aboutsummaryrefslogtreecommitdiff
path: root/draft-schanzen-gns.xml
blob: 7f99a2b52b544cb7aac83d0a05e90ed614153628 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
3318
3319
3320
3321
3322
3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
3381
3382
3383
3384
3385
3386
3387
3388
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
3402
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419
3420
3421
3422
3423
3424
3425
3426
3427
3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
3445
3446
3447
3448
3449
3450
3451
3452
3453
3454
3455
3456
3457
3458
3459
3460
3461
3462
3463
3464
3465
3466
3467
3468
3469
3470
3471
3472
3473
3474
3475
3476
3477
3478
3479
3480
3481
3482
3483
3484
3485
3486
3487
3488
3489
3490
3491
3492
3493
3494
3495
3496
3497
3498
3499
3500
3501
3502
3503
3504
3505
3506
3507
3508
3509
3510
3511
3512
3513
3514
3515
3516
3517
3518
3519
3520
3521
3522
3523
3524
3525
3526
3527
3528
3529
3530
3531
3532
3533
3534
3535
3536
3537
3538
3539
3540
3541
3542
3543
3544
3545
3546
3547
3548
3549
3550
3551
3552
3553
3554
3555
3556
3557
3558
3559
3560
3561
3562
3563
3564
3565
3566
3567
3568
3569
3570
3571
3572
3573
3574
3575
3576
3577
3578
3579
3580
3581
3582
3583
3584
3585
3586
3587
3588
3589
3590
3591
3592
3593
3594
3595
3596
3597
3598
3599
3600
3601
3602
3603
3604
3605
3606
3607
3608
3609
3610
3611
3612
3613
3614
3615
3616
3617
3618
3619
3620
3621
3622
3623
3624
3625
3626
3627
3628
3629
3630
3631
3632
3633
3634
3635
3636
3637
3638
3639
3640
3641
3642
3643
3644
3645
3646
3647
3648
3649
3650
3651
3652
3653
3654
3655
3656
3657
3658
3659
3660
3661
3662
3663
3664
3665
3666
3667
3668
3669
3670
3671
3672
3673
3674
3675
3676
3677
3678
3679
3680
3681
3682
3683
3684
3685
3686
3687
3688
3689
3690
3691
3692
3693
3694
3695
3696
3697
3698
3699
3700
3701
3702
3703
3704
3705
3706
3707
3708
3709
3710
3711
3712
3713
3714
3715
3716
3717
3718
3719
3720
3721
3722
3723
3724
3725
3726
3727
3728
3729
3730
3731
3732
3733
3734
3735
3736
3737
3738
3739
3740
3741
3742
3743
3744
3745
3746
3747
3748
3749
3750
3751
3752
3753
3754
3755
3756
3757
3758
3759
3760
3761
3762
3763
3764
3765
3766
3767
3768
3769
3770
3771
3772
3773
3774
3775
3776
3777
3778
3779
3780
3781
3782
3783
3784
3785
3786
3787
3788
3789
3790
3791
3792
3793
3794
3795
3796
3797
3798
3799
3800
3801
3802
3803
3804
3805
3806
3807
3808
3809
3810
3811
3812
3813
3814
3815
3816
3817
3818
3819
3820
3821
3822
3823
3824
3825
3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
3841
3842
3843
3844
3845
3846
3847
3848
3849
3850
3851
3852
3853
3854
3855
3856
3857
3858
3859
3860
3861
3862
3863
3864
3865
3866
3867
3868
3869
3870
3871
3872
3873
3874
3875
3876
3877
3878
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893
3894
3895
3896
3897
3898
3899
3900
3901
3902
3903
3904
3905
3906
3907
3908
3909
3910
3911
3912
3913
3914
3915
3916
3917
3918
3919
3920
3921
3922
3923
3924
3925
3926
3927
3928
3929
3930
3931
3932
3933
3934
3935
3936
3937
3938
3939
3940
3941
3942
3943
3944
3945
3946
3947
3948
3949
3950
3951
3952
3953
3954
3955
3956
3957
3958
3959
3960
3961
3962
3963
3964
3965
3966
3967
3968
3969
3970
3971
3972
3973
3974
3975
3976
3977
3978
3979
3980
3981
3982
3983
3984
3985
3986
3987
3988
3989
3990
3991
3992
3993
3994
3995
3996
3997
3998
3999
4000
4001
4002
4003
4004
4005
4006
4007
4008
4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044
4045
4046
4047
4048
4049
4050
4051
4052
4053
4054
4055
4056
4057
4058
4059
4060
4061
4062
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
4106
4107
4108
4109
4110
4111
4112
4113
4114
4115
4116
4117
4118
4119
4120
4121
4122
4123
4124
4125
4126
4127
4128
4129
4130
4131
4132
4133
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143
4144
4145
4146
4147
4148
4149
4150
4151
4152
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178
4179
4180
4181
4182
4183
4184
4185
4186
4187
4188
4189
4190
4191
4192
4193
4194
4195
4196
4197
4198
4199
4200
4201
4202
4203
4204
4205
4206
4207
4208
4209
4210
4211
4212
4213
4214
4215
4216
4217
4218
4219
4220
4221
4222
4223
4224
4225
4226
4227
4228
4229
4230
4231
4232
4233
4234
4235
4236
4237
4238
4239
4240
4241
4242
4243
4244
4245
4246
4247
4248
4249
4250
4251
4252
4253
4254
4255
4256
4257
4258
4259
4260
4261
4262
4263
4264
4265
4266
4267
4268
4269
4270
4271
4272
4273
4274
4275
4276
4277
4278
4279
4280
4281
4282
4283
4284
4285
4286
4287
4288
4289
4290
4291
4292
4293
4294
4295
4296
4297
4298
4299
4300
4301
4302
4303
4304
4305
4306
4307
4308
4309
4310
4311
4312
4313
4314
4315
4316
4317
4318
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334
4335
4336
4337
4338
4339
4340
4341
4342
4343
4344
4345
4346
4347
4348
4349
4350
4351
4352
4353
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
<!ENTITY RFC1034 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1034.xml">
<!ENTITY RFC1035 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml">
<!ENTITY RFC1928 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1928.xml">
<!ENTITY RFC2119 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!--<!ENTITY RFC2693 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2693.xml">-->
<!ENTITY RFC2782 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2782.xml">
<!ENTITY RFC3629 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3629.xml">
<!ENTITY RFC3686 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3686.xml">
<!ENTITY RFC3826 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3826.xml">
<!ENTITY RFC4033 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4033.xml">
<!ENTITY RFC5237 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5237.xml">
<!--<!ENTITY RFC3912 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3912.xml">-->
<!ENTITY RFC5869 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5869.xml">
<!ENTITY RFC5890 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5890.xml">
<!ENTITY RFC5895 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5895.xml">
<!ENTITY RFC6066 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6066.xml">
<!ENTITY RFC6234 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6234.xml">
<!ENTITY RFC6761 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6761.xml">
<!ENTITY RFC6895 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6895.xml">
<!ENTITY RFC6979 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6979.xml">
<!ENTITY RFC7363 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7363.xml">
<!ENTITY RFC8806 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8806.xml">
<!ENTITY RFC7748 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7748.xml">
<!ENTITY RFC8032 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8032.xml">
<!ENTITY RFC8126 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8126.xml">
<!ENTITY RFC8174 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml">
<!ENTITY RFC8324 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8324.xml">
<!ENTITY RFC8499 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8499.xml">
<!ENTITY RFC9106 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.9106.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="yes" ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="info" docName="draft-schanzen-gns-20" ipr="trust200902" obsoletes="" updates="" submissionType="IETF" xml:lang="en" version="3">
 <!-- xml2rfc v2v3 conversion 2.26.0 -->
 <front>
  <title abbrev="The GNU Name System">
   The GNU Name System
  </title>
  <seriesInfo name="Internet-Draft" value="draft-schanzen-gns-20"/>
  <author fullname="Martin Schanzenbach" initials="M." surname="Schanzenbach">
   <organization>Fraunhofer AISEC</organization>
   <address>
    <postal>
     <street>Lichtenbergstrasse 11</street>
     <city>Garching</city>
     <code>85748</code>
     <country>DE</country>
    </postal>
    <email>martin.schanzenbach@aisec.fraunhofer.de</email>
   </address>
  </author>
  <author fullname="Christian Grothoff" initials="C." surname="Grothoff">
   <organization>Berner Fachhochschule</organization>
   <address>
    <postal>
     <street>Hoeheweg 80</street>
     <city>Biel/Bienne</city>
     <code>2501</code>
     <country>CH</country>
    </postal>
    <email>grothoff@gnunet.org</email>
   </address>
  </author>
  <author fullname="Bernd Fix" initials="B." surname="Fix">
   <organization>GNUnet e.V.</organization>
   <address>
    <postal>
     <street>Boltzmannstrasse 3</street>
     <city>Garching</city>
     <code>85748</code>
     <country>DE</country>
    </postal>
    <email>fix@gnunet.org</email>
   </address>
  </author>

  <!-- Meta-data Declarations -->
  <area>General</area>
  <workgroup>Independent Stream</workgroup>
  <keyword>name systems</keyword>
  <abstract>
    <t>
      This document contains the GNU Name System (GNS) technical
      specification.
      GNS is a decentralized and censorship-resistant domain name
      resolution protocol that provides a privacy-enhancing alternative to the
      Domain Name System (DNS) protocols.
    </t>
    <t>
      This document defines the normative wire format of resource records,
      resolution processes, cryptographic routines and security
      considerations for use by implementers.
    </t>
    <t>
      This specification was developed outside the IETF and does not have
      IETF consensus.  It is published here to inform readers about the
      function of GNS, guide future GNS implementations, and ensure
      interoperability among implementations including with the pre-existing
      GNUnet implementation.
    </t>
  </abstract>
 </front>
 <middle>
   <section anchor="introduction" numbered="true" toc="default">
     <name>Introduction</name>
     <t>
       The Domain Name System (DNS) <xref target="RFC1035" /> is a unique
       distributed database and a vital service for most Internet applications.
       However, it was not designed with security in mind. This makes it very
       vulnerable, especially to attackers that have the technical capabilities
       of an entire nation state at their disposal.
     </t>
     <t>
       This specification describes a censorship-resistant, privacy-preserving
       and decentralized domain name resolution protocol:
       The GNU Name System (GNS), a development continuation of
       previous academic work on secure name systems <xref target="GNS" />.
       GNS can bind names to any kind of
       cryptographically secured token, enabling it to double in some respects as
       an alternative to some of today’s Public Key Infrastructures, in
       particular X.509 for the Web.
     </t>
     <t>
       In DNS terminology, GNS roughly follows the idea of a local
       root zone deployment (see <xref target="RFC8806"/>), with the difference
       that the protocol does not mandate that all deployments use the same
       or any specific root zone.
       Users can autonomously and freely delegate control of names to
       zones through their local configurations.
     </t>
     <t>
       Name resolution and zone dissemination is based on the principle of a
       petname system where users can assign local names to zones.
       It builds on ideas from the Simple Distributed Security
       Infrastructure <xref target="SDSI" />, enabling the decentralized
       mapping of secure identifiers to memorable names.
     </t>
     <t>
       This document defines the normative wire format of resource records, resolution processes,
       cryptographic routines and security considerations for use by implementers.
     </t>
     <t>
       This specification was developed outside the IETF and does not have
       IETF consensus.  It is published here to guide implementation of GNS
       and to ensure interoperability among implementations.
     </t>
     <section numbered="true" toc="default">
       <name>Requirements Notation</name>
       <t>
         The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
         "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
         "OPTIONAL" in this document are to be interpreted as described in
         BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only
         when, they appear in all capitals, as shown here.
       </t>
     </section>
   </section>
   <section>
     <name>Terminology</name>
     <dl>
       <dt>Apex Label</dt>
       <dd>
         This type of label is used to publish resource
         records in a zone that can be resolved without providing a specific
         label. It is the GNS method to provide what is the "zone apex" in DNS
         <xref target="RFC4033"/>.
         The apex label is represented using the character U+0040 ("@" without
         the quotes).
       </dd>
       <dt>Application</dt>
       <dd>
         A component which uses a GNS implementation
         to resolve names into records and processes its contents.
       </dd>
       <dt>Blinded Zone Key</dt>
       <dd>
         The key derived from a zone key and a label.
         The zone key and the blinded zone key are unlinkable without knowledge of the label.
       </dd>

       <dt>Extension Label</dt>
       <dd>
         The primary use for the extension label is in redirections where the redirection
         target is defined relative to the authoritative zone of the redirection
         record (<xref target="gnsrecords_redirect"/>).
         The extension label is represented using the character U+002B ("+"
         without the quotes).
       </dd>
       <dt>Label Separator</dt>
       <dd>
         Labels in a name are separated using the label separator U+002E
         ("." without the quotes).
         In GNS, with the exceptions of zone Top-Level Domains
         (see below) and boxed records (see <xref target="gnsrecords_box"/>),
         every separator label in a name delegates to another zone.
       </dd>
       <dt>Label</dt>
       <dd>
         A GNS label is a label as defined in <xref target="RFC8499"/>.
         Labels are UTF-8 strings in Unicode
         Normalization Form C (NFC) <xref target="Unicode-UAX15"/>.
         The apex label, label separator and the extension label have
         special purposes in the resolution protocol which are defined
         in the rest of the document.
         Zone administrators <bcp14>MAY</bcp14> disallow certain labels that
         might be easily confused with other labels through registration policies
         (see also <xref target="security_abuse"/>).
       </dd>

       <dt>Name</dt>
       <dd>
         A name in GNS is a domain name as defined in  <xref target="RFC8499"/>
         as an ordered list of labels.
         Names are UTF-8 <xref target="RFC3629" /> strings consisting of the
         list of labels concatenated with a label separator.
         Names are resolved starting from the rightmost label.
         GNS does not impose length restrictions on names or labels.
         However, applications <bcp14>MAY</bcp14> ensure that name and label lengths are
         compatible with DNS and in particular IDNA <xref target="RFC5890"/>.
         In the spirit of <xref target="RFC5895"/>, applications <bcp14>MAY</bcp14> preprocess
         names and labels to ensure compatibility with DNS or support
         specific user expectations, for example according to
         <xref target="Unicode-UTS46"/>.
         A GNS name may be indistinguishable from a DNS name and care must
         be taken by applications and implementors when handling GNS names
         (see <xref target="namespace_ambiguity"/>).
       </dd>
       <dt>Resolver</dt>
       <dd>
         The component of a GNS implementation which provides
         the recursive name resolution logic defined in
         <xref target="resolution"/>.
       </dd>
       <dt>Resource Record</dt>
       <dd>
         A GNS resource record is the information associated with a label in a
         GNS zone.
         A GNS resource record contains information as defined by its
         resource record type.
       </dd>
       <dt>Start Zone</dt>
       <dd>
         In order to resolve any given GNS name an initial start zone must be
         determined for this name.
         The start zone can be explicitly defined through a zTLD.
         Otherwise, it is determined through a local suffix-to-zone mapping
         (see <xref target="governance"/>).
       </dd>

       <dt>Top-Level Domain</dt>
       <dd>
	       The rightmost part of a GNS name is a GNS Top-Level Domain (TLD).
         A GNS TLD can consist of one or more labels.
	 Unlike DNS Top-Level Domains (defined in <xref target="RFC8499"/>),
	 GNS does not expect all users to use the same global root zone. Instead,
         with the exception of Zone Top-Level Domains (see below),
         GNS TLDs are typically part of the configuration of the local resolver
         (see <xref target="governance"/>), and might thus not be globally unique.
       </dd>
       <dt>Zone</dt>
       <dd>
         A GNS zone contains authoritative information (resource records).
         A zone is uniquely identified by its zone key.  Unlike DNS zones,
         a GNS zone does not need to have a SOA record under the apex label.
       </dd>
       <dt>Zone Key</dt>
       <dd>
         A key which uniquely identifies a zone.
         It is usually a public key of an asymmetric key pair.
       </dd>
       <dt>Zone Key Derivation Function</dt>
       <dd>
         The zone key derivation function (ZKDF) blinds a zone key using a label.
       </dd>

       <dt>Zone Master</dt>
       <dd>
         The component of a GNS implementation which provides
         local zone management and publication as defined in
         <xref target="publish"/>.
       </dd>
       <dt>Zone Owner</dt>
       <dd>
         The holder of the secret (typically a private key)
	 that (together with a label and a value to sign) allows the creation of zone
	 signatures that can be validated against the respective blinded zone key.
       </dd>
       <dt>Zone Top-Level Domain</dt>
       <dd>
         A GNS Zone Top-Level Domain (zTLD) is a sequence of GNS labels at
         the end of a GNS name which encodes a zone type and
         zone key of a zone.
         Due to the statistical uniqueness of zone keys, zTLDs are also globally unique.
	 A zTLD label sequence can only be distinguished from ordinary TLD label sequences
         by attempting to decode the labels into a zone type and zone key.
       </dd>

