Internet-Draft The GNU Name System January 2022
Schanzenbach, et al. Expires 22 July 2022 [Page]
Workgroup:
Independent Stream
Internet-Draft:
draft-schanzen-gns-06
Published:
Intended Status:
Informational
Expires:
Authors:
M. Schanzenbach
GNUnet e.V.
C. Grothoff
Berner Fachhochschule
B. Fix
GNUnet e.V.

The GNU Name System

Abstract

This document contains the GNU Name System (GNS) technical specification. GNS is a decentralized and censorship-resistant name system that provides a privacy-enhancing alternative to the Domain Name System (DNS).

This document defines the normative wire format of resource records, resolution processes, cryptographic routines and security considerations for use by implementers.

This specification was developed outside the IETF and does not have IETF consensus. It is published here to guide implementation of GNS and to ensure interoperability among implementations.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 22 July 2022.

Table of Contents

1. Introduction

The Domain Name System (DNS) [RFC1035] is a unique distributed database and a vital service for most Internet applications. While DNS is distributed, in practice it relies on centralized, trusted registrars to provide globally unique names. As the awareness of the central role DNS plays on the Internet rises, various institutions are using their power (including legal means) to engage in attacks on the DNS, thus threatening the global availability and integrity of information on the Internet.

DNS was not designed with security as a goal. This makes it very vulnerable, especially to attackers that have the technical capabilities of an entire nation state at their disposal. This specification describes a censorship-resistant, privacy-preserving and decentralized name system: The GNU Name System (GNS) [GNS]. It is designed to provide a secure, privacy-enhancing alternative to DNS, especially when censorship or manipulation is encountered. In particular, it directly addresses concerns in DNS with respect to "Query Privacy", the "Single Hierarchy with a Centrally Controlled Root" and "Distribution and Management of Root Servers" as raised in [RFC8324]. GNS can bind names to any kind of cryptographically secured token, enabling it to double in some respects as even as an alternative to some of today's Public Key Infrastructures, in particular X.509 for the Web.

The design of GNS incorporates the capability to integrate and coexist with DNS. GNS is based on the principle of a petname system and builds on ideas from the Simple Distributed Security Infrastructure ([SDSI]), addressing a central issue with the decentralized mapping of secure identifiers to memorable names: namely the impossibility of providing a global, secure and memorable mapping without a trusted authority. GNS uses the transitivity in the SDSI design to replace the trusted root with secure delegation of authority thus making petnames useful to other users while operating under a very strong adversary model.

This is an important distinguishing factor from the Domain Name System where root zone governance is centralized at the Internet Corporation for Assigned Names and Numbers (ICANN). In DNS terminology, GNS roughly follows the idea of a hyperlocal root zone deployment, with the difference that it is not expected that all deployments use the same local root zone.

This document defines the normative wire format of resource records, resolution processes, cryptographic routines and security considerations for use by implementers.

This specification was developed outside the IETF and does not have IETF consensus. It is published here to guide implementation of GNS and to ensure interoperability among implementations.

1.1. Requirements Notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. Terminology

Label
A GNS label is a label as defined in [RFC8499]. Within this document, labels are always assumed to be strings of UTF-8 characters [RFC8499] in Normalization Form C (NFC) [Unicode-UAX15].
Name
A name in GNS is a domain name as defined in [RFC8499] as an ordered list of labels. The labels in a name are separated using the character "." (dot). Names, like labels, are encoded in UTF-8.
Top-Level Domain
A GNS Top-Level Domain is a GNS label and a Top-Level Domain (TLD) as defined in [RFC8499]. With the exception of Zone Top-Level Domains (see below), GNS TLDs are part of the configuration of the local resolver (see Section 7.1) and may not be globally unique.
Zone
A GNS zone contains authoritative information (resource records). A zone is uniquely identified by its ID.
Zone Type
The type of a GNS zone determines the format and type of the zone key.
Zone Key
The zone key uniquely identifies a zone. Its format and type depend on the associated zone type. The zone key is usually a public key of an asymmetric key pair.
Zone Owner
The owner of a GNS zone is the holder of the private key corresponding to the respective zone key.
Zone Top-Level Domain
A GNS Zone Top-Level Domain (zTLD) is a GNS name and a Top-Level Domain (TLD) as defined in [RFC8499]. It represents a sub-group of all TLDs and encodes the zone type and zone key of a zone. Due to the statistical uniqueness of zone keys, zTLDs are also globally unique.
Resource Record
A GNS resource record is the information associated with a label in a GNS zone. A GNS resource record contains information as defined by its resource record type.

3. Overview

In GNS, any user may create and manage one or more cryptographically secured zones (Section 4). Zones are uniquely identified by a zone key. Zone contents are signed using blinded private keys and encrypted using derived secret keys. The zone type determines the respectice set of cryptographic functions.

A zone can be populated with mappings from labels to resource records by its owner (Section 5). Labels can be delegated to other zones using delegation records and in order to support (legacy) applications as well as facilitate the use of petnames, GNS defines auxiliary record types in addition to supporting traditional DNS records.

Zone contents are encrypted and signed before being published in a distributed key-value storage (Section 6). In this process, unique zone identification is hidden from the network through the use of key blinding. It allows the creation of signatures for zone contents using a blinded public/private key pair. This blinding is realized using a deterministic key derivation from the original zone key and corresponding private key using record label values. Specifically, the zone owner can derive private keys for each record set published under a label, and a resolver can derive the corresponding public keys. It is expected that GNS implementations use distributed or decentralized storages such as distributed hash tables (DHT) in order to facilitate availability within a network without the need of servers. Specification of such a distributed or decentralized storage is out of scope of this document but possible existing implementations include those based on [RFC7363], [Kademlia] or [R5N].

Names in GNS are domain names as defined in [RFC8499]. Starting from a configurable root zone, names are resolved following zone delegations which are recursively queried from the storage (Section 7). Without knowledge of the label values and the zone keys, the different derived keys are unlinkable both to the original key and to each other. This prevents zone enumeration and requires knowledge of both the zone key and the label to confirm affiliation with a specific zone. At the same time, the blinded zone key provides resolvers with the ability to verify the integrity of the published information without disclosing the originating zone.

In the remainder of this document, the "implementer" refers to the developer building a GNS implementation including, for example, zone management tools and name resolution components. An "application" refers to a component which uses a GNS implementation to resolve records from the network and (usually) processes its contents.

4. Zones

A zone in GNS is uniquely identified by its zone type and zone key. It can be represented by a Zone Top-Level Domain (zTLD) string.

The zone type ztype is the unique zone type of the zone as registered in the GNUnet Assigned Numbers Authority [GANA]. The zone type determines which cryptosystem is used for the asymmetric and symmetric key operations of the zone. The zone type is identified by a 32-bit number. It always corresponds to a resource record type number identifying a delegation into a zone of this type.

For any zone, d is the private key. zk is the zone key. The specific formats depends on the zone type. The creation of zone keys for the default zone types are specified in Section 5.1. New zone types may be specified in the future, for example if the cryptographic mechanisms used in this document are broken. Any zone type MUST define the following set of cryptographic functions:

Private-KeyGen() -> d
is a function to generate a fresh private key d.
Public-KeyGen(d) -> zk
is a function to derive a zone key zk from a private key d.
ZKDF-Private(d,label) -> d'
is a zone key derivation function which blinds a private key d using label, resulting in another private key which can be used to create cryptographic signatures.
ZKDF-Public(zk,label) -> zk'
is a zone key derivation function which blinds a zone key zk using a label. zk and zk' must be unlinkable. Furthermore, blinding zk with different values for the label must result in unlinkable different resulting values for zk'.
S-Encrypt(zk,label,nonce,expiration,message) -> ciphertext
is a symmetric encryption function which encrypts the record data based on key material derived from the zone key, a label, a nonce and an expiration. In order to leverage performance-enhancing caching features of certain underlying storages, in particular DHTs, a deterministic encryption scheme is recommended.
S-Decrypt(zk,label,nonce,expiration,ciphertext) -> message
is a symmetric decryption function which decrypts the encrypted record data based on key material derived from the zone key, a label, a nonce and an expiration.
Sign(d',message) -> signature
is a function to sign encrypted record data using the (blinded) private key d', yielding an unforgable cryptographic signature.
Verify(zk',message,signature) -> valid
is a function to verify the signature was created by the private key d' derived from d and a label if zk' was derived from the corresponding zone key zk := Public-Keygen(d) and same label. The function returns a boolean value of "TRUE" if the signature is valid, and otherwise "FALSE".

4.1. Zone Top-Level Domain

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|       ZONE TYPE       |      ZONE KEY         /
+-----+-----+-----+-----+                       /
/                                               /
/                                               /
Figure 1

The decoded binary representation of the zTLD

The zTLD is the Zone Top-Level Domain. It is a string which encodes the zone type and zone key into a domain name. The zTLD is used as a globally unique reference to a specific namespace in the process of name resolution. To encode the zone key, a zone key label zkl is derived from a concatenation of the zone type and zone key (see Figure 1) using the Crockford Base32 encoding [CrockfordB32]. In order to further increase tolerance for failures in character recognition, the letter "U" MUST be decoded to the same Base32 value as the letter "V". The encoding and decoding symbols for Crockford Base32 including this modification are defined in Figure 2. The functions for encoding and decoding based on this table are called GNSCrockfordEncode and GNSCrockfordDecode, respectively.

