIZE (20)
            0000000f00000000 TYPE (15=MX) | FLAGS (0)
            000a046d61696c07 Priority (10) |4 | mail | 7
            6578616d706c6503 example | 3
            636f6d0000000000 com | \0 | Followed by
            0000000000000000 24 bytes of padding to 2^6
            0000000000000000
            00000000





Schanzenbach, et al.       Expires 13 May 2020                 [Page 22]

Internet-Draft             The GNU Name System             November 2019


            RRBLOCK :=
            055cb070e05fe6de SIGNATURE
            ad694a50e5b4dedd
            b9fdcbdbae004f65
            afc99ba9c5a3bb54
            07e731a34680ee33
            ae0de7bfeda7d2b7
            8c6b854a008b1b54
            10df4f39f5ba9f46____________
            8cb514a56c0eaae0 zk_h
            56745158a63ee4dd
            76853cb9545e326e
            76d7fa920f818291____________
            000000540000000f SIZE (=84) | PURPOSE (=15)
            0005941209dde25b EXPIRATION
            d99d08fa123da096 BDATA
            66c2fb9bf020a85d
            e80818d0a84059a8
            5eee901a66459e5e
            3d1a10b29a5b8354
            1b58636781166b9a
            642920eee8e7a65a
            001fd19a6406a721
            713f0a0d

12.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
              <https://www.rfc-editor.org/info/rfc1034>.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <https://www.rfc-editor.org/info/rfc1035>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC2782]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
              specifying the location of services (DNS SRV)", RFC 2782,
              DOI 10.17487/RFC2782, February 2000,
              <https://www.rfc-editor.org/info/rfc2782>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003, <https://www.rfc-editor.org/info/rfc3629>.



Schanzenbach, et al.       Expires 13 May 2020                 [Page 23]

Internet-Draft             The GNU Name System             November 2019


   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826,
              DOI 10.17487/RFC3826, June 2004,
              <https://www.rfc-editor.org/info/rfc3826>.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010,
              <https://www.rfc-editor.org/info/rfc5869>.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, DOI 10.17487/RFC5890, August 2010,
              <https://www.rfc-editor.org/info/rfc5890>.

   [RFC5891]  Klensin, J., "Internationalized Domain Names in
              Applications (IDNA): Protocol", RFC 5891,
              DOI 10.17487/RFC5891, August 2010,
              <https://www.rfc-editor.org/info/rfc5891>.

   [RFC6895]  Eastlake 3rd, D., "Domain Name System (DNS) IANA
              Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
              April 2013, <https://www.rfc-editor.org/info/rfc6895>.

   [RFC6979]  Pornin, T., "Deterministic Usage of the Digital Signature
              Algorithm (DSA) and Elliptic Curve Digital Signature
              Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
              2013, <https://www.rfc-editor.org/info/rfc6979>.

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016, <https://www.rfc-editor.org/info/rfc7748>.

   [RFC8032]  Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
              Signature Algorithm (EdDSA)", RFC 8032,
              DOI 10.17487/RFC8032, January 2017,
              <https://www.rfc-editor.org/info/rfc8032>.

   [TWOFISH]  Schneier, B., "The Twofish Encryptions Algorithm: A
              128-Bit Block Cipher, 1st Edition", March 1999.

Authors' Addresses

   Martin Schanzenbach
   GNUnet e.V.
   Boltzmannstrasse 3
   85748 Garching



Schanzenbach, et al.       Expires 13 May 2020                 [Page 24]

Internet-Draft             The GNU Name System             November 2019


   Germany

   Email: schanzen@gnunet.org


   Christian Grothoff
   Berner Fachhochschule
   Hoeheweg 80
   CH-2501 Biel/Bienne
   Switzerland

   Email: schanzen@gnunet.org


   Bernd Fix
   GNUnet e.V.
   Boltzmannstrasse 3
   85748 Garching
   Germany

   Email: fix@gnunet.org






























Schanzenbach, et al.       Expires 13 May 2020                 [Page 25]