Internet-Draft | The GNU Name System | April 2021 |
Schanzenbach, et al. | Expires 19 October 2021 | [Page] |
This document contains the GNU Name System (GNS) technical specification.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 19 October 2021.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
The Domain Name System (DNS) is a unique distributed database and a vital service for most Internet applications. While DNS is distributed, it relies on centralized, trusted registrars to provide globally unique names. As the awareness of the central role DNS plays on the Internet rises, various institutions are using their power (including legal means) to engage in attacks on the DNS, thus threatening the global availability and integrity of information on the Internet.¶
DNS was not designed with security as a goal. This makes it very vulnerable, especially to attackers that have the technical capabilities of an entire nation state at their disposal. This specification describes a censorship-resistant, privacy-preserving and decentralized name system: The GNU Name System (GNS). It is designed to provide a secure alternative to DNS, especially when censorship or manipulation is encountered. GNS can bind names to any kind of cryptographically secured token, enabling it to double in some respects as even as an alternative to some of today's Public Key Infrastructures, in particular X.509 for the Web.¶
This document contains the GNU Name System (GNS) technical specification of the GNU Name System [GNS], a fully decentralized and censorship-resistant name system. GNS provides a privacy-enhancing alternative to the Domain Name System (DNS). The design of GNS incorporates the capability to integrate and coexist with DNS. GNS is based on the principle of a petname system and builds on ideas from the Simple Distributed Security Infrastructure (SDSI), addressing a central issue with the decentralized mapping of secure identifiers to memorable names: namely the impossibility of providing a global, secure and memorable mapping without a trusted authority. GNS uses the transitivity in the SDSI design to replace the trusted root with secure delegation of authority thus making petnames useful to other users while operating under a very strong adversary model.¶
This document defines the normative wire format of resource records, resolution processes, cryptographic routines and security considerations for use by implementors. GNS requires a distributed hash table (DHT) for record storage. Specification of the DHT is out of scope of this document.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
A zone in GNS is defined by a zone type "ztype" that identifies a cryptosystem and a public/private key pair "(d,zk)", where "d" is the private key and "zk" the corresponding public key in the public key cipher identified by the "ztype". The contents of a zone are cryptographically signed before being published a distributed hash table (DHT). Records are grouped by their label and encrypted (Section 6.3) using an encryption key derived from the label and the zone public key. Instead of the zone private key "d", the signature MUST be created using a blinded public/private key pair "d'" and "zk'". This blinding is realized using a hierarchical deterministic key derivation (HDKD) scheme. Such a scheme allows the deterministic derivation of keys from the original public and private zone keys using "label" values. Specifically, the zone owner can derive private keys "d'", and a resolver to derive the corresponding public keys "zk'". Using different "label" values in the derivation results in different keys. Without knowledge of the "label" values, the different derivations are unlinkable both to the original key and to each other. This prevents zone enumeration and requires knowledge of both "zk" and the "label" to confirm affiliation with a specific zone. At the same time, the blinded "zk'" provides nodes with the ability to verifiy the integrity of the published information without disclosing the originating zone.¶
The following variables are associated with a zone in GNS:¶
The "zid" wire format is defined as follows:¶
For the string representation of the "zid", we use a base-32 encoding "StringEncode". However, instead of following [RFC4648] we base our character map on the optical character recognition friendly proposal of Crockford [CrockfordB32]. The only difference to Crockford is that the letter "U" decodes to the same base-32 value as the letter "V" (27).¶
zkl := <StringEncode(zid)>¶
If "zkl" is less than 63 characters, it is also the "zTLD". If the resulting "zkl" should be longer than 63 characters, the string must be divided into smaller labels separated by the label separator ".". Here, the most significant bytes of the "zid" must be contained in the rightmost label of the resulting string and the least significant bytes in the leftmost label of the resulting string. For example, assuming a "zkl" of 130 characters, the encoding would be:¶
