| Internet-Draft | The GNU Name System | February 2022 |
| Schanzenbach, et al. | Expires 18 August 2022 | [Page] |
This document contains the GNU Name System (GNS) technical specification. GNS is a decentralized and censorship-resistant name system that provides a privacy-enhancing alternative to the Domain Name System (DNS).¶
This document defines the normative wire format of resource records, resolution processes, cryptographic routines and security considerations for use by implementers. It is published here to inform readers about the function of GNS, guide future GNS implementations, and ensure interoperability among implementations including with the pre-existing GNUnet implementation.¶
This specification was developed outside the IETF and does not have IETF consensus. It is published here to guide implementation of GNS and to ensure interoperability among implementations.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 18 August 2022.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The Domain Name System (DNS) [RFC1035] is a unique distributed database and a vital service for most Internet applications. While DNS is distributed, in practice it relies on centralized, trusted registrars to provide globally unique names. As the awareness of the central role DNS plays on the Internet rises, various institutions are using their power (including legal means) to engage in attacks on the DNS, thus threatening the global availability and integrity of information on the Internet.¶
DNS was not designed with security in mind. This makes it very vulnerable, especially to attackers that have the technical capabilities of an entire nation state at their disposal. While a wider discussion of this issue is out of scope for this document, analyses and investigations can be found in recent academic research works including [SecureNS].¶
This specification describes a censorship-resistant, privacy-preserving and decentralized name system: The GNU Name System (GNS) [GNS]. It is designed to provide a secure, privacy-enhancing alternative to DNS, especially when censorship or manipulation is encountered. In particular, it directly addresses concerns in DNS with respect to "Query Privacy", the "Single Hierarchy with a Centrally Controlled Root" and "Distribution and Management of Root Servers" as raised in [RFC8324]. GNS can bind names to any kind of cryptographically secured token, enabling it to double in some respects as even as an alternative to some of today's Public Key Infrastructures, in particular X.509 for the Web.¶
The design of GNS incorporates the capability to integrate and coexist with DNS. GNS is based on the principle of a petname system and builds on ideas from the Simple Distributed Security Infrastructure [SDSI], addressing a central issue with the decentralized mapping of secure identifiers to memorable names: namely the impossibility of providing a global, secure and memorable mapping without a trusted authority. GNS uses the transitivity in the SDSI design to replace the trusted root with secure delegation of authority thus making petnames useful to other users while operating under a very strong adversary model.¶
This is an important distinguishing factor from the Domain Name System where root zone governance is centralized at the Internet Corporation for Assigned Names and Numbers (ICANN). In DNS terminology, GNS roughly follows the idea of a hyperlocal root zone deployment, with the difference that it is not expected that all deployments use the same local root zone, and that users can easily delegate control of arbitrary domain names to arbitrary zones.¶
This document defines the normative wire format of resource records, resolution processes, cryptographic routines and security considerations for use by implementers.¶
This specification was developed outside the IETF and does not have IETF consensus. It is published here to guide implementation of GNS and to ensure interoperability among implementations.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
In GNS, any user may create and manage one or more cryptographically secured zones (Section 4). Zones are uniquely identified by a zone key. Zone contents are signed using blinded private keys and encrypted using derived secret keys. The zone type determines the respective set of cryptographic operations and the wire formats for encrypted data, public keys and signatures.¶
A zone can be populated with mappings from labels to resource records by its owner (Section 5). A label can be mapped to a delegation record which results in the corresponding subdomain being delegated to another zone. Circular delegations are explicitly allowed, including delegating a subdomain to its immediate parent zone. In order to support (legacy) applications as well as to facilitate the use of petnames, GNS defines auxiliary record types in addition to supporting traditional DNS records.¶
Zone contents are encrypted and signed before being published in a distributed key-value storage (Section 6). In this process, unique zone identification is hidden from the network through the use of key blinding. Key blinding allows the creation of signatures for zone contents using a blinded public/private key pair. This blinding is realized using a deterministic key derivation from the original zone key and corresponding private key using record label values as blinding factors. Specifically, the zone owner can derive blinded private keys for each record set published under a label, and a resolver can derive the corresponding blinded public keys. It is expected that GNS implementations use distributed or decentralized storages such as distributed hash tables (DHT) in order to facilitate availability within a network without the need for dedicated infrastructure. Specification of such a distributed or decentralized storage is out of scope of this document, but possible existing implementations include those based on [RFC7363], [Kademlia] or [R5N].¶
Names in GNS are domain names as defined in [RFC8499]. Starting from a configurable start zone, names are resolved by following zone delegations. For each label in a name, the recursive GNS resolver fetches the respective record from the storage layer (Section 7). Without knowledge of the label values and the zone keys, the different derived keys are unlinkable both to the original zone key and to each other. This prevents zone enumeration (except via impractical online brute force attacks) and requires knowledge of both the zone key and the label to confirm affiliation of a query or the corresponding encrypted record set with a specific zone. At the same time, the blinded zone key provides resolvers with the ability to verify the integrity of the published information without disclosing the originating zone.¶
In the remainder of this document, the "implementer" refers to the developer building a GNS implementation including, for example, zone management tools and name resolution components.¶
A zone in GNS is uniquely identified by its zone type and zone key. Each zone can be represented by a Zone Top-Level Domain (zTLD) string.¶
A implementation SHOULD enable the user to create and manage zones. If this functionality is not implemented, names can still be resolved if zone keys for the initial step in the name resolution are available (see Section 7).¶
Each zone type (ztype) is assigned a unique 32-bit number when it is registered in the GNUnet Assigned Numbers Authority [GANA]. The ztype determines which cryptosystem is used for the asymmetric and symmetric key operations of the zone. The ztype number always corresponds to a resource record type number identifying a delegation into a zone of this type. To ensure that there are no conflicts with DNS record types, ztypes are always assigned numeric values above 65535.¶
For any zone, let d be the private key and zk the public zone key. The specific wire format used depends on the ztype. The creation of zone keys for the default ztypes are specified in Section 5.1. New ztypes may be specified in the future, for example if the cryptographic mechanisms used in this document are broken. Any ztype MUST define the following set of cryptographic functions:¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | ZONE TYPE | ZONE KEY / +-----+-----+-----+-----+ / / / / /
The decoded binary representation of the zTLD¶
The zTLD is the Zone Top-Level Domain. It is a string which encodes the zone type and zone key into a domain name. The zTLD is used as a globally unique reference to a specific namespace in the process of name resolution. To encode the zone key, a zone key label zkl is derived from a concatenation of the zone type and zone key (see Figure 1). The result is encoded using a variation of the Crockford Base32 encoding [CrockfordB32] called Base32GNS. The encoding and decoding symbols for Base32GNS including this modification are defined in Figure 23. The functions for encoding and decoding based on this table are called Base32GNS-Encode and Base32GNS-Decode, respectively.¶