       <dt>Zone Type</dt>
       <dd>
         The type of a GNS zone determines the cipher system and binary encoding
	 format of the zone key, blinded zone keys, and signatures.
       </dd>
     </dl>
   </section>
   <section anchor="overview" numbered="true" toc="default">
     <name>Overview</name>
       <t>
         GNS exhibits the three properties that are commonly used to describe
         a petname system:
       </t>
       <ol>
         <li>
           Global names through the concept of zone top-level
           domains (zTLDs): As zones can be uniquely identified by their zone key
           and are statistically unique, zTLDs are globally unique mappings to zones.
           Consequently, GNS domain names with a zTLD suffix are also globally unique.
           Names with zTLDs suffixes are not human-readable.
         </li>
         <li>
           Memorable petnames for zones:
           Users can configure local, human-readable references to zones.
           Such petnames serve as zTLD monikers in order to support
           human-readable domain names.
           The petnames may also be published in order to delegate namespaces
           of zones.
         </li>
         <li>
           A secure mapping from names to records:
           GNS allows zone owners to map petnames to resource records or to
           delegate authority of the petname to other zones and publish this
           information.
           The mappings are signed and encrypted using keys derived from local
           labels.
           When names are resolved, resource records including delegations can
           be verified by the implementation.
         </li>
       </ol>
       <t>
         It follows from the above that GNS does not support names which are
         simultaneously global, secure and human-readable.
         Instead, names are either global and not human-readable or not globally
         unique and human-readable.
         An example for a global name pointing to the record "example" in
         a zone is:
       </t>
       <sourcecode>
example.000G006K2TJNMD9VTCYRX7BRVV3HAEPS15E6NHDXKPJA1KAJJEG9AFF884
       </sourcecode>
       <t>
         Now consider the petname "pet" for the example zone
         of the name above.
         The following name would point to the same record as the
         globally unique name above but it is only valid locally:
       </t>
       <sourcecode>
example.pet
       </sourcecode>
       <t>
         The delegation of petnames and subsequent resolution of delegation
         builds on ideas from the Simple Distributed Security Infrastructure
         <xref target="SDSI" />.
         In GNS, any user can create and manage one or more zones
         (<xref target="zones"/>) as part of a zone master implementation.
         The zone type determines the respective set of cryptographic operations
         and the wire formats for encrypted data, public keys and signatures.
         A zone can be populated with mappings from labels to resource records by
         its owner (<xref target="rrecords"/>).
         A label can be mapped to a delegation record which results in the
         corresponding subdomain being delegated to another zone. Circular
         delegations are explicitly allowed, including delegating a subdomain
         to its immediate parent zone.  In
         order to support (legacy) applications as well as to facilitate the use
         of petnames, GNS defines auxiliary record types in addition to
         supporting existing DNS records.
       </t>
       <t>
         Zone contents are encrypted and signed
         before being published in a key-value storage (<xref target="publish"/>)
         as illustrated in <xref target="figure_arch_publish"/>.
         In this process, unique zone identification is hidden from the network
         through the use of key blinding.
         Key blinding allows the creation of signatures for zone contents
         using a blinded public/private key pair.
         This blinding is realized using a deterministic key
         derivation from
         the original zone key and corresponding private key using record label values
         as blinding factors.
         Specifically, the zone owner can derive blinded private keys for each record
         set published under a label, and a
         resolver can derive the corresponding blinded public keys.
         It is expected that GNS implementations use distributed or decentralized
         storages such as distributed hash tables (DHT) in order to facilitate
         availability within a network without the need for dedicated infrastructure.
         Specification of such a distributed or decentralized storage is out of
         scope of this document, but possible existing implementations include those
         based on <xref target="RFC7363" />, <xref target="Kademlia" /> or
         <xref target="R5N" />.
       </t>
       <figure anchor="figure_arch_publish" title="An example diagram of two hosts publishing GNS zones.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
       Local Host     |   Remote        |    Remote Host
                      |   Storage       |
                      |                 |
                      |    +---------+  |
                      |   /         /|  |
             Publish  |  +---------+ |  |  Publish
 +---------+ Records  |  |         | |  |  Records +---------+
 |  Zone   |----------|->| Record  | |<-|----------|  Zone   |
 | Master  |          |  | Storage | |  |          | Master  |
 +---------+          |  |         |/   |          +---------+
      A               |  +---------+    |               A
      |               |                 |               |
   +---------+        |                 |           +---------+
  /   |     /|        |                 |          /    |    /|
 +---------+ |        |                 |         +---------+ |
 |         | |        |                 |         |         | |
 |  Local  | |        |                 |         |  Local  | |
 |  Zones  | |        |                 |         |  Zones  | |
 |         |/         |                 |         |         |/
 +---------+          |                 |         +---------+
           ]]></artwork>
       </figure>
       <t>
         Applications use the resolver to lookup GNS names.
         Starting from a configurable start zone, names are resolved by following zone
         delegations recursively as illustrated in <xref target="figure_arch_resolv"/>.
         For each label in a name, the recursive GNS resolver
         fetches the respective record from the storage layer (<xref target="resolution"/>).
         Without knowledge of the label values and the zone keys, the
         different derived keys are unlinkable both to the original zone key and to each
         other.
         This prevents zone enumeration (except via impractical online brute
         force attacks) and requires knowledge
         of both the zone key and the label to confirm affiliation of a
         query or the corresponding encrypted record set with a
         specific zone. At the same time, the blinded zone key provides
         resolvers
         with the ability to verify the integrity of the published information
         without disclosing the originating zone.
       </t>
       <figure anchor="figure_arch_resolv" title="High-level view of the GNS resolution process.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
                           Local Host           |   Remote
                                                |   Storage
                                                |
                                                |    +---------+
                                                |   /         /|
                                                |  +---------+ |
+-----------+ Name     +----------+ Recursive   |  |         | |
|           | Lookup   |          | Resolution  |  | Record  | |
|Application|----------| Resolver |-------------|->| Storage | |
|           |<---------|          |<------------|--|         |/
+-----------+ Results  +----------+ Intermediate|  +---------+
                          A         Results     |
                          |                     |
                       +---------+              |
                      /   |     /|              |
                     +---------+ |              |
                     |         | |              |
                     |  Start  | |              |
                     |  Zones  | |              |
                     |         |/               |
                     +---------+                |
           ]]></artwork>
       </figure>
       <t>
         In the remainder of this document, the "implementer" refers to the developer building
         a GNS implementation including the resolver, zone master, and
         supporting configuration such as start zones (<xref target="governance"/>).
       </t>
   </section>
   <section anchor="zones" numbered="true" toc="default">
     <name>Zones</name>
     <t>
       A zone master implementation <bcp14>SHOULD</bcp14> enable the zone
       owners to create and manage zones.
       If this functionality is not implemented, names can still be resolved
       if zone keys for the initial step in the name resolution are available
       (see <xref target="resolution"/>).
     </t>
     <t>
       A zone in GNS is uniquely identified by its zone type and zone key.
       Each zone can be represented by a Zone Top-Level Domain (zTLD) string.
       A zone type (ztype) is a unique 32-bit number.
       This number corresponds to a resource record type number
       identifying a delegation record type
       in the GNUnet Assigned Numbers Authority <xref target="GANA" />.
       The ztype is a unique identifier for the set cryptographic functions
       of the zone and the format of the delegation record type.
       Any ztype <bcp14>MUST</bcp14> define the following set of cryptographic functions:
     </t>
     <dl>
       <dt>KeyGen() -> d, zk</dt>
       <dd>
         is a function to generate a new private key d and
	 the corresponding public zone key zk.
       </dd>
       <dt>ZKDF(zk,label) -> zk'</dt>
       <dd>
         is a zone key derivation function which blinds a zone key zk
         using a label. zk and zk' must be unlinkable. Furthermore,
         blinding zk with different values for the label must result
         in different, unlinkable zk' values.
       </dd>
       <dt>S-Encrypt(zk,label,expiration,message) -> ciphertext</dt>
       <dd>
         is a symmetric encryption function which encrypts the record
         data based on key material derived from the zone key,
         a label, and an expiration timestamp.
         In order to leverage performance-enhancing caching features of certain
         underlying storages, in particular DHTs, a deterministic encryption
         scheme is recommended.
       </dd>
       <dt>S-Decrypt(zk,label,expiration,ciphertext) -> message</dt>
       <dd>
         is a symmetric decryption function which decrypts the encrypted record
         data based on key material derived from the zone key,
         a label, and an expiration timestamp.
       </dd>
       <dt>Sign(d,message) -> signature</dt>
       <dd>
         is a function to sign a message using the private
         key d, yielding an unforgeable cryptographic signature.
         In order to leverage performance-enhancing caching features of certain
         underlying storages, in particular DHTs, a deterministic signature
         scheme is recommended.
       </dd>
       <dt>Verify(zk,message,signature) -> boolean</dt>
       <dd>
         is a function to verify the signature was created using
         the private key d corresponding to the zone key zk
         where d,zk := Keygen().
         The function returns a boolean value of "TRUE" if the signature is valid,
         and otherwise "FALSE".
       </dd>
       <dt>SignDerived(d,label,message) -> signature</dt>
       <dd>
         is a function to sign a message (typically encrypted record data) that
         can be verified using the derived zone key zk' := ZKDF(zk,label).
         In order to leverage performance-enhancing caching features of certain
         underlying storages, in particular DHTs, a deterministic signature
         scheme is recommended.
       </dd>
       <dt>VerifyDerived(zk,label,message,signature) -> boolean</dt>
       <dd>
         is function to verify the signature using the derived zone key
         zk' := ZKDF(zk,label).
         The function returns a boolean value of "TRUE" if the signature is valid,
         and otherwise "FALSE".
       </dd>
     </dl>
     <t>
       The cryptographic functions of the default ztypes are specified with
       their corresponding delegation records in <xref target="gnsrecords_delegation"/>.
       In order to support cryptographic agility, additional ztypes <bcp14>MAY</bcp14>
       be defined in the future which replace or update the default ztypes defined in this
       document.
       All ztypes <bcp14>MUST</bcp14> be registered as dedicated zone delegation
       record types in the GNU Name System Record Types registry (see <xref target="gana"/>).
       When defining new record types the cryptographic security considerations
       of this document apply, in particular <xref target="security_cryptography"/>.
     </t>
     <section anchor="zTLD" numbered="true" toc="default">
       <name>Zone Top-Level Domain</name>
       <t>
         The zTLD is the Zone Top-Level Domain.
         It is a string which encodes the zone type and zone key into a domain name.
         The zTLD is used as a globally unique reference to a specific
         zone in the process of name resolution.
         It is created by encoding a binary concatenation of the zone type and
         zone key (see <xref target="figure_zid"/>).
         The used encoding is a variation of the Crockford Base32 encoding
         <xref target="CrockfordB32"/> called Base32GNS.
         The encoding and decoding symbols for Base32GNS including this
         modification are defined in the table found in <xref target="CrockfordB32Encode"/>.
         The functions for encoding and decoding based on this table are called
         Base32GNS-Encode and Base32GNS-Decode, respectively.
       </t>
<figure anchor="figure_zid" title="The decoded binary representation of the zTLD">
       <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|       ZONE TYPE       |      ZONE KEY         /
+-----+-----+-----+-----+                       /
/                                               /
/                                               /
         ]]></artwork>
     </figure>
       <t>
         Consequently, a zTLD is encoded and decoded as follows:
       </t>
       <artwork name="" type="" align="left" alt=""><![CDATA[
zTLD := Base32GNS-Encode(ztype||zkey)
ztype||zkey := Base32GNS-Decode(zTLD)
         ]]></artwork>
       <t>
         where "||" is the concatenation operator.
       </t>
       <t>
         The zTLD can be used as-is as a rightmost label in a GNS name.
         If an application wants to ensure DNS compatibility of the name,
         it <bcp14>MAY</bcp14> also represent the zTLD as follows:
         If the zTLD is less than or equal to 63 characters, it can
         be used as a zTLD as-is.
         If the zTLD is longer than 63 characters, the
         zTLD is divided into smaller labels separated by the label separator.
         Here, the most significant bytes of the "ztype||zkey" concatenation
         must be contained in the rightmost label of the resulting string and
         the least significant bytes in the leftmost label of the resulting string. This allows the
         resolver to determine the ztype and zTLD length from the rightmost
         label and to subsequently determine how many labels the zTLD should span.
         A GNS implementation <bcp14>MUST</bcp14> support the division of zTLDs
         in DNS compatible label lengths.
         For example, assuming a zTLD of 130 characters, the division is:
       </t>
       <!-- FIXME: Is this really really necessary? Really? -->
       <artwork name="" type="" align="left" alt=""><![CDATA[
zTLD[126..129].zTLD[63..125].zTLD[0..62]
         ]]></artwork>
   </section>
    <section anchor="revocation" numbered="true" toc="default">
       <name>Zone Revocation</name>
       <t>
         In order to revoke a zone key, a signed revocation message <bcp14>MUST</bcp14> be
         published.
         This message <bcp14>MUST</bcp14> be signed using the private key.
         The revocation message is broadcast to the network.
         The specification of the broadcast mechanism is out of scope for this
         document.
         A possible broadcast mechanism for efficient flooding in a distributed
         network is implemented in <xref target="GNUnet"/>.
         Alternatively, revocation messages could also be distributed via a
         distributed ledger or a trusted central server.
         To prevent
         flooding attacks, the revocation message <bcp14>MUST</bcp14> contain a proof of work
         (PoW).
         The revocation message including the PoW <bcp14>MAY</bcp14> be calculated
         ahead of time to support timely revocation.
       </t>
       <t>
         For all occurrences below, "Argon2id" is the Password-based Key
         Derivation Function as defined in <xref target="RFC9106" />. For the
         PoW calculations the algorithm is instantiated with the
         following parameters:
       </t>
       <dl>
         <dt>S</dt>
         <dd>The salt. Fixed 16-byte string: "GnsRevocationPow".</dd>
         <dt>t</dt>
         <dd>Number of iterations: 3</dd>
         <dt>m</dt>
         <dd>Memory size in KiB: 1024</dd>
         <dt>T</dt>
         <dd>Output length of hash in bytes: 64</dd>
         <dt>p</dt>
         <dd>Parallelization parameter: 1</dd>
         <dt>v</dt>
         <dd>Algorithm version: 0x13</dd>
         <dt>y</dt>
         <dd>Algorithm type (Argon2id): 2</dd>
         <dt>X</dt><dd>Unused</dd>
         <dt>K</dt><dd>Unused</dd>
       </dl>
       <t>
         <xref target="figure_revocation"/> illustrates the format
         of the data "P" on which the PoW is calculated.
       </t>
       <figure anchor="figure_revocation" title="The Format of the PoW Data.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                      POW                      |
+-----------------------------------------------+
|                   TIMESTAMP                   |
+-----------------------------------------------+
|       ZONE TYPE       |    ZONE KEY           |
+-----+-----+-----+-----+                       |
/                                               /
/                                               /
+-----+-----+-----+-----+-----+-----+-----+-----+
           ]]></artwork>
       </figure>
       <dl>
         <dt>POW</dt>
         <dd>
           A 64-bit value that is a solution to the PoW. In network byte order.
         </dd>
         <dt>TIMESTAMP</dt>
         <dd>
           denotes the absolute 64-bit date when the revocation was computed.
           In microseconds since midnight (0 hour), January 1, 1970 UTC in network
           byte order.
         </dd>
         <dt>ZONE TYPE</dt>
         <dd>
           is the 32-bit zone type.
         </dd>
         <dt>ZONE KEY</dt>
         <dd>
           is the 256-bit public key zk of the zone which is being revoked.
           The wire format of this value is defined by the ZONE TYPE.
         </dd>
       </dl>
       <t>
         Usually, PoW schemes require to find one POW value such that
         a specific number of leading zeroes are found in the hash result.
         This number is then referred to as the difficulty of the PoW.
         In order to reduce the variance in time it takes to calculate the
         PoW, a valid GNS revocation requires that a number Z different PoWs
         must be found that on average have D leading zeroes.
       </t>
       <t>
         The resulting proofs are ready for dissemination.
         The concrete
         dissemination and publication methods are out of scope of this
         document. Given an average difficulty of D, the proofs have an
         expiration time of EPOCH. With each additional bit difficulty, the
         lifetime of the proof is prolonged for another EPOCH.
         Consequently, by calculating a more difficult PoW, the lifetime of the
         proof can be increased on demand by the zone owner.
       </t>
       <t>
         The parameters are defined as follows:
       </t>
       <dl>
         <dt>Z</dt>
         <dd>The number of PoWs that are required. Its value is fixed at 32.</dd>
         <dt>D</dt>
         <dd>The lower limit of the average difficulty. Its value is fixed at 22.</dd>
         <dt>EPOCH</dt>
         <dd>A single epoch. Its value is fixed at 365 days in microseconds.</dd>
       </dl>
       <t>
         The revocation message wire format is illustrated in
         <xref target="figure_revocationdata"/>.
       </t>
       <figure anchor="figure_revocationdata" title="The Revocation Message Wire Format.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   TIMESTAMP                   |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                      TTL                      |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                     POW_0                     |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                       ...                     |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                     POW_Z-1                   |
+-----------------------------------------------+
|       ZONE TYPE       |    ZONE KEY           |
+-----+-----+-----+-----+                       |
/                                               /
/                                               /
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   SIGNATURE                   |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
           ]]></artwork>
       </figure>
       <dl>
         <dt>TIMESTAMP</dt>
         <dd>
           denotes the absolute 64-bit date when the revocation was computed.
           In microseconds since midnight (0 hour), January 1, 1970 UTC in network
           byte order. This is the same value as the time stamp used in the
           individual PoW calculations.
         </dd>
         <dt>TTL</dt>
         <dd>
           denotes the relative 64-bit time to live of the record in
           microseconds in network byte order.
           The field <bcp14>SHOULD</bcp14> be set to EPOCH * 1.1.
           Given an average number of leading zeros D', then the field value
           <bcp14>MAY</bcp14> be increased up to (D'-D+1) * EPOCH * 1.1.
           Validators <bcp14>MAY</bcp14> reject messages with lower or higher
           values when received.
           The EPOCH is extended by
           10% in order to deal with unsynchronized clocks.
         </dd>
         <dt>POW_i</dt>
         <dd>
           The values calculated as part of the PoW, in network byte order.
           Each POW_i <bcp14>MUST</bcp14> be unique in the set of POW values.
           To facilitate fast verification
           of uniqueness, the POW values must be given in strictly
           monotonically increasing order in the message.
         </dd>
         <dt>ZONE TYPE</dt>
         <dd>
           The 32-bit zone type corresponding to the zone key.
         </dd>
         <dt>ZONE KEY</dt>
         <dd>
           is the public key zk of the zone which is being revoked and
           the key to be used to verify SIGNATURE.
         </dd>
         <dt>SIGNATURE</dt>
         <dd>
           A signature over a time stamp and the zone zk of the zone
           which is revoked and corresponds to the key used in the PoW.
           The signature is created using the Sign() function of
           the cryptosystem of the zone and the private key
           (see <xref target="zones" />).
         </dd>
       </dl>
       <!-- FIXME Do we really need a purpose? -->
      <t>
        The signature over the public key covers a 32-bit header
        prefixed to the time stamp and public key fields.
        The header includes the key length and signature purpose.
        The wire format is illustrated
        in <xref target="figure_revsigwithpseudo"/>.
       </t>
       <figure anchor="figure_revsigwithpseudo" title="The Wire Format of the Revocation Data for Signing.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|         SIZE          |       PURPOSE (0x03)  |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   TIMESTAMP                   |
+-----+-----+-----+-----+-----+-----+-----+-----+
|       ZONE TYPE       |     ZONE KEY          |
+-----+-----+-----+-----+                       |
/                                               /
/                                               /
+-----+-----+-----+-----+-----+-----+-----+-----+
           ]]></artwork>
       </figure>
       <dl>
         <dt>SIZE</dt>
         <dd>
           A 32-bit value containing the length of the signed data in bytes
           in network byte order.
         </dd>
         <dt>PURPOSE</dt>
         <dd>
           A 32-bit signature purpose flag.
           The value of this field <bcp14>MUST</bcp14> be 3.
           The value is encoded in network byte order.
           It defines the context in which
           the signature is created so that it cannot be reused in other parts
           of the protocol including possible future extensions.
           The value of this field corresponds to an entry in the
           GANA "GNUnet Signature Purpose" registry <xref target="gana"/>.
         </dd>
         <dt>TIMESTAMP</dt>
         <dd>
           Field as defined in the revocation message above.
         </dd>
         <dt>ZONE TYPE</dt>
         <dd>
           Field as defined in the revocation message above.
         </dd>
         <dt>ZONE KEY</dt>
         <dd>Field as defined in the revocation message above.</dd>
       </dl>
       <t>
         In order to validate a revocation the following steps <bcp14>MUST</bcp14> be taken:
       </t>
       <ol>
         <li>The signature <bcp14>MUST</bcp14> be verified against the zone key.</li>
         <li>The set of POW values <bcp14>MUST</bcp14> NOT contain duplicates which <bcp14>MUST</bcp14> be checked by verifying that the values are strictly monotonically increasing.</li>
         <li>The average number of leading zeroes D' resulting from the provided
         POW values <bcp14>MUST</bcp14> be greater than or equal to D.  Implementers
         <bcp14>MUST NOT</bcp14> use an integer data type to calculate or represent D'.</li>
       </ol>
       <t>
         The TTL field in the revocation message is informational.
         A revocation <bcp14>MAY</bcp14> be discarded without checking the POW
         values or the signature if the TTL (in combination with TIMESTAMP)
         indicates that the revocation has already expired.
         The actual validity period of the
         revocation <bcp14>MUST</bcp14> be determined by examining the leading
         zeroes in the POW values.
       </t>
       <t>
         The validity period of the revocation is calculated as
         (D'-D+1) * EPOCH * 1.1. The EPOCH is extended by
         10% in order to deal with unsynchronized clocks.
         The validity period added on top of the TIMESTAMP yields the
         expiration date.
         If the current time is after the expiration date, the
         revocation is considered stale.
       </t>
       <t>
         Verified revocations <bcp14>MUST</bcp14> be stored locally.
         The implementation <bcp14>MAY</bcp14> discard stale revocations and
         evict then from the local store at any time.
       </t>
       <t>
         Implementations <bcp14>MUST</bcp14> broadcast received revocations
         if they are valid and not stale.
         Should the calculated validity period differ from the TTL field value,
         the calculated value <bcp14>MUST</bcp14> be used as TTL field value
         when forwarding the revocation message.
         Systems might disagree on the current time, so implementations
         <bcp14>MAY</bcp14> use stale but otherwise valid
         revocations but <bcp14>SHOULD NOT</bcp14> broadcast them.
         Forwarded stale revocations <bcp14>MAY</bcp14> be discarded.
       </t>
       <t>
         Any locally stored revocation <bcp14>MUST</bcp14> be considered during
         delegation record processing (<xref target="delegation_processing"/>).
       </t>
     </section>