zTLD := zkl[126:129].zkl[63:125].zkl[0:62]¶
A zone type identifies a family of eight functions:¶
Zone types are identified by a 32-bit resource record type number. Resource record types are discussed in the next section.¶
A GNS implementor MUST provide a mechanism to create and manage resource records for local zones. A local zone is established by selecting a zone type and creating a zone key pair. Implementations SHOULD select a secure zone type automatically and not leave the zone type selection to the user. Records may be added to each zone, hence a (local) persistency mechanism for resource records and zones must be provided. This local zone database is used by the GNS resolver implementation and to publish record information.¶
A GNS resource record holds the data of a specific record in a zone. The resource record format is defined as follows:¶
where:¶
Flags indicate metadata surrounding the resource record. A flag value of 0 indicates that all flags are unset. The following illustrates the flag distribution in the 32-bit flag value of a resource record:¶
where:¶
A registry of GNS Record Types is described in Section 12. The registration policy for this registry is "First Come First Served", as described in [RFC8126].¶
In GNS, a delegation of a label to a zone of type "PKEY" is represented through a PKEY record. The PKEY number is a zone type and thus also implies the cryptosystem for the zone that is being delegated to. A PKEY resource record contains the public key of the zone to delegate to. A PKEY record MUST be the only record under a label. No other records are allowed. A PKEY DATA entry has the following format:¶
where:¶
For PKEY zones the zone key material is derived using the curve parameters of the twisted edwards representation of Curve25519 [RFC7748] (a.k.a. edwards25519) with the ECDSA scheme ([RFC6979]). Consequently , we use the following naming convention for our cryptographic primitives for PKEY zones:¶
The "zid" of a PKEY is 32 + 4 bytes in length. This means that a "zTLD" will always fit into a single label and does not need any further conversion.¶
Given a label, the output d' of the HDKD-Private(d,label) function for zone key blinding is calculated as follows for PKEY zones:¶
zk := d * G PRK_h := HKDF-Extract ("key-derivation", zk) h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) d' := h * d mod L¶
Equally, given a label, the output zk' of the HDKD-Public(zk,label) function is calculated as follows for PKEY zones:¶
PRK_h := HKDF-Extract ("key-derivation", zk) h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) zk' := h mod L * zk¶
The PKEY cryptosystem uses a hash-based key derivation function (HKDF) as defined in [RFC5869], using HMAC-SHA512 for the extraction phase and HMAC-SHA256 for the expansion phase. "PRK_h" is key material retrieved using an HKDF using the string "key-derivation" as salt and the public zone key "zk" as initial keying material. "h" is the 512-bit HKDF expansion result. The expansion info input is a concatenation of the label and string "gns". "label" is a UTF-8 string under which the resource records are published.¶
We point out that the multiplication of "zk" with "h" is a point multiplication, while the multiplication of "d" with "h" is a scalar multiplication.¶
The Sign() and Verify() functions for PKEY zones are implemented using 512-bit ECDSA deterministic signatures as specified in [RFC6979].¶
The S-Encrypt() and S-Decrypt() functions use AES in counter mode as defined in [MODES] (CTR-AES-256):¶
RDATA := CTR-AES256(K, IV, BDATA) BDATA := CTR-AES256(K, IV, RDATA)¶
The key "K" and counter "IV" are derived from the record "label" and the zone key "zk" as follows:¶
PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) K := HKDF-Expand (PRK_k, label, 256 / 8); NONCE := HKDF-Expand (PRK_n, label, 32 / 8)¶
HKDF is a hash-based key derivation function as defined in [RFC5869]. Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-SHA256 for the expansion phase. The output keying material is 32 octets (256 bits) for the symmetric key and 4 octets (32 bits) for the nonce. The symmetric key "K" is a 256-bit AES [RFC3826] key.¶
The nonce is combined with a 64-bit initialization vector and a 32-bit block counter as defined in [RFC3686]. The block counter begins with the value of 1, and it is incremented to generate subsequent portions of the key stream. The block counter is a 32-bit integer value in network byte order. The initialization vector is the expiration time of the resource record block in network byte order. The resulting counter ("IV") wire format is as follows:¶
In GNS, a delegation of a label to a zone of type "EDKEY" is represented through a EDKEY record. The EDKEY number is a zone type and thus also implies the cryptosystem for the zone that is being delegated to. An EDKEY resource record contains the public key of the zone to delegate to. A EDKEY record MUST be the only record under a label. No other records are allowed. A EDKEY DATA entry has the following format:¶