Symbol      Decode            Encode
Value       Symbol            Symbol
0           0 O o             0
1           1 I i L l         1
2           2                 2
3           3                 3
4           4                 4
5           5                 5
6           6                 6
7           7                 7
8           8                 8
9           9                 9
10          A a               A
11          B b               B
12          C c               C
13          D d               D
14          E e               E
15          F f               F
16          G g               G
17          H h               H
18          J j               J
19          K k               K
20          M m               M
21          N n               N
22          P p               P
23          Q q               Q
24          R r               R
25          S s               S
26          T t               T
27          V v               V U
28          W w               W
29          X x               X
30          Y y               Y
31          Z z               Z
Figure 2

The Base32-Crockford Alphabet Including the Additional U Encode Symbol.

For the string representation of a zTLD we define:

zkl := GNSCrockfordEncode(ztype|zkey)
ztype|zkey := GNSCrockfordDecode(zkl)

If zkl is less than 63 characters, it can directly be used as a zTLD. If zkl is longer than 63 characters, the zTLD is constructed by dividing zkl into smaller labels separated by the label separator ".". Here, the most significant bytes of the "ztype|zkey" concatenation must be contained in the rightmost label of the resulting string and the least significant bytes in the leftmost label of the resulting string. This allows the resolver to determine the zone type and zkl length from the rightmost label. For example, assuming a zkl of 130 characters, the encoding would be:

zTLD := zkl[126..129].zkl[63..125].zkl[0..62]

4.2. Zone Revocation

Whenever a resolver encounters a new GNS zone, it MUST check against the local revocation list whether the respective zone key has been revoked. If the zone key was revoked, the resolution MUST fail with an empty result set.

In order to revoke a zone key, a signed revocation object MUST be published. This object MUST be signed using the private key. The revocation object is broadcast to the network. The specification of the broadcast mechanism is out of scope of this document. A possible broadcast mechanism for efficient flooding in a distributed network is implemented in [GNUnet]. Alternatively, revocation objects could also be distributed via a distributed ledger or a trusted central server. To prevent flooding attacks, the revocation message MUST contain a proof of work (PoW). The revocation message including the PoW MAY be calculated ahead of time to support timely revocation.

For all occurrences below, "Argon2id" is the Password-based Key Derivation Function as defined in [RFC9106]. For the PoW calculations the algorithm is instantiated with the following parameters:

S
The salt. Fixed 16-byte string: "GnsRevocationPow".
t
Number of iterations: 3
m
Memory size in KiB: 1024
T
Output length of hash in bytes: 64
p
Parallelization parameter: 1
v
Algorithm version: 0x13
y
Algorithm type (Argon2id): 2
X
Unused
K
Unused

Figure 3 illustrates the wire format of the message string "P" on which the PoW is calculated.

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                      POW                      |
+-----------------------------------------------+
|                   TIMESTAMP                   |
+-----------------------------------------------+
|       ZONE TYPE       |    ZONE KEY           |
+-----+-----+-----+-----+                       |
/                                               /
/                                               /
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 3

The Wire Format of the PoW Message String.

POW
A 64-bit solution to the PoW. In network byte order.
TIMESTAMP
denotes the absolute 64-bit date when the revocation was computed. In microseconds since midnight (0 hour), January 1, 1970 in network byte order.
ZONE TYPE
is the 32-bit zone type.
ZONE KEY
is the 256-bit public key zk of the zone which is being revoked. The wire format of this value is defined by the ZONE TYPE.

Traditionally, PoW schemes require to find a POW such that at least D leading zeroes are found in the hash result. D is then referred to as the difficulty of the PoW. In order to reduce the variance in time it takes to calculate the PoW, we require that a number Z different PoWs must be found that on average have D leading zeroes.

The resulting proofs may then published and disseminated. The concrete dissemination and publication methods are out of scope of this document. Given an average difficulty of D, the proofs have an expiration time of EPOCH. With each additional bit difficulty, the lifetime of the proof is prolonged for another EPOCH. Consequently, by calculating a more difficult PoW, the lifetime of the proof can be increased on demand by the zone owner.

The parameters are defined as follows:

Z
The number of PoWs required is fixed at 32.
D
The difficulty is fixed at 22.
EPOCH
A single epoch is fixed at 365 days.

The revocation message wire format is illustrated in Figure 4.

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   TIMESTAMP                   |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                      TTL                      |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                     POW_0                     |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                       ...                     |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                     POW_Z-1                   |
+-----------------------------------------------+
|       ZONE TYPE       |    ZONE KEY           |
+-----+-----+-----+-----+                       |
/                                               /
/                                               /
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   SIGNATURE                   |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 4

The Revocation Message Wire Format.

TIMESTAMP
denotes the absolute 64-bit date when the revocation was computed. In microseconds since midnight (0 hour), January 1, 1970 in network byte order. This is the same value as the timestamp used in the individual PoW calculations.
TTL
denotes the relative 64-bit time to live of the record in microseconds also in network byte order. This field is informational for a verifier. The verifier may discard revocation if the TTL indicates that it is already expired. However, the actual TTL of the revocation must be determined by examining the leading zeros in the proof of work calculation.
POW_i
The values calculated as part of the PoW, in network byte order. Each POW_i MUST be unique in the set of POW values. To facilitate fast verification of uniqueness, the POW values must be given in strictly monotonically increasing order in the message.
ZONE TYPE
The 32-bit zone type corresponding to the zone key.
ZONE KEY
is the public key zk of the zone which is being revoked and the key to be used to verify SIGNATURE.
SIGNATURE
A signature over a timestamp and the zone zk of the zone which is revoked and corresponds to the key used in the PoW. The signature is created using the Sign() function of the cryptosystem of the zone and the private key (see Section 4).

The signature over the public key covers a 32-bit pseudo header conceptually prefixed to the public key. The pseudo header includes the key length and signature purpose. The wire format is illustrated in Figure 5.

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|         SIZE (0x30)   |       PURPOSE (0x03)  |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   TIMESTAMP                   |
+-----+-----+-----+-----+-----+-----+-----+-----+
|       ZONE TYPE       |     ZONE KEY          |
+-----+-----+-----+-----+                       |
/                                               /
/                                               /
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 5

The Wire Format of the Revocation Data for Signing.

SIZE
A 32-bit value containing the length of the signed data in bytes in network byte order.
PURPOSE
A 32-bit signature purpose flag. This field MUST be 3 (in network byte order).
ZONE TYPE
The 32-bit zone type corresponding to the zone key.
ZONE KEY / TIMESTAMP
Both values as defined in the revocation data object above.

In order to verify a revocation the following steps must be taken, in order:

  1. The signature MUST match the public key.
  2. The set of POW values MUST NOT contain duplicates.
  3. The average number of leading zeroes resulting from the provided POW values D' MUST be greater than and not equal to D.
  4. The validation period (TTL) of the revocation is calculated as (D'-D) * EPOCH * 1.1. The EPOCH is extended by 10% in order to deal with unsynchronized clocks. The TTL added on top of the TIMESTAMP yields the expiration date.
  5. The current time MUST be between TIMESTAMP and TIMESTAMP+TTL.

5. Resource Records

A GNS implementer MUST provide a mechanism to create and manage resource records for local zones. A local zone is established by selecting a zone type and creating a zone key pair. As records may be added to each created zone, a (local) persistence mechanism such as a database for resource records and zones must be provided. This local zone database is used by the name resolution logic and serves as a basis for publishing zones into the GNS storage (see Section 6).

A GNS resource record holds the data of a specific record in a zone. The resource record format is defined in Figure 6.

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   EXPIRATION                  |
+-----+-----+-----+-----+-----+-----+-----+-----+
|       DATA SIZE       |          TYPE         |
+-----+-----+-----+-----+-----+-----+-----+-----+
|           FLAGS       |        DATA           /
+-----+-----+-----+-----+                       /
/                                               /
/                                               /
Figure 6

The Resource Record Wire Format.

EXPIRATION
denotes the absolute 64-bit expiration date of the record. In microseconds since midnight (0 hour), January 1, 1970 in network byte order.
DATA SIZE
denotes the 32-bit size of the DATA field in bytes and in network byte order.
TYPE
is the 32-bit resource record type. This type can be one of the GNS resource records as defined in Section 5 or a DNS record type as defined in [RFC1035] or any of the complementary standardized DNS resource record types. This value must be stored in network byte order. Note that values below 2^16 are reserved for allocation via IANA ([RFC6895]), while values above 2^16 are allocated by the GNUnet Assigned Numbers Authority [GANA].
FLAGS
is a 32-bit resource record flags field (see below).
DATA
the variable-length resource record data payload. The contents are defined by the respective type of the resource record.