For the string representation of a zTLD we define:¶
zkl := Base32GNS-Encode(ztype||zkey) ztype||zkey := Base32GNS-Decode(zkl)¶
If zkl is less than 63 characters, it can directly be used as a zTLD. If zkl is longer than 63 characters, the zTLD is constructed by dividing zkl into smaller labels separated by the label separator ".". Here, the most significant bytes of the "ztype||zkey" concatenation must be contained in the rightmost label of the resulting string and the least significant bytes in the leftmost label of the resulting string. This allows the resolver to determine the ztype and zkl length from the rightmost label and to subsequently determine how many labels the zTLD should span. For example, assuming a zkl of 130 characters, the encoding would be:¶
zTLD := zkl[126..129].zkl[63..125].zkl[0..62]¶
Whenever a resolver encounters a new GNS zone, it MUST check against the local revocation list whether the respective zone key has been revoked. If the zone key was revoked, the resolution MUST fail with an empty result set.¶
In order to revoke a zone key, a signed revocation message MUST be published. This message MUST be signed using the private key. The revocation message is broadcast to the network. The specification of the broadcast mechanism is out of scope for this document. A possible broadcast mechanism for efficient flooding in a distributed network is implemented in [GNUnet]. Alternatively, revocation messages could also be distributed via a distributed ledger or a trusted central server. To prevent flooding attacks, the revocation message MUST contain a proof of work (PoW). The revocation message including the PoW MAY be calculated ahead of time to support timely revocation.¶
For all occurrences below, "Argon2id" is the Password-based Key Derivation Function as defined in [RFC9106]. For the PoW calculations the algorithm is instantiated with the following parameters:¶
Figure 2 illustrates the format of the data "P" on which the PoW is calculated.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | POW | +-----------------------------------------------+ | TIMESTAMP | +-----------------------------------------------+ | ZONE TYPE | ZONE KEY | +-----+-----+-----+-----+ | / / / / +-----+-----+-----+-----+-----+-----+-----+-----+
The Format of the PoW Data.¶
Traditionally, PoW schemes require to find a POW value such that at least D leading zeroes are found in the hash result. D is then referred to as the difficulty of the PoW. In order to reduce the variance in time it takes to calculate the PoW, we require that a number Z different PoWs must be found that on average have D leading zeroes.¶
The resulting proofs may then published and disseminated. The concrete dissemination and publication methods are out of scope of this document. Given an average difficulty of D, the proofs have an expiration time of EPOCH. With each additional bit difficulty, the lifetime of the proof is prolonged for another EPOCH. Consequently, by calculating a more difficult PoW, the lifetime of the proof can be increased on demand by the zone owner.¶
The parameters are defined as follows:¶
The revocation message wire format is illustrated in Figure 3.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | TIMESTAMP | +-----+-----+-----+-----+-----+-----+-----+-----+ | TTL | +-----+-----+-----+-----+-----+-----+-----+-----+ | POW_0 | +-----+-----+-----+-----+-----+-----+-----+-----+ | ... | +-----+-----+-----+-----+-----+-----+-----+-----+ | POW_Z-1 | +-----------------------------------------------+ | ZONE TYPE | ZONE KEY | +-----+-----+-----+-----+ | / / / / +-----+-----+-----+-----+-----+-----+-----+-----+ | SIGNATURE | / / / / | | +-----+-----+-----+-----+-----+-----+-----+-----+
The Revocation Message Wire Format.¶
The signature over the public key covers a 32-bit header prefixed to the time stamp and public key fields. The header includes the key length and signature purpose. The wire format is illustrated in Figure 4.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | SIZE | PURPOSE (0x03) | +-----+-----+-----+-----+-----+-----+-----+-----+ | TIMESTAMP | +-----+-----+-----+-----+-----+-----+-----+-----+ | ZONE TYPE | ZONE KEY | +-----+-----+-----+-----+ | / / / / +-----+-----+-----+-----+-----+-----+-----+-----+
The Wire Format of the Revocation Data for Signing.¶
In order to verify a revocation the following steps MUST be taken:¶
A GNS implementer SHOULD provide a mechanism to create and manage resource records for local zones. A new local zone is established by selecting a zone type and creating a zone key pair. As records may be added to each zone by its owner, a (local) persistence mechanism such as a database for resource records and zones SHOULD be provided. This local zone database is used by the name resolution logic and serves as a basis for publishing zones into the GNS storage (see Section 6).¶
A GNS resource record holds the data of a specific record in a zone. The resource record format is defined in Figure 5.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | EXPIRATION | +-----+-----+-----+-----+-----+-----+-----+-----+ | SIZE | FLAGS | TYPE | +-----+-----+-----+-----+-----+-----+-----+-----+ | DATA / / / / /
The Resource Record Wire Format.¶
Flags indicate metadata surrounding the resource record. A flag value of 0 indicates that all flags are unset. Applications creating resource records MUST set all bits which are not defined as a flag to 0. Additional flags may be defined in future protocol versions. If an application or implementation encounters a flag which it does not recognize, it MUST be ignored. Figure 6 illustrates the flag distribution in the 16-bit flag field of a resource record:¶
0 1 2 3 4 5... +--------+--------+--------+--------+--------+---- |CRITICAL|SHADOW |SUPPL |RESERVED +--------+--------+--------+--------+--------+----
The Resource Record Flag Wire Format.¶
This section defines the initial set of zone delegation record types. Any implementation SHOULD support all zone types defined here and MAY support any number of additional delegation records defined in the GNU Name System Record Types registry (see Section 10). Zone delegation records MUST have the CRTITICAL flag set. Not supporting some zone types MAY result in resolution failures. This MAY BE a valid choice if some zone delegation record types have been determined to be cryptographically insecure. Zone delegation records MUST NOT be stored and published under the apex label. A zone delegation record type value is the same as the respective ztype value. The ztype defines the cryptographic primitives for the zone that is being delegated to. A zone delegation resource record payload contains the public key of the zone to delegate to. A zone delegation record MUST be the only record under a label. No other records are allowed.¶
In GNS, a delegation of a label to a zone of type "PKEY" is represented through a PKEY record. The PKEY DATA entry wire format can be found in Figure 7.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | PUBLIC KEY | | | | | | | +-----+-----+-----+-----+-----+-----+-----+-----+
The PKEY Wire Format.¶
For PKEY zones the zone key material is derived using the curve parameters of the twisted Edwards representation of Curve25519 [RFC7748] (a.k.a. Ed25519) with the ECDSA scheme [RFC6979]. Consequently, we use the following naming convention for our cryptographic primitives for PKEY zones:¶
The zone type and zone key of a PKEY are 4 + 32 bytes in length. This means that a zTLD will always fit into a single label and does not need any further conversion.¶
Given a label, the output d' of the ZKDF-Private(d,label) function for zone key blinding is calculated as follows for PKEY zones:¶
ZKDF-Private(d,label):
zk := d * G
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
d' := (h * d) mod L
return d'
¶
Equally, given a label, the output zk' of the ZKDF-Public(zk,label) function is calculated as follows for PKEY zones:¶
ZKDF-Public(zk,label)
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
zk' := (h mod L) * zk
return zk'
¶
The PKEY cryptosystem uses a hash-based key derivation function (HKDF) as defined in [RFC5869], using SHA-512 [RFC6234] for the extraction phase and SHA-256 [RFC6234] for the expansion phase. PRK_h is key material retrieved using an HKDF using the string "key-derivation" as salt and the zone key as initial keying material. h is the 512-bit HKDF expansion result and must be interpreted in network byte order. The expansion information input is a concatenation of the label and the string "gns". The label is a UTF-8 string under which the resource records are published. The multiplication of zk with h is a point multiplication, while the multiplication of d with h is a scalar multiplication.¶