where:¶
For EDKEY zones the zone key material is derived using the curve parameters of the twisted edwards representation of Curve25519 [RFC7748] (a.k.a. edwards25519) with the Ed25519-SHA-512 scheme [ed25519]. Consequently , we use the following naming convention for our cryptographic primitives for EDKEY zones:¶
The "zid" of an EDKEY is 32 + 4 bytes in length. This means that a "zTLD" will always fit into a single label and does not need any further conversion.¶
The "EDKEY" HDKD instantiation is based on [Tor224]. Given a label, the output of the HDKD-Private function for zone key blinding is calculated as follows for EDKEY zones:¶
zk := a * G PRK_h := HKDF-Extract ("key-derivation", zk) h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) h[31] &= 7 a1 := a / 8 /* 8 is the cofactor of Curve25519 */ a2 := h * a1 mod L a' = a2 * 8 /* 8 is the cofactor of Curve25519 */¶
Equally, given a label, the output of the HDKD-Public function is calculated as follows for PKEY zones:¶
PRK_h := HKDF-Extract ("key-derivation", zk) h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) h[31] &= 7 // Implies h mod L == h zk' := h * zk¶
We note that implementors must employ a constant time scalar multiplication for the constructions above. Also, implementors must ensure that the private key "a" is an ed25519 private key and specifically that "a[0] & 7 == 0" holds.¶
The EDKEY cryptosystem uses a hash-based key derivation function (HKDF) as defined in [RFC5869], using HMAC-SHA512 for the extraction phase and HMAC-SHA256 for the expansion phase. "PRK_h" is key material retrieved using an HKDF using the string "key-derivation" as salt and the public zone key "zk" as initial keying material. "h" is the 512-bit HKDF expansion result. The expansion info input is a concatenation of the label and string "gns". The result of the HKDF must be clamped. "a" is the 256-bit integer corresponding to the 256-bit private zone key "d". "label" is a UTF-8 string under which the resource records are published.¶
We point out that the multiplication of "zk" with "h" is a point multiplication, while the division and multiplication of "a" and "a1" with the cofactor are integer operations.¶
Signatures for EDKEY zones using the derived private key "a'" are NOT compliant with [ed25519]. Instead, signatures MUST be generated as follows for any given message M and deterministic random-looking "r":¶
R := r * G S := r + SHA512(R, zk', M) * a' mod L¶
A signature (R,S) is valid if the following holds:¶
SB == R + SHA512(R, zk', M) * A'¶
The S-Encrypt() and S-Decrypt() functions use ChaCha20 as defined in [RFC7539] (ChaCha20-Poly1305):¶
RDATA := ChaCha20(K, IV, BDATA) BDATA := ChaCha20(K, IV, RDATA) = CIPHERTEXT | TAG¶
The result of the ChaCha20 encryption function is the encrypted ciphertext concatenated with the 128-bit authentication tag "TAG". Accordingly, the length of BDATA equals the length of the RDATA plus the 16 octets of the authentication tag.¶
The key "K" and counter "IV" are derived from the record "label" and the zone key "zk" as follows:¶
PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) K := HKDF-Expand (PRK_k, label, 256 / 8); NONCE := HKDF-Expand (PRK_n, label, 32 / 8)¶
HKDF is a hash-based key derivation function as defined in [RFC5869]. Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-SHA256 for the expansion phase. The output keying material is 32 octets (256 bits) for the symmetric key and 4 octets (32 bits) for the NONCE. The symmetric key "K" is a 256-bit ChaCha20 [RFC7539] key. No additional authenticated data (AAD) is used.¶
The nonce is combined with a 64-bit initialization vector and a 32-bit block counter. The block counter begins with the value of 1, and it is incremented to generate subsequent portions of the key stream. The block counter is a 32-bit integer value treated as a 32-bit little-endian integer. The initialization vector is the expiration time of the resource record block in network byte order. The resulting counter ("IV") wire format is as follows:¶
It is possible to delegate a label back into DNS through a GNS2DNS record. The resource record contains a DNS name for the resolver to continue with in DNS followed by a DNS server. Both names are in the format defined in [RFC1034] for DNS names. A GNS2DNS DATA entry has the following format:¶
where:¶
Legacy hostname records can be used by applications that are expected to supply a DNS name on the application layer. The most common use case is HTTP virtual hosting, which as-is would not work with GNS names as those may not be globally unique. A LEHO resource record is expected to be found together in a single resource record with an IPv4 or IPv6 address. A LEHO DATA entry has the following format:¶
where:¶
NOTE: If an application uses a LEHO value in an HTTP request header (e.g. "Host:" header) it must be converted to a punycode representation [RFC5891].¶