   </section>
   <section anchor="rrecords" numbered="true" toc="default">
     <name>Resource Records</name>
     <t>
       A GNS implementation <bcp14>SHOULD</bcp14> provide a mechanism to create and manage local
       zones as well as a persistence mechanism such as a database for resource
       records.
       A new local zone is established by selecting a zone type and creating a
       zone key pair.
       If this mechanism is not implemented,
       no zones can be published in the storage (<xref target="publish"/>)
       and name resolution is limited to non-local start zones
       (<xref target="governance"/>).
     </t>
     <t>
       A GNS resource record holds the data of a specific record in a zone.
       The resource record format is defined in
       <xref target="figure_gnsrecord"/>.
     </t>
     <figure anchor="figure_gnsrecord" title="The Resource Record Wire Format.">
       <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   EXPIRATION                  |
+-----+-----+-----+-----+-----+-----+-----+-----+
|    SIZE   |   FLAGS   |          TYPE         |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                      DATA                     /
/                                               /
/                                               /
         ]]></artwork>
     </figure>
     <dl>
       <dt>EXPIRATION</dt>
       <dd>
         denotes the absolute 64-bit expiration date of the record.
         In microseconds since midnight (0 hour), January 1, 1970 UTC in network
         byte order.
       </dd>
       <dt>SIZE</dt>
       <dd>
         denotes the 16-bit size of the DATA field in bytes and in network byte
         order.
       </dd>
       <dt>FLAGS</dt>
       <dd>
         is a 16-bit resource record flags field (see below).
       </dd>
       <dt>TYPE</dt>
       <dd>
         is the 32-bit resource record type. This type can be one of the GNS resource
         records as defined in <xref target="rrecords" /> or a DNS record
         type as defined in <xref target="RFC1035" /> or any of the
         complementary standardized DNS resource record types. This value must be
         stored in network byte order. Note that values
         below 2^16 are reserved for 16-bit DNS Resorce Record types allocated by IANA <xref target="RFC6895" />.
         Values above 2^16 are allocated by the
         GNUnet Assigned Numbers Authority <xref target="GANA" />.
       </dd>
       <dt>DATA</dt>
       <dd>
         the variable-length resource record data payload. The content is defined
         by the
         respective type of the resource record.
       </dd>
     </dl>
     <t>
       Flags indicate metadata surrounding the resource record.
       An application creating resource records <bcp14>MUST</bcp14> set all bits
       to 0 unless it wants to set the respective flag.
       As additional flags can be defined in future protocol versions,
       if an application or implementation encounters a flag which it does not
       recognize, it <bcp14>MUST</bcp14> be ignored.
       Any combination of the flags specified below are valid.
       <xref target="figure_flag"/>
       illustrates the flag distribution in the 16-bit flag field of a
       resource record:
     </t>
     <figure anchor="figure_flag" title="The Resource Record Flag Wire Format.">
       <artwork name="" type="" align="left" alt=""><![CDATA[
0           13            14      15
+--------...+-------------+-------+---------+
| Reserved  |SUPPLEMENTAL |SHADOW |CRITICAL |
+--------...+-------------+-------+---------+
         ]]></artwork>
     </figure>
     <dl>
       <dt>CRITICAL</dt>
       <dd>
         If this flag is set, it indicates that processing is critical.
         Implementations that do not support the record type or are otherwise
         unable to process the record <bcp14>MUST</bcp14> abort resolution upon encountering
         the record in the resolution process.
       </dd>
       <dt>SHADOW</dt>
       <dd>
         If this flag is set, this record <bcp14>MUST</bcp14> be ignored by resolvers unless all (other)
         records of the same record type have expired.  Used to allow zone publishers to
         facilitate good performance when records change by allowing them to put future
         values of records into the storage.
         This way, future values can propagate and can be
         cached before the transition becomes active.
       </dd>
       <dt>SUPPLEMENTAL</dt>
       <dd>
         This is a supplemental record. It is provided in addition to the
         other records. This flag indicates that this record is not explicitly
         managed alongside the other records under the respective name but
         might be useful for the application.
       </dd>
     </dl>
   <section anchor="gnsrecords_delegation" numbered="true" toc="default">
     <name>Zone Delegation Records</name>
     <t>
       This section defines the initial set of zone delegation record types.
       Any implementation <bcp14>SHOULD</bcp14> support all zone types defined here and
       <bcp14>MAY</bcp14> support any number of additional delegation records defined in
       the GNU Name System Record Types registry (see <xref target="gana"/>).
       Not supporting some zone types will result in resolution failures in case
       the respective zone type is encountered.
       This is be a valid choice if some zone delegation record types have been
       determined to be cryptographically insecure.
       Zone delegation records <bcp14>MUST NOT</bcp14> be stored and published
       under the apex label.
       A zone delegation record type value is the same as the respective ztype
       value.
       The ztype defines the cryptographic primitives for the zone that is
       being delegated to.
       A zone delegation record payload contains the public key of
       the zone to delegate to.
       A zone delegation record <bcp14>MUST</bcp14> have the CRITICAL flag set
       and <bcp14>MUST</bcp14> be the only non-supplemental record under a label.
       There <bcp14>MAY</bcp14> be inactive records of the same type which have
       the SHADOW flag set in order to facilitate smooth key rollovers.
     </t>
     <t>
       In the following, "||" is the concatenation operator of two byte strings.
       The algorithm specification uses character strings such as GNS labels or
       constant values.
       When used in concatenations or as input to functions the
       null-terminator of the character strings <bcp14>MUST NOT</bcp14> be
       included.
     </t>
     <section anchor="gnsrecords_pkey" numbered="true" toc="default">
       <name>PKEY</name>
       <t>
         In GNS, a delegation of a label to a zone of type "PKEY" is
         represented through a PKEY record.  The PKEY DATA entry wire format can be found in <xref target="figure_pkeyrecord"/>.
       </t>
       <figure anchor="figure_pkeyrecord" title="The PKEY Wire Format.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   PUBLIC KEY                  |
|                                               |
|                                               |
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
           ]]></artwork>
       </figure>
       <dl>
         <dt>PUBLIC KEY</dt>
         <dd>
           A 256-bit Ed25519 public key.
         </dd>
       </dl>

       <t>
         For PKEY zones the zone key material is derived using the
         curve parameters of the twisted Edwards representation
         of Curve25519 <xref target="RFC7748" /> (a.k.a. Ed25519)
         with the ECDSA scheme <xref target="RFC6979" />.
         The following naming convention is used for the cryptographic primitives of PKEY zones:
       </t>
       <dl>
         <dt>d</dt>
         <dd>
           is a 256-bit Ed25519 private key (private scalar).
         </dd>
         <dt>zk</dt>
         <dd>
           is the Ed25519 public zone key corresponding to d.
         </dd>
         <dt>p</dt>
         <dd>
           is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e.
           2^255 - 19.
         </dd>
         <dt>G</dt>
         <dd>
           is the group generator (X(P),Y(P)) of edwards25519 as defined in
           <xref target="RFC7748" />.
         </dd>
         <dt>L</dt>
         <dd>
           is the order of the prime-order subgroup of edwards25519 in <xref target="RFC7748" />.
         </dd>
         <dt>KeyGen()</dt>
         <dd>The generation of the private
           scalar d and the curve point zk := d*G (where G is the group generator
           of the elliptic curve) as defined in Section 2.2. of
           <xref target="RFC6979" /> represents the KeyGen() function.
         </dd>
       </dl>
       <t>
         The zone type and zone key of a PKEY are 4 + 32 bytes in length. This means that
         a zTLD will always fit into a single label and does
         not need any further conversion.
         Given a label, the output zk' of the ZKDF(zk,label) function is
         calculated as follows for PKEY zones:
       </t>
       <artwork name="" type="" align="left" alt=""><![CDATA[
ZKDF(zk,label):
  PRK_h := HKDF-Extract ("key-derivation", zk)
  h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
  zk' := (h mod L) * zk
  return zk'
        ]]></artwork>
       <t>
         The PKEY cryptosystem uses a hash-based key derivation function (HKDF) as defined in
         <xref target="RFC5869" />, using SHA-512 <xref target="RFC6234"/> for the extraction
         phase and SHA-256 <xref target="RFC6234"/> for the expansion phase.
         PRK_h is key material retrieved using an HKDF using the string
         "key-derivation" as salt and the zone key as initial
         keying material.
         h is the 512-bit HKDF expansion result and must be interpreted in
         network byte order. The expansion information input is
         a concatenation of the label and the string "gns".
         The multiplication of zk with h is a point multiplication,
         while the multiplication of d with h is a scalar multiplication.
       </t>
       <t>
         The Sign() and Verify() functions
         for PKEY zones are implemented using 512-bit ECDSA deterministic
         signatures as specified in <xref target="RFC6979" />.
         The same functions can be used for derived keys:
       </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
SignDerived(d,label,message):
  zk := d * G
  PRK_h := HKDF-Extract ("key-derivation", zk)
  h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
  d' := (h * d) mod L
  return Sign(d',message)
           ]]></artwork>
         <t>
           A signature (R,S) is valid if the following holds:
         </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
VerifyDerived(zk,label,message,signature):
  zk' := ZKDF(zk,label)
  return Verify(zk',message,signature)
           ]]></artwork>
       <t>
         The S-Encrypt() and S-Decrypt() functions use AES in counter mode
         as defined in <xref target="MODES" /> (CTR-AES-256):
       </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
S-Encrypt(zk,label,expiration,plaintext):
  PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
  PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
  K := HKDF-Expand (PRK_k, label, 256 / 8)
  NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
  IV := NONCE || expiration || 0x0000000000000001
  return CTR-AES256(K, IV, plaintext)

S-Decrypt(zk,label,expiration,ciphertext):
  PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
  PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
  K := HKDF-Expand (PRK_k, label, 256 / 8)
  NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
  IV := NONCE || expiration || 0x0000000000000001
  return CTR-AES256(K, IV, ciphertext)
           ]]></artwork>
       <t>
         The key K and counter IV are derived from
         the record label and the zone key zk using a hash-based key
         derivation function (HKDF) as defined in <xref target="RFC5869" />.
         SHA-512 <xref target="RFC6234"/> is used for the
         extraction phase and SHA-256 <xref target="RFC6234"/> for the expansion phase.
         The output keying material is 32 bytes (256 bits) for the symmetric
         key and 4 bytes (32 bits) for the nonce.
         The symmetric key K is a 256-bit AES <xref target="RFC3826" /> key.
       </t>
       <t>
         The nonce is combined with a 64-bit initialization vector and a
         32-bit block counter as defined in <xref target="RFC3686" />.
         The block counter begins with the value of 1, and it is incremented
         to generate subsequent portions of the key stream.
         The block counter is a 32-bit integer value in network byte order.
         The initialization vector is the expiration time of the
         resource record block in network byte order.
         The resulting counter (IV) wire format can be found in
         <xref target="figure_hkdf_ivs_pkey"/>.
       </t>
       <figure anchor="figure_hkdf_ivs_pkey" title="The Block Counter Wire Format.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32
+-----+-----+-----+-----+
|         NONCE         |
+-----+-----+-----+-----+
|       EXPIRATION      |
|                       |
+-----+-----+-----+-----+
|      BLOCK COUNTER    |
+-----+-----+-----+-----+
           ]]></artwork>
       </figure>
     </section>
     <section anchor="gnsrecords_edkey" numbered="true" toc="default">
       <name>EDKEY</name>
       <t>
         In GNS, a delegation of a label to a zone of type "EDKEY" is
         represented through a EDKEY record.
         The EDKEY DATA entry wire format
         is illustrated in <xref target="figure_edkeyrecord"/>.
       </t>
       <figure anchor="figure_edkeyrecord" title="The EDKEY DATA Wire Format.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   PUBLIC KEY                  |
|                                               |
|                                               |
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
           ]]></artwork>
       </figure>
       <dl>
         <dt>PUBLIC KEY</dt>
         <dd>
           A 256-bit EdDSA zone key.
         </dd>
       </dl>
         <t>
           For EDKEY zones the zone key material is derived using the
           curve parameters of the twisted edwards representation
           of Curve25519 <xref target="RFC7748" /> (a.k.a. Ed25519)
           with the Ed25519 scheme <xref target="ed25519" /> as specified in
           <xref target="RFC8032" />.
           The following naming convention is used for the
           cryptographic primitives of EDKEY zones:
         </t>
         <!-- Check if we want to use RFC8032 instead of paper ed25519 -->
         <dl>
           <dt>d</dt>
           <dd>
             is a 256-bit EdDSA private key.
           </dd>
           <dt>a</dt>
           <dd>
             is is an integer derived from d using the SHA-512 hash function
             as defined in <xref target="RFC8032" />.
           </dd>
           <dt>zk</dt>
           <dd>
             is the EdDSA public key corresponding to d. It is defined
             as the curve point a*G where G is the
             group generator of the elliptic curve
             as defined in <xref target="RFC8032" />.
           </dd>
           <dt>p</dt>
           <dd>
             is the prime of edwards25519 as defined in <xref target="RFC8032" />, i.e.
             2^255 - 19.
           </dd>
           <dt>G</dt>
           <dd>
             is the group generator (X(P),Y(P)) of edwards25519 as defined in
              <xref target="RFC8032" />.
           </dd>
           <dt>L</dt>
           <dd>
             is the order of the prime-order subgroup of edwards25519 in <xref target="RFC8032" />.
           </dd>
           <dt>KeyGen()</dt>
           <dd>
             The generation of the private key d and the associated public
             key zk := a*G where G is the
             group generator of the elliptic curve and a is an integer
             derived from d using the SHA-512 hash function
             as defined
             in Section 5.1.5 of <xref target="RFC8032" /> represents the KeyGen()
             function.
            </dd>
         </dl>
         <t>
           The zone type and zone key of an EDKEY are 4 + 32 bytes in length. This means that
           a zTLD will always fit into a single label and does
           not need any further conversion.
         </t>
         <t>
           The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>.
           The calculation of a is defined in Section 5.1.5 of <xref target="RFC8032" />.
           Given a label, the output of the ZKDF function is
           calculated as follows:
         </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
ZKDF(zk,label):
  /* Calculate the blinding factor */
  PRK_h := HKDF-Extract ("key-derivation", zk)
  h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
  /* Ensure that h == h mod L */
  h[31] &= 7

  zk' := h * zk
  return zk'
           ]]></artwork>
         <t>
           Implementers <bcp14>SHOULD</bcp14> employ a constant time scalar
           multiplication for the constructions above to protect against
           timing attacks. Otherwise, timing attacks could leak private key
           material if an attacker can predict when a system starts the
           publication process.
           <!--Also, implementers
           <bcp14>MUST</bcp14> ensure that the private key a is an ed25519 private key
           and specifically that "a[0] &#38; 7 == 0" holds.-->
         </t>
         <t>
           The EDKEY cryptosystem uses a
           hash-based key derivation function (HKDF) as defined in
           <xref target="RFC5869" />, using SHA-512 <xref target="RFC6234"/> for the extraction
           phase and HMAC-SHA256 <xref target="RFC6234"/> for the expansion phase.
           PRK_h is key material retrieved using an HKDF using the string
           "key-derivation" as salt and the zone key as initial
           keying material.
           The blinding factor h is the 512-bit HKDF expansion result.
           The expansion information input is
           a concatenation of the label and the string "gns".
           The result of the HKDF must be clamped and interpreted in network
           byte order.
           a is the 256-bit integer corresponding to the 256-bit private
           key d.
           The multiplication of zk with h is a point multiplication,
           while the division and multiplication of a and a1 with the
           co-factor are integer operations.
         </t>
         <t>
           The Sign(d,message) and Verify(zk,message,signature) procedures <bcp14>MUST</bcp14>
           be implemented as defined in <xref target="RFC8032" />.
         </t>
         <t>
           Signatures for EDKEY zones use a derived private scalar d'
           which is not compliant with <xref target="RFC8032" />.
           As the corresponding private key to the derived private scalar
           is not known, it is not possible to deterministically derive the
           signature part R according to <xref target="RFC8032" />.
           Instead, signatures <bcp14>MUST</bcp14> be generated as follows for any given
           message and private zone key:
           A nonce is calculated from the highest 32 bytes of the
           expansion of the private key d and the blinding factor h.
           The nonce is then hashed with the message to r.
           This way, the full derivation path is included in the calculation
           of the R value of the signature, ensuring that it is never reused
           for two different derivation paths or messages.
         </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
SignDerived(d,label,message):
  /* Key expansion */
  dh := SHA-512 (d)
  /* EdDSA clamping */
  a := dh[0..31]
  a[0] &= 248
  a[31] &= 127
  a[31] |= 64
  /* Calculate zk corresponding to d */
  zk := a * G

  /* Calculate blinding factor */
  PRK_h := HKDF-Extract ("key-derivation", zk)
  h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
  /* Ensure that h == h mod L */
  h[31] &= 7

  zk' := h * zk
  a1 := a >> 3
  a2 := (h * a1) mod L
  d' := a2 << 3
  nonce := SHA-256 (dh[32..63] || h)
  r := SHA-512 (nonce || message)
  R := r * G
  S := r + SHA-512(R || zk' || message) * d' mod L
  return (R,S)
           ]]></artwork>
         <t>
           A signature (R,S) is valid if the following holds:
         </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
VerifyDerived(zk,label,message,signature):
  zk' := ZKDF(zk,label)
  (R,S) := signature
  return S * G == R + SHA-512(R, zk', message) * zk'
           ]]></artwork>
         <t>
           The S-Encrypt() and S-Decrypt() functions use XSalsa20
           as defined in <xref target="XSalsa20" />
           (XSalsa20-Poly1305):
         </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
S-Encrypt(zk,label,expiration,message):
  PRK_k := HKDF-Extract ("gns-xsalsa-ctx-key", zk)
  PRK_n := HKDF-Extract ("gns-xsalsa-ctx-iv", zk)
  K := HKDF-Expand (PRK_k, label, 256 / 8)
  NONCE := HKDF-Expand (PRK_n, label, 128 / 8)
  IV := NONCE || expiration
  return XSalsa20-Poly1305(K, IV, message)

S-Decrypt(zk,label,expiration,ciphertext):
  PRK_k := HKDF-Extract ("gns-xsalsa-ctx-key", zk)
  PRK_n := HKDF-Extract ("gns-xsalsa-ctx-iv", zk)
  K := HKDF-Expand (PRK_k, label, 256 / 8)
  NONCE := HKDF-Expand (PRK_n, label, 128 / 8)
  IV := NONCE || expiration
  return XSalsa20-Poly1305(K, IV, ciphertext)
           ]]></artwork>
         <t>
           The result of the XSalsa20-Poly1305 encryption function is the encrypted
           ciphertext followed by the 128-bit authentication
           tag.
           Accordingly, the length of encrypted data equals the length of the
           data plus the 16 bytes of the authentication tag.
         </t>
         <t>
           The key K and counter IV are derived from
           the record label and the zone key zk using a hash-based key
           derivation function (HKDF) as defined in
           <xref target="RFC5869" />.
           SHA-512 <xref target="RFC6234"/> is used for the
           extraction phase and SHA-256 <xref target="RFC6234"/> for the expansion phase.
           The output keying material is 32 bytes (256 bits) for the symmetric
           key and 16 bytes (128 bits) for the NONCE.
           The symmetric key K is a 256-bit XSalsa20
           <xref target="XSalsa20" /> key.
           No additional authenticated data (AAD) is used.
         </t>
         <t>
           The nonce is combined with an 8 byte initialization vector.
           The initialization vector is the expiration time of the
           resource record block in network byte order.
           The resulting counter (IV) wire format is illustrated in
           <xref target="figure_hkdf_ivs_edkey"/>.
         </t>
         <figure anchor="figure_hkdf_ivs_edkey" title="The Counter Block Initialization Vector.">
           <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32
+-----+-----+-----+-----+
|         NONCE         |
|                       |
|                       |
|                       |
+-----+-----+-----+-----+
|       EXPIRATION      |
|                       |
+-----+-----+-----+-----+
             ]]></artwork>
       </figure>
     </section>
   </section>
   <section anchor="gnsrecords_redirect" numbered="true" toc="default">
     <name>Redirection Records</name>
     <t>
       Redirect records are used to redirect resolution.
       Any implementation <bcp14>SHOULD</bcp14> support all redirection record types defined here
       and <bcp14>MAY</bcp14> support any number of additional redirection records defined in
       the GNU Name System Record Types registry (see Section <xref target="gana"/>).
       Redirection records <bcp14>MUST</bcp14> have the CRITICAL flag set.
       Not supporting some record types can result in resolution failures.
       This can be a valid choice if some redirection record types have been
       determined to be insecure, or if an application has reasons to not
       support redirection to DNS for reasons such as complexity or security.
       Redirection records <bcp14>MUST NOT</bcp14> be stored and published under the apex label.
     </t>
     <section anchor="gnsrecords_rdr" numbered="true" toc="default">
       <name>REDIRECT</name>
       <t>
         A REDIRECT record is the GNS equivalent of a CNAME record in DNS.
         A REDIRECT record <bcp14>MUST</bcp14> be the only non-supplemental
         record under a label.
         There <bcp14>MAY</bcp14> be inactive records of the same type which have
         the SHADOW flag set in order to facilitate smooth changes of redirection
         targets.
         No other records are allowed.
         Details on processing of this record is defined in <xref target="redirect_processing"/>.