The Sign() and Verify() functions for PKEY zones are implemented using 512-bit ECDSA deterministic signatures as specified in [RFC6979]. The same functions can be used for derived keys:¶
SignDerived(d,label,message): d' := ZKDF-Private(d,label) return Sign(d',message)¶
A signature (R,S) is valid if the following holds:¶
VerifyDerived(zk,label,message,signature): zk' := ZKDF-Public(zk,label) return Verify(zk',message,signature)¶
The S-Encrypt() and S-Decrypt() functions use AES in counter mode as defined in [MODES] (CTR-AES-256):¶
S-Encrypt(zk,label,expiration,plaintext):
PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
K := HKDF-Expand (PRK_k, label, 256 / 8)
NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
IV := NONCE || expiration || 0x0000000000000001
return CTR-AES256(K, IV, plaintext)
The PKEY S-Encrypt Procedure.¶
S-Decrypt(zk,label,expiration,ciphertext):
PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
K := HKDF-Expand (PRK_k, label, 256 / 8)
NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
IV := NONCE || expiration || 0x0000000000000001
return CTR-AES256(K, IV, ciphertext)
The PKEY S-Decrypt Procedure.¶
The key K and counter IV are derived from the record label and the zone key zk using a hash-based key derivation function (HDKF) as defined in [RFC5869]. SHA-512 [RFC6234] is used for the extraction phase and SHA-256 [RFC6234] for the expansion phase. The output keying material is 32 bytes (256 bits) for the symmetric key and 4 bytes (32 bits) for the nonce. The symmetric key K is a 256-bit AES [RFC3826] key.¶
The nonce is combined with a 64-bit initialization vector and a 32-bit block counter as defined in [RFC3686]. The block counter begins with the value of 1, and it is incremented to generate subsequent portions of the key stream. The block counter is a 32-bit integer value in network byte order. The initialization vector is the expiration time of the resource record block in network byte order. The resulting counter (IV) wire format can be found in Figure 10.¶
0 8 16 24 32 +-----+-----+-----+-----+ | NONCE | +-----+-----+-----+-----+ | EXPIRATION | | | +-----+-----+-----+-----+ | BLOCK COUNTER | +-----+-----+-----+-----+
The Block Counter Wire Format.¶
In GNS, a delegation of a label to a zone of type "EDKEY" is represented through a EDKEY record. The EDKEY DATA entry wire format is illustrated in Figure 11.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | PUBLIC KEY | | | | | | | +-----+-----+-----+-----+-----+-----+-----+-----+
The EDKEY DATA Wire Format.¶
For EDKEY zones the zone key material is derived using the curve parameters of the twisted edwards representation of Curve25519 [RFC7748] (a.k.a. Ed25519) with the Ed25519 scheme [ed25519] as specified in [RFC8032]. Consequently, we use the following naming convention for our cryptographic primitives for EDKEY zones:¶
The zone type and zone key of an EDKEY are 4 + 32 bytes in length. This means that a zTLD will always fit into a single label and does not need any further conversion.¶
The "EDKEY" ZKDF instantiation is based on [Tor224]. The calculation of a is defined in Section 5.1.5 of [RFC8032]. Given a label, the output of the ZKDF-Private function for zone key blinding is calculated as follows for EDKEY zones:¶
ZKDF-Private(d,label):
/* EdDSA clamping */
a := SHA-512 (d)
a[0] &= 248
a[31] &= 127
a[31] |= 64
/* Calculate zk from d */
zk := a * G
/* Calculate the blinding factor */
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
/* Ensure that h == h mod L */
h[31] &= 7
a1 := a >> 3
a2 := (h * a1) mod L
d' := a2 << 3
return d'
¶
Equally, given a label, the output of the ZKDF-Public function is calculated as follows for PKEY zones:¶
ZKDF-Public(zk,label):
/* Calculate the blinding factor */
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
/* Ensure that h == h mod L */
h[31] &= 7
zk' := h * zk
return zk'
¶
We note that implementers SHOULD employ a constant time scalar multiplication for the constructions above to protect against timing attacks. Otherwise, timing attacks may leak private key material if an attacker can predict when a system starts the publication process.¶
The EDKEY cryptosystem uses a hash-based key derivation function (HKDF) as defined in [RFC5869], using SHA-512 [RFC6234] for the extraction phase and HMAC-SHA256 [RFC6234] for the expansion phase. PRK_h is key material retrieved using an HKDF using the string "key-derivation" as salt and the zone key as initial keying material. The blinding factor h is the 512-bit HKDF expansion result. The expansion information input is a concatenation of the label and the string "gns". The result of the HKDF must be clamped and interpreted in network byte order. a is the 256-bit integer corresponding to the 256-bit private key d. The label is a UTF-8 string under which the resource records are published. The multiplication of zk with h is a point multiplication, while the division and multiplication of a and a1 with the co-factor are integer operations.¶
The Sign(d,message) and Verify(zk,message,signature) procedures MUST be implemented as defined in [RFC8032].¶
Signatures for EDKEY zones using the derived private scalar d' are not compliant with [RFC8032]. As the corresponding private key to the derived private scalar d' is not known, it is not possible to deterministically derive the signature part R according to [RFC8032]. Instead, signatures MUST be generated as follows for any given message and private zone key: A nonce is calculated from the highest 32 bytes of the expansion of the private key d and the blinding factor h. The nonce is then hashed with the message to r. This way, we include the full derivation path in the calculation of the R value of the signature, ensuring that it is never reused for two different derivation paths or messages.¶
SignDerived(d,label,message):
/* EdDSA clamping */
a := SHA-512 (d)
a[0] &= 248
a[31] &= 127
a[31] |= 64
/* Calculate zk from d */
zk := a * G
/* Calculate blinding factor */
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
d' := ZKDF-Private(d,label)
dh := SHA-512 (d)
nonce := SHA-256 (dh[32..63] || h)
r := SHA-512 (nonce || message)
R := r * G
S := r + SHA-512(R || zk' || message) * d' mod L
return (R,S)
¶
A signature (R,S) is valid if the following holds:¶
VerifyDerived(zk,label,message,signature): zk' := ZKDF-Public(zk,label) (R,S) := signature return S * G == R + SHA-512(R, zk', message) * zk'¶
The S-Encrypt() and S-Decrypt() functions use XSalsa20 as defined in [XSalsa20] (XSalsa20-Poly1305):¶
S-Encrypt(zk,label,expiration,message):
PRK_k := HKDF-Extract ("gns-xsalsa-ctx-key", zk)
PRK_n := HKDF-Extract ("gns-xsalsa-ctx-iv", zk)
K := HKDF-Expand (PRK_k, label, 256 / 8)
NONCE := HKDF-Expand (PRK_n, label, 128 / 8)
IV := NONCE || expiration
return XSalsa20-Poly1305(K, IV, message)
S-Decrypt(zk,label,expiration,ciphertext):
PRK_k := HKDF-Extract ("gns-xsalsa-ctx-key", zk)
PRK_n := HKDF-Extract ("gns-xsalsa-ctx-iv", zk)
K := HKDF-Expand (PRK_k, label, 256 / 8)
NONCE := HKDF-Expand (PRK_n, label, 128 / 8)
IV := NONCE || expiration
return XSalsa20-Poly1305(K, IV, ciphertext)
¶
The result of the XSalsa20-Poly1305 encryption function is the encrypted ciphertext followed by the 128-bit authentication tag. Accordingly, the length of encrypted data equals the length of the data plus the 16 bytes of the authentication tag.¶
The key K and counter IV are derived from the record label and the zone key zk using a hash-based key derivation function (HKDF) as defined in [RFC5869]. SHA-512 [RFC6234] is used for the extraction phase and SHA-256 [RFC6234] for the expansion phase. The output keying material is 32 bytes (256 bits) for the symmetric key and 16 bytes (128 bits) for the NONCE. The symmetric key K is a 256-bit XSalsa20 [XSalsa20] key. No additional authenticated data (AAD) is used.¶
The nonce is combined with an 8 byte initialization vector. The initialization vector is the expiration time of the resource record block in network byte order. The resulting counter (IV) wire format is illustrated in Figure 12.¶
0 8 16 24 32 +-----+-----+-----+-----+ | NONCE | | | | | | | +-----+-----+-----+-----+ | EXPIRATION | | | +-----+-----+-----+-----+
The Counter Block Initialization Vector¶