Nickname records can be used by zone administrators to publish an indication on what label this zone prefers to be referred to. This is a suggestion to other zones what label to use when creating a delegation record (Section 3) containing this zone's public zone key. This record SHOULD only be stored under the empty label "@" but MAY be returned with record sets under any label as a supplemental record. Section 8.2.6 details how a resolver must process supplemental and non-supplemental NICK records. A NICK DATA entry has the following format:¶
where:¶
In GNS, every "." in a name delegates to another zone, and GNS lookups are expected to return all of the required useful information in one record set. This is incompatible with the special labels used by DNS for SRV and TLSA records. Thus, GNS defines the BOX record format to box up SRV and TLSA records and include them in the record set of the label they are associated with. For example, a TLSA record for "_https._tcp.example.org" will be stored in the record set of "example.org" as a BOX record with service (SVC) 443 (https) and protocol (PROTO) 6 (tcp) and record TYPE "TLSA". For reference, see also [RFC2782]. A BOX DATA entry has the following format:¶
where:¶
A VPN DATA entry has the following format:¶
where:¶
GNS resource records are published in a distributed hash table (DHT). We assume that a DHT provides two functions: GET(key) and PUT(key,value). In GNS, resource records are grouped by their respective labels, encrypted and published together in a single resource records block (RRBLOCK) in the DHT under a key "q": PUT(q, RRBLOCK). The key "q" which is derived from the zone key "zk" and the respective "label" of the contained records.¶
Given a label, the DHT key "q" is derived as follows:¶
q := SHA512 (HDKD-Public(zk, label))¶
GNS records are grouped by their labels and published as a single block in the DHT. The grouped record sets MAY be paired with any number of supplemental records. Supplemental records must have the supplemental flag set (See Section 4). The contained resource records are encrypted using a symmetric encryption scheme. A GNS implementation must publish RRBLOCKs in accordance to the properties and recommendations of the underlying DHT. This may include a periodic refresh publication. A GNS RRBLOCK has the following format:¶
where:¶
A symmetric encryption scheme is used to encrypt the resource records set RDATA into the BDATA field of a GNS RRBLOCK. The wire format of the RDATA looks as follows:¶
where:¶
All labels in GNS are encoded in UTF-8 [RFC3629]. This does not include any DNS names found in DNS records, such as CNAME records, which are internationalized through the IDNA specifications [RFC5890].¶
Names in GNS are resolved by recursively querying the DHT record storage. In the following, we define how resolution is initiated and each iteration in the resolution is processed.¶
GNS resolution of a name must start in a given starting zone indicated using a zone public key. Details on how the starting zone may be determined is discussed in Section 10.¶
When GNS name resolution is requested, a desired record type MAY be provided by the client. The GNS resolver will use the desired record type to guide processing, for example by providing conversion of VPN records to A or AAAA records, if that is desired. However, filtering of record sets according to the required record types MUST still be done by the client after the resource record set is retrieved.¶
In each step of the recursive name resolution, there is an authoritative zone zk and a name to resolve. The name may be empty. Initially, the authoritative zone is the start zone. If the name is empty, it is interpreted as the apex label "@".¶
From here, the following steps are recursively executed, in order:¶
Upon receiving the RRBLOCK from the DHT, apart from verifying the provided signature, the resolver MUST check that the authoritative zone key was used to sign the record: The derived zone key "h*zk" MUST match the public key provided in the RRBLOCK, otherwise the RRBLOCK MUST be ignored and the DHT lookup GET(q) MUST continue.¶
Record processing occurs at the end of a single recursion. We assume that the RRBLOCK has been cryptographically verified and decrypted. At this point, we must first determine if we have received a valid record set in the context of the name we are trying to resolve:¶
When the resolver encounters a record of a supported zone delegation record type (such as PKEY or EDKEY) and the remainder of the name is not empty, resolution continues recursively with the remainder of the name in the GNS zone specified in the delegation record. Implementations MUST NOT allow multiple different zone type delegations under a single label. Implementations MAY support any subset of zone types. If an unsupported zone type is encountered, resolution fails (NXDOMAIN).¶
If the remainder of the name to resolve is empty and we have received a record set containing only a single PKEY record, the recursion is continued with the PKEY as authoritative zone and the empty apex label "@" as remaining name, except in the case where the desired record type is PKEY, in which case the PKEY record is returned and the resolution is concluded without resolving the empty apex label.¶