         A REDIRECT DATA entry is illustrated in <xref target="figure_redirectrecord"/>.
       </t>
       <figure anchor="figure_redirectrecord" title="The REDIRECT DATA Wire Format.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   REDIRECT NAME               |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
           ]]></artwork>
       </figure>
       <dl>
         <dt>REDIRECT NAME</dt>
         <dd>
           The name to continue with.
           The value of a redirect record can be a regular name, or a relative
           name.
           Relative GNS names are indicated by an extension label (U+002B, "+")
           as rightmost label.
           The string is UTF-8 encoded and 0-terminated.
         </dd>
       </dl>
     </section>
     <section anchor="gnsrecords_gns2dns" numbered="true" toc="default">
       <name>GNS2DNS</name>
       <t>
         It is possible to delegate a label back into DNS through a GNS2DNS record.
         The resource record contains a DNS name for the resolver to continue with
         in DNS followed by a DNS server. Both names are in the format defined in
         <xref target="RFC1034" /> for DNS names.
         There <bcp14>MAY</bcp14> be multiple GNS2DNS records under a label.
         There <bcp14>MAY</bcp14> also be DNSSEC DS records or any other records used to
         secure the connection with the DNS servers under the same label.
         There <bcp14>MAY</bcp14> be inactive records of the same type(s) which have
         the SHADOW flag set in order to facilitate smooth changes of redirection
         targets.
         No other non-supplemental record types are allowed in the same record set.
         A GNS2DNS DATA entry is illustrated in <xref target="figure_gns2dnsrecord"/>.</t>
       <figure anchor="figure_gns2dnsrecord" title="The GNS2DNS DATA Wire Format.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                      NAME                     |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                 DNS SERVER NAME               |
/                                               /
/                                               /
|                                               |
+-----------------------------------------------+
           ]]></artwork>
       </figure>
       <dl>
         <dt>NAME</dt>
         <dd>
           The name to continue with in DNS. The value is UTF-8 encoded and
           0-terminated.
         </dd>
         <dt>DNS SERVER NAME</dt>
         <dd>
           The DNS server to use. This value can be an IPv4 address in dotted-decimal
           form or an IPv6 address in colon-hexadecimal form or a DNS name.
           It can also be a relative GNS name ending with a
           "+" as the rightmost label.
           The implementation <bcp14>MUST</bcp14> check the string syntactically for
           an IP address in the respective notation before checking for a
           relative GNS name.
           If all three checks fail, the name <bcp14>MUST</bcp14> be treated as a DNS name.
           The value is UTF-8 encoded and 0-terminated.
         </dd>
       </dl>
       <t>
         NOTE: If an application uses DNS names obtained from GNS2DNS records
         in a DNS request they <bcp14>MUST</bcp14> first be converted to an IDNA compliant
         representation <xref target="RFC5890" />.
       </t>
     </section>
   </section>
   <section anchor="gnsrecords_other" numbered="true" toc="default">
       <name>Auxiliary Records</name>
       <t>
         This section defines the initial set of auxiliary GNS record types. Any
         implementation <bcp14>SHOULD</bcp14> be able to process the specified record types
         according to <xref target="record_processing"/>.
       </t>
     <section anchor="gnsrecords_leho" numbered="true" toc="default">
       <name>LEHO</name>
       <t>
         This record is used to provide a hint for LEgacy HOstnames:
         Applications can use the GNS to lookup IPv4 or IPv6 addresses of
         internet services.
         However, sometimes connecting to such services does not only require
         the knowledge of an address and port, but also requires the canonical
         DNS name of the service to be transmitted over the transport protocol.
         In GNS, legacy host name records provide applications the DNS name that
         is required to establish a connection to such a service.
         The most common use case is HTTP virtual hosting and TLS Server Name
         Indication <xref target="RFC6066"/>, where a DNS name must
         be supplied in the HTTP "Host"-header and the TLS handshake,
         respectively.
         Using a GNS name in those cases might not work as
         it might not be globally unique. Furthermore, even if uniqueness is
         not an issue, the legacy service might not even be aware of GNS.
       </t>
       <t>
         A LEHO resource record is expected to be found together in a single
         resource record with an IPv4 or IPv6 address.
           A LEHO DATA entry is illustrated in <xref target="figure_lehorecord"/>.
       </t>
       <figure anchor="figure_lehorecord" title="The LEHO DATA Wire Format.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                 LEGACY HOSTNAME               |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
           ]]></artwork>
       </figure>
       <dl>
         <dt>LEGACY HOSTNAME</dt>
         <dd>
           A UTF-8 string (which is not 0-terminated) representing the legacy hostname.
         </dd>
       </dl>
       <t>
         NOTE: If an application uses a LEHO value in an HTTP request header
         (e.g. "Host:" header) it <bcp14>MUST</bcp14> be converted to an IDNA compliant representation
         <xref target="RFC5890" />.
       </t>
     </section>
     <section anchor="gnsrecords_nick" numbered="true" toc="default">
       <name>NICK</name>
       <t>
         Nickname records can be used by zone administrators to publish a
         label that a zone prefers to have used when it is referred to.
         This is a suggestion to other zones what label to use when creating a
         delegation record (<xref target="gnsrecords_delegation" />) containing
         this zone key.
         This record <bcp14>SHOULD</bcp14> only be stored under the apex label "@" but <bcp14>MAY</bcp14> be
         returned with record sets under any label as a supplemental record.
         <xref target="nick_processing"/> details how a resolver must process
         supplemental and non-supplemental NICK records.
         A NICK DATA entry is illustrated in <xref target="figure_nickrecord"/>.
       </t>
       <figure anchor="figure_nickrecord" title="The NICK DATA Wire Format.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                  NICKNAME                     |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
           ]]></artwork>
       </figure>
       <dl>
         <dt>NICKNAME</dt>
         <dd>
           A UTF-8 string (which is not 0-terminated) representing the preferred
           label of the zone. This string <bcp14>MUST</bcp14> be a valid GNS label.
         </dd>
       </dl>
     </section>
     <section anchor="gnsrecords_box" numbered="true" toc="default">
       <name>BOX</name>
       <t>
         GNS lookups are expected to return all of the required useful
         information in one record set. This avoids unnecessary additional
         lookups and cryptographically ties together information that belongs
         together, making it impossible for an adversarial storage to provide
         partial answers that might omit information critical for security.
       </t>
       <t>
         This general strategy is incompatible with the
         special labels used by DNS for SRV and TLSA records.  Thus, GNS
         defines the BOX record format to box up SRV and TLSA records and
         include them in the record set of the label they are associated
         with.  For example, a
         TLSA record for "_https._tcp.example.org" will be stored in the record set of
         "example.org" as a BOX record with service (SVC) 443 (https) and protocol (PROTO) 6
         (tcp) and record TYPE "TLSA".
         For reference, see also <xref target="RFC2782" />.
           A BOX DATA entry is illustrated in <xref target="figure_boxrecord"/>.
       </t>
       <figure anchor="figure_boxrecord" title="The BOX DATA Wire Format.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|   PROTO   |    SVC    |       TYPE            |
+-----------+-----------------------------------+
|                 RECORD DATA                   |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
           ]]></artwork>
       </figure>
       <dl>
         <dt>PROTO</dt>
         <dd>
           the 16-bit protocol number, e.g. 6 for TCP.
           Note that values
           below 2^8 are reserved for 8-bit Internet Protocol numbers allocated by IANA <xref target="RFC5237" />.
           Values above 2^8 are allocated by the
           GNUnet Assigned Numbers Authority <xref target="GANA" />.
           In network byte order.
         </dd>
         <dt>SVC</dt>
         <dd>
           the 16-bit service value of the boxed record. In case of
           TCP and UDP it is the port number.
           In network byte order.
         </dd>
         <dt>TYPE</dt>
         <dd>
           is the 32-bit record type of the boxed record. In network byte order.
         </dd>
         <dt>RECORD DATA</dt>
         <dd>
           is a variable length field containing the "DATA" format of TYPE as
           defined for the respective TYPE in DNS.
         </dd>
       </dl>
     </section>
   </section>
   </section>
   <section anchor="publish" numbered="true" toc="default">
     <name>Record Encoding</name>
     <t>
       Any API which allows storing a value under a 512-bit key and retrieving
       one or more values from the key can be used by an implementation for record storage.
       To be useful, the API <bcp14>MUST</bcp14> permit storing at least 176 byte values
       to be able to support the defined zone delegation record encodings,
       and <bcp14>SHOULD</bcp14> allow at least 1024 byte values.
       In the following, it is assumed that an implementation realizes two
       procedures on top of a storage:
     </t>
     <artwork name="" type="" align="left" alt=""><![CDATA[
PUT(key,value)
GET(key) -> value
       ]]></artwork>
     <t>
       There is no explicit delete function as the deletion of a non-expired
       record would require a revocation of the record.
       In GNS, zones can only be revoked as a whole. Records automatically
       expire and it is under the discretion of the storage as to when to delete
       the record. The GNS implementation <bcp14>MUST NOT</bcp14> publish expired resource
       records. Any GNS resolver <bcp14>MUST</bcp14> discard expired records returned from
       the storage.
     </t>
     <t>
       Resource records are grouped by their respective labels,
       encrypted and published together in a single records block
         (RRBLOCK) in the storage under a storage key q as illustrated in <xref target="figure_storage_publish"/>.
       The implementation <bcp14>MUST</bcp14> use the PUT storage procedure in order to update the zone contents accordingly.
     </t>
     <figure anchor="figure_storage_publish" title="Management and publication of local zones in the distributed storage.">
       <artwork name="" type="" align="left" alt=""><![CDATA[
                           Local Host          |   Remote
                                               |   Storage
                                               |
                                               |    +---------+
                                               |   /         /|
                                               |  +---------+ |
+-----------+                                  |  |         | |
|           |       +---------+PUT(q, RRBLOCK) |  | Record  | |
|    User   |       |  Zone   |----------------|->| Storage | |
|           |       | Master  |                |  |         |/
+-----------+       +---------+                |  +---------+
     |                     A                   |
     |                     | Zone records      |
     |                     | grouped by label  |
     |                     |                   |
     |                 +---------+             |
     |Create / Delete /    |    /|             |
     |and Update     +---------+ |             |
     |Local Zones    |         | |             |
     |               |  Local  | |             |
     +-------------->|  Zones  | |             |
                     |         |/              |
                     +---------+               |
         ]]></artwork>
     </figure>
     <t>
       The storage key is derived from the zone key and the respective
       label of the contained records.
       The required knowledge of both zone key and label in combination
       with the similarly derived symmetric secret keys and blinded zone keys
       ensure query privacy (see <xref target="RFC8324"/>, Section 3.5).
       The storage Key derivation and records
       block creation using is specified in the following sections and a high-level
       overview is illustrated in <xref target="figure_storage_derivations"/>.
     </t>
     <figure anchor="figure_storage_derivations" title="Storage key and records block creation overview.">
       <artwork name="" type="" align="left" alt=""><![CDATA[
+----------+ +-------+ +------------+ +-------------+
| Zone Key | | Label | | Record Set | | Private Key |
+----------+ +-------+ +------------+ +-------------+
    |          |            |               |
    |          |            v               |
    |          |           +-----------+    |
    |          +---------->| S-Encrypt |    |
    +----------|---------->+-----------+    |
    |          |               |    |       |
    |          |               |    v       v
    |          |               |   +-------------+
    |          +---------------|-->| SignDerived |
    |          |               |   +-------------+
    |          |               |        |
    |          v               v        v
    |      +------+        +---------------+
    +----->| ZKDF |------->| Records Block |
           +------+        +---------------+
              |
              v
           +------+        +-------------+
           | Hash |------->| Storage Key |
           +------+        +-------------+
         ]]></artwork>
     </figure>
     <section anchor="blinding" numbered="true" toc="default">
       <name>The Storage Key</name>
       <t>
         Given a label, the storage key q is derived as follows:
       </t>
       <artwork name="" type="" align="left" alt=""><![CDATA[
q := SHA-512 (ZKDF(zk, label))
         ]]></artwork>
       <dl>
         <dt>label</dt>
         <dd>is a UTF-8 string under which the resource records are published.
         </dd>
         <dt>zk</dt>
         <dd>
           is the zone key.
         </dd>
         <dt>q</dt>
         <dd>
           Is the 512-bit storage key under which the resource records block is
           published.
           It is the SHA-512 hash <xref target="RFC6234"/> over the derived zone key.
         </dd>
       </dl>
     </section>
     <section anchor="records_block" numbered="true" toc="default">
       <name>The Records Block</name>
       <t>
         GNS records are grouped by their labels and published as a single
         block in the storage. The grouped record sets <bcp14>MAY</bcp14> be paired with any
         number of supplemental records. Supplemental records <bcp14>MUST</bcp14> have the
         supplemental flag set (See <xref target="rrecords"/>).
         The contained resource records are encrypted using a symmetric
         encryption scheme.
         A GNS implementation publishes RRBLOCKs
         in accordance to the properties and recommendations of the underlying
         storage. This can include a periodic refresh operation to ensure the
         availability of the published RRBLOCKs.
         The GNS RRBLOCK wire format is illustrated in
         <xref target="figure_record_block"/>.
       </t>
       <figure anchor="figure_record_block" title="The RRBLOCK Wire Format.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|          SIZE         |    ZONE TYPE          |
+-----+-----+-----+-----+-----+-----+-----+-----+
/                  ZONE KEY                     /
/                  (BLINDED)                    /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   SIGNATURE                   |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   EXPIRATION                  |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                    BDATA                      /
/                                               /
/                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
           ]]></artwork>
       </figure>
       <dl>
         <dt>SIZE</dt>
         <dd>
           A 32-bit value containing the length of the block in bytes.
           In network byte order.
           While a 32-bit value is used,
           implementations <bcp14>MAY</bcp14> refuse to publish blocks beyond a certain
           size significantly below 4 GB.
         </dd>
         <dt>ZONE TYPE</dt>
         <dd>
           is the 32-bit ztype. In network byte order.
         </dd>
         <dt>ZONE KEY</dt>
         <dd>
           is the blinded zone key "ZKDF(zk, label)"
           to be used to verify SIGNATURE.
           The length and format of the public key depends on the ztype.
         </dd>
         <dt>SIGNATURE</dt>
         <dd>
           The signature is computed over the EXPIRATION and BDATA fields
           as detailed in <xref target="figure_rrsigwithpseudo"/>.
           The length and format of the signature depends on the ztype.
           The signature is created using the SignDerived() function of
           the cryptosystem of the zone (see <xref target="zones" />).
         </dd>
         <dt>EXPIRATION</dt>
         <dd>
           Specifies when the RRBLOCK expires and the encrypted block
           <bcp14>SHOULD</bcp14> be removed from the storage and caches as it is likely stale.
           However, applications <bcp14>MAY</bcp14> continue to use non-expired individual
           records until they expire.  The value <bcp14>MUST</bcp14> be set to the
           expiration time of the resource record contained within this block with the
           smallest expiration time.
           If a records block includes shadow records, then the maximum
           expiration time of all shadow records with matching type and the
           expiration times of the non-shadow records is considered.
           This is a 64-bit absolute date in microseconds since midnight
           (0 hour), January 1, 1970 UTC in network byte order.
         </dd>
         <dt>BDATA</dt>
         <dd>
           The encrypted RDATA. Its size is determined by the S-Encrypt()
           function of the ztype.
         </dd>
       </dl>
       <t>
         The signature over the public key covers a 32-bit pseudo header
         conceptually prefixed to the EXPIRATION and the BDATA fields.
         The wire format is illustrated
         in <xref target="figure_rrsigwithpseudo"/>.
       </t>
       <figure anchor="figure_rrsigwithpseudo" title="The Wire Format used for creating the signature of the RRBLOCK.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|         SIZE          |       PURPOSE (0x0F)  |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   EXPIRATION                  |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                    BDATA                      |
/                                               /
/                                               /
+-----+-----+-----+-----+-----+-----+-----+-----+
           ]]></artwork>
       </figure>
       <dl>
         <dt>SIZE</dt>
         <dd>
           A 32-bit value containing the length of the signed data in bytes
           in network byte order.
         </dd>
         <dt>PURPOSE</dt>
         <dd>
           A 32-bit signature purpose flag. The value of this
           field <bcp14>MUST</bcp14> be 15.
           The value is encoded in network byte order.
           It defines the context in which
           the signature is created so that it cannot be reused in other parts
           of the protocol including possible future extensions.
           The value of this field corresponds to an entry in the
           GANA "GNUnet Signature Purpose" registry <xref target="gana"/>.
         </dd>
         <dt>EXPIRATION</dt>
         <dd>
           Field as defined in the RRBLOCK message above.
         </dd>
         <dt>BDATA</dt>
         <dd>Field as defined in the RRBLOCK message above.</dd>
       </dl>