Flags indicate metadata surrounding the resource record. A flag value of 0 indicates that all flags are unset. Applications creating resource records MUST set all bits which are not defined as a flag to 0. Additional flags may be defined in future protocol versions. If an application or implementation encounters a flag which it does not recognize, it MUST be ignored. Figure 7 illustrates the flag distribution in the 32-bit flag value of a resource record:

 0        1        2        3        4        5...
+--------+--------+--------+--------+--------+----
|RESERVED|PRIVATE |SUPPL   |EXPREL  | SHADOW | ...
+--------+--------+--------+--------+--------+----
Figure 7

The Resource Record Flag Wire Format.

SHADOW
If this flag is set, this record should be ignored by resolvers unless all (other) records of the same record type have expired. Used to allow zone publishers to facilitate good performance when records change by allowing them to put future values of records into the storage. This way, future values can propagate and may be cached before the transition becomes active.
EXPREL
The expiration time value of the record is a relative time (still in microseconds) and not an absolute time. This flag should never be encountered by a resolver for records obtained from the storage, but might be present when a resolver looks up private records of a zone hosted locally.
SUPPL
This is a supplemental record. It is provided in addition to the other records. This flag indicates that this record is not explicitly managed alongside the other records under the respective name but may be useful for the application. This flag should only be encountered by a resolver for records obtained from the storage.
PRIVATE
This is a private record of this peer and it should thus not be published. Thus, this flag should never be encountered by a resolver for records obtained from the storage. Private records should still be considered just like regular records when resolving labels in local zones.

5.1. Zone Delegation Records

This section defines the initial set of zone delegation record types. Any implementation MUST support all zone types defined here and MAY support any number of additional delegation records defined in the GNU Name System Record Types registry Section 10. Zone delegation records MUST NOT be stored and published under the empty label.

5.1.1. PKEY

In GNS, a delegation of a label to a zone of type "PKEY" is represented through a PKEY record. The PKEY number is a zone type and thus also implies the cryptosystem for the zone that is being delegated to. A PKEY resource record contains the public key of the zone to delegate to. A PKEY record MUST be the only record under a label. No other records are allowed. The PKEY DATA entry wire format can be found in Figure 8.

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   PUBLIC KEY                  |
|                                               |
|                                               |
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 8

The PKEY Wire Format.

PUBLIC KEY
A 256-bit ECDSA zone key.

For PKEY zones the zone key material is derived using the curve parameters of the twisted edwards representation of Curve25519 [RFC7748] (a.k.a. edwards25519) with the ECDSA scheme ([RFC6979]). Consequently, we use the following naming convention for our cryptographic primitives for PKEY zones:

d
is a 256-bit ECDSA private key. The generation of the private scalar as defined in Section 2.2. of [RFC6979] represents the Private-KeyGen() function.
zk
is the ECDSA zone key corresponding to d. Its generation is defined in Section 2.2. of [RFC6979] as the curve point d*G where G is the group generator of the elliptic curve. This generation represents the Public-KeyGen(d) function.
p
is the prime of edwards25519 as defined in [RFC7748], i.e. 2^255 - 19.
G
is the group generator (X(P),Y(P)) of edwards25519 as defined in [RFC7748].
L
is the order of the prime-order subgroup of edwards25519 in [RFC7748].

The zone type and zone key of a PKEY are 32 + 4 bytes in length. This means that a zTLD will always fit into a single label and does not need any further conversion.

Given a label, the output d' of the ZKDF-Private(d,label) function for zone key blinding is calculated as follows for PKEY zones:

zk := d * G
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
d' := (h * d) mod L

Equally, given a label, the output zk' of the ZKDF-Public(zk,label) function is calculated as follows for PKEY zones:

PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
zk' := (h mod L) * zk

The PKEY cryptosystem uses a hash-based key derivation function (HKDF) as defined in [RFC5869], using HMAC-SHA512 for the extraction phase and HMAC-SHA256 for the expansion phase. PRK_h is key material retrieved using an HKDF using the string "key-derivation" as salt and the zone key as initial keying material. h is the 512-bit HKDF expansion result and must be interpreted in network byte order. The expansion information input is a concatenation of the label and the string "gns". The label is a UTF-8 string under which the resource records are published. The multiplication of zk with h is a point multiplication, while the multiplication of d with h is a scalar multiplication.

The Sign() and Verify() functions for PKEY zones are implemented using 512-bit ECDSA deterministic signatures as specified in [RFC6979].

The S-Encrypt() and S-Decrypt() functions use AES in counter mode as defined in [MODES] (CTR-AES-256):

CIPHERTEXT := CTR-AES256(K, IV, DATA)
DATA := CTR-AES256(K, IV, CIPHERTEXT)

The key K and counter IV are derived from the record label and the zone key zk as follows:

PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
K := HKDF-Expand (PRK_k, label, 256 / 8);
NONCE := HKDF-Expand (PRK_n, label, 32 / 8)

HKDF is a hash-based key derivation function as defined in [RFC5869]. Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-SHA256 for the expansion phase. The output keying material is 32 bytes (256 bits) for the symmetric key and 4 bytes (32 bits) for the nonce. The symmetric key K is a 256-bit AES [RFC3826] key.

The nonce is combined with a 64-bit initialization vector and a 32-bit block counter as defined in [RFC3686]. The block counter begins with the value of 1, and it is incremented to generate subsequent portions of the key stream. The block counter is a 32-bit integer value in network byte order. The initialization vector is the expiration time of the resource record block in network byte order. The resulting counter (IV) wire format can be found in Figure 9.

0     8     16    24    32
+-----+-----+-----+-----+
|         NONCE         |
+-----+-----+-----+-----+
|       EXPIRATION      |
|                       |
+-----+-----+-----+-----+
|      BLOCK COUNTER    |
+-----+-----+-----+-----+
Figure 9

The Block Counter Wire Format.

5.1.2. EDKEY

In GNS, a delegation of a label to a zone of type "EDKEY" is represented through a EDKEY record. The EDKEY number is a zone type and thus also implies the cryptosystem for the zone that is being delegated to. An EDKEY resource record contains the public key of the zone to delegate to. A EDKEY record MUST be the only record under a label. No other records are allowed. The EDKEY DATA entry wire format is illustrated in Figure 10.

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   PUBLIC KEY                  |
|                                               |
|                                               |
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 10

The EDKEY DATA Wire Format.

PUBLIC KEY
A 256-bit EdDSA zone key.

For EDKEY zones the zone key material is derived using the curve parameters of the twisted edwards representation of Curve25519 [RFC7748] (a.k.a. edwards25519) with the Ed25519-SHA-512 scheme [ed25519]. Consequently, we use the following naming convention for our cryptographic primitives for EDKEY zones:

d
is a 256-bit EdDSA private key. The generation as defined in Section 3.2. of [RFC8032] and represents the Private-KeyGen() function.
a
is is an integer derived from d using the SHA512 hash function as defined in [ed25519].
zk
is the EdDSA public key corresponding to d. It is defined in Section 3.2 of [RFC8032] as the curve point a*G where G is the group generator of the elliptic curve and a is an integer derived from d using the SHA512 hash function. This generation including the derivation of a represents the Public-KeyGen(d) function.
p
is the prime of edwards25519 as defined in [RFC7748], i.e. 2^255 - 19.
G
is the group generator (X(P),Y(P)) of edwards25519 as defined in [RFC7748].
L
is the order of the prime-order subgroup of edwards25519 in [RFC7748].

The zone type and zone key of an EDKEY are 32 + 4 bytes in length. This means that a zTLD will always fit into a single label and does not need any further conversion.

The "EDKEY" ZKDF instantiation is based on [Tor224]. Given a label, the output of the ZKDF-Private function for zone key blinding is calculated as follows for EDKEY zones:

zk := a * G
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
h[31] &= 7
a1 := a / 8 /* 8 is the cofactor of Curve25519 */
a2 := (h * a1) mod L
a' = a2 * 8 /* 8 is the cofactor of Curve25519 */

Equally, given a label, the output of the ZKDF-Public function is calculated as follows for PKEY zones:

PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
h[31] &= 7  // Implies h mod L == h
zk' := h * zk

We note that implementers must employ a constant time scalar multiplication for the constructions above. Also, implementers must ensure that the private key a is an ed25519 private key and specifically that "a[0] & 7 == 0" holds.

The EDKEY cryptosystem uses a hash-based key derivation function (HKDF) as defined in [RFC5869], using HMAC-SHA512 for the extraction phase and HMAC-SHA256 for the expansion phase. PRK_h is key material retrieved using an HKDF using the string "key-derivation" as salt and the zone key as initial keying material. The blinding factor h is the 512-bit HKDF expansion result. The expansion information input is a concatenation of the label and the string "gns". The result of the HKDF must be clamped and interpreted in network byte order. a is the 256-bit integer corresponding to the 256-bit private key d. The label is a UTF-8 string under which the resource records are published. The multiplication of zk with h is a point multiplication, while the division and multiplication of a and a1 with the co-factor are integer operations.