Redirect records may be used to redirect resolution. Any implementation SHOULD support all redirection record types defined here and MAY support any number of additional redirection records defined in the GNU Name System Record Types registry (see Section Section 10). Redirection records MUST have the CRTITICAL flag set. Not supporting some record types MAY result in resolution failures. This MAY BE a valid choice if some redirection record types have been determined to be insecure, or if an application has reasons to not support redirection to DNS for reasons such as complexity or security. Redirection records MUST NOT be stored and published under the apex label.¶
A REDIRECT record is the GNS equivalent of a CNAME record in DNS. A REDIRECT record MUST be the only record under a label. No other records are allowed. Details on processing of this record is defined in Section 7.3.1. A REDIRECT DATA entry is illustrated in Figure 13.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | REDIRECT NAME | / / / / | | +-----+-----+-----+-----+-----+-----+-----+-----+
The REDIRECT DATA Wire Format¶
It is possible to delegate a label back into DNS through a GNS2DNS record. The resource record contains a DNS name for the resolver to continue with in DNS followed by a DNS server. Both names are in the format defined in [RFC1034] for DNS names. There MAY be multiple GNS2DNS records under a label. There MAY also be DNSSEC DS records or any other records used to secure the connection with the DNS servers under the same label. No other record types are allowed in the same record set. A GNS2DNS DATA entry is illustrated in Figure 14.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | DNS NAME | / / / / | | +-----+-----+-----+-----+-----+-----+-----+-----+ | DNS SERVER NAME | / / / / | | +-----------------------------------------------+
The GNS2DNS DATA Wire Format¶
NOTE: If an application uses DNS names obtained from GNS2DNS records in a DNS request they must first be converted to an IDNA punycode representation [RFC5891].¶
This section defines the initial set of auxiliary GNS record types. Any implementation SHOULD be able to process the specified record types according to Section 7.3.¶
Applications can use the GNS to lookup IPv4 or IPv6 addresses of internet services. However, sometimes connecting to such services does not only require the knowledge of an address and port, but also requires the canonical DNS name of the service to be transmitted over the transport protocol. In GNS, legacy host name records provide applications the DNS name that is required to establish a connection to such a service. The most common use case is HTTP virtual hosting, where a DNS name must be supplied in the HTTP "Host"-header. Using a GNS name for the "Host"-header may not work as it may not be globally unique. Furthermore, even if uniqueness is not an issue, the legacy service might not even be aware of GNS. A LEHO resource record is expected to be found together in a single resource record with an IPv4 or IPv6 address. A LEHO DATA entry is illustrated in Figure 15.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | LEGACY HOSTNAME | / / / / | | +-----+-----+-----+-----+-----+-----+-----+-----+
The LEHO DATA Wire Format.¶
NOTE: If an application uses a LEHO value in an HTTP request header (e.g. "Host:" header) it must be converted to an IDNA punycode representation [RFC5891].¶
Nickname records can be used by zone administrators to publish an the label that a zone prefers to have used when it is referred to. This is a suggestion to other zones what label to use when creating a delegation record (Section 5.1) containing this zone key. This record SHOULD only be stored under the apex label "@" but MAY be returned with record sets under any label as a supplemental record. Section 7.3.5 details how a resolver must process supplemental and non-supplemental NICK records. A NICK DATA entry is illustrated in Figure 16.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | NICKNAME | / / / / | | +-----+-----+-----+-----+-----+-----+-----+-----+
The NICK DATA Wire Format.¶
In GNS, with the notable exception of zTLDs, every "." in a name delegates to another zone. Furthermore, GNS lookups are expected to return all of the required useful information in one record set. This avoids unnecessary additional lookups and cryptographically ties together information that belongs together, making it impossible for an adversarial storage to provide partial answers that might omit information critical for security.¶
However, this general strategy is incompatible with the special labels used by DNS for SRV and TLSA records. Thus, GNS defines the BOX record format to box up SRV and TLSA records and include them in the record set of the label they are associated with. For example, a TLSA record for "_https._tcp.example.org" will be stored in the record set of "example.org" as a BOX record with service (SVC) 443 (https) and protocol (PROTO) 6 (tcp) and record TYPE "TLSA". For reference, see also [RFC2782]. A BOX DATA entry is illustrated in Figure 17.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | PROTO | SVC | TYPE | +-----------+-----------------------------------+ | RECORD DATA | / / / / | | +-----+-----+-----+-----+-----+-----+-----+-----+
The BOX DATA Wire Format.¶
Any API which allows storing a value under a 512-bit key and retrieving one or more values from the key can be used by an implementation for record storage. To be useful, the API MUST permit storing at least 176 byte values to be able to support the defined zone delegation record encodings, and SHOULD allow at least 1024 byte values. We assume that an implementation realizes two procedures on top of a storage:¶
PUT(key,value) GET(key) -> value¶
There is no explicit delete function as the deletion of a non-expired record would require a revocation of the record. In GNS, zones can only be revoked as a whole. Records automatically expire and it is under the discretion of the storage as to when to delete the record. The GNS implementation MUST NOT publish expired resource records. Any GNS resolver MUST discard expired records returned from the storage.¶
Resource records are grouped by their respective labels, encrypted and published together in a single resource records block (RRBLOCK) in the storage under a key q: PUT(q, RRBLOCK). The key q is derived from the zone key and the respective label of the contained records. The required knowledge of both zone key and label in combination with the similarly derived symmetric secret keys and blinded zone keys ensure query privacy (see [RFC8324], Section 3.5). The storage key derivation and records block creation is specified in the following sections. The implementation MUST use the PUT storage procedure in order to update the zone contents accordingly.¶
Given a label, the storage key q is derived as follows:¶
q := SHA-512 (ZKDF-Public(zk, label))¶
GNS records are grouped by their labels and published as a single block in the storage. The grouped record sets MAY be paired with any number of supplemental records. Supplemental records MUST have the supplemental flag set (See Section 5). The contained resource records are encrypted using a symmetric encryption scheme. A GNS implementation publish RRBLOCKs in accordance to the properties and recommendations of the underlying storage. This may include a periodic refresh operation to ensure the availability of the published RRBLOCKs. The GNS RRBLOCK wire format is illustrated in Figure 18.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | SIZE | ZONE TYPE | +-----+-----+-----+-----+-----+-----+-----+-----+ / ZONE KEY / / (BLINDED) / | | +-----+-----+-----+-----+-----+-----+-----+-----+ | SIGNATURE | / / / / | | +-----+-----+-----+-----+-----+-----+-----+-----+ | EXPIRATION | +-----+-----+-----+-----+-----+-----+-----+-----+ | BDATA / / / / | +-----+-----+-----+-----+-----+-----+-----+-----+
The RRBLOCK Wire Format.¶
The signature over the public key covers a 32-bit pseudo header conceptually prefixed to the EXPIRATION and the BDATA fields. The wire format is illustrated in Figure 19.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | SIZE | PURPOSE (0x0F) | +-----+-----+-----+-----+-----+-----+-----+-----+ | EXPIRATION | +-----+-----+-----+-----+-----+-----+-----+-----+ | BDATA | / / / / +-----+-----+-----+-----+-----+-----+-----+-----+
The Wire Format used for creating the signature of the RRBLOCK.¶
A symmetric encryption scheme is used to encrypt the resource records set RDATA into the BDATA field of a GNS RRBLOCK. The wire format of the RDATA is illustrated in Figure 20.¶
0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | EXPIRATION | +-----+-----+-----+-----+-----+-----+-----+-----+ | SIZE | FLAGS | TYPE | +-----+-----+-----+-----+-----+-----+-----+-----+ | DATA / / / / / +-----+-----+-----+-----+-----+-----+-----+-----+ | EXPIRATION | +-----+-----+-----+-----+-----+-----+-----+-----+ | SIZE | FLAGS | TYPE | +-----+-----+-----+-----+-----+-----+-----+-----+ | DATA / / / +-----+-----+-----+-----+-----+-----+-----+-----+ / PADDING / / /