       <t>
         A symmetric encryption scheme is used to encrypt the resource records
         set RDATA into the BDATA field of a GNS RRBLOCK.
         The wire format of the RDATA is illustrated in
         <xref target="figure_rdata"/>.
       </t>
       <figure anchor="figure_rdata" title="The RDATA Wire Format.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                 EXPIRATION                    |
+-----+-----+-----+-----+-----+-----+-----+-----+
|    SIZE   |    FLAGS  |        TYPE           |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                      DATA                     /
/                                               /
/                                               /
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   EXPIRATION                  |
+-----+-----+-----+-----+-----+-----+-----+-----+
|    SIZE   |    FLAGS  |        TYPE           |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                     DATA                      /
/                                               /
+-----+-----+-----+-----+-----+-----+-----+-----+
/                     PADDING                   /
/                                               /
           ]]></artwork>
       </figure>
       <dl>
         <dt>EXPIRATION, SIZE, TYPE, FLAGS and DATA</dt>
         <dd>
           These fields were defined
           in the resource record format in <xref target="rrecords" />.
         </dd>
         <dt>PADDING</dt>
         <dd>
           When publishing an RDATA block, the implementation <bcp14>MUST</bcp14> ensure that
           the size of the RDATA is a power of two
           using the padding field. The field <bcp14>MUST</bcp14> be set to zero and <bcp14>MUST</bcp14> be
           ignored on receipt.
           As a special exception, record sets with (only) a zone delegation
           record type are never padded.
           Note that a record set with a delegation record <bcp14>MUST NOT</bcp14>
           contain other records. If other records are encountered, the whole
           record block <bcp14>MUST</bcp14> be discarded.
         </dd>
       </dl>
     </section>
   </section>
    <section anchor="resolution" numbered="true" toc="default">
     <name>Name Resolution</name>
     <t>
       Names in GNS are resolved by recursively querying the record storage.
       Recursive in this context means that a resolver does not provide
       intermediate results for a query to the application.
       Instead, it <bcp14>MUST</bcp14> respond to a resolution request with either the
       requested resource record or an error message in case the resolution
       fails.
       <xref target="figure_resolution"/> illustrates how an application
       requests the lookup of a GNS name (1).
       The application <bcp14>MAY</bcp14> provide a desired record type to the resolver.
       Subsequently, the Start Zone is determined (2) and the recursive
       resolution process started.
       This is where the desired record type is used to guide processing.
       For example, if a zone delegation record type is requested, the
       resolution of the apex label in that zone must be skipped, as
       the desired record is already found.
       Details on how the resolution process is initiated and each iterative
       result (3a,3b) in the resolution is processed are provided in the sections below.
       The results of the lookup are eventually returned to the application (4).
       The implementation <bcp14>MUST NOT</bcp14> filter results
       according to the desired record type.
       Filtering of record sets is typically done by the application.
     </t>
     <figure anchor="figure_resolution" title="The recursive GNS resolution process.">
       <artwork name="" type="" align="left" alt=""><![CDATA[
                           Local Host             |   Remote
                                                  |   Storage
                                                  |
                                                  |    +---------+
                                                  |   /         /|
                                                  |  +---------+ |
+-----------+ (1) Name +----------+               |  |         | |
|           | Lookup   |          | (3a) GET(q)   |  | Record  | |
|Application|----------| Resolver |---------------|->| Storage | |
|           |<---------|          |<--------------|--|         |/
+-----------+ (4)      +----------+ (3b) RRBLOCK  |  +---------+
              Records     A                       |
                          |                       |
     (2) Determination of |                       |
         Start Zone       |                       |
                          |                       |
                       +---------+                |
                      /   |     /|                |
                     +---------+ |                |
                     |         | |                |
                     |  Start  | |                |
                     |  Zones  | |                |
                     |         |/                 |
                     +---------+                  |
         ]]></artwork>
     </figure>
     <section anchor="governance" numbered="true" toc="default">
       <name>Start Zones</name>
       <t>
         The resolution of a GNS name starts by identifying the start zone
         suffix. Once the start zone suffix is identified, recursive resolution
         of the remainder of the name is initiated (<xref target="recursion"/>).
         There are two types of start zone suffixes: zTLDs and local
         suffix-to-zone mappings.
         The choice of available suffix-to-zone mappings is at the sole
         discretion of the local system administrator or user.
         This property addresses the issue of a single hierarchy with a
         centrally controlled root and the related issue of distribution and
         management of root servers in DNS (see <xref target="RFC8324"/>, Section 3.10 and 3.12).
       </t>
       <t>
         For names ending with a zTLD the start zone is explicitly given in the
         suffix of the name to resolve.
         In order to ensure uniqueness of names with zTLDs any
         implementation <bcp14>MUST</bcp14> use the given zone as start zone.
         An implementation <bcp14>MUST</bcp14> first try to interpret the rightmost label of
         the given name as the beginning of a zTLD (<xref target="zTLD"/>).
         If the rightmost label cannot be (partially) decoded or if it does not
         indicate a supported ztype, the name is treated as a normal name and
         start zone discovery <bcp14>MUST</bcp14> continue with finding a local suffix-to-zone
         mapping.
         If a valid ztype can be found in the rightmost label, the
         implementation <bcp14>MUST</bcp14> try to synthesize and decode the zTLD to retrieve
         the start zone key according to <xref target="zTLD"/>.
         If the zTLD cannot be synthesized or decoded, the resolution of
         the name fails and an error is returned to the application.
         Otherwise, the zone key <bcp14>MUST</bcp14> be used as the start zone:
       </t>
       <artwork name="" type="" align="left" alt=""><![CDATA[
Example name: www.example.<zTLD>
=> Start zone: zk of type ztype
=> Name to resolve from start zone: www.example
         ]]></artwork>
       <t>
         For names not ending with a zTLD the resolver <bcp14>MUST</bcp14> determine the start
         zone through a local suffix-to-zone mapping.
         Suffix-to-zone mappings <bcp14>MUST</bcp14> be configurable through a local
         configuration file or database by the user or system administrator.
         A suffix <bcp14>MAY</bcp14> consist of multiple GNS labels concatenated with a
         label separator.
         If multiple suffixes match the name to resolve, the longest
         matching suffix <bcp14>MUST</bcp14> be used. The suffix length of two results
         <bcp14>MUST NOT</bcp14> be equal. This indicates a misconfiguration and the
         implementation <bcp14>MUST</bcp14> return an error.
         The following is a non-normative example mapping of start zones:
       </t>
       <artwork name="" type="" align="left" alt=""><![CDATA[
Example name: www.example.org
Local suffix mappings:
org = zTLD0 := Base32GNS(ztype0||zk0)
example.org = zTLD1 := Base32GNS(ztype1||zk1)
example.com = zTLD2 := Base32GNS(ztype2||zk2)
...
=> Start zone: zk1
=> Name to resolve from start zone: www
         ]]></artwork>
       <t>
         The process given above <bcp14>MAY</bcp14> be supplemented with other mechanisms if
         the particular application requires a different process.
         If no start zone can be discovered, resolution <bcp14>MUST</bcp14> fail and an
         error <bcp14>MUST</bcp14> be returned to the application.
       </t>
     </section>
       <section anchor="recursion" numbered="true" toc="default">
         <name>Recursion</name>
         <t>
           In each step of the recursive name resolution, there is an
           authoritative zone zk and a name to resolve.
           The name <bcp14>MAY</bcp14> be empty.
           If the name is empty, it is interpreted as the apex label "@".
           Initially, the authoritative zone is the start zone.
         </t>
         <t>
           From here, the following steps are recursively executed, in order:
         </t>
         <ol>
           <li>Extract the right-most label from the name to look up.</li>
           <li>Calculate q using the label and zk as defined in
           <xref target="blinding" />.</li>
           <li>Perform a storage query GET(q) to retrieve the RRBLOCK.</li>
           <li>Verify and process the RRBLOCK and decrypt the BDATA contained
             in it as defined in <xref target="records_block" />.</li>
         </ol>
         <t>
           Upon receiving the RRBLOCK from the storage, as part of verifying the
           provided signature, the resolver <bcp14>MUST</bcp14> check that the SHA-512 hash of the
           derived authoritative zone key zk' from the RRBLOCK matches the query q
           and that the block is not yet expired.
           If the signature does not match or the block is expired, the RRBLOCK <bcp14>MUST</bcp14>
           be ignored and, if applicable, the storage lookup GET(q) <bcp14>MUST</bcp14> continue to
           look for other RRBLOCKs.
         </t>
       </section>
       <section anchor="record_processing" numbered="true" toc="default">
         <name>Record Processing</name>
         <t>
           Record processing occurs once a well-formed block has been decrypted.
           In record processing, only the valid records obtained are considered.
           To filter records by validity, the resolver
           <bcp14>MUST</bcp14> at least check the expiration time and the FLAGS field of the
           respective record.  In particular, SHADOW and
           SUPPLEMENTAL flags can exclude the record from being considered.
           If the resolver encounters a record with the CRITICAL flag set and
           does not support the record type the resolution <bcp14>MUST</bcp14> be aborted
           and an error <bcp14>MUST</bcp14> be returned. The information that the critical
           record could not be processed <bcp14>SHOULD</bcp14> be returned in the error
           description. The implementation <bcp14>MAY</bcp14> choose not to return the reason for the failure,
           merely complicating troubleshooting for the user.
         </t>
         <t>
           The next steps depend on the context of the name that is being
           resolved:
         </t>
         <ul>
         <li>
           Case 1:
           If the filtered record set consists of a single REDIRECT record,
           the remainder of the name is prepended to the REDIRECT data and the
           recursion is started again from the resulting name.
           Details are described in <xref target="redirect_processing" />.
         </li>
         <li>
           Case 2:
           If the filtered record set consists exclusively of one or more GNS2DNS records
           resolution continues with DNS.
           Details are described in <xref target="gns2dns_processing" />.
         </li>
         <li>
           Case 3:
           If the remainder of the name to be resolved is of the format
           "_SERVICE._PROTO" and the record set contains one or more matching BOX
           records, the records in the BOX records are the final result and the recursion
           is concluded as described in <xref target="box_processing" />.
         </li>
         <li>
           Case 4:
           If the current record set
           consist of a single delegation record,
           resolution of the remainder of the name is delegated to
           the target zone as described in <xref target="delegation_processing" />.
         </li>
         <li>
           Case 5:
           If the remainder of the name to resolve is empty
           the record set is the final result.
           If any NICK records are in the final result set, it <bcp14>MUST</bcp14> be
           processed according to <xref target="nick_processing" />.
           Otherwise, the final result set is returned.
         </li>
         <li>
           Finally, if none of the above is applicable resolution fails and the
           resolver <bcp14>MUST</bcp14> return an empty record set.
         </li>
        </ul>
         <section anchor="redirect_processing" numbered="true" toc="default">
           <name>REDIRECT</name>
           <t>
             If the remaining name is empty and the desired record type is
             REDIRECT, in which case the resolution concludes with the REDIRECT record.
             If the rightmost label of the redirect name is the extension label
             (U+002B, "+"),
             resolution continues in GNS with the new name in the
             current zone.
             Otherwise, the resulting name is resolved via the
             default operating system name resolution process.
             This can in turn trigger a GNS name resolution process depending
             on the system configuration.
             In case resolution continues in DNS, the name <bcp14>MUST</bcp14> first be
             converted to an IDNA compliant representation <xref target="RFC5890" />.
           </t>
           <t>
             In order to prevent infinite loops, the resolver <bcp14>MUST</bcp14>
             implement loop detection or limit the number of recursive
             resolution steps.
             The loop detection <bcp14>MUST</bcp14> be effective even
             if a REDIRECT found in GNS triggers subsequent GNS lookups via
             the default operating system name resolution process.
           </t>
         </section>
         <section anchor="gns2dns_processing" numbered="true" toc="default">
           <name>GNS2DNS</name>
           <t>
             When a resolver encounters one or more GNS2DNS records and the remaining name
             is empty and the desired record type is GNS2DNS, the GNS2DNS
             records are returned.
           </t>
           <t>
             Otherwise, it is expected that the resolver first resolves the
             IP addresses of the specified DNS name servers.
             The DNS name <bcp14>MUST</bcp14> be converted to an IDNA compliant
             representation <xref target="RFC5890" /> for resolution in DNS.
             GNS2DNS records <bcp14>MAY</bcp14>
             contain numeric IPv4 or IPv6 addresses, allowing the resolver to
             skip this step.
             The DNS server names might themselves be names in GNS or DNS.
             If the rightmost label of the DNS server name is the extension label
             (U+002B, "+"), the rest of the name is to be
             interpreted relative to the zone of the GNS2DNS record.
             If the DNS server name ends in a label representation of a
             zone key, the DNS server name is to be resolved against
             the GNS zone zk.
           </t>
           <t>
             Multiple GNS2DNS records can be stored under the same label,
             in which case the resolver <bcp14>MUST</bcp14> try all of them.
             The resolver <bcp14>MAY</bcp14> try them in any order or even in parallel.
             If multiple GNS2DNS records are present, the DNS name <bcp14>MUST</bcp14> be
             identical for all of them. Otherwise, it is not clear which name
             the resolver is supposed to follow. If multiple DNS names are
             present the resolution fails and an
             appropriate error is <bcp14>SHOULD</bcp14> be returned to the application.
           </t>
           <t>
             If there are DNSSEC DS records or any other records used to
             secure the connection with the DNS servers stored under the label,
             the DNS resolver <bcp14>SHOULD</bcp14> use them to secure the connection with
             the DNS server.
           </t>
           <t>
             Once the IP addresses of the DNS servers have been determined,
             the DNS name from the GNS2DNS record is appended
             to the remainder of the name to be resolved, and
             resolved by querying the DNS name server(s).
             The synthesized name has to be converted to an IDNA compliant
             representation <xref target="RFC5890" /> for resolution in DNS.
             If such a conversion is not possible, the resolution <bcp14>MUST</bcp14> be aborted
             and an error <bcp14>MUST</bcp14> be returned. The information that the critical
             record could not be processed <bcp14>SHOULD</bcp14> be returned in the error
             description. The implementation <bcp14>MAY</bcp14> choose not to return the reason for the failure,
             merely complicating troubleshooting for the user.
           </t>
           <t>
             As the DNS servers
             specified are possibly authoritative DNS servers, the GNS resolver <bcp14>MUST</bcp14>
             support recursive DNS resolution and <bcp14>MUST NOT</bcp14> delegate this to the
             authoritative DNS servers.
             The first successful recursive name resolution result
             is returned to the application.
             In addition, the resolver <bcp14>SHOULD</bcp14> return the queried DNS name as a
             supplemental LEHO record (see <xref target="gnsrecords_leho" />) with a
             relative expiration time of one hour.
           </t>
           <t>
             Once the transition from GNS into DNS is made through a
             GNS2DNS record, there is no "going back".
             The (possibly recursive) resolution of the DNS name <bcp14>MUST NOT</bcp14>
             delegate back into GNS and should only follow the DNS specifications.
             For example, names contained in DNS CNAME records <bcp14>MUST NOT</bcp14> be
             interpreted by resolvers that support both DNS and GNS as GNS names.
           </t>
           <t>
             GNS resolvers <bcp14>SHOULD</bcp14> offer a configuration
             option to disable DNS processing to avoid information leakage
             and provide a consistent security profile for all name resolutions.
             Such resolvers would return an empty record set upon encountering
             a GNS2DNS record during the recursion. However, if GNS2DNS records
             are encountered in the record set for the apex label and a GNS2DNS record
             is explicitly requested by the application, such records <bcp14>MUST</bcp14>
             still be returned, even if DNS support is disabled by the
             GNS resolver configuration.
           </t>
           <!-- FIXME: State the DNS resolution never "returns" to GNS. -->
         </section>
         <section anchor="box_processing" numbered="true" toc="default">
           <name>BOX</name>
           <t>
             When a BOX record is received, a GNS resolver must unbox it if the
             name to be resolved continues with "_SERVICE._PROTO".
             Otherwise, the BOX record is to be left untouched. This way, TLSA
             (and SRV) records do not require a separate network request, and
             TLSA records become inseparable from the corresponding address
             records.
           </t>
         </section>
         <section anchor="delegation_processing" numbered="true" toc="default">
           <name>Zone Delegation Records</name>
           <t>
             When the resolver encounters a record of a supported
             zone delegation record type (such as PKEY or EDKEY)
             and the remainder of the name is not empty, resolution continues
             recursively with the remainder of the name in the
             GNS zone specified in the delegation record.
           </t>
           <t>
             Whenever a resolver encounters a new GNS zone, it <bcp14>MUST</bcp14>
             check against the local revocation list whether the respective
             zone key has been revoked. If the zone key was revoked, the
             resolution <bcp14>MUST</bcp14> fail with an empty result set.
           </t>
           <t>
             Implementations <bcp14>MUST NOT</bcp14> allow multiple different zone
             delegations under a single label.
             Implementations <bcp14>MAY</bcp14> support any subset of ztypes.
             Handling of
             Implementations <bcp14>MUST NOT</bcp14> process zone delegation for the apex
             label "@". Upon encountering a zone delegation record under
             this label, resolution fails and an error <bcp14>MUST</bcp14> be returned. The
             implementation <bcp14>MAY</bcp14> choose not to return the reason for the failure,
             merely impacting troubleshooting information for the user.
           </t>
           <t>
             If the remainder of the name to resolve is empty and a record set
             was received containing only a single delegation record, the
             recursion is continued with the record value as authoritative zone
             and the apex label "@" as remaining name.
             Except in the case where the desired record type as specified by
             the application is equal to the ztype, in which case the delegation
             record is returned.
           </t>
         </section>
         <section anchor="nick_processing" numbered="true" toc="default">
           <name>NICK</name>
           <t>
             NICK records are only relevant to the recursive resolver
             if the record set in question is the final result which is to
             be returned to the application. The encountered NICK records can either
             be supplemental (see <xref target="rrecords"/>) or
             non-supplemental.
             If the NICK record is supplemental, the resolver only returns the
             record set if one of the non-supplemental records matches the
             queried record type.
             It is possible that one record set contains both supplemental
             and non-supplemental NICK records.
           </t>
           <t>
             The differentiation between a supplemental and non-supplemental
             NICK record allows the application to match the record to the
             authoritative zone. Consider the following example:
           </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
Query: alice.example (type=A)
Result:
A: 192.0.2.1
NICK: eve (non-Supplemental)
         ]]></artwork>
        <t>
          In this example, the returned NICK record is non-supplemental.
          For the application, this means that the NICK belongs to the zone
          "alice.example" and is published under the apex label along with an A
          record. The NICK record is interpreted as: The zone defined by
          "alice.example" wants to be referred to as "eve".
          In contrast, consider the following:
        </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
Query: alice.example (type=AAAA)
Result:
AAAA: 2001:DB8::1
NICK: john (Supplemental)
         ]]></artwork>
     <t>
       In this case, the NICK record is marked as supplemental. This means that
       the NICK record belongs to the zone "example" and is published under the
       label "alice" along with an A record. The NICK record should be
       interpreted as: The zone defined by "example" wants to be referred to as
       "john". This distinction is likely useful for other records published as
       supplemental.
      </t>