Signatures for EDKEY zones using the derived private key a' are not compliant with [ed25519]. As the corresponding private key to the derived private scalar a' is not known, it is not possible to deterministically derive the signature part R according to [ed25519]. Instead, signatures MUST be generated as follows for any given message M: A nonce is calculated from the highest 32 bytes of the expansion of the private key d and the blinding factor h. The nonce is then hashed with the message M to r. This way, we include the full derivation path in the calculation of the R value of the signature, ensuring that it is never reused for two different derivation paths or messages.

dh := SHA512 (d)
nonce := SHA256 (dh[32..63] | h)
r := SHA512 (nonce | M)
R := r * G
S := r + SHA512(R | zk' | M) * a' mod L

A signature (R,S) is valid if the following holds:

S * G == R + SHA512(R, zk', M) * zk'

The S-Encrypt() and S-Decrypt() functions use XSalsa20 as defined in [XSalsa20] (XSalsa20-Poly1305):

CIPHERTEXT := XSalsa20-Poly1305(K, IV, DATA)
DATA := XSalsa20-Poly1305(K, IV, CIPHERTEXT)

The result of the XSalsa20-Poly1305 encryption function is the encrypted ciphertext concatenated with the 128-bit authentication tag. Accordingly, the length of encrypted data equals the length of the data plus the 16 bytes of the authentication tag.

The key K and counter IV are derived from the record label and the zone key zk as follows:

PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
K := HKDF-Expand (PRK_k, label, 256 / 8);
NONCE := HKDF-Expand (PRK_n, label, 32 / 8)

HKDF is a hash-based key derivation function as defined in [RFC5869]. Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-SHA256 for the expansion phase. The output keying material is 32 bytes (256 bits) for the symmetric key and 16 bytes (128 bits) for the NONCE. The symmetric key K is a 256-bit XSalsa20 [XSalsa20] key. No additional authenticated data (AAD) is used.

The nonce is combined with an 8 byte initialization vector. The initialization vector is the expiration time of the resource record block in network byte order. The resulting counter (IV) wire format is illustrated in Figure 11.

0     8     16    24    32
+-----+-----+-----+-----+
|         NONCE         |
|                       |
|                       |
|                       |
+-----+-----+-----+-----+
|       EXPIRATION      |
|                       |
+-----+-----+-----+-----+
Figure 11

The Counter Block Initialization Vector

5.1.3. GNS2DNS

It is possible to delegate a label back into DNS through a GNS2DNS record. The resource record contains a DNS name for the resolver to continue with in DNS followed by a DNS server. Both names are in the format defined in [RFC1034] for DNS names. A GNS2DNS DATA entry is illustrated in Figure 12.

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                    DNS NAME                   |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                 DNS SERVER NAME               |
/                                               /
/                                               /
|                                               |
+-----------------------------------------------+
Figure 12

The GNS2DNS DATA Wire Format

DNS NAME
The name to continue with in DNS. The value is UTF-8 encoded and 0-terminated.
DNS SERVER NAME
The DNS server to use. May be an IPv4 address in dotted-decimal form or an IPv6 address in colon-hexadecimal form or a DNS name. It may also be a relative GNS name ending with a "+" top-level domain. The implementation MUST check the string syntactically for a an IP address in the respective notation before checking for a relative GNS name. If all three checks fail, the name MUST be treated as a DNS name. The value is UTF-8 encoded and 0-terminated.

5.2. Auxiliary Records

This section defines the initial set of auxiliary GNS record types. Any implementation MUST be able to process the specified record types according to Section 7.3.

5.2.1. LEHO

Applications can use the GNS to lookup IPv4 or IPv6 addresses of internet services. However, sometimes connecting to such services does not only require the knowledge of an address and port, but also requires the canonical DNS name of the service to be transmitted over the transport protocol. In GNS, legacy host name records provide applications the DNS name that is required to establish a connection to such a service. The most common use case is HTTP virtual hosting, where a DNS name must be supplied in the HTTP "Host"-header. Using a GNS name for the "Host"-header may not work as it may not be globally unique. A LEHO resource record is expected to be found together in a single resource record with an IPv4 or IPv6 address. A LEHO DATA entry is illustrated in Figure 13.

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                 LEGACY HOSTNAME               |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 13

The LEHO DATA Wire Format.

LEGACY HOSTNAME
A UTF-8 string (which is not 0-terminated) representing the legacy hostname.

NOTE: If an application uses a LEHO value in an HTTP request header (e.g. "Host:" header) it must be converted to a punycode representation [RFC5891].

5.2.2. NICK

Nickname records can be used by zone administrators to publish an the label that a zone prefers to have used when it is referred to. This is a suggestion to other zones what label to use when creating a delegation record (Section 5.1) containing this zone key. This record SHOULD only be stored under the empty label "@" but MAY be returned with record sets under any label as a supplemental record. Section 7.3.6 details how a resolver must process supplemental and non-supplemental NICK records. A NICK DATA entry is illustrated in Figure 14.

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                  NICKNAME                     |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 14

The NICK DATA Wire Format.

NICKNAME
A UTF-8 string (which is not 0-terminated) representing the preferred label of the zone. This string MUST NOT include a "." character.

5.2.3. BOX

In GNS, with the notable exception of zTLDs, every "." in a name delegates to another zone, and GNS lookups are expected to return all of the required useful information in one record set. This is incompatible with the special labels used by DNS for SRV and TLSA records. Thus, GNS defines the BOX record format to box up SRV and TLSA records and include them in the record set of the label they are associated with. For example, a TLSA record for "_https._tcp.example.org" will be stored in the record set of "example.org" as a BOX record with service (SVC) 443 (https) and protocol (PROTO) 6 (tcp) and record TYPE "TLSA". For reference, see also [RFC2782]. A BOX DATA entry is illustrated in Figure 15.

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|   PROTO   |    SVC    |       TYPE            |
+-----------+-----------------------------------+
|                 RECORD DATA                   |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 15

The BOX DATA Wire Format.

PROTO
the 16-bit protocol number, e.g. 6 for tcp. In network byte order.
SVC
the 16-bit service value of the boxed record, i.e. the port number. In network byte order.
TYPE
is the 32-bit record type of the boxed record. In network byte order.
RECORD DATA
is a variable length field containing the "DATA" format of TYPE as defined for the respective TYPE in DNS.

5.2.4. GTS

The GNUnet Tunnel Service record is used by applications to establish a tunnel between two peers in the peer-to-peer network (see [GNUnet]). The GTS record serves as an example of how resolvers may automatically initiate tunnel establishment and provide IP address information in the resolution process as specified in Section 7.

A GTS DATA entry wire format is illustrated in Figure 16.

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|          HOSTING PEER PUBLIC KEY              |
|                (256 bits)                     |
|                                               |
|                                               |
+-----------+-----------------------------------+
|   PROTO   |    SERVICE  NAME                  |
+-----------+                                   +
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 16

The GTS DATA Wire Format.

HOSTING PEER PUBLIC KEY
is a 256-bit EdDSA public key identifying the peer hosting the service.
PROTO
the 16-bit tunnel protocol number. In network byte order. The possible values are defined by the GNUnet Tunnel Service.
SERVICE NAME
a shared secret used to identify the service at the hosting peer, used to derive the port number required to connect to the service. The service name MUST be a 0-terminated UTF-8 string.

6. Record Storage

Any API which allows storing a value under a key and retrieving a value from the key can be used by an implementation for record storage. We assume that an implementation realizes two procedures on top of a storage:

PUT(key,value)
GET(key) -> value

There is no explicit delete function as the deletion of a non-expired record would require a revocation of the record. In GNS, zones can only be revoked as a whole. Records automatically expire and it is under the discretion of the storage as to when to delete the record. The GNS implementation MUST NOT publish expired resource records. Any GNS resolver MUST discard expired records returned from the storage.

Resource records are grouped by their respective labels, encrypted and published together in a single resource records block (RRBLOCK) in the storage under a key q: PUT(q, RRBLOCK). The key q is derived from the zone key and the respective label of the contained records. The required knowledge of both zone key and label in combination with the similarly derived symmetric secret keys and blinded zone keys ensure query privacy (see [RFC8324], Section 3.5). The storage key derivation and records block creation is specified in the following sections. A client implementation MUST enable the user the manage zones. The implementation MUST use the PUT storage procedure in order to update the zone contents accordingly.

6.1. The Storage Key

Given a label, the storage key q is derived as follows:

q := SHA512 (HDKD-Public(zk, label))
label
is a UTF-8 string under which the resource records are published.
zk
is the zone key.
q
Is the 512-bit storage key under which the resource records block is published. It is the SHA512 hash over the derived zone key.

6.2. The Records Block (RRBLOCK)

GNS records are grouped by their labels and published as a single block in the storage. The grouped record sets MAY be paired with any number of supplemental records. Supplemental records must have the supplemental flag set (See Section 5). The contained resource records are encrypted using a symmetric encryption scheme. A GNS implementation must publish RRBLOCKs in accordance to the properties and recommendations of the underlying storage. This may include a periodic refresh publication. The GNS RRBLOCK wire format is illustrated in Figure 17.

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|       ZONE TYPE       |    ZONE KEY           |
+-----+-----+-----+-----+       (BLINDED)       |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   SIGNATURE                   |
/                                               /
/                                               /
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
|         SIZE          |       PURPOSE         |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   EXPIRATION                  |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                    BDATA                      /
/                                               /
/                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 17

The RRBLOCK Wire Format.