The RDATA Wire Format.¶
Names in GNS are resolved by recursively querying the record storage. Recursive in this context means that a resolver does not provide intermediate results for a query. Instead, it MUST respond to a resolution request with either the requested resource record or an error message in case the resolution fails. In the following, we define how resolution is initiated and each iteration in the resolution is processed.¶
GNS resolution of a name must start in a given starting zone indicated using a zone key. Details on how the starting zone may be determined are discussed in Section 7.1.¶
The application MAY provide a desired record type to the resolver. The desired record type is used to guide processing. For example, if a zone delegation record type is requested, the resolution of the apex label in that zone must be skipped, as the desired record is already found. The resolver implementation MUST NOT filter results according to the desired record type. Filtering of record sets is typically done by the application.¶
The resolution of a GNS name starts in an initial start zone. The resolver may have one or more local start zones configured which point to local or remote zone keys. A resolver may also determine the start zone from the suffix of the name given for resolution, or using information retrieved out of band.¶
The governance model of any zone is at the sole discretion of the zone owner. However, the choice of start zone(s) is at the sole discretion of the local system administrator or user. This property addresses the issue of a single hierarchy with a centrally controlled root and the related issue of distribution and management of root servers in DNS (see [RFC8324], Section 3.10 and 3.12).¶
In the following, we give examples how a resolver SHOULD discover the start zone. The process given is not exhaustive and resolvers MAY supplement it with other mechanisms or ignore it if the particular application requires a different process.¶
GNS implementations MUST first try to interpret the top-level domain of a GNS name as a zone key representation (i.e. a zTLD). If the top-level domain can be converted to a valid ztype and zone key value, the resulting zone key is used as the start zone:¶
Example name: www.example.<zTLD> => Start zone: zk of type ztype => Name to resolve from start zone: www.example¶
In GNS, users MAY own and manage their own zones. Each local zone SHOULD be associated with a single GNS label, but users MAY choose to use longer names consisting of multiple labels. If the name of a locally managed zone matches the suffix of the name to be resolved, resolution MUST start from the respective local zone with the longest matching suffix:¶
Example name: www.example.org Local zones: fr = (d0,zk0) org = (d1,zk1) com = (d2,zk2) ... => Start zone: zk1 => Name to resolve from start zone: www.example¶
Finally, additional "suffix-to-zone" mappings MAY be configured. Suffix to zone key mappings MUST be configurable through a local configuration file or database by the user or system administrator. The suffix MAY consist of multiple GNS labels concatenated with a ".". If multiple suffixes match the name to resolve, the longest matching suffix MUST be used. The suffix length of two results MUST NOT be equal. This indicates a misconfiguration and the implementation MUST return an error. If both a locally managed zone and a configuration entry exist for the same suffix, the locally managed zone MUST have priority.¶
Example name: www.example.org Local suffix mappings: org = zk0 example.org = zk1 example.com = zk2 ... => Start zone: zk1 => Name to resolve from start zone: www¶
In each step of the recursive name resolution, there is an authoritative zone zk and a name to resolve. The name may be empty. Initially, the authoritative zone is the start zone. If the name is empty, it is interpreted as the apex label "@".¶
From here, the following steps are recursively executed, in order:¶
Upon receiving the RRBLOCK from the storage, as part of verifying the provided signature, the resolver MUST check that the SHA-512 hash of the derived authoritative zone key zk' from the RRBLOCK matches the query q and that the overall block is not yet expired. If the signature does not match or the block is expired, the RRBLOCK MUST be ignored and, if applicable, the storage lookup GET(q) MUST continue to look for other RRBLOCKs.¶
Record processing occurs once a well-formed block was decrypted. In record processing, only the valid records obtained are considered. To filter records by validity, the resolver MUST at least check the expiration time and the FLAGS of the respective record. In particular, FLAGS may exclude shadow and supplemental records from being considered. If the resolver encounters a record with the CRITICAL flag set and does not support the record type the resolution MUST be aborted and an error MUST be returned. The information that the critical record could not be processed SHOULD be returned in the error description. The implementation MAY choose not to return the reason for the failure, merely complicating troubleshooting for the user. The next steps depend on the context of the name we are trying to resolve:¶
If the remaining name is empty and the desired record type is REDIRECT, in which case the resolution concludes with the REDIRECT record. If the redirect name ends in ".+", resolution continues in GNS with the new name in the current zone. Otherwise, the resulting name is resolved via the default operating system name resolution process. This may in turn trigger a GNS name resolution process depending on the system configuration. In case resolution continues in DNS, the name MUST first be converted to an IDNA punycode representation [RFC5891].¶
In order to prevent infinite loops, the resolver MUST implement loop detections or limit the number of recursive resolution steps. The loop detection MUST be effective even if a REDIRECT found in GNS triggers subsequent GNS lookups via the default operating system name resolution process.¶
When a resolver encounters one or more GNS2DNS records and the remaining name is empty and the desired record type is GNS2DNS, the GNS2DNS records are returned.¶
Otherwise, it is expected that the resolver first resolves the IP addresses of the specified DNS name servers. The DNS name may have to be converted to an IDNA punycode representation [RFC5891] for resolution in DNS. GNS2DNS records MAY contain numeric IPv4 or IPv6 addresses, allowing the resolver to skip this step. The DNS server names may themselves be names in GNS or DNS. If the DNS server name ends in ".+", the rest of the name is to be interpreted relative to the zone of the GNS2DNS record. If the DNS server name ends in a label representation of a zone key, the DNS server name is to be resolved against the GNS zone zk.¶
Multiple GNS2DNS records may be stored under the same label, in which case the resolver MUST try all of them. The resolver MAY try them in any order or even in parallel. If multiple GNS2DNS records are present, the DNS name MUST be identical for all of them, if not the resolution fails and an appropriate error is SHOULD be returned to the application.¶
If there are DNSSEC DS records or any other records used to secure the connection with the DNS servers stored under the label, the DNS resolver SHOULD use them to secure the connection with the DNS server.¶
Once the IP addresses of the DNS servers have been determined, the DNS name from the GNS2DNS record is appended to the remainder of the name to be resolved, and resolved by querying the DNS name server(s). As the DNS servers specified are possibly authoritative DNS servers, the GNS resolver MUST support recursive DNS resolution and MUST NOT delegate this to the authoritative DNS servers. The first successful recursive name resolution result is returned to the application. In addition, the resolver SHOULD return the queried DNS name as a supplemental LEHO record (see Section 5.3.1) with a relative expiration time of one hour.¶
Once the transition from GNS into DNS is made through a GNS2DNS record, there is no "going back". The (possibly recursive) resolution of the DNS name MUST NOT delegate back into GNS and should only follow the DNS specifications. For example, names contained in DNS CNAME records MUST NOT be interpreted as GNS names.¶