         </section>
       </section>
     </section>
     <section anchor="encoding" numbered="true" toc="default">
       <name>Internationalization and Character Encoding</name>
       <t>
         All names in GNS are encoded in UTF-8 <xref target="RFC3629" />.
         Labels <bcp14>MUST</bcp14> be canonicalized using
         Normalization Form C (NFC) <xref target="Unicode-UAX15"/>.
         This does not include any DNS names found in DNS records, such as CNAME
         record data, which is internationalized through the IDNA specifications
         <xref target="RFC5890" />.
       </t>
     </section>
     <section anchor="security" numbered="true" toc="default">
       <name>Security and Privacy Considerations</name>
       <section anchor="security_availability" numbered="true" toc="default">
         <name>Availability</name>
         <t>
           In order to ensure availability of records beyond their
           absolute expiration times, implementations <bcp14>MAY</bcp14> allow to locally
           define relative expiration time values of records.
           Records can then be published recurringly with updated
           absolute expiration times by the implementation.
         </t>
         <t>
           Implementations <bcp14>MAY</bcp14> allow users to manage private records in
           their zones that are not published in the storage.
           Private records are considered just like
           regular records when resolving labels in local zones,
           but their data is completely unavailable to non-local users.
         </t>
       </section>
       <section anchor="security_agility" numbered="true" toc="default">
         <name>Agility</name>
         <t>
           The security of cryptographic systems depends on both the strength of
           the cryptographic algorithms chosen and the strength of the keys used
           with those algorithms.  The security also depends on the engineering
           of the protocol used by the system to ensure that there are no
           non-cryptographic ways to bypass the security of the overall system.
           This is why developers of applications managing GNS zones <bcp14>SHOULD</bcp14>
           select a default ztype considered secure at the time of
           releasing the software.
           For applications targeting end users that are not expected to
           understand cryptography, the application developer <bcp14>MUST NOT</bcp14> leave
           the ztype selection of new zones to end users.
         </t>
         <t>
           This document concerns itself with the selection of cryptographic
           algorithms used in GNS.
           The algorithms identified in this document are not known to be
           broken (in the cryptographic sense) at the current time, and
           cryptographic research so far leads us to believe that they are
           likely to remain secure into the foreseeable future.  However, this
           is not necessarily forever, and it is expected that new revisions of
           this document will be issued from time to time to reflect the current
           best practices in this area.
         </t>
         <t>
           In terms of crypto-agility, whenever the need for an updated cryptographic
           scheme arises to, for example, replace ECDSA over Ed25519 for
           PKEY records it can simply be introduced
           through a new record type.
           Zone administrators can then replace
           the delegation record type for future records.
           The old record type remains
           and zones can iteratively migrate to the updated zone keys.
           To ensure that implementations correctly generate an error message
           when encountering a ztype that they do not support,
           current and future delegation records must always have the
           CRITICAL flag set.
         </t>
       </section>
       <section anchor="security_cryptography" numbered="true" toc="default">
         <name>Cryptography</name>
         <t>
           The following considerations provide background on the design choices
           of the ztypes specified in this document.
           When specifying new ztypes as per <xref target="zones"/>, the same
           considerations apply.
         </t>
         <t>
           GNS PKEY zone keys use ECDSA over Ed25519.
           This is an unconventional choice,
           as ECDSA is usually used with other curves.  However, standardized
           ECDSA curves are problematic for a range of reasons described in
           the Curve25519 and EdDSA papers <xref target="ed25519"/>.
           Using EdDSA directly is also
           not possible, as a hash function is used on the private key which
           destroys the linearity that the key blinding in GNS depends upon.
           We are not aware of anyone suggesting that using Ed25519 instead
           of another common curve of similar size would lower the security of
           ECDSA.  GNS uses 256-bit curves because that way the encoded (public)
           keys fit into a single DNS label, which is good for usability.
         </t>
         <t>
           In order to ensure ciphertext indistinguishability, care must be
           taken with respect to the initialization vector in the counter
           block. In our design, the IV always includes the expiration time of the
           record block.
           When applications store records with relative expiration times,
           monotonicity is implicitly
           ensured because each time a block is published into the storage, its IV is
           unique as the expiration time is calculated dynamically and increases
           monotonically with the system time. Still,
           an implementation <bcp14>MUST</bcp14> ensure that when relative expiration times
           are decreased, the expiration time of the next record block <bcp14>MUST</bcp14>
           be after the last published block.
           For records where an absolute expiration time is used, the implementation
           <bcp14>MUST</bcp14> ensure that the expiration time is always increased when the record
           data changes. For example, the expiration time on the wire could be increased
           by a single microsecond even if the user did not request a change.
           In case of deletion of all resource records under a label, the
           implementation <bcp14>MUST</bcp14> keep track of the last absolute expiration time
           of the last published resource block.  Implementations <bcp14>MAY</bcp14> define 
           and use a special record type as a tombstone that preserves the last
           absolute expiration time, but then <bcp14>MUST</bcp14> take care to not publish a
           block with this record.
           When new records are added under this label later, the implementation
           <bcp14>MUST</bcp14> ensure that the expiration times are after the last published
           block.
           Finally, in order to ensure monotonically increasing expiration times
           the implementation <bcp14>MUST</bcp14> keep a local record of the last time obtained
           from the system clock, so as to construct a monotonic clock in case
           the system clock jumps backwards.
         </t>
       </section>
       <section anchor="security_abuse" numbered="true" toc="default">
         <name>Abuse Mitigation</name>
         <t>
           GNS names are UTF-8 strings. Consequently, GNS faces similar issues
           with respect to name spoofing as DNS does for internationalized
           domain names.
           In DNS, attackers can register similar sounding or looking
           names (see above) in order to execute phishing attacks.
           GNS zone administrators must take into account this attack vector and
           incorporate rules in order to mitigate it.
         </t>
         <t>
           Further, DNS can be used to combat illegal content on the internet
           by having the respective domains seized by authorities.
           However, the same mechanisms can also be abused in order to impose
           state censorship.
           Avoiding that possibility is one of the motivations behind GNS.
           In GNS, TLDs are not enumerable. By design, the start zone of
           the resolver is defined locally and hence such a seizure is
           difficult and ineffective in GNS.
           <!--In particular, GNS does not support WHOIS (<xref target="RFC3912" />).-->
         </t>
       </section>
       <section anchor="security_keymanagement" numbered="true" toc="default">
         <name>Zone Management</name>
         <t>
           In GNS, zone administrators need to manage and protect their zone
           keys. Once a zone key is lost, it cannot be recovered or revoked.
           Revocation messages can be pre-calculated if revocation is
           required in case a zone key is lost.
           Zone administrators, and for GNS this includes end-users, are
           required to responsibly and diligently protect their cryptographic
           keys.
           GNS supports signing records in advance ("offline") in order to
           support processes which aim to protect private keys such as air gaps.
           <!-- It does not support separate zone signing and key-signing keys
           (as in <xref target="RFC6781" />) in order to provide usable security. This is not useful for any implementer -->
         </t>
         <t>
           Similarly, users are required to manage their local start zone configuration.
           In order to ensure integrity and availability or names, users must
           ensure that their local start zone information is not compromised or
           outdated.
           It can be expected that the processing of zone revocations and an
           initial start zone is provided with a GNS implementation
           ("drop shipping").
           Shipping an initial start zone configuration effectively establishes
           a root zone.
           Extension and customization of the zone is at the full discretion of
           the user.
         </t>
         <t>
           While implementations following this specification will be
           interoperable, if two implementations connect to different storages
           they are mutually unreachable.
           This can lead to a state where a record exists in the global
           namespace for a particular name, but the implementation is not
           communicating with the storage and is hence unable to resolve it.
           This situation is similar to a split-horizon DNS configuration.
           Which storages are implemented usually depends on the application
           it is built for.
           The storage used will most likely depend on the specific application
           context using GNS resolution.
           For example, one application is the resolution of hidden services
           within the Tor network, which would suggest using Tor routers for storage.
           <!-- FIXME: add non-normative reference to Tor / Tor hidden services here? -->
           Implementations of "aggregated" storages are conceivable, but
           are expected to be the exception.
         </t>
       </section>
       <section anchor="security_dht" numbered="true" toc="default">
         <name>DHTs as Storage</name>
         <t>
           This document does not specify the properties of the underlying
           storage which is required by any GNS implementation.
           It is important to note that the properties of the underlying
           storage are directly inherited by the
           GNS implementation. This includes both security as well as
           other non-functional properties such as scalability and performance.
           Implementers should take great care when selecting or implementing
           a DHT for use as storage in a GNS implementation.
           DHTs with reasonable security and performance properties exist
           <xref target="R5N"/>.
           It should also be taken into consideration that GNS implementations
           which build upon different DHT overlays are unlikely to be
           interoperable with each other.
         </t>
       </section>
       <section anchor="security_rev" numbered="true" toc="default">
         <name>Revocations</name>
         <t>
           Zone administrators are advised to pre-generate zone revocations
           and to securely store the revocation information in case the zone
           key is lost, compromised or replaced in the future.
           Pre-calculated revocations can cease to be valid due to expirations
           or protocol changes such as epoch adjustments.
           Consequently, implementers and users must take precautions in order
           to manage revocations accordingly.
         </t>
         <t>
           Revocation payloads do not include a 'new' key for key replacement.
           Inclusion of such a key would have two major disadvantages:
         </t>
         <ol>
           <li>
           If a revocation is published after a private key was compromised,
           allowing key replacement would be dangerous: if an
           adversary took over the private key, the adversary could then
           broadcast a revocation with a key replacement. For the replacement,
           the compromised owner would have no chance to issue even a
           revocation. Thus, allowing a revocation message to replace a private
           key makes dealing with key compromise situations worse.
           </li>
           <li>
           Sometimes, key revocations are used with the objective of changing
           cryptosystems. Migration to another cryptosystem by replacing keys
           via a revocation message would only be secure as long as both
           cryptosystems are still secure against forgery. Such a planned,
           non-emergency migration to another cryptosystem should be done by
           running zones for both cipher systems in parallel for a while. The
           migration would conclude by revoking the legacy zone key only once
           it is deemed no longer secure, and hopefully after most users have
           migrated to the replacement.
           </li>
         </ol>
       </section>
       <section anchor="privacy_labels" numbered="true" toc="default">
         <name>Zone Privacy</name>
         <t>
           GNS does not support authenticated denial of existence of names
           within a zone.
           Record blocks are published in encrypted form using keys derived from the
           zone key and record label. Zone administrators should
           carefully consider if the label and zone key is public or if
           those should be used and considered as a shared secret.
           Unlike zone keys, labels can also be guessed by
           an attacker in the network observing queries and responses. Given
           a known and targeted zone key, the use of well known or easily guessable
           labels effectively results in general disclosure of the records to
           the public.
           If the labels and hence the records should be kept secret except to
           those knowing a secret label and the zone in which to look, the
           label must be chosen accordingly. It is recommended to then use a
           label with sufficient entropy as to prevent guessing attacks.
         </t>
         <t>
           It should be noted that this attack on labels only applies if the
           zone key is somehow disclosed to the adversary. GNS itself
           does not disclose it during a lookup or when resource records are
           published as the zone keys are blinded beforehand.  However,
           zone keys do become public during revocation.
         </t>
       </section>
       <section anchor="sec_governance">
         <name>Zone Governance</name>
         <t>
           While DNS is distributed, in practice it
           relies on centralized, trusted registrars to provide globally unique
           names. As the awareness of the central role DNS plays on the Internet
           rises, various institutions are using their power (including legal means)
           to engage in attacks on the DNS, thus threatening the global availability
           and integrity of information on the Internet.
           While a wider discussion of this issue is out of scope for this document,
           analyses and investigations can be found in recent academic research
           works including <xref target="SecureNS"/>.
         </t>
         <t>
           GNS is designed to provide a secure, privacy-enhancing alternative to the
           DNS name resolution protocol, especially when censorship or manipulation
           is encountered.
           In particular, it directly addresses concerns in DNS with respect to
           query privacy.
           However, depending on the governance of the root zone, any deployment
           will likely suffer from the issues of a
           "Single Hierarchy with a Centrally Controlled Root" and
           "Distribution and Management of Root Servers" as raised in
           <xref target="RFC8324"/>.
           In the Domain Name System root zone governance is centralized at the
           Internet Corporation for Assigned Names and Numbers (ICANN).
           GNS can be used to leverage the transitivity in the SDSI design to
           replace the trusted root with secure delegation of authority thus
           making petnames useful to other users while operating under a very
           strong adversary model.
           By building on the ideas from SDSI, GNS allows to address a central
           issue with the decentralized mapping of secure identifiers to memorable
           names: namely the impossiblity of providing a global, secure and
           memorable mapping without a trusted authority.
         </t>
         <t>
           Any GNS implementation <bcp14>MAY</bcp14> provide a default
           governance model in the form of an initial start zone mapping.
         </t>
       </section>
       <section anchor="namespace_ambiguity">
         <name>Namespace Ambiguity</name>
         <t>
           Technically, the GNS protocol can be used to resolve names in the
           namespace of the global DNS.
           However, this would require the respective governance bodies and
           stakeholders to standardize the use of GNS for this particular use
           case and publish their zones accordingly.
         </t>
         <t>
           However, this capability  means that by definition GNS names may be
           indistinguishable from DNS names in their
           respective common display format <xref target="RFC8499"/> or
           other special-use domain names <xref target="RFC6761"/> given
           a local GNS start zone configuration that maps suffixes from the
           global DNS to GNS zones.
           For applications, it is then ambiguous which name system should be
           used in order to resolve a given name.
           This poses a risk when trying to resolve a name through DNS when
           it is actually a GNS name.
           In such a case, the GNS name is likely to be leaked as part of the DNS
           resolution.
         </t>
         <t>
           In order to prevent disclosure of queried GNS names it is
           <bcp14>RECOMMENDED</bcp14> that GNS-aware applications try to resolve
           a given name in GNS before any other method taking into account
           potential suffix-to-zone mappings and zTLDs.
           Suffix-to-zone mappings are expected to be configured by the user or
           local administrator and as such the resolution in GNS is
           in line with user expectations even if the name could also be resolved
           through DNS.
           If no suffix-to-zone mapping for the name exists and no zTLD is found,
           resolution <bcp14>MAY</bcp14> continue with other methods such as DNS.
           If a suffix-to-zone mapping for the name exists or the name ends with
           a zTLD, it <bcp14>MUST</bcp14> be resolved using GNS and
           resolution <bcp14>MUST NOT</bcp14> continue by any other means
           independent of the GNS resolution result.
         </t>
         <t>
           Mechanisms such as the Name Service Switch (NSS) of Unix-like
           operating systems are an example of how such a resolution process
           can be implemented and used.
           It allows system administrators to configure host name resolution
           precedence and is integrated with the system resolver implementation.
         </t>
         <t>
           The user or system administrator <bcp14>MAY</bcp14> configure one or
           more unique suffixes for all suffix-to-zone mappings.
           If this suffix is a special-use domain name for GNS or an unreserved
           DNS TLD, this prevents namespace ambiguity through local configuration.
         </t>
       </section>
     </section>
     <section anchor="gana" numbered="true" toc="default">
       <name>GANA Considerations</name>
       <t>
         GANA <xref target="GANA" />
         manages the "GNU Name System Record Types" registry.
         Each entry has the following format:
       </t>
       <ul>
         <li>Name: The name of the record type (case-insensitive ASCII
           string, restricted to alphanumeric characters. For zone delegation
       records, the assigned number represents the ztype value of the zone.</li>
         <li>Number: 32-bit, above 65535</li>
         <li>Comment: Optionally, a brief English text describing the purpose of
           the record type (in UTF-8)</li>
         <li>Contact: Optionally, the contact information of a person to contact for
           further information.</li>
         <li>References: Optionally, references describing the record type
           (such as an RFC)</li>
       </ul>
       <t>
         The registration policy for this registry is "First Come First
         Served". This policy is modeled on that described in <xref target="RFC8126"/>,
         and describes the actions taken by GANA:
       </t>
       <t>
         <!-- FIXME: Unclear who are the experts how are they selected and
         by whom? GNUnet e.V. Politbüro? The DAO?
         Unreserved/Reserved for private use record type range? -->
         Adding new records is possible after expert review, using a
         first-come-first-served policy for unique name allocation.
         Experts are responsible to ensure that the chosen "Name" is
         appropriate for the record type.
         The registry will assign a unique number for the entry.
       </t>
       <t>
         The current contact(s) for expert review are reachable at
         gns-registry@gnunet.org.
       </t>
       <t>
         Any request <bcp14>MUST</bcp14> contain a unique name and a point of contact.
         The contact information <bcp14>MAY</bcp14> be added to the registry given the consent
         of the requester.
         The request <bcp14>MAY</bcp14> optionally also contain relevant references as well
         as a descriptive comment as defined above.
       </t>
       <t>
         GANA has assigned numbers for the record types defined in this
         specification in the "GNU Name System Record Types" registry
         as listed in <xref target="figure_rrtypenums"/>.
       </t>
       <figure anchor="figure_rrtypenums" title="The GANA Resource Record Registry.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
Number | Name    | Contact | References | Comment
-------+---------+---------+------------+-------------------------
65536  | PKEY    | N/A     | [This.I-D] | GNS zone delegation (PKEY)
65537  | NICK    | N/A     | [This.I-D] | GNS zone nickname
65538  | LEHO    | N/A     | [This.I-D] | GNS legacy hostname
65540  | GNS2DNS | N/A     | [This.I-D] | Delegation to DNS
65541  | BOX     | N/A     | [This.I-D] | Boxed records
65551  | REDIRECT| N/A     | [This.I-D] | Redirection record.
65556  | EDKEY   | N/A     | [This.I-D] | GNS zone delegation (EDKEY)
           ]]></artwork>
       </figure>
       <t>
         GANA has assigned signature purposes in its
         "GNUnet Signature Purpose" registry as listed in
         <xref target="figure_purposenums"/>.
       </t>
       <figure anchor="figure_purposenums" title="Requested Changes in the GANA GNUnet Signature Purpose Registry.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
Purpose | Name            | References | Comment
--------+-----------------+------------+--------------------------
  3     | GNS_REVOCATION  | [This.I-D] | GNS zone key revocation
 15     | GNS_RECORD_SIGN | [This.I-D] | GNS record set signature
           ]]></artwork>
       </figure>
     </section>
     <!-- gana -->
     <section>
       <name>IANA Considerations</name>
       <t>
         This document makes no requests for IANA action.
         This section may be removed on publication as an RFC.
       </t>
     </section>
     <section>
       <name>Implementation and Deployment Status</name>
       <t>
         There are two implementations conforming to this specification written
         in C and Go, respectively. The C implementation as part of GNUnet
         <xref target="GNUnetGNS"/> represents the original
         and reference implementation. The Go implementation
         <xref target="GoGNS"/> demonstrates how two implementations of GNS are
         interoperable if they are built on top of the same underlying
         DHT storage.
       </t>
       <t>
         Currently, the GNUnet peer-to-peer network <xref target="GNUnet"/>
         is an active deployment of GNS on top of its <xref target="R5N"/>
         DHT. The <xref target="GoGNS"/> implementation uses this deployment
         by building on top of the GNUnet DHT services available on any
         GNUnet peer. It shows how GNS implementations
         can attach to this existing deployment and participate in name
         resolution as well as zone publication.
       </t>
       <t>
         The self-sovereign identity system re:claimID <xref target="reclaim"/>
         is using GNS in order to selectively share identity attributes and
         attestations with third parties.
       </t>
       <t>
         The Ascension tool <xref target="Ascension"/> facilitates the migration of DNS zones to
         GNS zones by translating information retrieved from a DNS zone
         transfer into a GNS zone.
       </t>
     </section>
     <section>
        <name>Acknowledgements</name>
        <t>
          The authors thank all reviewers for their comments. In particular,
          we thank D. J. Bernstein, S. Bortzmeyer, A. Farrel, E. Lear and R. Salz for their
          insightful and detailed technical reviews. We thank J. Yao and J. Klensin for the
          internationalization reviews. We thank NLnet and NGI DISCOVERY for funding
          work on the GNU Name System.
        </t>
     </section>
   </middle>
   <back>
     <references>
       <name>Normative References</name>

       &RFC1034;
       &RFC1035;
       &RFC2782;
       &RFC2119;
       &RFC3629;
       &RFC3686;
       &RFC3826;
       &RFC5237;
       &RFC5869;
       &RFC5890;
       &RFC5895;
       &RFC6234;
       &RFC6895;
       &RFC6979;
       &RFC7748;
       &RFC8032;
       &RFC8126;
       &RFC8174;
       &RFC8499;
       &RFC9106;

       <reference anchor="GANA" target="https://gana.gnunet.org/">
         <front>
           <title>GNUnet Assigned Numbers Authority (GANA)</title>
           <author><organization>GNUnet e.V.</organization>
           </author>
           <date month="April" year="2020" />
         </front>
       </reference>