ZONE TYPE
is the 32-bit zone type.
ZONE KEY
is the blinded zone key "ZKDF-Public(zk, label)" to be used to verify SIGNATURE.
SIGNATURE
The signature is computed over the data following this field. The signature is created using the Sign() function of the cryptosystem of the zone and the derived private key "ZKDF-Private(d, label)" (see Section 4).
SIZE
A 32-bit value containing the length of the signed data following the PUBLIC KEY field in network byte order. This value always includes the length of the fields SIZE (4), PURPOSE (4) and EXPIRATION (8) in addition to the length of the BDATA. While a 32-bit value is used, implementations MAY refuse to publish blocks beyond a certain size significantly below 4 GB. However, a minimum block size of 62 kilobytes MUST be supported.
PURPOSE
A 32-bit signature purpose flag. For a RRBLOCK the value of this field MUST be 15. The value is encoded in network byte order. The value of this field corresponds to an entry in the GANA "GNUnet Signature Purpose" registry.
EXPIRATION
Specifies when the RRBLOCK expires and the encrypted block SHOULD be removed from the storage and caches as it is likely stale. However, applications MAY continue to use non-expired individual records until they expire. The value MUST be set to the expiration time of the resource record contained within this block with the smallest expiration time. If a records block includes shadow records, then the maximum expiration time of all shadow records with matching type and the expiration times of the non-shadow records is considered. This is a 64-bit absolute date in microseconds since midnight (0 hour), January 1, 1970 in network byte order.
BDATA
The encrypted RDATA with a total size of SIZE - 16.

A symmetric encryption scheme is used to encrypt the resource records set RDATA into the BDATA field of a GNS RRBLOCK. The wire format of the RDATA is illustrated in Figure 18.

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|     RR COUNT          |        EXPIRA-        /
+-----+-----+-----+-----+-----+-----+-----+-----+
/         -TION         |       DATA SIZE       |
+-----+-----+-----+-----+-----+-----+-----+-----+
|         TYPE          |          FLAGS        |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                      DATA                     /
/                                               /
/                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                   EXPIRATION                  |
+-----+-----+-----+-----+-----+-----+-----+-----+
|       DATA SIZE       |          TYPE         |
+-----+-----+-----+-----+-----+-----+-----+-----+
|           FLAGS       |        DATA           /
+-----+-----+-----+-----+                       /
/                       +-----------------------/
/                       |                       /
+-----------------------+                       /
/                     PADDING                   /
/                                               /
Figure 18

The RDATA Wire Format.

RR COUNT
A 32-bit value containing the number of variable-length resource records which are following after this field in network byte order.
EXPIRATION, DATA SIZE, TYPE, FLAGS and DATA
These fields were defined in the resource record format in Section 5. There MUST be a total of RR COUNT of these resource records present.
PADDING
When publishing an RDATA block, the implementation MUST ensure that the size of the RDATA WITHOUT the RR COUNT field is a power of two using the padding field. The field MUST be set to zero and MUST be ignored on receipt. As a special exception, record sets with (only) a zone delegation record type are never padded. Note that a record set with a delegation record MUST NOT contain other records. If other records are encountered, the whole record block MUST be discarded.

7. Name Resolution

Names in GNS are resolved by recursively querying the record storage. Recursive in this context means that a resolver does not provide iterative results for a query. Instead, it MUST respond to a resolution request with either the requested resource record or an error message in case the resolution fails. In the following, we define how resolution is initiated and each iteration in the resolution is processed.

GNS resolution of a name must start in a given starting zone indicated using a zone key. Details on how the starting zone may be determined are discussed in Section 7.1.

When GNS name resolution is requested, a desired record type MAY be provided by the client. The GNS resolver will use the desired record type to guide processing, for example by providing conversion of GTS records to A or AAAA records. However, filtering of record sets according to the required record types MUST still be done by the client after the resource record set is retrieved.

7.1. Root Zone

The resolution of a GNS name must start in a given start zone indicated to the resolver using any zone key. The local resolver may have a local start zone configured/hard-coded which points to a local or remote start zone key. A resolver client may also determine the start zone from the suffix of the name given for resolution or using information retrieved out of band. The governance model of any zone is at the sole discretion of the zone owner. However, the choice of start zone(s) is at the sole discretion of the local system administrator or user. This property addresses the issue of a single hierarchy with a centrally controlled root and the related issue of distribution and management of root servers in DNS (see [RFC8324], Section 3.10 and 3.12).

In the following, we give examples how a local client resolver SHOULD discover the start zone. The process given is not exhaustive and clients MAY supplement it with other mechanisms or ignore it if the particular application requires a different process.

GNS clients MUST first try to interpret the top-level domain of a GNS name as a zone key representation (i.e. a zTLD). If the top-level domain is indicated to be a label representation of a zone key with a supported zone type value, the root zone of the resolution process is implicitly given by the suffix of the name:

Example name: www.example.<zTLD>
=> Root zone: zk of type ztype
=> Name to resolve from root zone: www.example

In GNS, users MAY own and manage their own zones. Each local zone SHOULD be associated with a single GNS label, but users MAY choose to use longer names consisting of multiple labels. If the name of a locally managed zone matches the suffix of the name to be resolved, resolution MUST start from the respective local zone:

Example name: www.example.org
Local zones:
fr = (d0,zk0)
org = (d1,zk1)
com = (d2,zk2)
...
=> Root zone: zk1
=> Name to resolve from root zone: www.example

Finally, additional "suffix-to-zone" mappings MAY be configured. Suffix to zone key mappings MUST be configurable through a local configuration file or database by the user or system administrator. The suffix MAY consist of multiple GNS labels concatenated with a ".". If multiple suffixes match the name to resolve, the longest matching suffix MUST be used. The suffix length of two results MUST NOT be equal. This indicates a misconfiguration and the implementation MUST return an error. If both a locally managed zone and a configuration entry exist for the same suffix, the locally managed zone MUST have priority.

Example name: www.example.org
Local suffix mappings:
gnu = zk0
example.org = zk1
example.com = zk2
...
=> Root zone: zk1
=> Name to resolve from root zone: www

7.2. Recursion

In each step of the recursive name resolution, there is an authoritative zone zk and a name to resolve. The name may be empty. Initially, the authoritative zone is the start zone. If the name is empty, it is interpreted as the apex label "@".

From here, the following steps are recursively executed, in order:

  1. Extract the right-most label from the name to look up.
  2. Calculate q using the label and zk as defined in Section 6.1.
  3. Perform a storage query GET(q) to retrieve the RRBLOCK.
  4. Verify and process the RRBLOCK and decrypt the BDATA contained in it as defined by its zone type (see also Section 6.2).

Upon receiving the RRBLOCK from the storage, apart from verifying the provided signature, the resolver MUST check that the authoritative zone key was used to sign the record: The derived zone key zk' MUST match the public key provided in the RRBLOCK, otherwise the RRBLOCK MUST be ignored and the storage lookup GET(q) MUST continue.

7.3. Record Processing

Record processing occurs at the end of a single recursion. We assume that the RRBLOCK has been cryptographically verified and decrypted. At this point, we must first determine if we have received a valid record set in the context of the name we are trying to resolve:

  • Case 1: If the remainder of the name to resolve is empty and the record set does not consist of a delegation, CNAME or DNS2GNS record, the record set is the result and the recursion is concluded.
  • Case 2: If the name to be resolved is of the format "_SERVICE._PROTO" and the record set contains one or more matching BOX records, the records in the BOX records are the result and the recursion is concluded (Section 7.3.4).
  • Case 3: If the remainder of the name to resolve is not empty and does not match the "_SERVICE._PROTO" syntax, then the current record set MUST consist of a single delegation record (Section 7.3.1), a single CNAME record (Section 7.3.3), or one or more GNS2DNS records (Section 7.3.2), which are processed as described in the respective sections below. The record set may include any number of supplemental records. Otherwise, resolution fails and the resolver MUST return an empty record set. Finally, after the recursion terminates, the client preferences for the record type MUST be considered and possible conversions such as defined in Section 7.3.5 MUST be performed.

7.3.1. Zone Delegation Records

When the resolver encounters a record of a supported zone delegation record type (such as PKEY or EDKEY) and the remainder of the name is not empty, resolution continues recursively with the remainder of the name in the GNS zone specified in the delegation record. Implementations MUST NOT allow multiple different zone type delegations under a single label. Implementations MAY support any subset of zone types. If an unsupported zone type is encountered, resolution fails and an error MUST be returned. The information that the zone type is unknown SHOULD be returned in the error description. The implementation MAY choose not to return the reason for the failure, merely impacting troubleshooting information for the user. Implementations MUST NOT process zone delegation for the empty apex label "@". Upon encountering a zone delegation record under this label, resolution fails and an error MUST be returned. The implementation MAY choose not to return the reason for the failure, merely impacting troubleshooting information for the user.