When a resolver encounters one or more GNS2DNS records and the remaining name is empty and the desired record type is GNS2DNS, the GNS2DNS records are returned.¶
Otherwise, it is expected that the resolver first resolves the IP(s) of the specified DNS name server(s). GNS2DNS records MAY contain numeric IPv4 or IPv6 addresses, allowing the resolver to skip this step. The DNS server names may themselves be names in GNS or DNS. If the DNS server name ends in ".+", the rest of the name is to be interpreted relative to the zone of the GNS2DNS record. If the DNS server name ends in a label representation of a zone key, the DNS server name is to be resolved against the GNS zone zk.¶
Multiple GNS2DNS records may be stored under the same label, in which case the resolver MUST try all of them. The resolver MAY try them in any order or even in parallel. If multiple GNS2DNS records are present, the DNS name MUST be identical for all of them, if not the resolution fails and an emtpy record set is returned as the record set is invalid.¶
Once the IP addresses of the DNS servers have been determined, the DNS name from the GNS2DNS record is appended to the remainder of the name to be resolved, and resolved by querying the DNS name server(s). As the DNS servers specified are possibly authoritative DNS servers, the GNS resolver MUST support recursive resolution and MUST NOT delegate this to the authoritative DNS servers. The first successful recursive name resolution result is returned to the client. In addition, the resolver returns the queried DNS name as a supplemental LEHO record (Section 5.4) with a relative expiration time of one hour.¶
GNS resolvers SHOULD offer a configuration option to disable DNS processing to avoid information leakage and provide a consistent security profile for all name resolutions. Such resolvers would return an empty record set upon encountering a GNS2DNS record during the recursion. However, if GNS2DNS records are encountered in the record set for the apex and a GNS2DNS record is expicitly requested by the application, such records MUST still be returned, even if DNS support is disabled by the GNS resolver configuration.¶
If a CNAME record is encountered, the canonical name is appended to the remaining name, except if the remaining name is empty and the desired record type is CNAME, in which case the resolution concludes with the CNAME record. If the canonical name ends in ".+", resolution continues in GNS with the new name in the current zone. Otherwise, the resulting name is resolved via the default operating system name resolution process. This may in turn again trigger a GNS resolution process depending on the system configuration.¶
The recursive DNS resolution process may yield a CNAME as well which in turn may either point into the DNS or GNS namespace (if it ends in a label representation of a zone key). In order to prevent infinite loops, the resolver MUST implement loop detections or limit the number of recursive resolution steps. If the last CNAME was a DNS name, the resolver returns the DNS name as a supplemental LEHO record (Section 5.4) with a relative expiration time of one hour.¶
When a BOX record is received, a GNS resolver must unbox it if the name to be resolved continues with "_SERVICE._PROTO". Otherwise, the BOX record is to be left untouched. This way, TLSA (and SRV) records do not require a separate network request, and TLSA records become inseparable from the corresponding address records.¶
At the end of the recursion, if the queried record type is either A or AAAA and the retrieved record set contains at least one VPN record, the resolver SHOULD open a tunnel and return the IPv4 or IPv6 tunnel address, respectively. The type of tunnel depends on the contents of the VPN record data. The VPN record MUST be returned if the resolver implementation does not support setting up a tunnnel.¶
NICK records are only relevant to the recursive resolver if the record set in question is the final result which is to be returned to the client. The encountered NICK records may either be supplemental (see Section 4) or non-supplemental. If the NICK record is supplemental, the resolver only returns the record set if one of the non-supplemental records matches the queried record type.¶
The differentiation between a supplemental and non-supplemental NICK record allows the client to match the record to the authoritative zone. Consider the following example:¶
In this example, the returned NICK record is non-supplemental. For the client, this means that the NICK belongs to the zone "alice.doe" and is published under the empty label along with an A record. The NICK record should be interpreted as: The zone defined by "alice.doe" wants to be referred to as "eve". In contrast, consider the following:¶