GNS resolvers SHOULD offer a configuration option to disable DNS processing to avoid information leakage and provide a consistent security profile for all name resolutions. Such resolvers would return an empty record set upon encountering a GNS2DNS record during the recursion. However, if GNS2DNS records are encountered in the record set for the apex label and a GNS2DNS record is explicitly requested by the application, such records MUST still be returned, even if DNS support is disabled by the GNS resolver configuration.¶
When a BOX record is received, a GNS resolver must unbox it if the name to be resolved continues with "_SERVICE._PROTO". Otherwise, the BOX record is to be left untouched. This way, TLSA (and SRV) records do not require a separate network request, and TLSA records become inseparable from the corresponding address records.¶
When the resolver encounters a record of a supported zone delegation record type (such as PKEY or EDKEY) and the remainder of the name is not empty, resolution continues recursively with the remainder of the name in the GNS zone specified in the delegation record. Implementations MUST NOT allow multiple different zone delegations under a single label. Implementations MAY support any subset of ztypes. Handling of Implementations MUST NOT process zone delegation for the apex label "@". Upon encountering a zone delegation record under this label, resolution fails and an error MUST be returned. The implementation MAY choose not to return the reason for the failure, merely impacting troubleshooting information for the user.¶
If the remainder of the name to resolve is empty and we have received a record set containing only a single delegation record, the recursion is continued with the record value as authoritative zone and the apex label "@" as remaining name. Except in the case where the desired record type as specified by the application is equal to the ztype, in which case the delegation record is returned.¶
NICK records are only relevant to the recursive resolver if the record set in question is the final result which is to be returned to the application. The encountered NICK records may either be supplemental (see Section 5) or non-supplemental. If the NICK record is supplemental, the resolver only returns the record set if one of the non-supplemental records matches the queried record type. It is possible that one record set contains both supplemental and non-supplemental NICK records.¶
The differentiation between a supplemental and non-supplemental NICK record allows the application to match the record to the authoritative zone. Consider the following example:¶
Query: alice.example (type=A) Result: A: 192.0.2.1 NICK: eve (non-Supplemental)¶
In this example, the returned NICK record is non-supplemental. For the application, this means that the NICK belongs to the zone "alice.example" and is published under the apex label along with an A record. The NICK record should be interpreted as: The zone defined by "alice.example" wants to be referred to as "eve". In contrast, consider the following:¶
Query: alice.example (type=AAAA) Result: AAAA: 2001:DB8::1 NICK: john (Supplemental)¶
In this case, the NICK record is marked as supplemental. This means that the NICK record belongs to the zone "example" and is published under the label "alice" along with an A record. The NICK record should be interpreted as: The zone defined by "example" wants to be referred to as "john". This distinction is likely useful for other records published as supplemental.¶
All labels in GNS are encoded in UTF-8 [RFC3629]. Labels MUST be canonicalized using Normalization Form C (NFC) [Unicode-UAX15]. This does not include any DNS names found in DNS records, such as CNAME records, which are internationalized through the IDNA specifications [RFC5890].¶
In order to ensure availability of records beyond their absolute expiration times, implementations MAY allow to locally define relative expiration time values of records. Records can then be published recurringly with updated absolute expiration times by the implementation.¶
Implementations MAY allow users to manage private records in their zones that are not published in the storage. Private records are considered just like regular records when resolving labels in local zones, but their data is completely unavailable to non-local users.¶
The security of cryptographic systems depends on both the strength of the cryptographic algorithms chosen and the strength of the keys used with those algorithms. The security also depends on the engineering of the protocol used by the system to ensure that there are no non-cryptographic ways to bypass the security of the overall system. This is why developers of applications managing GNS zones SHOULD select a default ztype considered secure at the time of releasing the software. For applications targeting end users that are not expected to understand cryptography, the application developer MUST NOT leave the ztype selection of new zones to end users.¶
This document concerns itself with the selection of cryptographic algorithms used in GNS. The algorithms identified in this document are not known to be broken (in the cryptographic sense) at the current time, and cryptographic research so far leads us to believe that they are likely to remain secure into the foreseeable future. However, this is not necessarily forever, and it is expected that new revisions of this document will be issued from time to time to reflect the current best practices in this area.¶
In terms of crypto-agility, whenever the need for an updated cryptographic scheme arises to, for example, replace ECDSA over Ed25519 for PKEY records it may simply be introduced through a new record type. Such a new record type may then replace the delegation record type for future records. The old record type remains and zones can iteratively migrate to the updated zone keys. To ensure that implementations correctly generate an error message when encountering a ztype that they do not support, current and future delegation records must always have the CRITICAL flag set.¶
GNS PKEY zone keys use ECDSA over Ed25519. This is an unconventional choice, as ECDSA is usually used with other curves. However, traditional ECDSA curves are problematic for a range of reasons described in the Curve25519 and EdDSA papers. Using EdDSA directly is also not possible, as a hash function is used on the private key which destroys the linearity that the GNU Name System depends upon. We are not aware of anyone suggesting that using Ed25519 instead of another common curve of similar size would lower the security of ECDSA. GNS uses 256-bit curves because that way the encoded (public) keys fit into a single DNS label, which is good for usability.¶
In order to ensure ciphertext indistinguishability, care must be taken with respect to the initialization vector in the counter block. In our design, the IV always includes the expiration time of the record block. When applications store records with relative expiration times, monotonicity is implicitly ensured because each time a block is published into the storage, its IV is unique as the expiration time is calculated dynamically and increases monotonically with the system time. Still, an implementation MUST ensure that when relative expiration times are decreased, the expiration time of the next record block MUST be after the last published block. For records where an absolute expiration time is used, the implementation MUST ensure that the expiration time is always increased when the record data changes. For example, the expiration time on the wire may be increased by a single microsecond even if the user did not request a change. In case of deletion of all resource records under a label, the implementation MUST keep track of the last absolute expiration time of the last published resource block. Implementations MAY use a PADDING record as a tombstone that preserves the last absolute expiration time, but then MUST take care to not publish a block with just a PADDING record. When new records are added under this label later, the implementation MUST ensure that the expiration times are after the last published block. Finally, in order to ensure monotonically increasing expiration times the implementation MUST keep a local record of the last time obtained from the system clock, so as to construct a monotonic clock in case the system clock jumps backwards.¶
GNS names are UTF-8 strings. Consequently, GNS faces similar issues with respect to name spoofing as DNS does for internationalized domain names. In DNS, attackers may register similar sounding or looking names (see above) in order to execute phishing attacks. GNS zone administrators must take into account this attack vector and incorporate rules in order to mitigate it.¶