If the remainder of the name to resolve is empty and we have received a record set containing only a single delegation record, the recursion is continued with the record value as authoritative zone and the empty apex label "@" as remaining name, except in the case where the desired record type is equal to the zone type, in which case the delegation record is returned and the resolution is concluded without resolving the empty apex label.

7.3.2. GNS2DNS

When a resolver encounters one or more GNS2DNS records and the remaining name is empty and the desired record type is GNS2DNS, the GNS2DNS records are returned.

Otherwise, it is expected that the resolver first resolves the IP addresses of the specified DNS name servers. GNS2DNS records MAY contain numeric IPv4 or IPv6 addresses, allowing the resolver to skip this step. The DNS server names may themselves be names in GNS or DNS. If the DNS server name ends in ".+", the rest of the name is to be interpreted relative to the zone of the GNS2DNS record. If the DNS server name ends in a label representation of a zone key, the DNS server name is to be resolved against the GNS zone zk.

Multiple GNS2DNS records may be stored under the same label, in which case the resolver MUST try all of them. The resolver MAY try them in any order or even in parallel. If multiple GNS2DNS records are present, the DNS name MUST be identical for all of them, if not the resolution fails and an empty record set is returned as the record set is invalid.

Once the IP addresses of the DNS servers have been determined, the DNS name from the GNS2DNS record is appended to the remainder of the name to be resolved, and resolved by querying the DNS name server(s). As the DNS servers specified are possibly authoritative DNS servers, the GNS resolver MUST support recursive DNS resolution and MUST NOT delegate this to the authoritative DNS servers. The first successful recursive name resolution result is returned to the client. In addition, the resolver returns the queried DNS name as a supplemental LEHO record (Section 5.2.1) with a relative expiration time of one hour.

GNS resolvers MUST offer a configuration option to disable DNS processing to avoid information leakage and provide a consistent security profile for all name resolutions. Such resolvers would return an empty record set upon encountering a GNS2DNS record during the recursion. However, if GNS2DNS records are encountered in the record set for the apex and a GNS2DNS record is explicitly requested by the application, such records MUST still be returned, even if DNS support is disabled by the GNS resolver configuration.

7.3.3. CNAME

If a CNAME record is encountered, the canonical name is appended to the remaining name, except if the remaining name is empty and the desired record type is CNAME, in which case the resolution concludes with the CNAME record. If the canonical name ends in ".+", resolution continues in GNS with the new name in the current zone. Otherwise, the resulting name is resolved via the default operating system name resolution process. This may in turn again trigger a GNS resolution process depending on the system configuration.

The recursive DNS resolution process may yield a CNAME as well which in turn may either point into the DNS or GNS namespace (if it ends in a label representation of a zone key). In order to prevent infinite loops, the resolver MUST implement loop detections or limit the number of recursive resolution steps. If the last CNAME was a DNS name, the resolver returns the DNS name as a supplemental LEHO record (Section 5.2.1) with a relative expiration time of one hour.

7.3.4. BOX

When a BOX record is received, a GNS resolver must unbox it if the name to be resolved continues with "_SERVICE._PROTO". Otherwise, the BOX record is to be left untouched. This way, TLSA (and SRV) records do not require a separate network request, and TLSA records become inseparable from the corresponding address records.

7.3.5. GTS

At the end of the recursion, if the queried record type is either A or AAAA and the retrieved record set contains at least one GTS record, the resolver SHOULD open a tunnel and return the IPv4 or IPv6 tunnel address, respectively. If the implementation does not have the capacity to establish a GTS tunnel, for example because it is not connected to the GNUnet network, the record set MUST be returned as retrieved from the network.

7.3.6. NICK

NICK records are only relevant to the recursive resolver if the record set in question is the final result which is to be returned to the client. The encountered NICK records may either be supplemental (see Section 5) or non-supplemental. If the NICK record is supplemental, the resolver only returns the record set if one of the non-supplemental records matches the queried record type. It is possible that one record set contains both supplemental and non-supplemental NICK records.

The differentiation between a supplemental and non-supplemental NICK record allows the client to match the record to the authoritative zone. Consider the following example:

Query: alice.example (type=A)
Result:
A: 192.0.2.1
NICK: eve

In this example, the returned NICK record is non-supplemental. For the client, this means that the NICK belongs to the zone "alice.example" and is published under the empty label along with an A record. The NICK record should be interpreted as: The zone defined by "alice.example" wants to be referred to as "eve". In contrast, consider the following:

Query: alice.example (type=AAAA)
Result:
AAAA: 2001:DB8::1
NICK: john (Supplemental)

In this case, the NICK record is marked as supplemental. This means that the NICK record belongs to the zone "example" and is published under the label "alice" along with an A record. The NICK record should be interpreted as: The zone defined by "example" wants to be referred to as "john". This distinction is likely useful for other records published as supplemental.

8. Internationalization and Character Encoding

All labels in GNS are encoded in UTF-8 [RFC3629]. This does not include any DNS names found in DNS records, such as CNAME records, which are internationalized through the IDNA specifications [RFC5890].

9. Security and Privacy Considerations

9.1. Cryptography

The security of cryptographic systems depends on both the strength of the cryptographic algorithms chosen and the strength of the keys used with those algorithms. The security also depends on the engineering of the protocol used by the system to ensure that there are no non-cryptographic ways to bypass the security of the overall system. This is why developers of applications managing GNS zones SHOULD select a default zone type considered secure at the time of releasing the software. For applications targeting end users that are not expected to understand cryptography, the application developer MUST NOT leave the zone type selection of new zones to end users.

This document concerns itself with the selection of cryptographic algorithms for use in GNS. The algorithms identified in this document are not known to be broken (in the cryptographic sense) at the current time, and cryptographic research so far leads us to believe that they are likely to remain secure into the foreseeable future. However, this isn't necessarily forever, and it is expected that new revisions of this document will be issued from time to time to reflect the current best practices in this area.

GNS PKEY zone keys use ECDSA over Curve25519. This is an unconventional choice, as ECDSA is usually used with other curves. However, traditional ECDSA curves are problematic for a range of reasons described in the Curve25519 and EdDSA papers. Using EdDSA directly is also not possible, as a hash function is used on the private key which destroys the linearity that the GNU Name System depends upon. We are not aware of anyone suggesting that using Curve25519 instead of another common curve of similar size would lower the security of ECDSA. GNS uses 256-bit curves because that way the encoded (public) keys fit into a single DNS label, which is good for usability.

In terms of crypto-agility, whenever the need for an updated cryptographic scheme arises to, for example, replace ECDSA over Curve25519 for PKEY records it may simply be introduced through a new record type. Such a new record type may then replace the delegation record type for future records. The old record type remains and zones can iteratively migrate to the updated zone keys.

In order to ensure ciphertext indistinguishability, care must be taken with respect to the initialization vector in the counter block. In our design, the IV is always the expiration time of the record block. For blocks with relative expiration times it is implicitly ensured that each time a block is published into the storage, its IV is unique as the expiration time is calculated dynamically and increases monotonically. The implementation MUST ensure that when relative expiration times are decreased that the expiration time of the next record block is always after the last published block. For blocks with absolute expiration times, the implementation MUST ensure that the expiration time is increased when the record data changes. For example, the expiration time may be increased by a single microsecond. In case of deletion of all resource records under a label, the implementation MUST keep track of the last absolute expiration time of the last published resource block. When new records are added under this label later, the implementation MUST ensure that the expiration times are after the last published block. Finally, in order to ensure monotonically increasing expiration times the implementation MUST keep a local record of the last time obtained from the system clock, so as to construct a monotonic clock in case the system clock jumps backwards.

9.2. Abuse Mitigation

GNS names are UTF-8 strings. Consequently, GNS faces similar issues with respect to name spoofing as DNS does for internationalized domain names. In DNS, attackers may register similar sounding or looking names (see above) in order to execute phishing attacks. GNS zone administrators must take into account this attack vector and incorporate rules in order to mitigate it.

Further, DNS can be used to combat illegal content on the internet by having the respective domains seized by authorities. However, the same mechanisms can also be abused in order to impose state censorship, which is one of the motivations behind GNS. Hence, such a seizure is, by design, difficult to impossible in GNS.

9.3. Zone Management

In GNS, zone administrators need to manage and protect their zone keys. Once a zone key is lost it cannot be recovered. Once it is compromised it cannot be revoked (unless a revocation message was pre-calculated and is still available). Zone administrators, and for GNS this includes end-users, are required to responsibly and diligently protect their cryptographic keys. GNS supports offline signing of records. It does not support separate zone signing and key-signing keys (as in [RFC6781]) in order to provide usable security.

Similarly, users are required to manage their local root zone. In order to ensure integrity and availability or names, users must ensure that their local root zone information is not compromised or outdated. It can be expected that the processing of zone revocations and an initial root zone is provided with a GNS client implementation ("drop shipping"). Extension and customization of the zone is at the full discretion of the user.

While implementations following this specification will be interoperable, if two implementations connect to different storages they are mutually unreachable. This may lead to a state where a record may exist in the global namespace for a particular name, but the implementation is not communicating with the storage and is hence unable to resolve it. This situation is similar to a split-horizon DNS configuration. Which storages are implemented usually depend on the application it is built for. The storage used will most likely depend on the specific application context using GNS resolution. For example, one application may be the resolution of hidden services within the Tor network. Implementations of "aggregated" storages are conceivable, but are expected to be the exception.