In this case, the NICK record is marked as supplemental. This means that the NICK record belongs to the zone "doe" and is published under the label "alice" along with an A record. The NICK record should be interpreted as: The zone defined by "doe" wants to be referred to as "john". This distinction is likely useful for other records published as supplemental.¶
Whenever a recursive resolver encounters a new GNS zone, it MUST check against the local revocation list whether the respective zone key has been revoked. If the zone key was revoked, the resolution MUST fail with an empty result set.¶
In order to revoke a zone key, a signed revocation object SHOULD be published. This object MUST be signed using the private zone key. The revocation object is flooded in the overlay network. To prevent flooding attacks, the revocation message MUST contain a proof of work (PoW). The revocation message including the PoW MAY be calculated ahead of time to support timely revocation.¶
For all occurences below, "Argon2id" is the Password-based Key Derivation Function as defined in [Argon2]. For the PoW calculations the algorithm is instantiated with the following parameters:¶
The following is the message string "P" on which the PoW is calculated:¶
where:¶
Traditionally, PoW schemes require to find a "POW" such that at least D leading zeroes are found in the hash result. D is then referred to as the "difficulty" of the PoW. In order to reduce the variance in time it takes to calculate the PoW, we require that a number "Z" different PoWs must be found that on average have "D" leading zeroes.¶
The resulting proofs may then published and disseminated. The concrete dissemination and publication methods are out of scope of this document. Given an average difficulty of "D", the proofs have an expiration time of EPOCH. With each additional bit difficulty, the lifetime of the proof is prolonged for another EPOCH. Consequently, by calculating a more difficult PoW, the lifetime of the proof can be increased on demand by the zone owner.¶
The parameters are defined as follows:¶
Given that proof has been found, a revocation data object is defined as follows:¶
where:¶
The signature over the public key covers a 32-bit pseudo header conceptually prefixed to the public key. The pseudo header includes the key length and signature purpose:¶
where:¶
In order to verify a revocation the following steps must be taken, in order:¶
The resolution of a GNS name must start in a given start zone indicated to the resolver using any public zone key. The local resolver may have a local start zone configured/hard-coded which points to a local or remote start zone key. A resolver client may also determine the start zone from the suffix of the name given for resolution or using information retrieved out of band. The governance model of any zone is at the sole discretion of the zone owner. However, the choice of start zone(s) is at the sole discretion of the local system administrator or user.¶
This is an important distinguishing factor from the Domain Name System where root zone governance is centralized at the Internet Corporation for Assigned Names and Numbers (ICANN). In DNS terminology, GNS roughly follows the idea of a hyper-hyper local root zone deployment, with the difference that it is not expected that all deployments use the same local root zone.¶
In the following, we give examples how a local client resolver SHOULD discover the start zone. The process given is not exhaustive and clients MAY suppliement it with other mechanisms or ignore it if the particular application requires a different process.¶
GNS clients MUST first try to interpret the top-level domain of a GNS name as a zone key representation ("zTLD"). If the top-level domain is indicated to be a label representation of a public zone key with a well-defined "ztype" value, the root zone of the resolution process is implicitly given by the suffic of the name:¶
Example name: www.example.<zTLD> => Root zone: zk of type ztype => Name to resolve from root zone: www.example¶
In GNS, users MAY own and manage their own zones. Each local zone SHOULD be associated with a single GNS label, but users MAY choose to use longer names consisting of multiple labels. If the name of a locally managed zone matches the suffix of the name to be resolved, resolution SHOULD start from the respective local zone:¶
Example name: www.example.org Local zones: fr = (d0,zk0) gnu = (d1,zk1) com = (d2,zk2) ... => Entry zone: zk1 => Name to resolve from entry zone: www.example¶
Finally, additional "suffix to zone" mappings MAY be configured. Suffix to zone key mappings SHOULD be configurable through a local configuration file or database by the user or system administrator. The suffix MAY consist of multiple GNS labels concatenated with a ".". If multiple suffixes match the name to resolve, the longest matching suffix MUST BE used. The suffix length of two results cannot be equal, as this would indicate a misconfiguration. If both a locally managed zone and a configuration entry exist for the same suffix, the locally managed zone MUST have priority.¶