Further, DNS can be used to combat illegal content on the internet by having the respective domains seized by authorities. However, the same mechanisms can also be abused in order to impose state censorship, which is one of the motivations behind GNS. Hence, such a seizure is, by design, difficult to impossible in GNS.¶
In GNS, zone administrators need to manage and protect their zone keys. Once a zone key is lost, it cannot be recovered or revoked. Revocation messages may be pre-calculated if revocation is required in case a zone key is lost. Zone administrators, and for GNS this includes end-users, are required to responsibly and diligently protect their cryptographic keys. GNS supports offline signing of records.¶
Similarly, users are required to manage their local start zone configuration. In order to ensure integrity and availability or names, users must ensure that their local start zone information is not compromised or outdated. It can be expected that the processing of zone revocations and an initial start zone is provided with a GNS implementation ("drop shipping"). Shipping an initial start zone with an entry for the root (".") effectively establishes a root zone. Extension and customization of the zone is at the full discretion of the user.¶
While implementations following this specification will be interoperable, if two implementations connect to different storages they are mutually unreachable. This may lead to a state where a record may exist in the global namespace for a particular name, but the implementation is not communicating with the storage and is hence unable to resolve it. This situation is similar to a split-horizon DNS configuration. Which storages are implemented usually depends on the application it is built for. The storage used will most likely depend on the specific application context using GNS resolution. For example, one application may be the resolution of hidden services within the Tor network, which may suggest using Tor routers for storage. Implementations of "aggregated" storages are conceivable, but are expected to be the exception.¶
This document does not specify the properties of the underlying storage which is required by any GNS implementation. It is important to note that the properties of the underlying storage are directly inherited by the GNS implementation. This includes both security as well as other non-functional properties such as scalability and performance. Implementers should take great care when selecting or implementing a DHT for use as storage in a GNS implementation. DHTs with reasonable security and performance properties exist [R5N]. It should also be taken into consideration that GNS implementations which build upon different DHT overlays are unlikely to be interoperable with each other.¶
Zone administrators are advised to pre-generate zone revocations and to securely store the revocation information in case the zone key is lost, compromised or replaced in the future. Pre-calculated revocations may become invalid due to expirations or protocol changes such as epoch adjustments. Consequently, implementers and users must take precautions in order to manage revocations accordingly.¶
Revocation payloads do NOT include a 'new' key for key replacement. Inclusion of such a key would have two major disadvantages:¶
Record blocks are published in encrypted form using keys derived from the zone key and record label. Zone administrators should carefully consider if the label and zone key may be public or if those should be used and considered as a shared secret. Unlike zone keys, labels can also be guessed by an attacker in the network observing queries and responses. Given a known and targeted zone key, the use of well known or easily guessable labels effectively result in general disclosure of the records to the public. If the labels and hence the records should be kept secret except to those knowing a secret label and the zone in which to look, the label must be chosen accordingly. It is recommended to then use a label with sufficient entropy as to prevent guessing attacks.¶
It should be noted that this attack on labels only applies if the zone key is somehow disclosed to the adversary. GNS itself does not disclose it during a lookup or when resource records are published as the zone keys are blinded beforehand. However, zone keys do become public during revocation.¶
GANA [GANA] manages the "GNU Name System Record Types" registry. Each entry has the following format:¶
The registration policy for this registry is "First Come First Served". This policy is modeled on that described in [RFC8126], and describes the actions taken by GANA:¶
Adding new records is possible after expert review, using a first-come-first-served policy for unique name allocation. Experts are responsible to ensure that the chosen "Name" is appropriate for the record type. The registry will assign a unique number for the entry.¶
The current contact(s) for expert review are reachable at gns-registry@gnunet.org.¶
Any request MUST contain a unique name and a point of contact. The contact information MAY be added to the registry given the consent of the requester. The request MAY optionally also contain relevant references as well as a descriptive comment as defined above.¶
GANA is requested to populate this registry as listed in Figure 21.¶
Number | Name | Contact | References | Comment -------+---------+---------+------------+------------------------- 65536 | PKEY | N/A | [This.I-D] | GNS zone delegation (PKEY) 65537 | NICK | N/A | [This.I-D] | GNS zone nickname 65538 | LEHO | N/A | [This.I-D] | GNS legacy hostname 65540 | GNS2DNS | N/A | [This.I-D] | Delegation to DNS 65541 | BOX | N/A | [This.I-D] | Boxed records 65551 | REDIRECT| N/A | [This.I-D] | Redirection record. 65556 | EDKEY | N/A | [This.I-D] | GNS zone delegation (EDKEY)
The GANA Resource Record Registry.¶
GANA is requested to amend the "GNUnet Signature Purpose" registry as illustrated in Figure 22.¶
Purpose | Name | References | Comment --------+-----------------+------------+-------------------------- 3 | GNS_REVOCATION | [This.I-D] | GNS zone key revocation 15 | GNS_RECORD_SIGN | [This.I-D] | GNS record set signature
Requested Changes in the GANA GNUnet Signature Purpose Registry.¶
This document makes no requests for IANA action. This section may be removed on publication as an RFC.¶
There are two implementations conforming to this specification written in C and Go, respectively. The C implementation as part of GNUnet [GNUnetGNS] represents the original and reference implementation. The Go implementation [GoGNS] demonstrates how two implementations of GNS are interoperable given that they are built on top of the same underlying DHT storage.¶
Currently, the GNUnet peer-to-peer network [GNUnet] is an active deployment of GNS on top of its [R5N] DHT. The [GoGNS] implementation uses this deployment by building on top of the GNUnet DHT services available on any GNUnet peer. It shows how GNS implementations can attach to this existing deployment and participate in name resolution as well as zone publication.¶
The self-sovereign identity system re:claimID [reclaim] is using GNS in order to selectively share identity attributes and attestations with third parties.¶
The Ascension tool [Ascension] facilitates the migration of DNS zones to GNS zones by translating information retrieved from a DNS zone transfer into a GNS zone.¶
The authors thank D. J. Bernstein, A. Farrel and S. Bortzmeyer for their insightful reviews. We thank NLnet and NGI DISCOVERY for funding work on the GNU Name System.¶
This table defines the encode symbol and decode symbol for a given symbol value. It can be used to implement the encoding by reading it as: A character "A" or "a" is decoded to a 5 bit value 10 when decoding. A 5 bit block with a value of 18 is encoded to the character "J" when encoding. If the bit length of the byte string to encode is not a multiple of 5 it is padded to the next multiple with zeroes. In order to further increase tolerance for failures in character recognition, the letter "U" MUST be decoded to the same value as the letter "V" in Base32GNS.¶
Symbol Decode Encode Value Symbol Symbol 0 0 O o 0 1 1 I i L l 1 2 2 2 3 3 3 4 4 4 5 5 5 6 6 6 7 7 7 8 8 8 9 9 9 10 A a A 11 B b B 12 C c C 13 D d D 14 E e E 15 F f F 16 G g G 17 H h H 18 J j J 19 K k K 20 M m M 21 N n N 22 P p P 23 Q q Q 24 R r R 25 S s S 26 T t T 27 V v U u V 28 W w W 29 X x X 30 Y y Y 31 Z z Z
The Base32GNS Alphabet Including the Additional U Encode Symbol.¶
The following are test vectors for the Base32GNS encoding used for zTLDs. The strings are encoded without the zero terminator.¶
Base32GNS-Encode: Input string: "Hello World" Output string: "91JPRV3F41BPYWKCCG" Input bytes: 474e55204e616d652053797374656d Output string: "8X75A82EC5PPA82KF5SQ8SBD" Base32GNS-Decode: Input string: "91JPRV3F41BPYWKCCG" Output string: "Hello World" Input string: "91JPRU3F41BPYWKCCG" Output string: "Hello World"¶