9.4. Impact of DHTs as Underlying Storage

This document does not specify the properties of the underlying storage which is required by any GNS implementation. For implementers using a DHT as underlying storage, it is important to note that the properties of the DHT are directly inherited by the GNS implementation. This includes both security as well as other non-functional properties such as scalability and performance. Implementers should take great care when selecting or implementing a DHT for use in a GNS implementation. DHTs with strong security and performance guarantees exist [R5N]. It should also be taken into consideration that GNS implementations which build upon different DHT overlays are unlikely to be interoperable with each other.

9.5. Revocations

Zone administrators are advised to pre-generate zone revocations and securely store the revocation information in case the zone key is lost, compromised or replaced in the future. Pre-calculated revocations may become invalid due to expirations or protocol changes such as epoch adjustments. Consequently, implementers and users must make precautions in order to manage revocations accordingly.

Revocation payloads do NOT include a 'new' key for key replacement. Inclusion of such a key would have two major disadvantages:

If revocation is used after a private key was compromised, allowing key replacement would be dangerous: if an adversary took over the private key, the adversary could then broadcast a revocation with a key replacement. For the replacement, the compromised owner would have no chance to issue even a revocation. Thus, allowing a revocation message to replace a private key makes dealing with key compromise situations worse.

Sometimes, key revocations are used with the objective of changing cryptosystems. Migration to another cryptosystem by replacing keys via a revocation message would only be secure as long as both cryptosystems are still secure against forgery. Such a planned, non-emergency migration to another cryptosystem should be done by running zones for both ciphersystems in parallel for a while. The migration would conclude by revoking the legacy zone key only once it is deemed no longer secure, and hopefully after most users have migrated to the replacement.

9.6. Label Guessing

Record blocks are published encrypted using keys derived from the zone key and record label. Zone administrators should carefully consider if the label and zone key may be public or if those should be used and considered as a shared secret. Unlike zone keys, labels can also be guessed by an attacker in the network observing queries and responses. Given a known and targeted zone key, the use of well known or easily guessable labels effectively result in general disclosure of the records to the public. If the labels and hence the records should be kept secret except to those knowing a secret label and the zone in which to look, the label must be chosen accordingly. It is recommended to then use a label with sufficient entropy as to prevent guessing attacks.

It should be noted that this attack on labels only applies if the zone key is somehow disclosed to the adversary. GNS itself does not disclose it during a lookup or when resource records are published as the zone keys are blinded beforehand.

10. GANA Considerations

GANA [GANA] is requested to create an "GNU Name System Record Types" registry. The registry shall record for each entry:

The registration policy for this sub-registry is "First Come First Served". This policy is modeled on that described in [RFC8126], but describes the actions taken by GANA.

Adding records is possible after expert review, using a first-come-first-served policy for unique name allocation. Experts are responsible to ensure that the chosen "Name" is appropriate for the record type. The registry will assign a unique number for the entry.

The current contact(s) for expert review are reachable at gns-registry@gnunet.org.

Any request MUST contain a unique name and a point of contact. The contact information MAY be added to the registry given the consent of the requester. The request MAY optionally also contain relevant references as well as a descriptive comment as defined above.

GANA is requested to populate this registry as listed in Figure 19.

Number | Name    | Contact | References | Comment
-------+---------+---------+------------+-------------------------
65536  | PKEY    | N/A     | [This.I-D] | GNS zone delegation (PKEY)
65537  | NICK    | N/A     | [This.I-D] | GNS zone nickname
65538  | LEHO    | N/A     | [This.I-D] | GNS legacy hostname
65539  | GTS     | N/A     | [This.I-D] | GTS tunnel metadata
65540  | GNS2DNS | N/A     | [This.I-D] | Delegation to DNS
65556  | EDKEY   | N/A     | [This.I-D] | GNS zone delegation (EDKEY)

Figure 19

The GANA Resource Record Registry.

GANA is requested to amend the "GNUnet Signature Purpose" registry as illustrated in Figure 20.

Purpose | Name            | References | Comment
--------+-----------------+------------+--------------------------
  3     | GNS_REVOCATION  | [This.I-D] | GNS zone key revocation
 15     | GNS_RECORD_SIGN | [This.I-D] | GNS record set signature
Figure 20

Requested Changes in the GANA GNUnet Signature Purpose Registry.

11. IANA Considerations

This document makes no requests for IANA action. This section may be removed on publication as an RFC.

12. Implementation and Deployment Status

There are two implementations conforming to this specification written in C and Go, respectively. The C implementation as part of GNUnet [GNUnetGNS] represents the original and reference implementation. The Go implementation [GoGNS] demonstrates how two implementations of GNS are interoperable given that they are built on top of the same underlying DHT storage.

Currently, the GNUnet peer-to-peer network [GNUnet] is an active deployment of GNS on top of its [R5N] DHT. The [GoGNS] implementation uses this deployment by building on top of the GNUnet DHT services available on any GNUnet peer. It shows how GNS implementations and client resolvers can attach to this existing deployment and participate in name resolution as well as zone publication.

13. Test Vectors

The following represents a test vector for a record set with a DNS record of type "A" as well as a GNS record of type "PKEY" under the label "test".


Zone private key (d, little-endian, with ztype prepended):
00010000c004a6d4
9668ff30d8316b9c
2c1f242d16985f48
e7467aff2d4d06c9
1bd00c73

Zone identifier (ztype|zkey):
00010000de93f193
8df85f1918a35c6d
d0f3ae70f94692a7
1fe1fbffb75ee185
9c444a44

Encoded zone identifier (zkl = zTLD):
000G006YJFRS73FRBWCHH8TWDQ8F7BKGZ53959RZW7XZZDTYW62SRH2A8G

Label: test
RRCOUNT: 2

Record #0
EXPIRATION: 1620285180789328
DATA_SIZE: 4
TYPE: 1
FLAGS: 0
DATA:
01020304

Record #1
EXPIRATION: 1620285180789328
DATA_SIZE: 32
TYPE: 65536
FLAGS: 2
DATA:
00010000be1cd4e7
0dc7cff6cb446f77
fe4fd36b19a33718
d7c2331be6550836

RDATA:
0005c1a40aa2c250
0000000400000001
0000000001020304
0005c1a40aa2c250
0000002000010000
0000000200010000
be1cd4e70dc7cff6
cb446f77fe4fd36b
19a33718d7c2331b
e655083600000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000

BDATA:
79995bb1a99f2dc2
dd91757a929d57bc
5e87f2bbc8a475a1
549d7e5e4a9d4076
e2c676f139bb2b85
b4c09443b5724ee0
511283bb2bf08401
3c72ad3c518e7b34
e52e526fa78ae192
1a9ac03db4d69e94
81e9a8c04a326f0a
db2c35296bad0707
bcd00ff668f605ab
16589841870831b2
43b87b37fc360e33
512b75de819822e7
9d989a92

RRBLOCK:
0001000069fb663f
f40b0ffb883d5777
6c61fd3a5bab11ce
8d1e92fadda21720
c5bc6e7f0fb47c68
3bed6fc190c53501
c321199117a01c31
4f02d7456e878166
7ed8a9fc0fb370b5
30dfab2597907cfb
7f4b6ea6381abb89
b004ad7c55fdb426
639b22dc00000094
0000000f0005c1a4
0aa2c25079995bb1
a99f2dc2dd91757a
929d57bc5e87f2bb
c8a475a1549d7e5e
4a9d4076e2c676f1
39bb2b85b4c09443
b5724ee0511283bb
2bf084013c72ad3c
518e7b34e52e526f
a78ae1921a9ac03d
b4d69e9481e9a8c0
4a326f0adb2c3529
6bad0707bcd00ff6
68f605ab16589841
870831b243b87b37
fc360e33512b75de
819822e79d989a92

The following represents a test vector for a record set with a DNS record of type "A" as well as a GNS record of type "EDKEY" under the label "test".


