[lsd0001] branch master updated: update governance/resolution
From: gnunet
Subject: [lsd0001] branch master updated: update governance/resolution
Date: Sun, 15 Dec 2019 19:10:58 +0100
This is an automated email from the git hooks/post-receive script.
martin-schanzenbach pushed a commit to branch master
in repository lsd0001.
The following commit(s) were added to refs/heads/master by this push:
new 1516476 update governance/resolution
1516476 is described below
commit 151647654c961b3a2cb9af222dedea65087e5d7b
Author: Schanzenbach, Martin <address@hidden>
AuthorDate: Sun Dec 15 19:07:53 2019 +0100
update governance/resolution
---
draft-schanzen-gns.html | 340 ++++++++++++++++++++++++++----------------------
draft-schanzen-gns.txt | 294 ++++++++++++++++++++---------------------
draft-schanzen-gns.xml | 140 +++++++++++---------
3 files changed, 411 insertions(+), 363 deletions(-)
diff --git a/draft-schanzen-gns.html b/draft-schanzen-gns.html
index 6899bb7..8e50c32 100644
--- a/draft-schanzen-gns.html
+++ b/draft-schanzen-gns.html
@@ -1124,28 +1124,25 @@ async function addMetadata(){try{const
e=document.styleSheets[0].cssRules;for(le
<p id="section-boilerplate.3-1.6.1"><a href="#section-6"
class="xref">6</a>. <a href="#name-name-resolution" class="xref">Name
Resolution</a><a href="#section-boilerplate.3-1.6.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-boilerplate.3-1.6.2.1">
- <p id="section-boilerplate.3-1.6.2.1.1"><a href="#section-6.1"
class="xref">6.1</a>. <a href="#name-entry-zone" class="xref">Entry Zone</a><a
href="#section-boilerplate.3-1.6.2.1.1" class="pilcrow">¶</a></p>
+ <p id="section-boilerplate.3-1.6.2.1.1"><a href="#section-6.1"
class="xref">6.1</a>. <a href="#name-record-retrieval" class="xref">Record
Retrieval</a><a href="#section-boilerplate.3-1.6.2.1.1"
class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.6.2.2">
- <p id="section-boilerplate.3-1.6.2.2.1"><a href="#section-6.2"
class="xref">6.2</a>. <a href="#name-record-retrieval" class="xref">Record
Retrieval</a><a href="#section-boilerplate.3-1.6.2.2.1"
class="pilcrow">¶</a></p>
-</li>
- <li class="toc ulEmpty" id="section-boilerplate.3-1.6.2.3">
- <p id="section-boilerplate.3-1.6.2.3.1"><a href="#section-6.3"
class="xref">6.3</a>. <a href="#name-record-processing" class="xref">Record
Processing</a><a href="#section-boilerplate.3-1.6.2.3.1"
class="pilcrow">¶</a></p>
+ <p id="section-boilerplate.3-1.6.2.2.1"><a href="#section-6.2"
class="xref">6.2</a>. <a href="#name-record-processing" class="xref">Record
Processing</a><a href="#section-boilerplate.3-1.6.2.2.1"
class="pilcrow">¶</a></p>
<ul class="toc ulEmpty">
-<li class="toc ulEmpty" id="section-boilerplate.3-1.6.2.3.2.1">
- <p id="section-boilerplate.3-1.6.2.3.2.1.1"><a
href="#section-6.3.1" class="xref">6.3.1</a>. <a href="#name-pkey-2"
class="xref">PKEY</a><a href="#section-boilerplate.3-1.6.2.3.2.1.1"
class="pilcrow">¶</a></p>
+<li class="toc ulEmpty" id="section-boilerplate.3-1.6.2.2.2.1">
+ <p id="section-boilerplate.3-1.6.2.2.2.1.1"><a
href="#section-6.2.1" class="xref">6.2.1</a>. <a href="#name-pkey-2"
class="xref">PKEY</a><a href="#section-boilerplate.3-1.6.2.2.2.1.1"
class="pilcrow">¶</a></p>
</li>
- <li class="toc ulEmpty"
id="section-boilerplate.3-1.6.2.3.2.2">
- <p id="section-boilerplate.3-1.6.2.3.2.2.1"><a
href="#section-6.3.2" class="xref">6.3.2</a>. <a href="#name-gns2dns-2"
class="xref">GNS2DNS</a><a href="#section-boilerplate.3-1.6.2.3.2.2.1"
class="pilcrow">¶</a></p>
+ <li class="toc ulEmpty"
id="section-boilerplate.3-1.6.2.2.2.2">
+ <p id="section-boilerplate.3-1.6.2.2.2.2.1"><a
href="#section-6.2.2" class="xref">6.2.2</a>. <a href="#name-gns2dns-2"
class="xref">GNS2DNS</a><a href="#section-boilerplate.3-1.6.2.2.2.2.1"
class="pilcrow">¶</a></p>
</li>
- <li class="toc ulEmpty"
id="section-boilerplate.3-1.6.2.3.2.3">
- <p id="section-boilerplate.3-1.6.2.3.2.3.1"><a
href="#section-6.3.3" class="xref">6.3.3</a>. <a href="#name-cname"
class="xref">CNAME</a><a href="#section-boilerplate.3-1.6.2.3.2.3.1"
class="pilcrow">¶</a></p>
+ <li class="toc ulEmpty"
id="section-boilerplate.3-1.6.2.2.2.3">
+ <p id="section-boilerplate.3-1.6.2.2.2.3.1"><a
href="#section-6.2.3" class="xref">6.2.3</a>. <a href="#name-cname"
class="xref">CNAME</a><a href="#section-boilerplate.3-1.6.2.2.2.3.1"
class="pilcrow">¶</a></p>
</li>
- <li class="toc ulEmpty"
id="section-boilerplate.3-1.6.2.3.2.4">
- <p id="section-boilerplate.3-1.6.2.3.2.4.1"><a
href="#section-6.3.4" class="xref">6.3.4</a>. <a href="#name-box-2"
class="xref">BOX</a><a href="#section-boilerplate.3-1.6.2.3.2.4.1"
class="pilcrow">¶</a></p>
+ <li class="toc ulEmpty"
id="section-boilerplate.3-1.6.2.2.2.4">
+ <p id="section-boilerplate.3-1.6.2.2.2.4.1"><a
href="#section-6.2.4" class="xref">6.2.4</a>. <a href="#name-box-2"
class="xref">BOX</a><a href="#section-boilerplate.3-1.6.2.2.2.4.1"
class="pilcrow">¶</a></p>
</li>
- <li class="toc ulEmpty"
id="section-boilerplate.3-1.6.2.3.2.5">
- <p id="section-boilerplate.3-1.6.2.3.2.5.1"><a
href="#section-6.3.5" class="xref">6.3.5</a>. <a href="#name-vpn-2"
class="xref">VPN</a><a href="#section-boilerplate.3-1.6.2.3.2.5.1"
class="pilcrow">¶</a></p>
+ <li class="toc ulEmpty"
id="section-boilerplate.3-1.6.2.2.2.5">
+ <p id="section-boilerplate.3-1.6.2.2.2.5.1"><a
href="#section-6.2.5" class="xref">6.2.5</a>. <a href="#name-vpn-2"
class="xref">VPN</a><a href="#section-boilerplate.3-1.6.2.2.2.5.1"
class="pilcrow">¶</a></p>
</li>
</ul>
</li>
@@ -1155,19 +1152,33 @@ async function addMetadata(){try{const
e=document.styleSheets[0].cssRules;for(le
<p id="section-boilerplate.3-1.7.1"><a href="#section-7"
class="xref">7</a>. <a href="#name-zone-revocation" class="xref">Zone
Revocation</a><a href="#section-boilerplate.3-1.7.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.8">
- <p id="section-boilerplate.3-1.8.1"><a href="#section-8"
class="xref">8</a>. <a href="#name-security-considerations"
class="xref">Security Considerations</a><a href="#section-boilerplate.3-1.8.1"
class="pilcrow">¶</a></p>
+ <p id="section-boilerplate.3-1.8.1"><a href="#section-8"
class="xref">8</a>. <a href="#name-root-zone-governance" class="xref">Root
Zone Governance</a><a href="#section-boilerplate.3-1.8.1"
class="pilcrow">¶</a></p>
+<ul class="toc ulEmpty">
+<li class="toc ulEmpty" id="section-boilerplate.3-1.8.2.1">
+ <p id="section-boilerplate.3-1.8.2.1.1"><a href="#section-8.1"
class="xref">8.1</a>. <a href="#name-top-level-domain-as-local-z"
class="xref">Top-level domain as local zone key</a><a
href="#section-boilerplate.3-1.8.2.1.1" class="pilcrow">¶</a></p>
+</li>
+ <li class="toc ulEmpty" id="section-boilerplate.3-1.8.2.2">
+ <p id="section-boilerplate.3-1.8.2.2.1"><a href="#section-8.2"
class="xref">8.2</a>. <a href="#name-top-level-domain-maps-to-a-"
class="xref">Top-level domain maps to a local zone name</a><a
href="#section-boilerplate.3-1.8.2.2.1" class="pilcrow">¶</a></p>
+</li>
+ <li class="toc ulEmpty" id="section-boilerplate.3-1.8.2.3">
+ <p id="section-boilerplate.3-1.8.2.3.1"><a href="#section-8.3"
class="xref">8.3</a>. <a href="#name-name-suffix-mapped-to-an-ex"
class="xref">Name suffix mapped to an external zone key</a><a
href="#section-boilerplate.3-1.8.2.3.1" class="pilcrow">¶</a></p>
+</li>
+ </ul>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.9">
- <p id="section-boilerplate.3-1.9.1"><a href="#section-9"
class="xref">9</a>. <a href="#name-iana-considerations" class="xref">IANA
Considerations</a><a href="#section-boilerplate.3-1.9.1"
class="pilcrow">¶</a></p>
+ <p id="section-boilerplate.3-1.9.1"><a href="#section-9"
class="xref">9</a>. <a href="#name-security-considerations"
class="xref">Security Considerations</a><a href="#section-boilerplate.3-1.9.1"
class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.10">
- <p id="section-boilerplate.3-1.10.1"><a href="#section-10"
class="xref">10</a>. <a href="#name-test-vectors" class="xref">Test
Vectors</a><a href="#section-boilerplate.3-1.10.1" class="pilcrow">¶</a></p>
+ <p id="section-boilerplate.3-1.10.1"><a href="#section-10"
class="xref">10</a>. <a href="#name-iana-considerations" class="xref">IANA
Considerations</a><a href="#section-boilerplate.3-1.10.1"
class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.11">
- <p id="section-boilerplate.3-1.11.1"><a href="#section-11"
class="xref">11</a>. <a href="#name-normative-references"
class="xref">Normative References</a><a href="#section-boilerplate.3-1.11.1"
class="pilcrow">¶</a></p>
+ <p id="section-boilerplate.3-1.11.1"><a href="#section-11"
class="xref">11</a>. <a href="#name-test-vectors" class="xref">Test
Vectors</a><a href="#section-boilerplate.3-1.11.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.12">
- <p id="section-boilerplate.3-1.12.1"><a href="#section-appendix.a"
class="xref"></a> <a href="#name-authors-addresses" class="xref">Authors'
Addresses</a><a href="#section-boilerplate.3-1.12.1" class="pilcrow">¶</a></p>
+ <p id="section-boilerplate.3-1.12.1"><a href="#section-12"
class="xref">12</a>. <a href="#name-normative-references"
class="xref">Normative References</a><a href="#section-boilerplate.3-1.12.1"
class="pilcrow">¶</a></p>
+</li>
+ <li class="toc ulEmpty" id="section-boilerplate.3-1.13">
+ <p id="section-boilerplate.3-1.13.1"><a href="#section-appendix.a"
class="xref"></a> <a href="#name-authors-addresses" class="xref">Authors'
Addresses</a><a href="#section-boilerplate.3-1.13.1" class="pilcrow">¶</a></p>
</li>
</ul>
</nav>
@@ -2014,78 +2025,16 @@ async function addMetadata(){try{const
e=document.styleSheets[0].cssRules;for(le
Names in GNS are resolved by recursively querying the DHT record
storage.
In the following, we define how resolution is initiated and each
iteration in the resolution is processed.<a href="#section-6-1"
class="pilcrow">¶</a></p>
-<div id="entry_zone">
-<section id="section-6.1">
- <h3 id="name-entry-zone">
-<a href="#section-6.1" class="section-number selfRef">6.1. </a><a
href="#name-entry-zone" class="section-name selfRef">Entry Zone</a>
- </h3>
-<p id="section-6.1-1">
- There are three sources from which the entry zone can be determined
- which MUST be queried in this order:<a href="#section-6.1-1"
class="pilcrow">¶</a></p>
-<ol start="1" type="1" class="normal" id="section-6.1-2">
- <li id="section-6.1-2.1">Check if top-level domain maps to a local
zone key.<a href="#section-6.1-2.1" class="pilcrow">¶</a>
-</li>
- <li id="section-6.1-2.2">Check if top-level domain maps to a local
zone name.<a href="#section-6.1-2.2" class="pilcrow">¶</a>
-</li>
- <li id="section-6.1-2.3">Check if a configuration exists that maps a
suffix to an
- external zone key.<a href="#section-6.1-2.3" class="pilcrow">¶</a>
-</li>
- </ol>
-<p id="section-6.1-3">
- If the TLD is a Base32-encoded public zone key "zk", the entry
- zone of the resolution process is implicitly given by the name.<a
href="#section-6.1-3" class="pilcrow">¶</a></p>
-<div class="artwork art-text alignLeft" id="section-6.1-4">
-<pre>
- Example name: www.example.<Base32(zk)>
- => Entry zone: zk
- => Name to resolve from entry zone: www.example
- </pre><a href="#section-6.1-4" class="pilcrow">¶</a>
-</div>
-<p id="section-6.1-5">
- Each local zone is associated with a single GNS label. If this label
- is the top-level domain (TLD) of the name to resolve, resolution
- MUST start from this local zone.<a href="#section-6.1-5"
class="pilcrow">¶</a></p>
-<div class="artwork art-text alignLeft" id="section-6.1-6">
-<pre>
- Example name: www.example.gnu
- Local zones:
- fr = (d0,zk0)
- gnu = (d1,zk1)
- com = (d2,zk2)
- ...
- => Entry zone: zk1
- => Name to resolve from entry zone: www.example
- </pre><a href="#section-6.1-6" class="pilcrow">¶</a>
-</div>
-<p id="section-6.1-7">
- If no matching local zone for the TLD is found, external suffix to
- zone mappings are checked. External suffix to zone key mapping
- SHOULD be configurable through the GNS implementation. A mapping
- has the form "suffix = public zone key".
- The suffix may consist of multiple GNS labels concatenated with a
- ".". If multiple suffixes match the name to resolve, the longest
matching
- suffix MUST be used. The suffix length of two results cannot be
equal,
- as this would indicate a misconfiguration.<a href="#section-6.1-7"
class="pilcrow">¶</a></p>
-<div class="artwork art-text alignLeft" id="section-6.1-8">
-<pre>
- Example name: www.example.gnu
- Local suffix mappings:
- gnu = zk0
- example.gnu = zk1
- example.com = zk2
- ...
- => Entry zone: zk1
- => Name to resolve from entry zone: www
- </pre><a href="#section-6.1-8" class="pilcrow">¶</a>
-</div>
-</section>
-</div>
+<p id="section-6-2">
+ GNS resolution of a name must start in a given root entry zone.
+ Details on how the root zone is determined is discussed in
+ <a href="#governance" class="xref">Section 8</a>.<a href="#section-6-2"
class="pilcrow">¶</a></p>
<div id="record_retrieval">
-<section id="section-6.2">
+<section id="section-6.1">
<h3 id="name-record-retrieval">
-<a href="#section-6.2" class="section-number selfRef">6.2. </a><a
href="#name-record-retrieval" class="section-name selfRef">Record Retrieval</a>
+<a href="#section-6.1" class="section-number selfRef">6.1. </a><a
href="#name-record-retrieval" class="section-name selfRef">Record Retrieval</a>
</h3>
-<p id="section-6.2-1">
+<p id="section-6.1-1">
When GNS name resolution is requested, a desired record type MAY be
provided
by the client.
The GNS resolver will use the desired record type to guide
processing, for
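Review bot: the replacement paragraph section-6-2 drops the normative ordering that the deleted Entry Zone section carried ("There are three sources from which the entry zone can be determined which MUST be queried in this order") and instead points to Section 8, which this same commit declares non-normative ("Any of the examples below may be exchanged with other mechanisms"). If root-zone selection is now meant to be implementation-defined, say so here explicitly rather than only by omission; otherwise keep the ordering requirement in Section 6. The new sentence also needs a grammar fix: "Details on how the root zone is determined are discussed in Section 8". Removing "as defined in Section 6.1" from section-6.2.1-1 is consistent with deleting that section.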
@@ -2093,74 +2042,74 @@ async function addMetadata(){try{const
e=document.styleSheets[0].cssRules;for(le
is desired.
However, filtering of record sets according to the required record
types
- MUST still be done by the client after the resource record set is
retrieved.<a href="#section-6.2-1" class="pilcrow">¶</a></p>
-<p id="section-6.2-2">
+ MUST still be done by the client after the resource record set is
retrieved.<a href="#section-6.1-1" class="pilcrow">¶</a></p>
+<p id="section-6.1-2">
In each step of the recursive name resolution, there is an
authoritative zone zk and a name to resolve which may be empty.
Initially, the authoritative zone is the entry zone. If the name
- is empty, it is interpreted as the apex label "@".<a
href="#section-6.2-2" class="pilcrow">¶</a></p>
-<ol start="1" type="1" class="normal" id="section-6.2-3">
- <li id="section-6.2-3.1">Extract the right-most label from the name
to look up.<a href="#section-6.2-3.1" class="pilcrow">¶</a>
+ is empty, it is interpreted as the apex label "@".<a
href="#section-6.1-2" class="pilcrow">¶</a></p>
+<ol start="1" type="1" class="normal" id="section-6.1-3">
+ <li id="section-6.1-3.1">Extract the right-most label from the name
to look up.<a href="#section-6.1-3.1" class="pilcrow">¶</a>
</li>
- <li id="section-6.2-3.2">Calculate q using the label and zk.<a
href="#section-6.2-3.2" class="pilcrow">¶</a>
+ <li id="section-6.1-3.2">Calculate q using the label and zk.<a
href="#section-6.1-3.2" class="pilcrow">¶</a>
</li>
- <li id="section-6.2-3.3">Perform a DHT query GET(q) to retrieve the
RRBLOCK.<a href="#section-6.2-3.3" class="pilcrow">¶</a>
+ <li id="section-6.1-3.3">Perform a DHT query GET(q) to retrieve the
RRBLOCK.<a href="#section-6.1-3.3" class="pilcrow">¶</a>
</li>
- <li id="section-6.2-3.4">Verify the RRBLOCK and decrypt the BDATA
contained in it.<a href="#section-6.2-3.4" class="pilcrow">¶</a>
+ <li id="section-6.1-3.4">Verify the RRBLOCK and decrypt the BDATA
contained in it.<a href="#section-6.1-3.4" class="pilcrow">¶</a>
</li>
</ol>
-<p id="section-6.2-4">
+<p id="section-6.1-4">
Upon receiving the RRBLOCK from the DHT, apart from verifying the
provided signature, the resolver MUST check that the authoritative
zone key was used to sign the record:
The derived zone key "h*zk" MUST match the public key provided in
the RRBLOCK, otherwise the RRBLOCK MUST be ignored and the DHT
lookup
- GET(q) MUST continue.<a href="#section-6.2-4"
class="pilcrow">¶</a></p>
+ GET(q) MUST continue.<a href="#section-6.1-4"
class="pilcrow">¶</a></p>
</section>
</div>
<div id="record_processing">
-<section id="section-6.3">
+<section id="section-6.2">
<h3 id="name-record-processing">
-<a href="#section-6.3" class="section-number selfRef">6.3. </a><a
href="#name-record-processing" class="section-name selfRef">Record
Processing</a>
+<a href="#section-6.2" class="section-number selfRef">6.2. </a><a
href="#name-record-processing" class="section-name selfRef">Record
Processing</a>
</h3>
-<p id="section-6.3-1">
+<p id="section-6.2-1">
If the remainder of the name to resolve is not empty, the records
result MUST consist of a single PKEY record, CNAME record,
or one or more GNS2DNS records. Otherwise, resolution fails
- and GNS returns an empty record set.<a href="#section-6.3-1"
class="pilcrow">¶</a></p>
-<p id="section-6.3-2">
+ and GNS returns an empty record set.<a href="#section-6.2-1"
class="pilcrow">¶</a></p>
+<p id="section-6.2-2">
If the remainder of the name to resolve is empty and the records set
does not consist of a PKEY, CNAME or DNS2GNS record, the record set
- is the result and the resolution is concluded.<a
href="#section-6.3-2" class="pilcrow">¶</a></p>
+ is the result and the resolution is concluded.<a
href="#section-6.2-2" class="pilcrow">¶</a></p>
<div id="pkey_processing">
-<section id="section-6.3.1">
+<section id="section-6.2.1">
<h4 id="name-pkey-2">
-<a href="#section-6.3.1" class="section-number selfRef">6.3.1. </a><a
href="#name-pkey-2" class="section-name selfRef">PKEY</a>
+<a href="#section-6.2.1" class="section-number selfRef">6.2.1. </a><a
href="#name-pkey-2" class="section-name selfRef">PKEY</a>
</h4>
-<p id="section-6.3.1-1">
+<p id="section-6.2.1-1">
When a resolver encounters a PKEY record and the remainder of
the name is non-empty, resolution continues
recursively with the remainder of the name in the newly discovered
- GNS zone as defined in <a href="#entry_zone" class="xref">Section
6.1</a>.<a href="#section-6.3.1-1" class="pilcrow">¶</a></p>
-<p id="section-6.3.1-2">
+ GNS zone.<a href="#section-6.2.1-1" class="pilcrow">¶</a></p>
+<p id="section-6.2.1-2">
If the remainder of the name to resolve is empty and we have
received
a record set containing only a single PKEY record, the recursion
is
continued with the PKEY as authoritative zone and the empty apex
label "@" as remaining name, except in the case where the desired
record type is PKEY, in which case the PKEY record is returned and
- the resolution is concluded without resolving the empty apex
label.<a href="#section-6.3.1-2" class="pilcrow">¶</a></p>
+ the resolution is concluded without resolving the empty apex
label.<a href="#section-6.2.1-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="gns2dns_processing">
-<section id="section-6.3.2">
+<section id="section-6.2.2">
<h4 id="name-gns2dns-2">
-<a href="#section-6.3.2" class="section-number selfRef">6.3.2. </a><a
href="#name-gns2dns-2" class="section-name selfRef">GNS2DNS</a>
+<a href="#section-6.2.2" class="section-number selfRef">6.2.2. </a><a
href="#name-gns2dns-2" class="section-name selfRef">GNS2DNS</a>
</h4>
-<p id="section-6.3.2-1">
+<p id="section-6.2.2-1">
When a resolver encounters a GNS2DNS record and the remaining name
is empty and the desired record type is GNS2DNS, the GNS2DNS
records
- are returned.<a href="#section-6.3.2-1" class="pilcrow">¶</a></p>
-<p id="section-6.3.2-2">
+ are returned.<a href="#section-6.2.2-1" class="pilcrow">¶</a></p>
+<p id="section-6.2.2-2">
Otherwise, it is expected that the resolver first
resolves the IP(s) of the DNS specified name server(s). GNS2DNS
records MAY contain numeric IPv4 or IPv6 addresses, allowing the
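Review bot: the context line in section-6.1-2 still reads "Initially, the authoritative zone is the entry zone", while the new introductory text and the new Section 8.1 use "root zone"; since every id in this paragraph is being renumbered anyway, align the term in the same commit. Also, "PKEY, CNAME or DNS2GNS record" in section-6.2-2 should read "GNS2DNS", the record type name used everywhere else in this hunk.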
@@ -2169,32 +2118,32 @@ async function addMetadata(){try{const
e=document.styleSheets[0].cssRules;for(le
DNS server name ends in ".+", the rest of the name is to be
interpreted
relative to the zone of the GNS2DNS record.
If the DNS server name ends in ".<Base32(zk)>", the DNS
server name
- is to be resolved against the GNS zone zk.<a
href="#section-6.3.2-2" class="pilcrow">¶</a></p>
-<p id="section-6.3.2-3">
- Multiple
- GNS2DNS records may be stored under the same label, in which case
the
- resolver MUST try all of them. The resolver may try them in any
+ is to be resolved against the GNS zone zk.<a
href="#section-6.2.2-2" class="pilcrow">¶</a></p>
+<p id="section-6.2.2-3">
+ Multiple GNS2DNS records may be stored under the same label,
+ in which case the resolver MUST try all of them.
+ The resolver may try them in any
order or even in parallel. If multiple GNS2DNS records
are present, the DNS name MUST be identical for all of them, if
not the resolution fails.
The first successful recursive name resolution result
- is returned to the client.<a href="#section-6.3.2-3"
class="pilcrow">¶</a></p>
-<p id="section-6.3.2-4">
+ is returned to the client.<a href="#section-6.2.2-3"
class="pilcrow">¶</a></p>
+<p id="section-6.2.2-4">
Once the IP addresses of the DNS servers have been determined,
the DNS name from the GNS2DNS record is appended
to the remainder of the name to be resolved, and
resolved by querying the name server(s). As the DNS servers
are likely authoritative DNS servers, the GNS resolver MUST
support recursive resolution and not delegate this to the
- authoritative DNS servers.<a href="#section-6.3.2-4"
class="pilcrow">¶</a></p>
+ authoritative DNS servers.<a href="#section-6.2.2-4"
class="pilcrow">¶</a></p>
</section>
</div>
<div id="cname_processing">
-<section id="section-6.3.3">
+<section id="section-6.2.3">
<h4 id="name-cname">
-<a href="#section-6.3.3" class="section-number selfRef">6.3.3. </a><a
href="#name-cname" class="section-name selfRef">CNAME</a>
+<a href="#section-6.2.3" class="section-number selfRef">6.2.3. </a><a
href="#name-cname" class="section-name selfRef">CNAME</a>
</h4>
-<p id="section-6.3.3-1">
+<p id="section-6.2.3-1">
If a CNAME record is encountered, the canonical name is
appended to the remaining name, except if the remaining name
is empty and the desired record type is CNAME, in which case
@@ -2202,41 +2151,41 @@ async function addMetadata(){try{const
e=document.styleSheets[0].cssRules;for(le
If the canonical name ends in ".+",
resolution continues in GNS with the new name in the
current zone. Otherwise, the resulting name is resolved via the
- default operating system name resolution process.<a
href="#section-6.3.3-1" class="pilcrow">¶</a></p>
-<p id="section-6.3.3-2">
+ default operating system name resolution process.<a
href="#section-6.2.3-1" class="pilcrow">¶</a></p>
+<p id="section-6.2.3-2">
The recursive DNS resolution process may yield a CNAME as well
which in turn may either point into the DNS or GNS namespace
(if it ends in a ".<Base32(zk)>").
In order to prevent infinite loops, the resolver MUST
implement loop detections or limit the number of recursive
resolution
- steps.<a href="#section-6.3.3-2" class="pilcrow">¶</a></p>
+ steps.<a href="#section-6.2.3-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="box_processing">
-<section id="section-6.3.4">
+<section id="section-6.2.4">
<h4 id="name-box-2">
-<a href="#section-6.3.4" class="section-number selfRef">6.3.4. </a><a
href="#name-box-2" class="section-name selfRef">BOX</a>
+<a href="#section-6.2.4" class="section-number selfRef">6.2.4. </a><a
href="#name-box-2" class="section-name selfRef">BOX</a>
</h4>
-<p id="section-6.3.4-1">
+<p id="section-6.2.4-1">
When a BOX record is received, a GNS resolver
must unbox it if the name to be resolved continues with
"_SERVICE._PROTO".
Otherwise, the BOX record is to be left untouched. This way,
TLSA (and SRV)
records do not require a separate network request, and TLSA
- records become inseparable from the corresponding address
records.<a href="#section-6.3.4-1" class="pilcrow">¶</a></p>
+ records become inseparable from the corresponding address
records.<a href="#section-6.2.4-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="vpn_processing">
-<section id="section-6.3.5">
+<section id="section-6.2.5">
<h4 id="name-vpn-2">
-<a href="#section-6.3.5" class="section-number selfRef">6.3.5. </a><a
href="#name-vpn-2" class="section-name selfRef">VPN</a>
+<a href="#section-6.2.5" class="section-number selfRef">6.2.5. </a><a
href="#name-vpn-2" class="section-name selfRef">VPN</a>
</h4>
-<p id="section-6.3.5-1">
+<p id="section-6.2.5-1">
If the queried record type is either A or AAAA and the retrieved
record set contains at least one VPN record, the resolver SHOULD
open a
tunnel and return the IPv4 or IPv6 tunnel address, respectively.
The type of tunnel depends on the contents of the VPN record data.
The VPN record MUST be returned if the resolver implementation
does not
- support setting up a tunnnel.<a href="#section-6.3.5-1"
class="pilcrow">¶</a></p>
+ support setting up a tunnnel.<a href="#section-6.2.5-1"
class="pilcrow">¶</a></p>
</section>
</div>
</section>
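Review bot: the renumbered line in section-6.2.5-1 carries the typo "tunnnel" over from the removed line; correct it to "tunnel" while the line is being touched. The rest of the hunk is id renumbering only and matches the new 6.2.x structure.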
@@ -2259,32 +2208,117 @@ async function addMetadata(){try{const
e=document.styleSheets[0].cssRules;for(le
A revocation message is defined as follows:<a href="#section-7-2"
class="pilcrow">¶</a></p>
</section>
</div>
-<div id="security">
+<div id="governance">
<section id="section-8">
- <h2 id="name-security-considerations">
-<a href="#section-8" class="section-number selfRef">8. </a><a
href="#name-security-considerations" class="section-name selfRef">Security
Considerations</a>
+ <h2 id="name-root-zone-governance">
+<a href="#section-8" class="section-number selfRef">8. </a><a
href="#name-root-zone-governance" class="section-name selfRef">Root Zone
Governance</a>
</h2>
<p id="section-8-1">
- TODO<a href="#section-8-1" class="pilcrow">¶</a></p>
+ The resolution of a GNS name must start in a given root zone
+ indicated to the resolver using any public zone key.
+ A resolver client may determine the root zone public from the
+ name given for resolution using information retrieved out of band.
+ In the following, we illustrate how prior to recursive resolution, the
+ root zone can be determined.<a href="#section-8-1"
class="pilcrow">¶</a></p>
+<p id="section-8-2">
+ Any of the examples below may be exchanged with other mechanisms
+ an are not normative.<a href="#section-8-2" class="pilcrow">¶</a></p>
+<div id="rootiskey">
+<section id="section-8.1">
+ <h3 id="name-top-level-domain-as-local-z">
+<a href="#section-8.1" class="section-number selfRef">8.1. </a><a
href="#name-top-level-domain-as-local-z" class="section-name selfRef">Top-level
domain as local zone key</a>
+ </h3>
+<p id="section-8.1-1">
+ If the TLD is a Base32-encoded public zone key "zk", the entry
+ zone of the resolution process is implicitly given by the name.<a
href="#section-8.1-1" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-8.1-2">
+<pre>
+ Example name: www.example.<Base32(zk)>
+ => Root zone: zk
+ => Name to resolve from root zone: www.example
+ </pre><a href="#section-8.1-2" class="pilcrow">¶</a>
+</div>
</section>
</div>
-<div id="iana">
+<div id="rootislocal">
+<section id="section-8.2">
+ <h3 id="name-top-level-domain-maps-to-a-">
+<a href="#section-8.2" class="section-number selfRef">8.2. </a><a
href="#name-top-level-domain-maps-to-a-" class="section-name selfRef">Top-level
domain maps to a local zone name</a>
+ </h3>
+<p id="section-8.2-1">
+ Each local zone of the user may be associated with a single GNS
+ label. If this label is the top-level domain (TLD) of the name
+ to resolve, resolution can from the local zone.<a
href="#section-8.2-1" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-8.2-2">
+<pre>
+ Example name: www.example.gnu
+ Local zones:
+ fr = (d0,zk0)
+ gnu = (d1,zk1)
+ com = (d2,zk2)
+ ...
+ => Entry zone: zk1
+ => Name to resolve from entry zone: www.example
+ </pre><a href="#section-8.2-2" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+<div id="rootisoob">
+<section id="section-8.3">
+ <h3 id="name-name-suffix-mapped-to-an-ex">
+<a href="#section-8.3" class="section-number selfRef">8.3. </a><a
href="#name-name-suffix-mapped-to-an-ex" class="section-name selfRef">Name
suffix mapped to an external zone key</a>
+ </h3>
+<p id="section-8.3-1">
+ If no matching local zone for the TLD is found, external suffix to
+ zone mappings may exist. External suffix to zone key mapping
+ may be configurable through the GNS client implementation.
+ A mapping has the form "suffix = public zone key".
+ The suffix may consist of multiple GNS labels concatenated with a
+ ".". If multiple suffixes match the name to resolve, the longest
+ matching suffix MUST be used. The suffix length of two results
+ cannot be equal, as this would indicate a misconfiguration.<a
href="#section-8.3-1" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-8.3-2">
+<pre>
+ Example name: www.example.gnu
+ Local suffix mappings:
+ gnu = zk0
+ example.gnu = zk1
+ example.com = zk2
+ ...
+ => Entry zone: zk1
+ => Name to resolve from entry zone: www
+ </pre><a href="#section-8.3-2" class="pilcrow">¶</a>
+</div>
+</section>
+</div>
+</section>
+</div>
+<div id="security">
<section id="section-9">
- <h2 id="name-iana-considerations">
-<a href="#section-9" class="section-number selfRef">9. </a><a
href="#name-iana-considerations" class="section-name selfRef">IANA
Considerations</a>
+ <h2 id="name-security-considerations">
+<a href="#section-9" class="section-number selfRef">9. </a><a
href="#name-security-considerations" class="section-name selfRef">Security
Considerations</a>
</h2>
<p id="section-9-1">
- This will be fun<a href="#section-9-1" class="pilcrow">¶</a></p>
+ TODO<a href="#section-9-1" class="pilcrow">¶</a></p>
</section>
</div>
+<div id="iana">
<section id="section-10">
- <h2 id="name-test-vectors">
-<a href="#section-10" class="section-number selfRef">10. </a><a
href="#name-test-vectors" class="section-name selfRef">Test Vectors</a>
+ <h2 id="name-iana-considerations">
+<a href="#section-10" class="section-number selfRef">10. </a><a
href="#name-iana-considerations" class="section-name selfRef">IANA
Considerations</a>
</h2>
<p id="section-10-1">
+ This will be fun<a href="#section-10-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<section id="section-11">
+ <h2 id="name-test-vectors">
+<a href="#section-11" class="section-number selfRef">11. </a><a
href="#name-test-vectors" class="section-name selfRef">Test Vectors</a>
+ </h2>
+<p id="section-11-1">
The following represents a test vector for a record of type MX with
- a priority of 10 and the mail hostname mail.example.com.<a
href="#section-10-1" class="pilcrow">¶</a></p>
-<div class="artwork art-text alignLeft" id="section-10-2">
+ a priority of 10 and the mail hostname mail.example.com.<a
href="#section-11-1" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-11-2">
<pre>
label := "mail"
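Review bot: the new Section 8 prose has several defects to fix before this lands. In section-8-1, "determine the root zone public from the name" is missing "key"; in section-8-2, "an are not normative" should be "and are not normative"; in section-8.2-1, "resolution can from the local zone" is missing its verb ("can start from"). The artwork is also inconsistent: section-8.1-2 says "Root zone" and "Name to resolve from root zone", while section-8.2-2 and section-8.3-2, copied from the deleted 6.1, still say "Entry zone". Finally, section-8-2 declares these subsections non-normative, yet section-8.3-1 keeps "the longest matching suffix MUST be used" and "cannot be equal, as this would indicate a misconfiguration"; either downgrade that language or move the requirement back into Section 6 alongside the other normative resolution rules. Security Considerations (section-9-1) remains "TODO" and IANA Considerations (section-10-1) still reads "This will be fun", which is acceptable for a working draft but should be tracked.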
@@ -2382,12 +2416,12 @@ async function addMetadata(){try{const
e=document.styleSheets[0].cssRules;for(le
642920eee8e7a65a
001fd19a6406a721
713f0a0d
- </pre><a href="#section-10-2" class="pilcrow">¶</a>
+ </pre><a href="#section-11-2" class="pilcrow">¶</a>
</div>
</section>
-<section id="section-11">
+<section id="section-12">
<h2 id="name-normative-references">
-<a href="#section-11" class="section-number selfRef">11. </a><a
href="#name-normative-references" class="section-name selfRef">Normative
References</a>
+<a href="#section-12" class="section-number selfRef">12. </a><a
href="#name-normative-references" class="section-name selfRef">Normative
References</a>
</h2>
<dl class="references">
<dt id="RFC1034">[RFC1034]</dt>
diff --git a/draft-schanzen-gns.txt b/draft-schanzen-gns.txt
index 9fbadd3..8cf9404 100644
--- a/draft-schanzen-gns.txt
+++ b/draft-schanzen-gns.txt
@@ -76,19 +76,22 @@ Table of Contents
4.3. Record Data Encryption and Decryption . . . . . . . . . . 13
5. Internationalization and Character Encoding . . . . . . . . . 15
6. Name Resolution . . . . . . . . . . . . . . . . . . . . . . . 15
- 6.1. Entry Zone . . . . . . . . . . . . . . . . . . . . . . . 15
- 6.2. Record Retrieval . . . . . . . . . . . . . . . . . . . . 16
- 6.3. Record Processing . . . . . . . . . . . . . . . . . . . . 17
- 6.3.1. PKEY . . . . . . . . . . . . . . . . . . . . . . . . 17
- 6.3.2. GNS2DNS . . . . . . . . . . . . . . . . . . . . . . . 17
- 6.3.3. CNAME . . . . . . . . . . . . . . . . . . . . . . . . 18
- 6.3.4. BOX . . . . . . . . . . . . . . . . . . . . . . . . . 18
- 6.3.5. VPN . . . . . . . . . . . . . . . . . . . . . . . . . 19
- 7. Zone Revocation . . . . . . . . . . . . . . . . . . . . . . . 19
- 8. Security Considerations . . . . . . . . . . . . . . . . . . . 19
- 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
- 10. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 19
- 11. Normative References . . . . . . . . . . . . . . . . . . . . 21
+ 6.1. Record Retrieval . . . . . . . . . . . . . . . . . . . . 15
+ 6.2. Record Processing . . . . . . . . . . . . . . . . . . . . 16
+ 6.2.1. PKEY . . . . . . . . . . . . . . . . . . . . . . . . 16
+ 6.2.2. GNS2DNS . . . . . . . . . . . . . . . . . . . . . . . 16
+ 6.2.3. CNAME . . . . . . . . . . . . . . . . . . . . . . . . 17
+ 6.2.4. BOX . . . . . . . . . . . . . . . . . . . . . . . . . 17
+ 6.2.5. VPN . . . . . . . . . . . . . . . . . . . . . . . . . 18
+ 7. Zone Revocation . . . . . . . . . . . . . . . . . . . . . . . 18
+ 8. Root Zone Governance . . . . . . . . . . . . . . . . . . . . 18
+ 8.1. Top-level domain as local zone key . . . . . . . . . . . 18
+ 8.2. Top-level domain maps to a local zone name . . . . . . . 18
+ 8.3. Name suffix mapped to an external zone key . . . . . . . 19
+ 9. Security Considerations . . . . . . . . . . . . . . . . . . . 19
+ 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
+ 11. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 19
+ 12. Normative References . . . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction
@@ -102,10 +105,7 @@ Table of Contents
threatening the global availability and integrity of information on
the Internet.
- DNS was not designed with security as a goal. This makes it very
- vulnerable, especially to attackers that have the technical
- capabilities of an entire nation state at their disposal. This
- specification describes a censorship-resistant, privacy-preserving
+
@@ -114,6 +114,10 @@ Schanzenbach, et al. Expires 13 May 2020
[Page 2]
Internet-Draft The GNU Name System November 2019
+ DNS was not designed with security as a goal. This makes it very
+ vulnerable, especially to attackers that have the technical
+ capabilities of an entire nation state at their disposal. This
+ specification describes a censorship-resistant, privacy-preserving
and decentralized name system: The GNU Name System (GNS). It is
designed to provide a secure alternative to DNS, especially when
censorship or manipulation is encountered. GNS can bind names to any
@@ -159,10 +163,6 @@ Internet-Draft The GNU Name System
November 2019
p is the prime of edwards25519 as defined in [RFC7748], i.e. 2^255
- 19.
- B is the group generator (X(P),Y(P)) of edwards25519 as defined in
- [RFC7748].
-
-
Schanzenbach, et al. Expires 13 May 2020 [Page 3]
@@ -170,6 +170,9 @@ Schanzenbach, et al. Expires 13 May 2020
[Page 3]
Internet-Draft The GNU Name System November 2019
+ B is the group generator (X(P),Y(P)) of edwards25519 as defined in
+ [RFC7748].
+
L is the prime-order subgroup of edwards25519 in [RFC7748].
zk is the ECDSA public key corresponding to d. It is defined in
@@ -215,9 +218,6 @@ Internet-Draft The GNU Name System
November 2019
the GNS resource records as defined in Section 3 or a DNS record
type as defined in [RFC1035] or any of the complementary
standardized DNS resource record types. This value must be stored
- in network byte order. Note that values below 2^16 are reserved
- for allocation via IANA ([RFC6895]).
-
@@ -226,6 +226,9 @@ Schanzenbach, et al. Expires 13 May 2020
[Page 4]
Internet-Draft The GNU Name System November 2019
+ in network byte order. Note that values below 2^16 are reserved
+ for allocation via IANA ([RFC6895]).
+
FLAGS is a 32-bit resource record flags field (see below).
DATA the variable-length resource record data payload. The contents
@@ -274,9 +277,6 @@ Internet-Draft The GNU Name System
November 2019
-
-
-
Schanzenbach, et al. Expires 13 May 2020 [Page 5]
Internet-Draft The GNU Name System November 2019
@@ -820,64 +820,10 @@ Internet-Draft The GNU Name System
November 2019
storage. In the following, we define how resolution is initiated and
each iteration in the resolution is processed.
-6.1. Entry Zone
-
- There are three sources from which the entry zone can be determined
- which MUST be queried in this order:
-
- 1. Check if top-level domain maps to a local zone key.
-
- 2. Check if top-level domain maps to a local zone name.
-
- 3. Check if a configuration exists that maps a suffix to an external
- zone key.
-
- If the TLD is a Base32-encoded public zone key "zk", the entry zone
- of the resolution process is implicitly given by the name.
-
-
-
-Schanzenbach, et al. Expires 13 May 2020 [Page 15]
-
-Internet-Draft The GNU Name System November 2019
-
-
- Example name: www.example.<Base32(zk)>
- => Entry zone: zk
- => Name to resolve from entry zone: www.example
-
- Each local zone is associated with a single GNS label. If this label
- is the top-level domain (TLD) of the name to resolve, resolution MUST
- start from this local zone.
-
- Example name: www.example.gnu
- Local zones:
- fr = (d0,zk0)
- gnu = (d1,zk1)
- com = (d2,zk2)
- ...
- => Entry zone: zk1
- => Name to resolve from entry zone: www.example
-
- If no matching local zone for the TLD is found, external suffix to
- zone mappings are checked. External suffix to zone key mapping
- SHOULD be configurable through the GNS implementation. A mapping has
- the form "suffix = public zone key". The suffix may consist of
- multiple GNS labels concatenated with a ".". If multiple suffixes
- match the name to resolve, the longest matching suffix MUST be used.
- The suffix length of two results cannot be equal, as this would
- indicate a misconfiguration.
-
- Example name: www.example.gnu
- Local suffix mappings:
- gnu = zk0
- example.gnu = zk1
- example.com = zk2
- ...
- => Entry zone: zk1
- => Name to resolve from entry zone: www
+ GNS resolution of a name must start in a given root entry zone.
+ Details on how the root zone is determined is discussed in Section 8.
-6.2. Record Retrieval
+6.1. Record Retrieval
When GNS name resolution is requested, a desired record type MAY be
provided by the client. The GNS resolver will use the desired record
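Review bot: the replacement text "GNS resolution of a name must start in a given root entry zone" drops the deleted rule "There are three sources from which the entry zone can be determined which MUST be queried in this order" without carrying the precedence over to the new Section 8 reference; if the lookup order (local zone key, local zone name, suffix mapping) is still required of implementations, it needs to survive either here or in Section 8. "root entry zone" also mixes the old term ("entry zone") with the new one ("root zone"); pick one. Since draft-schanzen-gns.txt is generated, the fix belongs in draft-schanzen-gns.xml.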
@@ -888,16 +834,17 @@ Internet-Draft The GNU Name System
November 2019
In each step of the recursive name resolution, there is an
authoritative zone zk and a name to resolve which may be empty.
- Initially, the authoritative zone is the entry zone. If the name is
- empty, it is interpreted as the apex label "@".
-Schanzenbach, et al. Expires 13 May 2020 [Page 16]
+Schanzenbach, et al. Expires 13 May 2020 [Page 15]
Internet-Draft The GNU Name System November 2019
+ Initially, the authoritative zone is the entry zone. If the name is
+ empty, it is interpreted as the apex label "@".
+
1. Extract the right-most label from the name to look up.
2. Calculate q using the label and zk.
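Review bot: the re-added sentence "Initially, the authoritative zone is the entry zone." still uses the term that this commit removes from Section 6 together with the "Entry Zone" subsection; with that section replaced by Section 8 "Root Zone Governance", this should read "root zone" (or Section 8 should define "entry zone"), otherwise the term is used without a definition.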
@@ -912,7 +859,7 @@ Internet-Draft The GNU Name System
November 2019
MUST match the public key provided in the RRBLOCK, otherwise the
RRBLOCK MUST be ignored and the DHT lookup GET(q) MUST continue.
-6.3. Record Processing
+6.2. Record Processing
If the remainder of the name to resolve is not empty, the records
result MUST consist of a single PKEY record, CNAME record, or one or
@@ -923,12 +870,11 @@ Internet-Draft The GNU Name System
November 2019
does not consist of a PKEY, CNAME or DNS2GNS record, the record set
is the result and the resolution is concluded.
-6.3.1. PKEY
+6.2.1. PKEY
When a resolver encounters a PKEY record and the remainder of the
name is non-empty, resolution continues recursively with the
- remainder of the name in the newly discovered GNS zone as defined in
- Section 6.1.
+ remainder of the name in the newly discovered GNS zone.
If the remainder of the name to resolve is empty and we have received
a record set containing only a single PKEY record, the recursion is
@@ -937,23 +883,24 @@ Internet-Draft The GNU Name System
November 2019
record type is PKEY, in which case the PKEY record is returned and
the resolution is concluded without resolving the empty apex label.
-6.3.2. GNS2DNS
+6.2.2. GNS2DNS
When a resolver encounters a GNS2DNS record and the remaining name is
empty and the desired record type is GNS2DNS, the GNS2DNS records are
returned.
- Otherwise, it is expected that the resolver first resolves the IP(s)
- of the DNS specified name server(s). GNS2DNS records MAY contain
- numeric IPv4 or IPv6 addresses, allowing the resolver to skip this
-Schanzenbach, et al. Expires 13 May 2020 [Page 17]
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 16]
Internet-Draft The GNU Name System November 2019
+ Otherwise, it is expected that the resolver first resolves the IP(s)
+ of the DNS specified name server(s). GNS2DNS records MAY contain
+ numeric IPv4 or IPv6 addresses, allowing the resolver to skip this
step. The DNS server names may themselves be names in GNS or DNS.
If the DNS server name ends in ".+", the rest of the name is to be
interpreted relative to the zone of the GNS2DNS record. If the DNS
@@ -974,7 +921,7 @@ Internet-Draft The GNU Name System
November 2019
resolver MUST support recursive resolution and not delegate this to
the authoritative DNS servers.
-6.3.3. CNAME
+6.2.3. CNAME
If a CNAME record is encountered, the canonical name is appended to
the remaining name, except if the remaining name is empty and the
@@ -990,7 +937,7 @@ Internet-Draft The GNU Name System
November 2019
MUST implement loop detections or limit the number of recursive
resolution steps.
-6.3.4. BOX
+6.2.4. BOX
When a BOX record is received, a GNS resolver must unbox it if the
name to be resolved continues with "_SERVICE._PROTO". Otherwise, the
@@ -1002,15 +949,12 @@ Internet-Draft The GNU Name System
November 2019
-
-
-
-Schanzenbach, et al. Expires 13 May 2020 [Page 18]
+Schanzenbach, et al. Expires 13 May 2020 [Page 17]
Internet-Draft The GNU Name System November 2019
-6.3.5. VPN
+6.2.5. VPN
If the queried record type is either A or AAAA and the retrieved
record set contains at least one VPN record, the resolver SHOULD open
@@ -1030,15 +974,80 @@ Internet-Draft The GNU Name System
November 2019
A revocation message is defined as follows:
-8. Security Considerations
+8. Root Zone Governance
+
+ The resolution of a GNS name must start in a given root zone
+ indicated to the resolver using any public zone key. A resolver
+ client may determine the root zone public from the name given for
+ resolution using information retrieved out of band. In the
+ following, we illustrate how prior to recursive resolution, the root
+ zone can be determined.
+
+ Any of the examples below may be exchanged with other mechanisms an
+ are not normative.
+
+8.1. Top-level domain as local zone key
+
+ If the TLD is a Base32-encoded public zone key "zk", the entry zone
+ of the resolution process is implicitly given by the name.
+
+ Example name: www.example.<Base32(zk)>
+ => Root zone: zk
+ => Name to resolve from root zone: www.example
+
+8.2. Top-level domain maps to a local zone name
+
+ Each local zone of the user may be associated with a single GNS
+ label. If this label is the top-level domain (TLD) of the name to
+ resolve, resolution can from the local zone.
+
+
+
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 18]
+
+Internet-Draft The GNU Name System November 2019
+
+
+ Example name: www.example.gnu
+ Local zones:
+ fr = (d0,zk0)
+ gnu = (d1,zk1)
+ com = (d2,zk2)
+ ...
+ => Entry zone: zk1
+ => Name to resolve from entry zone: www.example
+
+8.3. Name suffix mapped to an external zone key
+
+ If no matching local zone for the TLD is found, external suffix to
+ zone mappings may exist. External suffix to zone key mapping may be
+ configurable through the GNS client implementation. A mapping has
+ the form "suffix = public zone key". The suffix may consist of
+ multiple GNS labels concatenated with a ".". If multiple suffixes
+ match the name to resolve, the longest matching suffix MUST be used.
+ The suffix length of two results cannot be equal, as this would
+ indicate a misconfiguration.
+
+ Example name: www.example.gnu
+ Local suffix mappings:
+ gnu = zk0
+ example.gnu = zk1
+ example.com = zk2
+ ...
+ => Entry zone: zk1
+ => Name to resolve from entry zone: www
+
+9. Security Considerations
TODO
-9. IANA Considerations
+10. IANA Considerations
This will be fun
-10. Test Vectors
+11. Test Vectors
The following represents a test vector for a record of type MX with a
priority of 10 and the mail hostname mail.example.com.
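Review bot: the examples in 8.2 and 8.3 still print "=> Entry zone: zk1" and "Name to resolve from entry zone" while 8.1 was updated to "=> Root zone: zk" and "Name to resolve from root zone"; all three should use the same term. The section introduction also states that the examples "are not normative", yet 8.3 keeps "the longest matching suffix MUST be used"; either drop the RFC 2119 keyword here or move the suffix-matching rule into the normative resolution section.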
@@ -1049,6 +1058,14 @@ Internet-Draft The GNU Name System
November 2019
71199f7b287cc77a
0d21b5e40a77cb1d
f89333903b284fe8
+
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 19]
+
+Internet-Draft The GNU Name System November 2019
+
+
1878bf47f3b39da0
zk (public zone key) :=
@@ -1058,14 +1075,6 @@ Internet-Draft The GNU Name System
November 2019
17fc32dc410e082e
h :=
-
-
-
-Schanzenbach, et al. Expires 13 May 2020 [Page 19]
-
-Internet-Draft The GNU Name System November 2019
-
-
2af3275a9cf90e54
f2dbf7930be76fb9
5e7c80b1416f8ca6
@@ -1105,6 +1114,14 @@ Internet-Draft The GNU Name System
November 2019
c9d0089df01d0bf4
e4c8db4b2ccc7328
3425e8a811ae59d2
+
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 20]
+
+Internet-Draft The GNU Name System November 2019
+
+
99e2747285d2a479
TWOFISH_IV :=
@@ -1114,14 +1131,6 @@ Internet-Draft The GNU Name System
November 2019
RDATA :=
0000000100059412 RR COUNT | EXPIRA-
09ddea0f00000014 -TION | DATA SIZE (20)
-
-
-
-Schanzenbach, et al. Expires 13 May 2020 [Page 20]
-
-Internet-Draft The GNU Name System November 2019
-
-
0000000f00000000 TYPE (15=MX) | FLAGS (0)
000a046d61696c07 Priority (10) |4 | mail | 7
6578616d706c6503 example | 3
@@ -1156,12 +1165,19 @@ Internet-Draft The GNU Name System
November 2019
001fd19a6406a721
713f0a0d
-11. Normative References
+12. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>.
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 21]
+
+Internet-Draft The GNU Name System November 2019
+
+
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>.
@@ -1171,13 +1187,6 @@ Internet-Draft The GNU Name System
November 2019
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
-
-
-Schanzenbach, et al. Expires 13 May 2020 [Page 21]
-
-Internet-Draft The GNU Name System November 2019
-
-
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
DOI 10.17487/RFC2782, February 2000,
@@ -1217,6 +1226,14 @@ Internet-Draft The GNU Name System
November 2019
Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
2013, <https://www.rfc-editor.org/info/rfc6979>.
+
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 22]
+
+Internet-Draft The GNU Name System November 2019
+
+
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>.
@@ -1226,14 +1243,6 @@ Internet-Draft The GNU Name System
November 2019
DOI 10.17487/RFC8032, January 2017,
<https://www.rfc-editor.org/info/rfc8032>.
-
-
-
-Schanzenbach, et al. Expires 13 May 2020 [Page 22]
-
-Internet-Draft The GNU Name System November 2019
-
-
[TWOFISH] Schneier, B., "The Twofish Encryptions Algorithm: A
128-Bit Block Cipher, 1st Edition", March 1999.
@@ -1275,14 +1284,5 @@ Authors' Addresses
-
-
-
-
-
-
-
-
-
Schanzenbach, et al. Expires 13 May 2020 [Page 23]
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index d4aea50..9d6fa6b 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -852,65 +852,11 @@
In the following, we define how resolution is initiated and each
iteration in the resolution is processed.
</t>
- <section anchor="entry_zone" numbered="true" toc="default">
- <name>Entry Zone</name>
- <t>
- There are three sources from which the entry zone can be determined
- which MUST be queried in this order:
- </t>
- <ol>
- <li>Check if top-level domain maps to a local zone key.</li>
- <li>Check if top-level domain maps to a local zone name.</li>
- <li>Check if a configuration exists that maps a suffix to an
- external zone key.</li>
- </ol>
- <t>
- If the TLD is a Base32-encoded public zone key "zk", the entry
- zone of the resolution process is implicitly given by the name.
- </t>
- <artwork name="" type="" align="left" alt=""><![CDATA[
- Example name: www.example.<Base32(zk)>
- => Entry zone: zk
- => Name to resolve from entry zone: www.example
- ]]></artwork>
-
- <t>
- Each local zone is associated with a single GNS label. If this label
- is the top-level domain (TLD) of the name to resolve, resolution
- MUST start from this local zone.
- </t>
- <artwork name="" type="" align="left" alt=""><![CDATA[
- Example name: www.example.gnu
- Local zones:
- fr = (d0,zk0)
- gnu = (d1,zk1)
- com = (d2,zk2)
- ...
- => Entry zone: zk1
- => Name to resolve from entry zone: www.example
- ]]></artwork>
-
- <t>
- If no matching local zone for the TLD is found, external suffix to
- zone mappings are checked. External suffix to zone key mapping
- SHOULD be configurable through the GNS implementation. A mapping
- has the form "suffix = public zone key".
- The suffix may consist of multiple GNS labels concatenated with a
- ".". If multiple suffixes match the name to resolve, the longest
matching
- suffix MUST be used. The suffix length of two results cannot be
equal,
- as this would indicate a misconfiguration.
- </t>
- <artwork name="" type="" align="left" alt=""><![CDATA[
- Example name: www.example.gnu
- Local suffix mappings:
- gnu = zk0
- example.gnu = zk1
- example.com = zk2
- ...
- => Entry zone: zk1
- => Name to resolve from entry zone: www
- ]]></artwork>
- </section>
+ <t>
+ GNS resolution of a name must start in a given root entry zone.
+ Details on how the root zone is determined is discussed in
+ <xref target="governance" />.
+ </t>
<section anchor="record_retrieval" numbered="true" toc="default">
<name>Record Retrieval</name>
<t>
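Review bot: "Details on how the root zone is determined is discussed in <xref target="governance" />" has a number-agreement error ("Details ... are discussed"), and "root entry zone" should be just "root zone" to match the name of the section the xref points at. This hunk deletes the "entry_zone" anchor; the one remaining <xref target="entry_zone" /> in the PKEY section is removed in the next hunk, but please confirm no other references to that anchor exist outside the visible hunks, as a dangling xref will break the build.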
@@ -963,7 +909,7 @@
When a resolver encounters a PKEY record and the remainder of
the name is non-empty, resolution continues
recursively with the remainder of the name in the newly discovered
- GNS zone as defined in <xref target="entry_zone" />.
+ GNS zone.
</t>
<t>
If the remainder of the name to resolve is empty and we have
received
@@ -993,9 +939,9 @@
is to be resolved against the GNS zone zk.
</t>
<t>
- Multiple
- GNS2DNS records may be stored under the same label, in which case
the
- resolver MUST try all of them. The resolver may try them in any
+ Multiple GNS2DNS records may be stored under the same label,
+ in which case the resolver MUST try all of them.
+ The resolver may try them in any
order or even in parallel. If multiple GNS2DNS records
are present, the DNS name MUST be identical for all of them, if
not the resolution fails. <!-- FIXME: specify how to return the
error? -->
@@ -1071,6 +1017,74 @@
A revocation message is defined as follows:
</t>
</section>
+ <section anchor="governance" numbered="true" toc="default">
+ <name>Root Zone Governance</name>
+ <t>
+ The resolution of a GNS name must start in a given root zone
+ indicated to the resolver using any public zone key.
+ A resolver client may determine the root zone public from the
+ name given for resolution using information retrieved out of band.
+ In the following, we illustrate how prior to recursive resolution, the
+ root zone can be determined.
+ </t>
+ <t>
+ Any of the examples below may be exchanged with other mechanisms
+ an are not normative.
+ </t>
+ <section anchor="rootiskey" numbered="true" toc="default">
+ <name>Top-level domain as local zone key</name>
+ <t>
+ If the TLD is a Base32-encoded public zone key "zk", the entry
+ zone of the resolution process is implicitly given by the name.
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+ Example name: www.example.<Base32(zk)>
+ => Root zone: zk
+ => Name to resolve from root zone: www.example
+ ]]></artwork>
+ </section>
+ <section anchor="rootislocal" numbered="true" toc="default">
+ <name>Top-level domain maps to a local zone name</name>
+ <t>
+ Each local zone of the user may be associated with a single GNS
+ label. If this label is the top-level domain (TLD) of the name
+ to resolve, resolution can from the local zone.
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+ Example name: www.example.gnu
+ Local zones:
+ fr = (d0,zk0)
+ gnu = (d1,zk1)
+ com = (d2,zk2)
+ ...
+ => Entry zone: zk1
+ => Name to resolve from entry zone: www.example
+ ]]></artwork>
+ </section>
+ <section anchor="rootisoob" numbered="true" toc="default">
+ <name>Name suffix mapped to an external zone key</name>
+ <t>
+ If no matching local zone for the TLD is found, external suffix to
+ zone mappings may exist. External suffix to zone key mapping
+ may be configurable through the GNS client implementation.
+ A mapping has the form "suffix = public zone key".
+ The suffix may consist of multiple GNS labels concatenated with a
+ ".". If multiple suffixes match the name to resolve, the longest
+ matching suffix MUST be used. The suffix length of two results
+ cannot be equal, as this would indicate a misconfiguration.
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+ Example name: www.example.gnu
+ Local suffix mappings:
+ gnu = zk0
+ example.gnu = zk1
+ example.com = zk2
+ ...
+ => Entry zone: zk1
+ => Name to resolve from entry zone: www
+ ]]></artwork>
+ </section>
+ </section>
<section anchor="security" numbered="true" toc="default">
<name>Security Considerations</name>
<t>
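Review bot: several wording defects in the new section text should be fixed in this source file before regenerating the .txt and .html: "may be exchanged with other mechanisms an are not normative" should be "and are not normative"; "resolution can from the local zone" is missing its verb ("can start from the local zone"); "determine the root zone public from the name" is missing "key" ("root zone public key"); and "indicated to the resolver using any public zone key" reads as if any key were acceptable, whereas the intent appears to be that the root zone is identified by its own public zone key.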