The following represents a test vector for a record set with a DNS record of type "A" as well as a GNS record of type "PKEY" under the label "test".¶
Zone private key (d, big-endian): 50d7b652a4efeadf f37396909785e595 2171a02178c8e7d4 50fa907925fafd98 Zone identifier (ztype|zkey): 00010000677c477d 2d93097c85b195c6 f96d84ff61f5982c 2c4fe02d5a11fedf b0c2901f Encoded zone identifier (zkl = zTLD): 000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W Label: testdelegation RRCOUNT: 1 Record #0 EXPIRATION: 2463385894000000 DATA_SIZE: 36 TYPE: 65536 FLAGS: 01000000 DATA: 0001000021e3b30f f93bc6d35ac8c6e0 e13afdff794cb7b4 4bbbc748d259d0a0 284dbe84 RDATA: 0008c06fb9281580 0024000100010000 0001000021e3b30f f93bc6d35ac8c6e0 e13afdff794cb7b4 4bbbc748d259d0a0 284dbe84 Encryption NONCE|EXPIRATION|BLOCK COUNTER: e90a00610008c06f b928158000000001 Encryption key (K): 864e7138eae7fd91 a30136899c132b23 acebdb2cef43cb19 f6bf55b67db9b3b3 Storage key (q): 4adc67c5ecee9f76 986abd71c2224a3d ce2e917026c9a09d fd44cef3d20f55a2 7332725a6c8afbbb b0f7ec9af1cc4264 1299406b04fd9b5b 5791f86c4b08d5f4 BDATA: 41dc7b5f2176ba59 199cafb9e3c82579 71b21ccb6de51d38 bd2a21e9322c6af8 4243e8de876b5b76 37462e79b2c162db 4014d5c9 RRBLOCK: 000000a400010000 182bb636eda79f79 5711bc2708adbb24 2a60446ad3c30803 121d03d348b7ceb6 01a968a5eac3cb95 ed58c1c5386f4ab6 539edd8099b4893a be83f242115e3e35 03965dc924a6001a e94ecab9b2f25c4c 6fdc7ffbe9f3b2a2 854b321b1d7ea9ab 0008c06fb9281580 41dc7b5f2176ba59 199cafb9e3c82579 71b21ccb6de51d38 bd2a21e9322c6af8 4243e8de876b5b76 37462e79b2c162db 4014d5c9 Zone private key (d, big-endian): 50d7b652a4efeadf f37396909785e595 2171a02178c8e7d4 50fa907925fafd98 Zone identifier (ztype|zkey): 00010000677c477d 2d93097c85b195c6 f96d84ff61f5982c 2c4fe02d5a11fedf b0c2901f Encoded zone identifier (zkl = zTLD): 000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W Label: testset RRCOUNT: 3 Record #0 EXPIRATION: 2463385894000000 DATA_SIZE: 16 TYPE: 28 FLAGS: 00000000 DATA: 0000000000000000 00000000deadbeef Record #1 EXPIRATION: 49556645701000000 DATA_SIZE: 9 TYPE: 65537 FLAGS: 00800000 DATA: 536f6d65206e6963 6b Record #2 EXPIRATION: 6091321688 DATA_SIZE: 11 TYPE: 16 FLAGS: 04400000 DATA: 48656c6c6f20576f 726c64 RDATA: 0008c06fb9281580 001000000000001c 0000000000000000 00000000deadbeef 00b00f81b7449b40 0009800000010001 536f6d65206e6963 6b000000016b1231 58000b4004000000 1048656c6c6f2057 6f726c6400000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 Encryption NONCE|EXPIRATION|BLOCK COUNTER: 4edb104e0005d78a 44e4e6c800000001 Encryption key (K): 4a7d3f21f67c377e ad2cb255b6c05930 6287e78caeff4c80 f08e1df327900d21 Storage key (q): e8f9a842256e825b f40e802ab2a81a3c 31d621100b4adec0 3c152e22cdbcab0d d5dde37815887f74 950b22179269e6b3 2b75928dd80111de 3e12eca5517ae246 BDATA: a6b26ac00e485ddd 26e8db68e3eaba01 b5760ae197f70e28 39cc9e4ac40668f4 61285e42d8e7c397 cfc90e8042106666 9a0506edccfacb1b 520103c2a68eb06d 770c7bd65e6810c3 88e192cc313f924b ffe67ce114694f20 03d851c7fe5623b2 5eb0fad6bbdf917b e7eac3a9ec795dd4 a9c8b4c683896b2c 69d4d5ae8dafd93a RRBLOCK: 000000f000010000 d84c242613691d2f 2150f55b89ee03ca 0b13f9fa6905eb17 acedcbc55518b8aa 042c1e6e6e3aa52a 6538a91fd3d5e9cd 987edb1106f3f864 fea111382f5a0a42 0b954ccb4dc6e9e1 3cbec65e7ae021ec 7c4f7830aa158423 da439dc17fee7586 0005d78a44e4e6c8 a6b26ac00e485ddd 26e8db68e3eaba01 b5760ae197f70e28 39cc9e4ac40668f4 61285e42d8e7c397 cfc90e8042106666 9a0506edccfacb1b 520103c2a68eb06d 770c7bd65e6810c3 88e192cc313f924b ffe67ce114694f20 03d851c7fe5623b2 5eb0fad6bbdf917b e7eac3a9ec795dd4 a9c8b4c683896b2c 69d4d5ae8dafd93a¶
The following represents a test vector for a record set with a DNS record of type "A" as well as a GNS record of type "EDKEY" under the label "test".¶
Zone private key (d): 5af7020ee1916032 8832352bbc6a68a8 d71a7cbe1b929969 a7c66d415a0d8f65 Zone identifier (ztype|zkey): 000100143cf4b924 032022f0dc505814 53b85d93b047b63d 446c5845cb48445d db96688f Encoded zone identifier (zkl = zTLD): 000G051WYJWJ80S04BRDRM2R2H9VGQCKP13VCFA4DHC4BJT88HEXQ5K8HW Label: testdelegation RRCOUNT: 1 Record #0 EXPIRATION: 2463385894000000 DATA_SIZE: 36 TYPE: 65536 FLAGS: 01000000 DATA: 0001000021e3b30f f93bc6d35ac8c6e0 e13afdff794cb7b4 4bbbc748d259d0a0 284dbe84 RDATA: 0008c06fb9281580 0024000100010000 0001000021e3b30f f93bc6d35ac8c6e0 e13afdff794cb7b4 4bbbc748d259d0a0 284dbe84 Encryption NONCE|EXPIRATION: 98132ea86859d35c 88bfd317fa991bcb 0008c06fb9281580 Encryption key (K): 85c429a9567aa633 411a9691e9094c45 281672be586034aa e4a2a2cc716159e2 Storage key (q): abaabac0e1249459 75988395aac0241e 5559c41c4074e255 7b9fe6d154b614fb cdd47fc7f51d786d c2e0b1ece76037c0 a1578c384ec61d44 5636a94e880329e9 BDATA: 7d9ecea3c19ef07b 0db1fab44c5e4477 6ea8d8894e904a0c 35ed1c5c2ff2ed93 bd204b3fcae98192 fad94afbc5bba3a6 de538c01c7e1f65e 2a883cc068c02109 7afd7330 RRBLOCK: 000000b400010014 9bf233198c6d53bb dbac495cabd91049 a684af3f4051baca b0dcf21c8cf27a1a 69ac3485946796d1 e31837f569d71e06 e79c4777ab9c41fa 29cdd198464aac3d aaeea2c192eb6e71 1d0dc7bb76994eca ab837e402ba2c994 4df155b6e96fdf0a 0008c06fb9281580 7d9ecea3c19ef07b 0db1fab44c5e4477 6ea8d8894e904a0c 35ed1c5c2ff2ed93 bd204b3fcae98192 fad94afbc5bba3a6 de538c01c7e1f65e 2a883cc068c02109 7afd7330 Zone private key (d): 5af7020ee1916032 8832352bbc6a68a8 d71a7cbe1b929969 a7c66d415a0d8f65 Zone identifier (ztype|zkey): 000100143cf4b924 032022f0dc505814 53b85d93b047b63d 446c5845cb48445d db96688f Encoded zone identifier (zkl = zTLD): 000G051WYJWJ80S04BRDRM2R2H9VGQCKP13VCFA4DHC4BJT88HEXQ5K8HW Label: testset RRCOUNT: 3 Record #0 EXPIRATION: 2463385894000000 DATA_SIZE: 16 TYPE: 28 FLAGS: 00000000 DATA: 0000000000000000 00000000deadbeef Record #1 EXPIRATION: 49556645701000000 DATA_SIZE: 9 TYPE: 65537 FLAGS: 00800000 DATA: 536f6d65206e6963 6b Record #2 EXPIRATION: 6091321688 DATA_SIZE: 11 TYPE: 16 FLAGS: 04400000 DATA: 48656c6c6f20576f 726c64 RDATA: 0008c06fb9281580 001000000000001c 0000000000000000 00000000deadbeef 00b00f81b7449b40 0009800000010001 536f6d65206e6963 6b000000016b1231 58000b4004000000 1048656c6c6f2057 6f726c6400000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 Encryption NONCE|EXPIRATION: 0a27e1f82798d680 4285c81ef29391f9 0005d78a44e4ff82 Encryption key (K): 227730f8c97f94ab 5de3645aa731be24 769f04cacb88312d e8e5102909693488 Storage key (q): 60c6e5b3442eb232 837e70205f26ca16 539f1354692fbeb3 05541efd0e3216cc 9373d3e2c6f8fa1d 1e49cfd9c19cb654 0621377eb989461c f09676309323b000 BDATA: dfc0aa69cee85288 434b48d487ed3911 5118213b7b2efe73 9067c6f6c0e83d59 7d9288b018e73b66 264ee8587d026c60 bd2ff2e3d50a7d49 1b53803c8ff4eb3c 03197178d551434e 20851fda85950116 5a6f51dc9accaf5a daf5ed94a707ffb9 2854ef15c67fb1ec 465f168d480f6436 a1c5affccef33fdd 0b99ea4719debbfd c1e7e52aaa546b3f 4c4c91d7f1aba812 RRBLOCK: 0000010000010014 dd541a46885a250a 27db63b2b1c07c04 3137271edc77df52 0a30b7bb909060f6 3b8be702f815cb02 f3186874a331d87f 0263393fa66b6197 52b35fd117f27b73 86ab6924bd948de9 cd5f512d3ca370c5 3bfccfc5238516cc 0ddeacf65b145709 0005d78a44e4ff82 dfc0aa69cee85288 434b48d487ed3911 5118213b7b2efe73 9067c6f6c0e83d59 7d9288b018e73b66 264ee8587d026c60 bd2ff2e3d50a7d49 1b53803c8ff4eb3c 03197178d551434e 20851fda85950116 5a6f51dc9accaf5a daf5ed94a707ffb9 2854ef15c67fb1ec 465f168d480f6436 a1c5affccef33fdd 0b99ea4719debbfd c1e7e52aaa546b3f 4c4c91d7f1aba812¶
The following is an example revocation for a zone:¶
Zone private key (d, big-endian scalar): 6fea32c05af58bfa 979553d188605fd5 7d8bf9cc263b78d5 f7478c07b998ed70 Zone identifier (ztype|zkey): 000100002ca223e8 79ecc4bbdeb5da17 319281d63b2e3b69 55f1c3775c804a98 d5f8ddaa Encoded zone identifier (zkl = zTLD): 000G001CM8HYGYFCRJXXXDET2WRS50EP7CQ3PTANY71QEQ409ACDBY6XN8 Difficulty (5 base difficulty + 2 epochs): 7 Signed message: 0000003400000003 0005d66da3598127 000100002ca223e8 79ecc4bbdeb5da17 319281d63b2e3b69 55f1c3775c804a98 d5f8ddaa Proof: 0005d66da3598127 0000395d1827c000 3ab877d07570f2b8 3ab877d07570f332 3ab877d07570f4f5 3ab877d07570f50f 3ab877d07570f537 3ab877d07570f599 3ab877d07570f5cd 3ab877d07570f5d9 3ab877d07570f66a 3ab877d07570f69b 3ab877d07570f72f 3ab877d07570f7c3 3ab877d07570f843 3ab877d07570f8d8 3ab877d07570f91b 3ab877d07570f93a 3ab877d07570f944 3ab877d07570f98a 3ab877d07570f9a7 3ab877d07570f9b0 3ab877d07570f9df 3ab877d07570fa05 3ab877d07570fa3e 3ab877d07570fa63 3ab877d07570fa84 3ab877d07570fa8f 3ab877d07570fa91 3ab877d07570fad6 3ab877d07570fb0a 3ab877d07570fc0f 3ab877d07570fc43 3ab877d07570fca5 000100002ca223e8 79ecc4bbdeb5da17 319281d63b2e3b69 55f1c3775c804a98 d5f8ddaa053b0259 700039187d1da461 3531502bc4a4eecc c69900d24f8aac54 30f28fc509270133 1f178e290fe06e82 ce2498ce7b23a340 58e3d6a2f247e92b c9d7b9ab¶