Zone private key (d, little-endian, with ztype prepended):
000100144d704a54
e439e4cd1139a4bf
476fe7497164ec2e
cb74318c3abd331a
488e30f6

Zone identifier (ztype|zkey):
000100140f833e26
fed15c9e6c03f31c
fb724e9ebf6889e9
d080c8aeff2d8528
e42b599c

Encoded zone identifier (zkl = zTLD):
000G050FGCZ2DZPHBJF6R0ZK3KXQ4KMYQXM8KTEGG34AXZSDGMME8ATSKG

Label: test
RRCOUNT: 2

Record #0
EXPIRATION: 1620285180795764
DATA_SIZE: 4
TYPE: 1
FLAGS: 0
DATA:
01020304

Record #1
EXPIRATION: 1620285180795764
DATA_SIZE: 32
TYPE: 65556
FLAGS: 2
DATA:
0001001439f0fc1a
eec45cf22cbd87a2
82bd6321ee90ebfc
f542b5e2aabf25bf

RDATA:
0005c1a40aa2db74
0000000400000001
0000000001020304
0005c1a40aa2db74
0000002000010014
0000000200010014
39f0fc1aeec45cf2
2cbd87a282bd6321
ee90ebfcf542b5e2
aabf25b00000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000

BDATA:
b1230c25642caef0
a8fbaea6edff9852
6d5f40fc4e7d088f
ab3d2986acbc7f5d
cd8684dbad707761
4ee346c18f3daae2
9f3c4de2d626ce85
8e729d2cc69a2842
a73346ea38ac7196
6f8104f78439f34b
56c2cd0a3bd5f073
3790f45a942a1cb9
a593ff5776378ba4
d9df7b1d820585c0
7958928090d18361
c36778b316c14f91
f5a3ad502d6fdc9a
009e1169723dd158
da32920f

RRBLOCK:
00010014d880b5e8
c09f479d7b8c8c57
7cb498b60d7b1e86
d066daa57089f985
f86ccdd51f20583c
e826f12b42cf2153
9d9f32048f909535
fb7cc36d586c15fc
91fcfdeb9136c8ff
8775e1e9ed892a4c
d1b1f761e96f33d7
e9cc91c727f5bfb1
e12d220d000000a4
0000000f0005c1a4
0aa2db74b1230c25
642caef0a8fbaea6
edff98526d5f40fc
4e7d088fab3d2986
acbc7f5dcd8684db
ad7077614ee346c1
8f3daae29f3c4de2
d626ce858e729d2c
c69a2842a73346ea
38ac71966f8104f7
8439f34b56c2cd0a
3bd5f0733790f45a
942a1cb9a593ff57
76378ba4d9df7b1d
820585c079589280
90d18361c36778b3
16c14f91f5a3ad50
2d6fdc9a009e1169
723dd158da32920f

The following is an example revocation for a zone:


Zone private key (d, little-endian scalar, with ztype prepended):
00010000a065bf68
07cb3d90d10394a9
a56693e07087ad35
24f8e303931d4ade
946dc447

Zone identifier (ztype|zkey):
00010000d06ab6d9
14e8a8064609b2b3
cb661c586042adcb
0dc5faeb61994d25
5ebdca72

Encoded zone identifier (zkl = zTLD):
000G006GDAVDJ578N034C2DJPF5PC72RC11AVJRDRQXEPRCS9MJNXFEAE8

Difficulty (5 base difficulty + 2 epochs): 7

Proof:
0005b13f536e2b0e
0000395d1827c000
5caaeaa2b955d82c
5caaeaa2b955da02
5caaeaa2b955daf0
5caaeaa2b955db20
5caaeaa2b955db2d
5caaeaa2b955dba1
5caaeaa2b955dba9
5caaeaa2b955dbc2
5caaeaa2b955dbc8
5caaeaa2b955dbd1
5caaeaa2b955dbf7
5caaeaa2b955dc0e
5caaeaa2b955dc54
5caaeaa2b955dc8c
5caaeaa2b955dca5
5caaeaa2b955dcb5
5caaeaa2b955dcf8
5caaeaa2b955dd47
5caaeaa2b955dd91
5caaeaa2b955dd98
5caaeaa2b955dd99
5caaeaa2b955ddc4
5caaeaa2b955de7f
5caaeaa2b955de80
5caaeaa2b955de92
5caaeaa2b955ded3
5caaeaa2b955df1a
5caaeaa2b955df77
5caaeaa2b955dfdf
5caaeaa2b955e06e
5caaeaa2b955e08d
5caaeaa2b955e0c4
00010000d06ab6d9
14e8a8064609b2b3
cb661c586042adcb
0dc5faeb61994d25
5ebdca7206b11f93
41f4e1649976c421
b1efe668a44becbe
5a9f76804adb6f6e
2cd16de00d81841d
cbd135aacad3bdab
3f2209bd10d55cc1
c7aed9a9bd53a1f6
cae1789d

14. Normative References

[RFC1034]
Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, , <https://www.rfc-editor.org/info/rfc1034>.
[RFC1035]
Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, , <https://www.rfc-editor.org/info/rfc1035>.
[RFC2782]
Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, DOI 10.17487/RFC2782, , <https://www.rfc-editor.org/info/rfc2782>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC3629]
Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, , <https://www.rfc-editor.org/info/rfc3629>.
[RFC3686]
Housley, R., "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686, DOI 10.17487/RFC3686, , <https://www.rfc-editor.org/info/rfc3686>.
[RFC3826]
Blumenthal, U., Maino, F., and K. McCloghrie, "The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model", RFC 3826, DOI 10.17487/RFC3826, , <https://www.rfc-editor.org/info/rfc3826>.
[RFC5869]
Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, , <https://www.rfc-editor.org/info/rfc5869>.
[RFC5890]
Klensin, J., "Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework", RFC 5890, DOI 10.17487/RFC5890, , <https://www.rfc-editor.org/info/rfc5890>.
[RFC5891]
Klensin, J., "Internationalized Domain Names in Applications (IDNA): Protocol", RFC 5891, DOI 10.17487/RFC5891, , <https://www.rfc-editor.org/info/rfc5891>.
[RFC6895]
Eastlake 3rd, D., "Domain Name System (DNS) IANA Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895, , <https://www.rfc-editor.org/info/rfc6895>.
[RFC6979]
Pornin, T., "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, , <https://www.rfc-editor.org/info/rfc6979>.
[RFC7748]
Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, , <https://www.rfc-editor.org/info/rfc7748>.
[RFC8032]
Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, , <https://www.rfc-editor.org/info/rfc8032>.
[RFC8126]
Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, , <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC8499]
Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, , <https://www.rfc-editor.org/info/rfc8499>.
[RFC9106]
Biryukov, A., Dinu, D., Khovratovich, D., and S. Josefsson, "Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications", RFC 9106, DOI 10.17487/RFC9106, , <https://www.rfc-editor.org/info/rfc9106>.
[GANA]
GNUnet e.V., "GNUnet Assigned Numbers Authority (GANA)", , <https://gana.gnunet.org/>.
[MODES]
Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Methods and Techniques", , <https://doi.org/10.6028/NIST.SP.800-38A>.
[CrockfordB32]
Douglas, D., "Base32", , <https://www.crockford.com/base32.html>.
[XSalsa20]
Bernstein, D., "Extending the Salsa20 nonce", , <https://cr.yp.to/snuffle/xsalsa-20110204.pdf>.
[Unicode-UAX15]
Consortium, T. U., "Unicode Standard Annex #15: Unicode Normalization Forms, Revision 31", , <http://www.unicode.org/reports/tr15/tr15-31.html>.

15. Informative References

[RFC6781]
Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC Operational Practices, Version 2", RFC 6781, DOI 10.17487/RFC6781, , <https://www.rfc-editor.org/info/rfc6781>.
[RFC7363]
Maenpaa, J. and G. Camarillo, "Self-Tuning Distributed Hash Table (DHT) for REsource LOcation And Discovery (RELOAD)", RFC 7363, DOI 10.17487/RFC7363, , <https://www.rfc-editor.org/info/rfc7363>.
[RFC8324]
Klensin, J., "DNS Privacy, Authorization, Special Uses, Encoding, Characters, Matching, and Root Structure: Time for Another Look?", RFC 8324, DOI 10.17487/RFC8324, , <https://www.rfc-editor.org/info/rfc8324>.
[Tor224]
Goulet, D., Kadianakis, G., and N. Mathewson, "Next-Generation Hidden Services in Tor", , <https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt#n2135>.
[SDSI]
Rivest, R. and B. Lampson, "SDSI - A Simple Distributed Security Infrastructure", , <http://people.csail.mit.edu/rivest/Sdsi10.ps>.
[Kademlia]
Maymounkov, P. and D. Mazieres, "Kademlia: A peer-to-peer information system based on the xor metric.", , <http://css.csail.mit.edu/6.824/2014/papers/kademlia.pdf>.
[ed25519]
Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B. Yang, "High-Speed High-Security Signatures", , <http://link.springer.com/chapter/10.1007/978-3-642-23951-9_9>.
[GNS]
Wachs, M., Schanzenbach, M., and C. Grothoff, "A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name System", , <https://sci-hub.st/10.1007/978-3-319-12280-9_9>.
[R5N]
Evans, N. S. and C. Grothoff, "R5N: Randomized recursive routing for restricted-route networks", , <https://sci-hub.st/10.1109/ICNSS.2011.6060022>.
[GNUnetGNS]
GNUnet e.V., "The GNUnet GNS Implementation", <https://git.gnunet.org/gnunet.git/tree/src/gns>.
[GNUnet]
GNUnet e.V., "The GNUnet Project", <https://gnunet.org>.
[GoGNS]
Fix, B., "The Go GNS Implementation", <https://github.com/bfix/gnunet-go/tree/master/src/gnunet/service/gns>.

Authors' Addresses

Martin Schanzenbach
GNUnet e.V.
Boltzmannstrasse 3
85748 Garching
Germany
Christian Grothoff
Berner Fachhochschule
Hoeheweg 80
CH-2501 Biel/Bienne
Switzerland
Bernd Fix
GNUnet e.V.
Boltzmannstrasse 3
85748 Garching
Germany