From 51d627798b6442abc52a447c3f58b8b992813753 Mon Sep 17 00:00:00 2001 From: Martin Schanzenbach Date: Thu, 7 Dec 2023 15:05:57 +0100 Subject: add draft --- draft-nadler-sbox.xml | 420 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 420 insertions(+) create mode 100644 draft-nadler-sbox.xml diff --git a/draft-nadler-sbox.xml b/draft-nadler-sbox.xml new file mode 100644 index 0000000..187d291 --- /dev/null +++ b/draft-nadler-sbox.xml @@ -0,0 +1,420 @@ + + + + + +]> + + + + + The GNS SBOX Record Type + + + Technische Universität München +
+ sebastian.nadler@tum.de +
+
+ + Fraunhofer AISEC +
+ + Lichtenbergstrasse 11 + Garching + 85748 + Germany + + martin.schanzenbach@aisec.fraunhofer.de +
+
+ + GNUnet + name systems + + + This document provides an extension to the GNU Name System (GNS) technical specification . GNS is a decentralized and censorship-resistant domain name + resolution protocol that provides a privacy-enhancing alternative to the Domain Name System + (DNS) protocols. + + This document defines the normative wire format of an additional resource record + and a modifyed resolution processes for use by implementers. + + + This specification was developed outside the IETF and does not have + IETF consensus. It is published here to inform readers about the + function of GNS, guide future GNS implementations, and ensure + interoperability among implementations (for example, pre-existing + GNUnet implementations). + + + +
+ +
+ Introduction + This specification describes additions to the GNU Name System (GNS) , + a censorship-resistant, privacy-preserving, and decentralized domain name resolution + protocol. GNS cryptographically secures the binding of names to arbitrary tokens, enabling + it to double in some respects as an alternative to some of today's public key + infrastructures. + + + This document defines the normative wire format of resource + records and resolution processes for use by implementers. + +
+ Requirements Notation + The key words "MUST", "MUST NOT", "REQUIRED", + "SHALL", "SHALL NOT", "SHOULD", "SHOULD + NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", + and "OPTIONAL" in this document are to be interpreted as described in + BCP 14 when, and only when, they + appear in all capitals, as shown here. +
+
+
+ Terminology + The terminology defined in also applies to this document. +
+
+ Resource Records +
+ Auxiliary Records + This section defines an additional auxiliary GNS record type. Any implementation + SHOULD be able to process the specified record types according to . +
+ SBOX + + GNS lookups are expected to return all of the required useful + information in one record set. This avoids unnecessary additional + lookups and cryptographically ties together information that belongs + together, making it impossible for an adversarial storage entity to provide + partial answers that might omit information critical for security. + + + This general strategy is incompatible with the + special labels used by DNS for SRV and TLSA records. Thus, GNS + defines the BOX record format to box up SRV and TLSA records and + include them in the record set of the label they are associated + with. + This way of handling and storing restricts the allowed and processable underscore + labels to the format of "_SERVICE._PROTOCOL" as well as only services registered in + the corresponding IANA registry. To support labels + "c93f1e400f26708f98cb19d936620da35eec8f72e57f9eec01c1afd6._smimecert" + for the intended use of SMIMEA record, a new SBOX record is proposed. The SBOX + record is supposed to handle all variations of underscore labels. The underlying idea is + instead + of storing the service and protocol numbers, the string representation of the underscore + label and all subsequent labels is stored. A SBOX record boxes the records type, the + records + data and the underscore label and subsequent labels and adds them to the record set + of the associated label. For example, a URI record for "_scheme._trust.exampel.com" + will be stored as an SBOX record in the record set of "example.com" with the label + "_schema._trust" and record type URI and the URI records data + For reference, see also . A SBOX DATA entry is illustrated in . +
+ The SBOX DATA Wire Format + +0 8 16 24 32 40 48 56 ++-----+-----+-----+-----+-----+-----+-----+-----+ +| TYPE | LABEL / ++-----------+-----------+ / +/ / +/ / ++-----------------------------------------------+ +/ RECORD DATA / +/ / ++-----+-----+-----+-----+-----+-----+-----+-----+ + +
+
+
TYPE:
+
+ The 32-bit record type of the boxed record in network byte order. +
+
LABEL:
+
A variable-length field containing the first underscore label and all subsequent + labels. Characters are encoded as c-strings and MUST be null + terminated.
+
RECORD DATA:
+
A variable-length field containing the "DATA" format of TYPE as defined for the + respective TYPE. Thus, for TYPE values below 216, the format is the same as + the respective record type's binary format in DNS.
+
+
+
+
+
+ Name Resolution +
+ Record Processing + The first step in processing the records remains the same as described in Section 4.1. + The next step depends on the context of the name being resolved. Case 3, as defined in Section 4.1, is modified and Case 6 is added to the list: +
+
Case 3:
+
If the remainder of the name to be resolved is of the format "_SERVICE._PROTO" and the + record set contains one or more matching BOX records, the records in the BOX records are + part of the final result and the recursion is processed as described in . An additional check for "Case 6" MUST be + made if the record set contains SBOX records.
+
+
+
Case 6:
+
If the remainder of the name to be resolved is strating with "_" and the record set + contains one or more matching SBOX records, the records in the SBOX records are part of + the final result and the recursion is processed as described in . An additional check for "Case 3" MUST be + made if the record set contains BOX records.
+
+
+ BOX + + When a BOX record is received, a GNS resolver must unbox it if the + name to be resolved continues with "_SERVICE._PROTO". + Otherwise, the BOX record is to be left untouched. This way, TLSA + (and SRV) records do not require a separate network request, and + TLSA records become inseparable from the corresponding address + records. + +
+
+ SBOX + + When a SBOX record is received, a GNS resolver must unbox it if the + name to be resolved continues with "_" at the start of the next label. + Otherwise, the SBOX record is to be left untouched. + +
+
+
+
+ GANA Considerations +
+ GNS Record Types Registry + GANA manages the "GNS Record Types" registry. + Each entry has the following format: + +
+
Name:
+
The name of the record type (case-insensitive ASCII + string, restricted to alphanumeric characters). For zone delegation + records, the assigned number represents the ztype value of the zone.
+
Number:
+
A 32-bit number above 65535.
+
Comment:
+
Optionally, brief English text describing the purpose of + the record type (in UTF-8).
+
Contact:
+
Optionally, the contact information for a person to contact for + further information.
+
References:
+
Optionally, references (such as an RFC) describing the record type.
+
+ GANA has assigned a number for the record type SBOX defined in this specification in the + "GNS Record Types" registry as listed in . + + + The GANA GNS Record Types Registry + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NumberNameContactReferencesComment
65536PKEY(*)RFC 9498GNS zone delegation (PKEY)
65537NICK(*)RFC 9498GNS zone nickname
65538LEHO(*)RFC 9498GNS legacy hostname
65540GNS2DNS(*)RFC 9498Delegation to DNS
65541BOX(*)RFC 9498Box records
65547SBOX(*)LSD 0010SBox records
65551REDIRECT(*)RFC 9498Redirection record
65556EDKEY(*)RFC 9498GNS zone delegation (EDKEY)
(*): gns-registry@gnunet.org
+
+
+
+ + + References + + Normative References + + + + + + + + + + + + + + + + + + + + + + + + + GNUnet Assigned Numbers Authority (GANA) + + GNUnet e.V. + + + + + + + Informative References + + + + + + A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name System + + Technische Universität München + + + Technische Universität München + + + Technische Universität München + + + + 13th International Conference on Cryptology and Network Security (CANS) + + + + + + gnunet.git - GNUnet core repository + + GNUnet e.V. + + + + + + + + The GNUnet Project (Home Page) + + GNUnet e.V. + + + + + + + +
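Review bot: in the SBOX DATA wire format (the LABEL and RECORD DATA definitions in the Auxiliary Records section), the LABEL field is a NUL-terminated string with no length prefix and no maximum length, so the size of RECORD DATA is only defined implicitly as "whatever remains", and the text never says that the search for the terminator must stop at the end of the enclosing record. Make this explicit: a decoder locates the NUL within the record's data length (total record data length minus the 4-byte TYPE), rejects the record if no terminator is found before the end, and takes RECORD DATA as the bytes after the NUL up to the end of the record. "Characters are encoded as c-strings and MUST be null terminated" only says how the field ends; also state the permitted character set of LABEL (at minimum the label restrictions that RFC 9498 already imposes, or an explicit UTF-8 or ASCII requirement), since a resolver has to compare it against a name it is resolving. Finally, the threshold in the RECORD DATA definition currently reads "216"; it should be 2^16 (65536), which is also what the registry's "A 32-bit number above 65535" implies.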
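Review bot: in the Record Processing section, Case 3 and Case 6 overlap and each defers to the other, so precedence is undefined: a remainder of the form "_SERVICE._PROTO" also starts with "_", hence matches both cases, and the text does not say whether matching BOX and SBOX records are both added to the result, whether one record type wins, or what a resolver does when the record set holds both a BOX record for "_SERVICE._PROTO" and an SBOX record whose LABEL is that same string. Suggest defining an order (for example: unbox matching BOX records first, then SBOX records whose LABEL equals the remaining name, with the union forming the final result) and stating that the comparison is an exact match of LABEL against the entire remainder after the normalization RFC 9498 applies to labels; the SBOX subsection's wording "continues with "_" at the start of the next label" would otherwise also admit a prefix match. The cross-reference "Section 4.1" does not exist in this draft; it presumably means the record processing section of RFC 9498 and should cite that document explicitly. Typo in Case 6: "strating".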
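Review bot: the worked example in the SBOX description contradicts itself: the name is given as "_scheme._trust.exampel.com" but the stored label as "_schema._trust" in the record set of "example.com". Pick one spelling ("_scheme._trust" and "example.com") so a reader can check the described encoding against the text. The draft also has no Security Considerations section although the motivation given in the SBOX description is a security property (an adversarial storage entity cannot serve a partial answer that omits records belonging together); consider adding a paragraph stating that this property holds only when the resolver treats unboxed records as part of the authenticated record set of the owner label and does not issue a separate lookup for the underscore name, mirroring the BOX rationale in the Name Resolution section. Remaining wording issues: "modifyed" in the abstract, "the records type, the records data" (record's), "A SBOX" (An SBOX), and the registry comment "SBox records" versus "Box records" for BOX.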