Example name: www.example.org Local suffix mappings: gnu = zk0 example.org = zk1 example.com = zk2 ... => Entry zone: zk1 => Name to resolve from entry zone: www¶
The security of cryptographic systems depends on both the strength of the cryptographic algorithms chosen and the strength of the keys used with those algorithms. The security also depends on the engineering of the protocol used by the system to ensure that there are no non-cryptographic ways to bypass the security of the overall system.¶
This document concerns itself with the selection of cryptographic algorithms for use in GNS. The algorithms identified in this document are not known to be broken (in the cryptographic sense) at the current time, and cryptographic research so far leads us to believe that they are likely to remain secure into the foreseeable future. However, this isn't necessarily forever, and it is expected that new revisions of this document will be issued from time to time to reflect the current best practices in this area.¶
GNS PKEY zone keys use ECDSA over Curve25519. This is an unconventional choice, as ECDSA is usually used with other curves. However, traditional ECDSA curves are problematic for a range of reasons described in the Curve25519 and EdDSA papers. Using EdDSA directly is also not possible, as a hash function is used on the private key which destroys the linearity that the GNU Name System depends upon. We are not aware of anyone suggesting that using Curve25519 instead of another common curve of similar size would lower the security of ECDSA. GNS uses 256-bit curves because that way the encoded (public) keys fit into a single DNS label, which is good for usability.¶
In terms of crypto-agility, whenever the need for an updated cryptographic scheme arises to, for example, replace ECDSA over Curve25519 for PKEY records it may simply be introduced through a new record type. Such a new record type may then replace the delegation record type for future records. The old record type remains and zones can iteratively migrate to the updated zone keys.¶
In order to ensure ciphertext indistinguishability, care must be taken with respect to the initialization vector in the counter block. In our design, the IV is always the expiration time of the record block. For blocks with relative expiration times it is implicitly ensured that each time a block is published into the DHT, its IV is unique as the expiration time is calculated dynamically and increases monotonically. For blocks with absolute expiration times, the implementation MUST ensure that the expiration time is modified when the record data changes. For example. the expiration time may be increased by a single microsecond.¶
GNS names are UTF-8 strings. Consequently, GNS faces similar issues with respect to name spoofing as DNS does for internationalized domain names. In DNS, attackers may register similar sounding or looking names (see above) in order to execute phishing attacks. GNS zone administrators must take into account this attack vector and incorporate rules in order to mitigate it.¶
Further, DNS can be used to combat illegal content on the internet by having the respective domains seized by authorities. However, the same mechanisms can also be abused in order to impose state censorship, which ist one of the motivations behind GNS. Hence, such a seizure is, by design, difficult to impossible in GNS. In particular, GNS does not support WHOIS ([RFC3912]).¶
In GNS, zone administrators need to manage and protect their zone keys. Once a zone key is lost it cannot be recovered. Once it is compromised it cannot be revoked (unless a revocation message was pre-calculated and is still available). Zone administrators, and for GNS this includes end-users, are required to responsibly and dilligently protect their cryptographic keys. Offline signing is in principle possible, but GNS does not support separate zone signing and key-signing keys (as in [RFC6781]) in order to provide usable security.¶
Similarly, users are required to manage their local root zone. In order to ensure integrity and availability or names, users must ensure that their local root zone information is not compromised or outdated. It can be expected that the processing of zone revocations and an initial root zone is provided with a GNS client implementation ("drop shipping"). Extension and customization of the zone is at the full discretion of the user.¶
This document does not specifiy the properties of the underlying distributed hash table (DHT) which is required by any GNS implementation. For implementors, it is important to note that the properties of the DHT are directly inherited by the GNS implementation. This includes both security as well as other non-functional properties such as scalability and performance. Implementors should take great care when selecting or implementing a DHT for use in a GNS implementation. DHTs with strong security and performance guarantees exist [R5N]. It should also be taken into consideration that GNS implementations which build upon different DHT overlays are unlikely to be interoperable with each other.¶