       <reference anchor="MODES" target="https://doi.org/10.6028/NIST.SP.800-38A">
         <front>
           <title>Recommendation for Block Cipher Modes of Operation: Methods and Techniques</title>
          <author initials="M." surname="Dworkin" fullname="Morris Dworkin">
            <organization>NIST</organization>
          </author>

           <date year="2001" month="December"/>
           <abstract>
             <t>
               This recommendation defines five confidentiality modes of operation for use with an underlying symmetric key block cipher algorithm: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). Used with an underlying block cipher algorithm that is approved in a Federal Information Processing Standard (FIPS), these modes can provide cryptographic protection for sensitive, but unclassified, computer data.
             </t>
           </abstract>
         </front>
       </reference>
       <!--       <reference anchor="GCM" target="https://doi.org/10.6028/NIST.SP.800-38D">
         <front>
           <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title>
          <author initials="M." surname="Dworkin" fullname="Morris Dworkin">
            <organization>NIST</organization>
          </author>

           <date year="2007" month="November"/>
           <abstract>
             <t>
               This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with associated data, and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not encrypted. GCM and GMAC are modes of operation for an underlying approved symmetric key block cipher.
             </t>
           </abstract>
         </front>
       </reference>-->
      <reference anchor="CrockfordB32" target="https://www.crockford.com/base32.html">
         <front>
           <title>Base32</title>
          <author initials="D." surname="Douglas" fullname="Crockford">
          </author>

           <date year="2019" month="March"/>
         </front>
       </reference>
       <reference anchor="XSalsa20" target="https://cr.yp.to/snuffle/xsalsa-20110204.pdf">
         <front>
           <title>Extending the Salsa20 nonce</title>
          <author initials="D." surname="Bernstein" fullname="Daniel Bernstein">
            <organization>University of Illinois at Chicago</organization>
          </author>
           <date year="2011"/>
         </front>
       </reference>
       <reference anchor="Unicode-UAX15" target="http://www.unicode.org/reports/tr15/tr15-31.html">
         <front>
           <title>Unicode Standard Annex #15: Unicode Normalization Forms, Revision 31</title>
          <author>
            <organization>The Unicode Consortium</organization>
          </author>
           <date year="2009" month="September"/>
         </front>
       </reference>
       <reference anchor="Unicode-UTS46" target="https://www.unicode.org/reports/tr46">
         <front>
           <title>Unicode Technical Standard #46: Unicode IDNA Compatibility Processing, Revision 27</title>
          <author>
            <organization>The Unicode Consortium</organization>
          </author>
           <date year="2021" month="August"/>
         </front>
       </reference>




             <!--    <reference anchor="ISO20022">
         <front>
         <title>ISO 20022 Financial Services - Universal financial industry message scheme</title>
         <author>
         <organization>International Organization for Standardization</organization>
         <address>
         <uri>http://www.iso.ch</uri>
         </address>
         </author>
         <date month="May" year="2013"/>
         </front>
       </reference>-->
     </references>
     <references>
       <name>Informative References</name>
         &RFC1928;
         &RFC4033;
         &RFC6066;
         &RFC7363;
         &RFC8324;
         &RFC8806;
         &RFC6761;

       <!--         &RFC3912;-->

       <reference anchor="Tor224" target="https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt#n2135">
         <front>
           <title>Next-Generation Hidden Services in Tor</title>
          <author initials="D." surname="Goulet" fullname="David Goulet">
          </author>
          <author initials="G." surname="Kadianakis" fullname="George Kadianakis">
          </author>
          <author initials="N." surname="Mathewson" fullname="Nick Mathewson">
          </author>

           <date year="2013" month="November"/>
         </front>
       </reference>
       <reference anchor="SDSI" target="http://people.csail.mit.edu/rivest/Sdsi10.ps">
         <front>
           <title>SDSI - A Simple Distributed Security Infrastructure</title>
           <author initials="R." surname="Rivest" fullname="Ron Rivest">
           </author>
           <author initials="B." surname="Lampson" fullname="Butler Lampson">
           </author>
           <date year="1996" month="April"/>
        </front>
       </reference>
       <reference anchor="Kademlia" target="http://css.csail.mit.edu/6.824/2014/papers/kademlia.pdf">
         <front>
           <title>Kademlia: A peer-to-peer information system based on the xor metric.</title>
          <author initials="P." surname="Maymounkov" fullname="Petar Maymounkov">
          </author>

          <author initials="D." surname="Mazieres"
            fullname="David Mazieres">
        </author>
           <date year="2002"/>
         </front>
       </reference>
       <!--<reference anchor="Ipfs" target="https://arxiv.org/pdf/1407.3561">
         <front>
           <title>Ipfs-content addressed, versioned, p2p file system.</title>
          <author initials="J." surname="Benet" fullname="Juan Benet">
          </author>
           <date year="2014"/>
         </front>
       </reference>
       -->

       <reference anchor="ed25519" target="https://ed25519.cr.yp.to/ed25519-20110926.pdf">
         <front>
           <title>High-Speed High-Security Signatures</title>
          <author initials="D." surname="Bernstein" fullname="Daniel Bernstein">
            <organization>University of Illinois at Chicago</organization>
          </author>

          <author initials="N." surname="Duif"
            fullname="Niels Duif">
          <organization>Technische Universiteit Eindhoven</organization>

        </author>
          <author initials="T." surname="Lange"
            fullname="Tanja Lange">
          <organization>Technische Universiteit Eindhoven</organization>

          </author>
          <author initials="P." surname="Schwabe"
            fullname="Peter Schwabe">
          <organization>National Taiwan University</organization>

          </author>
          <author initials="B." surname="Yang"
            fullname="Bo-Yin Yang">
          <organization>Academia Sinica</organization>

          </author>
           <date year="2011"/>
         </front>
       </reference>
       <reference anchor="GNS" target="https://sci-hub.st/10.1007/978-3-319-12280-9_9">
         <front>
           <title>A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name System</title>
          <author initials="M." surname="Wachs" fullname="Matthias Wachs">
            <organization>Technische Universität München</organization>
          </author>

          <author initials="M." surname="Schanzenbach" fullname="Martin Schanzenbach">
            <organization>Technische Universität München</organization>
          </author>

          <author initials="C." surname="Grothoff"
            fullname="Christian Grothoff">
          <organization>Technische Universität München</organization>
          </author>
           <date year="2014"/>
         </front>
       </reference>
      <reference anchor="R5N" target="https://sci-hub.st/10.1109/ICNSS.2011.6060022">
         <front>
           <title>R5N: Randomized recursive routing for restricted-route networks</title>
          <author initials="N. S." surname="Evans" fullname="Nathan S. Evans">
            <organization>Technische Universität München</organization>
          </author>

          <author initials="C." surname="Grothoff"
            fullname="Christian Grothoff">
          <organization>Technische Universität München</organization>
          </author>
           <date year="2011"/>
         </front>
       </reference>
       <reference anchor="SecureNS" target="https://sci-hub.st/https://doi.org/10.1016/j.cose.2018.01.018">
         <front>
           <title>Towards secure name resolution on the Internet</title>
          <author initials="C." surname="Grothoff"
            fullname="Christian Grothoff">
          <organization>Bern University of Applied Sciences</organization>
          </author>
          <author initials="M." surname="Wachs"
            fullname="Matthias Wachs">
          <organization>Technische Universität München</organization>
          </author>
          <author initials="M." surname="Ermert"
            fullname="Monika Ermert">
          </author>

          <author initials="J." surname="Appelbaum"
            fullname="Jacob Appelbaum">
          <organization>TU Eindhoven</organization>
          </author>
           <date year="2018"/>
         </front>
       </reference>

       <reference anchor="GNUnetGNS" target="https://git.gnunet.org/gnunet.git/tree/src/gns">
         <front>
           <title>The GNUnet GNS Implementation</title>
          <author>
            <organization>GNUnet e.V.</organization>
          </author>
        </front>
       </reference>
       <reference anchor="Ascension" target="https://git.gnunet.org/ascension.git">
         <front>
           <title>The Ascension Implementation</title>
          <author>
            <organization>GNUnet e.V.</organization>
          </author>
        </front>
       </reference>

       <reference anchor="GNUnet" target="https://gnunet.org">
         <front>
           <title>The GNUnet Project</title>
          <author>
            <organization>GNUnet e.V.</organization>
          </author>
        </front>
      </reference>
       <reference anchor="reclaim" target="https://reclaim.gnunet.org">
         <front>
           <title>The GNUnet Project</title>
          <author>
            <organization>GNUnet e.V.</organization>
          </author>
        </front>
       </reference>

       <reference anchor="GoGNS" target="https://github.com/bfix/gnunet-go/tree/master/src/gnunet/service/gns">
         <front>
           <title>The Go GNS Implementation</title>
          <author initials="B." surname="Fix" fullname="Bernd Fix">
          </author>
        </front>
       </reference>

       <reference anchor="nsswitch" target="https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html">
         <front>
           <title>System Databases and Name Service Switch</title>
           <author>
             <organization>GNU Project</organization>
           </author>
        </front>
       </reference>

     </references>
     <section>
       <name>Usage and Migration</name>
       <t>
         This section outlines a number of specific use cases which may
         help readers of the technical specification to understand the protocol
         better.
         The considerations below are not meant to be normative for the
         GNS protocol in any way.
         Instead, they are provided in order to give context and to provide
         some background on what the intended use of the protocol is
         by its designers.
         Further, this section contains pointers to migration paths.
       </t>
       <section anchor="day_in_zoneowner">
         <name>Zone Dissemination</name>
         <t>
           In order to become a zone owner, it is sufficient to generate
           a zone key and a corresponding secret key using a GNS implementation.
           At this point, the zone owner can manage GNS resource records in a
           local zone database.
           The resource records can then be published by a GNS implementation
           as defined in <xref target="publish"/>.
           For other users to resolve the resource records, respective
           zone information must be disseminated first.
           The zone owner may decide to make the zone key and labels known
           to a selected set of users only or to make this information available
           to the general public.
         </t>
         <t>
           Sharing zone information directly with specific users not only allows
           to potentially preserve zone and record privacy, but also allows
           the zone owner and the user to establish strong trust relationships.
           For example, a bank may send a customer letter with a QR code which
           contains the GNS zone of the bank.
           This allows the user to scan the QR code and establish a strong
           link to the zone of the bank and with it, for example, the IP address
           of the online banking web site.
         </t>
         <t>
           Most Internet services likely want to make their zones available
           to the general public as efficiently as possible.
           First, it is reasonable to assume that zones which are commanding
           high levels of reputation and trust are likely included in the
           default suffix-to-zone mappings of implementations.
           Hence dissemination of a zone through delegation under such zones
           can be a viable path in order to disseminate a zone publicly.
           For example, it is conceivable that organizations such as ICANN
           or country-code top-level domain registrars also manage GNS zones
           and offer registration or delegation services.
         </t>
         <t>
           Following best practices in particularly those relating to
           security and abuse mitigation are methods which allow zone owners
           and aspiring registrars to gain a good reputation and eventually
           trust.
           This includes, of course, diligent protection of private zone key
           material.
           Formalizing such best practices is out of scope of this
           specification and should be addressed in a separate document and take
           <xref target="security"/> into account.
         </t>
       </section>
       <section>
         <name>Start Zone Configuration</name>
         <t>
           A user is expected to install a GNS implementation if it is not already
           provided through other means such as the operating system
           or the browser.
           It is likely that the implementation ships with a
           default start zone configuration.
           This means that the user is able to resolve GNS names ending on a
           zTLD or ending on any suffix-to-name mapping that is part of the
           default start zone configuration.
           At this point the user may delete or otherwise modify the
           implementation's default configuration:
          </t>
          <t>
            Deletion of suffix-to-zone mappings may become necessary of the
            zone owner referenced by the mapping has lost the trust of the user.
            For example, this could be due to lax registration policies resulting
            in phishing activities.
            Modification and addition of new mappings are means to heal the
            namespace perforation which would occur in the case of a deletion
            or to simply establish a strong direct trust relationship.
            However, this requires the user's knowledge of the respective zone
            keys.
            This information must be retrieved out of band, as illustrated in
            <xref target="day_in_zoneowner"/>:
            A bank may send the user a letter with a QR code which contains the
            GNS zone of the bank.
            The user scans the QR code and adds a new suffix-to-name mapping
            using a chosen local name for his bank.
            Other examples include scanning zone information off the device of
            a friend, from a storefront, or an advertisement.
            The level of trust in the respective zone is contextual and likely
            varies from user to user.
            Trust in a zone provided through a letter from a bank which
            may also include a credit card is certainly different from a zone
            found on a random advertisement in the streets.
            However, this trust is immediately tangible to the user and can
            be reflected in the local naming as well.
          </t>
          <t>
            User clients should facilitate the modification of the start zone
            configuration, for example by providing a QR code reader or other
            import mechanisms.
            Implementations are ideally implemented
            according to best practices and addressing applicable points
            from <xref target="security"/>.
            Formalizing such best practices is out of scope of this
            specification.
         </t>
       </section>
       <section anchor="uc_virthost">
         <name>Globally Unique Names and the Web</name>
         <t>
           HTTP virtual hosting and TLS Server Name Indication are common
           use cases on the Web.
           HTTP clients supply a DNS name in the HTTP
           "Host"-header or as part of the TLS handshake, respectively.
           This allows the HTTP server to serve the indicated virtual host
           with a matching TLS certificate.
           The global uniqueness of DNS names are a prerequisite of those use cases.
         </t>
         <t>
           Not all GNS names are globally unique.
           But, any resource record in GNS can be represented as a
           concatenation of of a GNS label and the zTLD of the zone.
           While not human-readable, this globally unique GNS name can be
           leveraged in order to facilitate the same use cases.
           Consider the GNS name "www.example.gns" entered in a GNS-aware
           HTTP client.
           At first, "www.example.gns" is resolved using GNS yielding a record
           set.
           Then, the HTTP client determines the virtual host as follows:
          </t>
          <t>
            If there is a LEHO record (<xref target="gnsrecords_leho"/>)
            containing "www.example.com" in the record set, then the HTTP
            client uses this as the value of the
            "Host"-header field of the HTTP request:
          </t>
          <artwork name="" type="" align="left" alt=""><![CDATA[
GET / HTTP/1.1
Host: www.example.com
          ]]></artwork>
           <t>
              If there is no LEHO record in the record set,
              then the HTTP client tries to find the zone of the record
              and translates the GNS name into a globally unique
              zTLD-representation before using it in the "Host"-header field of
             the HTTP request:
           </t>
           <artwork name="" type="" align="left" alt=""><![CDATA[
GET / HTTP/1.1
Host: www.000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W
           ]]></artwork>
          <t>
            In order to determine the canonical representation of the record with
            a zTLD, at most two queries are required:
            First, it must be checked whether "www.example.gns" itself points to
            a zone delegation record which would imply that the record set which
            was originally resolved is published under the apex label.
            If it does, the unique GNS name is simply the zTLD representation
            of the delegated zone:
          </t>
          <artwork name="" type="" align="left" alt=""><![CDATA[
GET / HTTP/1.1
Host: 000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W
            ]]></artwork>
          <t>
            If it does not, the unique GNS name is the concatenation of the
            label "www" and the zTLD representation of the zone as given in the
            example above.
            In any case, this representation is globally unique.
            As such, it can be configured by the HTTP server administrator as a
            virtual host name and respective certificates may be issued.
          </t>
          <t>
            If the HTTP client is a browser, the use of a unique GNS name
            for virtual hosting or TLS SNI does not necessarily have to be
            shown to the user.
            For example, the name in the URL bar may remain as "www.example.gnu"
            even if the used unique name differs.
          </t>
        </section>
        <section>
          <name>Migration Paths</name>
          <t>
            DNS resolution is built into a variety of existing software
            components.
            Most significantly operating systems and HTTP clients.
            This section illustrates possible migration paths for both in order
            to enable "legacy" applications to resolve GNS names.
          </t>
          <t>
            One way to efficiently facilitate the resolution of GNS names
            are GNS-enabled DNS server implementations.
            Local DNS queries are thereby either rerouted or explicitly configured
            to be resolved by a "DNS-to-GNS" server that runs locally.
            This DNS server tries to interpret any incoming query for a name
            as a GNS resolution request.
            If no start zone can be found for the name and it does not end in
            a zTLD, the server tries to resolve the name in DNS.
            Otherwise, the name is resolved in GNS.
            In the latter case, the resulting record set is converted to a DNS
            answer packet and is returned accordingly.
            An implementation of a DNS-to-GNS server can be found in
            <xref target="GNUnet"/>.
          </t>
          <t>
            A similar approach is to use operating systems extensions such as
            the name service switch <xref target="nsswitch"/>.
            It allows the system administrator to configure plugins
            which are used for hostname resolution.
            A GNS name service switch plugin can be used in a similar fashion as
            the "DNS-to-GNS" server.
            An implementation of a glibc-compatible nsswitch plugin for GNS
            can be found in <xref target="GNUnet"/>.
          </t>
          <t>
            The methods above are usually also effective for HTTP client
            software.
            However, HTTP clients are commonly used in combination with
            TLS.
            TLS certificate validation and in particular server name indication
            (SNI) requires additional logic in HTTP clients when GNS names are
            in play (<xref target="uc_virthost"/>).
            In order to transparently enable this functionality for migration
            purposes, a local GNS-aware SOCKS5 proxy <xref target="RFC1928"/>
            can be configured to resolve domain names.
            The SOCKS5 proxy, similar to the DNS-to-GNS server, is capable
            of resolving both GNS and DNS names.
            In the event of a TLS connection request with a GNS name, the SOCKS5
            proxy can act as a man-in-the-middle, terminating the TLS connection
            and establishing a secure connection against the requested host.
            In order to establish a secure connection, the proxy may use LEHO
            and TLSA records stored in the record set under the GNS name.
            The proxy must provide a locally trusted certificate for the GNS
            name to the HTTP client which usually requires the generation and
            configuration of a local trust anchor in the browser.
            An implementation of this SOCKS5 proxy can be found in
            <xref target="GNUnet"/>.
          </t>
        </section>
     </section>
     <section>
       <name>Example flows</name>
       <section>
         <name>AAAA Example Resolution</name>
         <figure anchor="figure_resolution_ex_aaaa" title="Example resolution of an IPv6 address.">
           <artwork name="" type="" align="left" alt=""><![CDATA[
                           Local Host             |   Remote
                                                  |   Storage
                                                  |
                                                  |    +---------+
                                                  |   /         /|
                                                  |  +---------+ |
+-----------+ (1)      +----------+               |  |         | |
|           |          |          |      (4,6)    |  | Record  | |
|Application|----------| Resolver |---------------|->| Storage | |
|           |<---------|          |<--------------|--|         |/
+-----------+ (8)      +----------+      (5,7)    |  +---------+
                          A                       |
                          |                       |
                    (2,3) |                       |
                          |                       |
                          |                       |
                       +---------+                |
                      /   v     /|                |
                     +---------+ |                |
                     |         | |                |
                     |  Start  | |                |
                     |  Zones  | |                |
                     |         |/                 |
                     +---------+                  |
         ]]></artwork>
         </figure>
         <ol>
           <li>Lookup AAAA record for name: www.example.gns.</li>
           <li>Determine start zone for www.example.gns.</li>
           <li>Start zone: zk0 - Remainder: www.example.</li>
           <li>Calculate q0=SHA512(ZKDF(zk0, "example")) and initiate GET(q0).</li>
           <li>Retrieve and decrypt RRBLOCK consisting of a single PKEY record containing zk1.</li>
           <li>Calculate q1=SHA512(ZKDF(zk1, "www")) and initiate GET(q1).</li>
           <li>Retrieve RRBLOCK consisting of a single AAAA record containing the IPv6 address 2001:db8::1.</li>
           <li>Return record set to application</li>
         </ol>
       </section>
       <section>
         <name>REDIRECT Example Resolution</name>
         <figure anchor="figure_resolution_ex_redir" title="Example resolution of an IPv6 address with redirect.">
           <artwork name="" type="" align="left" alt=""><![CDATA[
                           Local Host              |   Remote
                                                   |   Storage
                                                   |
                                                   |    +---------+
                                                   |   /         /|
                                                   |  +---------+ |
+-----------+ (1)      +----------+                |  |         | |
|           |          |          |      (4,6,8)   |  | Record  | |
|Application|----------| Resolver |----------------|->| Storage | |
|           |<---------|          |<---------------|--|         |/
+-----------+ (10)     +----------+      (5,7,9)   |  +---------+
                          A                        |
                          |                        |
                    (2,3) |                        |
                          |                        |
                          |                        |
                       +---------+                 |
                      /   v     /|                 |
                     +---------+ |                 |
                     |         | |                 |
                     |  Start  | |                 |
                     |  Zones  | |                 |
                     |         |/                  |
                     +---------+                   |
         ]]></artwork>
         </figure>
         <ol>
           <li>Lookup AAAA record for name: www.example.tld.</li>
           <li>Determine start zone for www.example.tld.</li>
           <li>Start zone: zk0 - Remainder: www.example.</li>
           <li>Calculate q0=SHA512(ZKDF(zk0, "example")) and initiate GET(q0).</li>
           <li>Retrieve and decrypt RRBLOCK consisting of a single REDIRECT record containing zk1.</li>
           <li>Calculate q1=SHA512(ZKDF(zk1, "www")) and initiate GET(q1).</li>
           <li>Retrieve and decrypt RRBLOCK consisting of a single REDIRECT record containing www2.+.</li>
           <li>Calculate q2=SHA512(ZKDF(zk1, "www2")) and initiate GET(q2).</li>
           <li>Retrieve and decrypt RRBLOCK consisting of a single AAAA record containing the IPv6 address 2001:db8::1.</li>
           <li>Return record set to application.</li>
         </ol>
       </section>
       <section>
         <name>GNS2DNS Example Resolution</name>
         <figure anchor="figure_resolution_ex_gnsdns" title="Example resolution of an IPv6 address with DNS handover.">
           <artwork name="" type="" align="left" alt=""><![CDATA[
                           Local Host                |   Remote
                                                     |   Storage
                                                     |
                                                     |    +---------+
                                                     |   /         /|
                                                     |  +---------+ |
+-----------+ (1)      +----------+                  |  |         | |
|           |          |          |      (4)         |  | Record  | |
|Application|----------| Resolver |------------------|->| Storage | |
|           |<---------|          |<-----------------|--|         |/
+-----------+ (8)      +----------+      (5)         |  +---------+
                          A    A                     |
                          |    |    (6,7)            |
                    (2,3) |    +----------+          |
                          |               |          |
                          |               v          |
                       +---------+    +------------+ |
                      /   v     /|    | System DNS | |
                     +---------+ |    | resolver   | |
                     |         | |    +------------+ |
                     |  Start  | |                   |
                     |  Zones  | |                   |
                     |         |/                    |
                     +---------+                     |
         ]]></artwork>
         </figure>
         <ol>
           <li>Lookup AAAA record for name: www.example.gnu</li>
           <li>Determine start zone for www.example.gnu.</li>
           <li>Start zone: zk0 - Remainder: www.example.</li>
           <li>Calculate q0=SHA512(ZKDF(zk0, "example")) and initiate GET(q0).</li>
           <li>Retrieve and decrypt RRBLOCK consisting of a single GNS2DNS record containing the name example.com and the DNS server IPv4 address 192.0.2.1.</li>
           <li>Use system resolver to lookup an AAAA record for the DNS name www.example.com.</li>
           <li>Retrieve a DNS reply consisting of a single AAAA record containing the IPv6 address 2001:db8::1.</li>
           <li>Return record set to application.</li>
         </ol>
       </section>