Zone administrators are advised to pre-generate zone revocations and securely store the revocation information in case the zone key is lost, compromised or replaced in the furture. Pre-calculated revocations may become invalid due to expirations or protocol changes such as epoch adjustments. Consequently, implementors and users must make precautions in order to manage revocations accordingly.¶
Revocation payloads do NOT include a 'new' key for key replacement. Inclusion of such a key would have two major disadvantages:¶
If revocation is used after a private key was compromised, allowing key replacement would be dangerous: if an adversary took over the private key, the adversary could then broadcast a revocation with a key replacement. For the replacement, the compromised owner would have no chance to issue even a revocation. Thus, allowing a revocation message to replace a private key makes dealing with key compromise situations worse.¶
Sometimes, key revocations are used with the objective of changing cryptosystems. Migration to another cryptosystem by replacing keys via a revocation message would only be secure as long as both cryptosystems are still secure against forgery. Such a planned, non-emergency migration to another cryptosystem should be done by running zones for both ciphersystems in parallel for a while. The migration would conclude by revoking the legacy zone key only once it is deemed no longer secure, and hopefully after most users have migrated to the replacement.¶
GANA [GANA] is requested to create an "GNU Name System Record Types" registry. The registry shall record for each entry:¶
The registration policy for this sub-registry is "First Come First Served", as described in [RFC8126]. GANA is requested to populate this registry as follows:¶
GANA is requested to amend the "GNUnet Signature Purpose" registry as follows:¶
The following represents a test vector for a record set with a DNS record of type "A" as well as a GNS record of type "PKEY" under the label "test".¶
Zone private key (d, little-endian, with ztype prepended): 0001000020110ab2 807d702f7b86dc30 6c37e8e2e0a5dbb2 7ae934727d9ca07d 69c73579 Zone identifier (zid): 0001000063db8bf0 44212617ce5db4fc 7c06fb9e35b2e177 3b4b76c05b42a1e7 17d018c6 Encoded zone identifier (zkl = zTLD): 000G0033VE5Z0H114RBWWQDMZHY0DYWY6PSE2XSV9DVC0PT2M7KHFM0RRR Label: test RRCOUNT: 2 Record #0 EXPIRATION: 1602865000130231 DATA_SIZE: 4 TYPE: 1 FLAGS: 0 DATA: 01020304 Record #1 EXPIRATION: 1602865000130231 DATA_SIZE: 32 TYPE: 65536 FLAGS: 2 DATA: 00010000796f4a8b 66d7780f62f46604 24c750295f31674d 052a4989cf0779a7 RDATA: 0005b1cc16f4a6b7 0000000400000001 0000000001020304 0005b1cc16f4a6b7 0000002000010000 0000000200010000 796f4a8b66d7780f 62f4660424c75029 5f31674d052a4989 cf0779a700000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 BDATA: 4f20986bde1fbbed b57196c1c23e35e9 f1ee62207de81297 0c2b370a9980042f e8296cdd8ca66d69 11ebb2f3b2550959 7cb781ef56ac07d1 7c5dd0903bb94c67 c07e100079f59db3 3363fe110f435838 ef482e60b527f553 2ee435e4c0525439 3965d3dbe72e7c92 9bb4172b3bda7270 06c33578682cb212 23ac2cf389a4fbab bb8cb55e RRBLOCK: 000100007bc2eb40 ef056b05a5a84c35 241ca7190284a4a4 f5afdae14e8b784c 4b516dd6082d7969 2d2bbcb1328bc1df 270b2c02693bdaa9 f4d496dd850068d4 3a471fac0156b902 3536e54960fac47b 58762d82c5ad8e7f 34a121819c7ca75d 64c78d3a00000094 0000000f0005b1cc 16f4a6b74f20986b de1fbbedb57196c1 c23e35e9f1ee6220 7de812970c2b370a 9980042fe8296cdd 8ca66d6911ebb2f3 b25509597cb781ef 56ac07d17c5dd090 3bb94c67c07e1000 79f59db33363fe11 0f435838ef482e60 b527f5532ee435e4 c05254393965d3db e72e7c929bb4172b 3bda727006c33578 682cb21223ac2cf3 89a4fbabbb8cb55e¶
The following is an example revocation for a zone:¶
Zone private key (d, little-endian scalar, with ztype prepended): 00010000a065bf68 07cb3d90d10394a9 a56693e07087ad35 24f8e303931d4ade 946dc447 Zone identifier (zid): 00010000d06ab6d9 14e8a8064609b2b3 cb661c586042adcb 0dc5faeb61994d25 5ebdca72 Encoded zone identifier (zkl = zTLD): 000G006GDAVDJ578N034C2DJPF5PC72RC11AVJRDRQXEPRCS9MJNXFEAE8 Difficulty (5 base difficulty + 2 epochs): 7 Proof: 0005b13f536e2b0e 0000395d1827c000 5caaeaa2b955d82c 5caaeaa2b955da02 5caaeaa2b955daf0 5caaeaa2b955db20 5caaeaa2b955db2d 5caaeaa2b955dba1 5caaeaa2b955dba9 5caaeaa2b955dbc2 5caaeaa2b955dbc8 5caaeaa2b955dbd1 5caaeaa2b955dbf7 5caaeaa2b955dc0e 5caaeaa2b955dc54 5caaeaa2b955dc8c 5caaeaa2b955dca5 5caaeaa2b955dcb5 5caaeaa2b955dcf8 5caaeaa2b955dd47 5caaeaa2b955dd91 5caaeaa2b955dd98 5caaeaa2b955dd99 5caaeaa2b955ddc4 5caaeaa2b955de7f 5caaeaa2b955de80 5caaeaa2b955de92 5caaeaa2b955ded3 5caaeaa2b955df1a 5caaeaa2b955df77 5caaeaa2b955dfdf 5caaeaa2b955e06e 5caaeaa2b955e08d 5caaeaa2b955e0c4 00010000d06ab6d9 14e8a8064609b2b3 cb661c586042adcb 0dc5faeb61994d25 5ebdca7206b11f93 41f4e1649976c421 b1efe668a44becbe 5a9f76804adb6f6e 2cd16de00d81841d cbd135aacad3bdab 3f2209bd10d55cc1 c7aed9a9bd53a1f6 cae1789d¶