     </section>
     <section>
       <name>Base32GNS</name>
       <t>
         This table defines the encode symbol and decode symbol for a given
         symbol value.
         It can be used to implement the encoding by reading it as:
         A character "A" or "a" is decoded to a 5 bit value 10 when decoding.
         A 5 bit block with a value of 18 is encoded to the character "J" when encoding.
         If the bit length of the byte string to encode is not a multiple of 5
         it is padded to the next multiple with zeroes.
         In order to further increase tolerance for failures in character
         recognition, the letter "U" <bcp14>MUST</bcp14> be decoded to the same value as the
         letter "V" in Base32GNS.
       </t>
       <figure anchor="CrockfordB32Encode" title="The Base32GNS Alphabet Including the Additional U Encode Symbol.">
         <artwork name="" type="" align="left" alt=""><![CDATA[
Symbol      Decode            Encode
Value       Symbol            Symbol
0           0 O o             0
1           1 I i L l         1
2           2                 2
3           3                 3
4           4                 4
5           5                 5
6           6                 6
7           7                 7
8           8                 8
9           9                 9
10          A a               A
11          B b               B
12          C c               C
13          D d               D
14          E e               E
15          F f               F
16          G g               G
17          H h               H
18          J j               J
19          K k               K
20          M m               M
21          N n               N
22          P p               P
23          Q q               Q
24          R r               R
25          S s               S
26          T t               T
27          V v U u           V
28          W w               W
29          X x               X
30          Y y               Y
31          Z z               Z
         ]]></artwork>
       </figure>
     </section>

     <section>
       <name>Test Vectors</name>
       <t>
         The following are test vectors for the Base32GNS encoding used for zTLDs.
         The strings are encoded without the zero terminator.
       </t>
       <artwork name="" type="" align="left" alt="">
         <![CDATA[
Base32GNS-Encode:
  Input string: "Hello World"
  Output string: "91JPRV3F41BPYWKCCG"

  Input bytes: 474e55204e616d652053797374656d
  Output string: "8X75A82EC5PPA82KF5SQ8SBD"

Base32GNS-Decode:
  Input string: "91JPRV3F41BPYWKCCG"
  Output string: "Hello World"

  Input string: "91JPRU3F41BPYWKCCG"
  Output string: "Hello World"
           ]]>
       </artwork>
       <t>
         The following test vectors can be used by implementations to test
         for conformance with this specification.
         The test vectors include record sets with a variety
         of record types and flags for both PKEY and EDKEY zones.
         Unless indicated otherwise, the test vectors are provided as
         hex byte values.
         This includes labels as some test vectors contain UTF-8 multibyte
         characters to demonstrate internationalized labels.
       </t>
       <artwork name="" type="" align="left" alt="">
         <![CDATA[
Zone private key (d, big-endian):
50d7b652a4efeadf
f37396909785e595
2171a02178c8e7d4
50fa907925fafd98

Zone identifier (ztype|zkey):
00010000677c477d
2d93097c85b195c6
f96d84ff61f5982c
2c4fe02d5a11fedf
b0c2901f

zTLD:
000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W

Label:
7465737464656c65
676174696f6e

Number of records (integer): 1

Record #0 := (
EXPIRATION:
0008c06fb9281580

DATA_SIZE:
0020

TYPE:
00010000

FLAGS: 0001

DATA:
21e3b30ff93bc6d3
5ac8c6e0e13afdff
794cb7b44bbbc748
d259d0a0284dbe84

)

RDATA:
0008c06fb9281580
0020000100010000
21e3b30ff93bc6d3
5ac8c6e0e13afdff
794cb7b44bbbc748
d259d0a0284dbe84

Encryption NONCE|EXPIRATION|BLOCK COUNTER:
e90a00610008c06f
b928158000000001

Encryption key (K):
864e7138eae7fd91
a30136899c132b23
acebdb2cef43cb19
f6bf55b67db9b3b3

Storage key (q):
4adc67c5ecee9f76
986abd71c2224a3d
ce2e917026c9a09d
fd44cef3d20f55a2
7332725a6c8afbbb
b0f7ec9af1cc4264
1299406b04fd9b5b
5791f86c4b08d5f4

BDATA:
41dc7b5f2176ba59
1998afb9e3c82579
5050afc4b53d68e4
1ed921da89de51e7
da35a295b59c2b8a
aea4399148d50cff

RRBLOCK:
000000a000010000
182bb636eda79f79
5711bc2708adbb24
2a60446ad3c30803
121d03d348b7ceb6
01beab944aff7ccc
51bffb212779c341
87660c625d1ceb59
d5a0a9a2dfe4072d
0f08cd2ab1e9ed63
d3898ff732521b57
317a6c4950e1984d
74df015f9eb72c4a
0008c06fb9281580
41dc7b5f2176ba59
1998afb9e3c82579
5050afc4b53d68e4
1ed921da89de51e7
da35a295b59c2b8a
aea4399148d50cff

Zone private key (d, big-endian):
50d7b652a4efeadf
f37396909785e595
2171a02178c8e7d4
50fa907925fafd98

Zone identifier (ztype|zkey):
00010000677c477d
2d93097c85b195c6
f96d84ff61f5982c
2c4fe02d5a11fedf
b0c2901f

zTLD:
000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W

Label:
e5a4a9e4b88be784
a1e695b5

Number of records (integer): 3

Record #0 := (
EXPIRATION:
0008c06fb9281580

DATA_SIZE:
0010

TYPE:
0000001c

FLAGS: 0000

DATA:
0000000000000000
00000000deadbeef

)

Record #1 := (
EXPIRATION:
00b00f81b7449b40

DATA_SIZE:
0006

TYPE:
00010001

FLAGS: 8000

DATA:
e6849be7a7b0

)

Record #2 := (
EXPIRATION:
000000016b597108

DATA_SIZE:
000b

TYPE:
00000010

FLAGS: 4004

DATA:
48656c6c6f20576f
726c64

)

RDATA:
0008c06fb9281580
001000000000001c
0000000000000000
00000000deadbeef
00b00f81b7449b40
0006800000010001
e6849be7a7b00000
00016b597108000b
4004000000104865
6c6c6f20576f726c
6400000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000

Encryption NONCE|EXPIRATION|BLOCK COUNTER:
ee9633c10005db3b
cdbd617c00000001

Encryption key (K):
fb3ab5de23bddae1
997aaf7b92c2d271
51408b77af7a41ac
79057c4df5383d01

Storage key (q):
aff0ad6a44097368
429ac476dfa1f34b
ee4c36e7476d07aa
6463ff20915b1005
c0991def91fc3e10
909f8702c0be4043
6778c711f2ca47d5
5cf0b54d235da977

BDATA:
f8c5e4badf1649d4
04da64df7d9d285f
4072a5f7a2547d56
74227e9b188eb2bb
6b34532f61e08ffb
d5bdea3741e60967
b687f8d8c44c8f6f
120a0f980f393b21
60407be128a74a51
51d6370be56a86ea
e32fdc217596b13f
6fea3fcfea0f4deb
881a25458f505a8f
cfca62d6da56073f
497698613475a1ad
14b7877f9455b0ec

RRBLOCK:
000000f000010000
a51296df757ee275
ca118d4f07fa7aae
5508bcf512aa4112
1429d4a0de9d057e
05c095040b10c7f8
187aa5da12287d1c
2910ff04d6f50af1
fa95382e9f007f75
098f620d1ff7c971
28f40d7458a2d3c7
f048ca3820064bdd
ee9413e9548ec994
0005db3bcdbd617c
f8c5e4badf1649d4
04da64df7d9d285f
4072a5f7a2547d56
74227e9b188eb2bb
6b34532f61e08ffb
d5bdea3741e60967
b687f8d8c44c8f6f
120a0f980f393b21
60407be128a74a51
51d6370be56a86ea
e32fdc217596b13f
6fea3fcfea0f4deb
881a25458f505a8f
cfca62d6da56073f
497698613475a1ad
14b7877f9455b0ec

Zone private key (d):
5af7020ee1916032
8832352bbc6a68a8
d71a7cbe1b929969
a7c66d415a0d8f65

Zone identifier (ztype|zkey):
000100143cf4b924
032022f0dc505814
53b85d93b047b63d
446c5845cb48445d
db96688f

zTLD:
000G051WYJWJ80S04BRDRM2R2H9VGQCKP13VCFA4DHC4BJT88HEXQ5K8HW

Label:
7465737464656c65
676174696f6e

Number of records (integer): 1

Record #0 := (
EXPIRATION:
0008c06fb9281580

DATA_SIZE:
0020

TYPE:
00010000

FLAGS: 0001

DATA:
21e3b30ff93bc6d3
5ac8c6e0e13afdff
794cb7b44bbbc748
d259d0a0284dbe84

)

RDATA:
0008c06fb9281580
0020000100010000
21e3b30ff93bc6d3
5ac8c6e0e13afdff
794cb7b44bbbc748
d259d0a0284dbe84

Encryption NONCE|EXPIRATION:
98132ea86859d35c
88bfd317fa991bcb
0008c06fb9281580

Encryption key (K):
85c429a9567aa633
411a9691e9094c45
281672be586034aa
e4a2a2cc716159e2

Storage key (q):
abaabac0e1249459
75988395aac0241e
5559c41c4074e255
7b9fe6d154b614fb
cdd47fc7f51d786d
c2e0b1ece76037c0
a1578c384ec61d44
5636a94e880329e9

BDATA:
9cc455a129331943
5993cb3d67179ec0
6ea8d8894e904a0c
35e91c5c2ff2ed93
9cc2f8301231f44e
592a4ac87e4998b9
4625c64af51686a2
b36a2b2892d44f2d

RRBLOCK:
000000b000010014
9bf233198c6d53bb
dbac495cabd91049
a684af3f4051baca
b0dcf21c8cf27a1a
44d240d07902f490
b7c43ef00758abce
8851c18c70ac6df9
7a88f79211cf875f
784885ca3e349ec4
ca892b9ff084c535
8965b8e74a231595
2d4c8c06521c2f0c
0008c06fb9281580
9cc455a129331943
5993cb3d67179ec0
6ea8d8894e904a0c
35e91c5c2ff2ed93
9cc2f8301231f44e
592a4ac87e4998b9
4625c64af51686a2
b36a2b2892d44f2d

Zone private key (d):
5af7020ee1916032
8832352bbc6a68a8
d71a7cbe1b929969
a7c66d415a0d8f65

Zone identifier (ztype|zkey):
000100143cf4b924
032022f0dc505814
53b85d93b047b63d
446c5845cb48445d
db96688f

zTLD:
000G051WYJWJ80S04BRDRM2R2H9VGQCKP13VCFA4DHC4BJT88HEXQ5K8HW

Label:
e5a4a9e4b88be784
a1e695b5

Number of records (integer): 3

Record #0 := (
EXPIRATION:
0008c06fb9281580

DATA_SIZE:
0010

TYPE:
0000001c

FLAGS: 0000

DATA:
0000000000000000
00000000deadbeef

)

Record #1 := (
EXPIRATION:
00b00f81b7449b40

DATA_SIZE:
0006

TYPE:
00010001

FLAGS: 8000

DATA:
e6849be7a7b0

)

Record #2 := (
EXPIRATION:
000000016b597108

DATA_SIZE:
000b

TYPE:
00000010

FLAGS: 4004

DATA:
48656c6c6f20576f
726c64

)

RDATA:
0008c06fb9281580
001000000000001c
0000000000000000
00000000deadbeef
00b00f81b7449b40
0006800000010001
e6849be7a7b00000
00016b597108000b
4004000000104865
6c6c6f20576f726c
6400000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000

Encryption NONCE|EXPIRATION:
bb0d3f0fbd224277
50da5d691216e6c9
0005db3bcdbd7769

Encryption key (K):
3df805bd6687aa14
209628c244b11191
88c3925637a41e5d
76496c2945dc377b

Storage key (q):
baf82177eec081e0
74a7da47ffc64877
58fb0df01a6c7fbb
52fc8a31bef029af
74aa0dc15ab8e2fa
7a54b4f5f637f615
8fa7f03c3fcebe78
d3f9d640aac0d1ed

BDATA:
6f79a9fd28bc5e38
2fc931ed22931797
326fdd698129fc47
8a639e902b411088
0a45037c667ff769
5f09c4a7f4f3471a
b2365bf3af79e953
697f1e35f93bd1ad
876971ce70527a3b
82c098d23fffd4a4
0057b694bec43416
4fb83c12b1f4570f
69a28f3bc3b7d838
b2619f6b8e1723ba
78c4b7ce19ef3f39
0405b63f7ce00216
1bdd7f5e9b3622bc
1af2d4ca84fd5fc5

RRBLOCK:
0000010000010014
74f90068f1676953
52a8a6c2eb984898
c53acca0980470c6
c81264cbdd78ad11
13b6b78358a88de7
3c5d22f73f1ad588
ee6f07d13410a2f5
15a074872608ec02
ef9020fdeb4266bf
1177c7e57e786059
97032a3f71f7216c
894e073ac77f2a0d
0005db3bcdbd7769
6f79a9fd28bc5e38
2fc931ed22931797
326fdd698129fc47
8a639e902b411088
0a45037c667ff769
5f09c4a7f4f3471a
b2365bf3af79e953
697f1e35f93bd1ad
876971ce70527a3b
82c098d23fffd4a4
0057b694bec43416
4fb83c12b1f4570f
69a28f3bc3b7d838
b2619f6b8e1723ba
78c4b7ce19ef3f39
0405b63f7ce00216
1bdd7f5e9b3622bc
1af2d4ca84fd5fc5
         ]]>
       </artwork>
       <t>
         The following is an example revocation for a zone:
       </t>
       <artwork name="" type="" align="left" alt="">
         <![CDATA[
Zone private key (d, big-endian scalar):
6fea32c05af58bfa
979553d188605fd5
7d8bf9cc263b78d5
f7478c07b998ed70

Zone identifier (ztype|zkey):
000100002ca223e8
79ecc4bbdeb5da17
319281d63b2e3b69
55f1c3775c804a98
d5f8ddaa

Encoded zone identifier (zTLD):
000G001CM8HYGYFCRJXXXDET2WRS50EP7CQ3PTANY71QEQ409ACDBY6XN8

Difficulty (5 base difficulty + 2 epochs): 7

Signed message:
0000003400000003
0005d66da3598127
000100002ca223e8
79ecc4bbdeb5da17
319281d63b2e3b69
55f1c3775c804a98
d5f8ddaa

Proof:
0005d66da3598127
0000395d1827c000
3ab877d07570f2b8
3ab877d07570f332
3ab877d07570f4f5
3ab877d07570f50f
3ab877d07570f537
3ab877d07570f599
3ab877d07570f5cd
3ab877d07570f5d9
3ab877d07570f66a
3ab877d07570f69b
3ab877d07570f72f
3ab877d07570f7c3
3ab877d07570f843
3ab877d07570f8d8
3ab877d07570f91b
3ab877d07570f93a
3ab877d07570f944
3ab877d07570f98a
3ab877d07570f9a7
3ab877d07570f9b0
3ab877d07570f9df
3ab877d07570fa05
3ab877d07570fa3e
3ab877d07570fa63
3ab877d07570fa84
3ab877d07570fa8f
3ab877d07570fa91
3ab877d07570fad6
3ab877d07570fb0a
3ab877d07570fc0f
3ab877d07570fc43
3ab877d07570fca5
000100002ca223e8
79ecc4bbdeb5da17
319281d63b2e3b69
55f1c3775c804a98
d5f8ddaa053b0259
700039187d1da461
3531502bc4a4eecc
c69900d24f8aac54
30f28fc509270133
1f178e290fe06e82
ce2498ce7b23a340
58e3d6a2f247e92b
c9d7b9ab
         ]]>
       </artwork>
     </section>



     <!-- Change Log
       v00 2017-07-23  MS   Initial version
     -->
   </back>
 </rfc>