[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02

Independent Stream                                       M. Schanzenbach
Internet-Draft                                               GNUnet e.V.
Intended status: Informational                               C. Grothoff
Expires: 21 April 2021                             Berner Fachhochschule
                                                                  B. Fix
                                                             GNUnet e.V.
                                                         18 October 2020


                          The GNU Name System
                         draft-schanzen-gns-02

Abstract

   This document contains the GNU Name System (GNS) technical
   specification.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 21 April 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.




Schanzenbach, et al.      Expires 21 April 2021                 [Page 1]


Internet-Draft             The GNU Name System              October 2020


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Zone Types  . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Resource Records  . . . . . . . . . . . . . . . . . . . . . .   6
   5.  Record Types  . . . . . . . . . . . . . . . . . . . . . . . .   8
     5.1.  PKEY  . . . . . . . . . . . . . . . . . . . . . . . . . .   8
     5.2.  EDKEY . . . . . . . . . . . . . . . . . . . . . . . . . .  11
     5.3.  GNS2DNS . . . . . . . . . . . . . . . . . . . . . . . . .  13
     5.4.  LEHO  . . . . . . . . . . . . . . . . . . . . . . . . . .  14
     5.5.  NICK  . . . . . . . . . . . . . . . . . . . . . . . . . .  15
     5.6.  BOX . . . . . . . . . . . . . . . . . . . . . . . . . . .  15
     5.7.  VPN . . . . . . . . . . . . . . . . . . . . . . . . . . .  16
   6.  Publishing Records  . . . . . . . . . . . . . . . . . . . . .  17
     6.1.  DHT Key Derivations . . . . . . . . . . . . . . . . . . .  17
     6.2.  Resource Records Block  . . . . . . . . . . . . . . . . .  17
     6.3.  Record Data Encryption and Decryption . . . . . . . . . .  19
   7.  Internationalization and Character Encoding . . . . . . . . .  20
   8.  Name Resolution . . . . . . . . . . . . . . . . . . . . . . .  20
     8.1.  Recursion . . . . . . . . . . . . . . . . . . . . . . . .  20
     8.2.  Record Processing . . . . . . . . . . . . . . . . . . . .  21
       8.2.1.  Encountering zone delegation records  . . . . . . . .  22
       8.2.2.  GNS2DNS . . . . . . . . . . . . . . . . . . . . . . .  22
       8.2.3.  CNAME . . . . . . . . . . . . . . . . . . . . . . . .  23
       8.2.4.  BOX . . . . . . . . . . . . . . . . . . . . . . . . .  23
       8.2.5.  VPN . . . . . . . . . . . . . . . . . . . . . . . . .  24
       8.2.6.  NICK  . . . . . . . . . . . . . . . . . . . . . . . .  24
   9.  Zone Revocation . . . . . . . . . . . . . . . . . . . . . . .  25
   10. Determining the Root Zone and Zone Governance . . . . . . . .  29
   11. Security Considerations . . . . . . . . . . . . . . . . . . .  30
     11.1.  Cryptography . . . . . . . . . . . . . . . . . . . . . .  30
     11.2.  Abuse mitigation . . . . . . . . . . . . . . . . . . . .  31
     11.3.  Zone management  . . . . . . . . . . . . . . . . . . . .  32
     11.4.  Impact of underlying DHT . . . . . . . . . . . . . . . .  32
     11.5.  Revocations  . . . . . . . . . . . . . . . . . . . . . .  32
   12. GANA Considerations . . . . . . . . . . . . . . . . . . . . .  33
   13. Test Vectors  . . . . . . . . . . . . . . . . . . . . . . . .  34
   14. Normative References  . . . . . . . . . . . . . . . . . . . .  38
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  41











Schanzenbach, et al.      Expires 21 April 2021                 [Page 2]


Internet-Draft             The GNU Name System              October 2020


1.  Introduction

   The Domain Name System (DNS) is a unique distributed database and a
   vital service for most Internet applications.  While DNS is
   distributed, it relies on centralized, trusted registrars to provide
   globally unique names.  As the awareness of the central role DNS
   plays on the Internet rises, various institutions are using their
   power (including legal means) to engage in attacks on the DNS, thus
   threatening the global availability and integrity of information on
   the Internet.

   DNS was not designed with security as a goal.  This makes it very
   vulnerable, especially to attackers that have the technical
   capabilities of an entire nation state at their disposal.  This
   specification describes a censorship-resistant, privacy-preserving
   and decentralized name system: The GNU Name System (GNS).  It is
   designed to provide a secure alternative to DNS, especially when
   censorship or manipulation is encountered.  GNS can bind names to any
   kind of cryptographically secured token, enabling it to double in
   some respects as even as an alternative to some of today's Public Key
   Infrastructures, in particular X.509 for the Web.

   This document contains the GNU Name System (GNS) technical
   specification of the GNU Name System [GNS], a fully decentralized and
   censorship-resistant name system.  GNS provides a privacy-enhancing
   alternative to the Domain Name System (DNS).  The design of GNS
   incorporates the capability to integrate and coexist with DNS.  GNS
   is based on the principle of a petname system and builds on ideas
   from the Simple Distributed Security Infrastructure (SDSI),
   addressing a central issue with the decentralized mapping of secure
   identifiers to memorable names: namely the impossibility of providing
   a global, secure and memorable mapping without a trusted authority.
   GNS uses the transitivity in the SDSI design to replace the trusted
   root with secure delegation of authority thus making petnames useful
   to other users while operating under a very strong adversary model.

   This document defines the normative wire format of resource records,
   resolution processes, cryptographic routines and security
   considerations for use by implementors.  GNS requires a distributed
   hash table (DHT) for record storage.  Specification of the DHT is out
   of scope of this document.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].






Schanzenbach, et al.      Expires 21 April 2021                 [Page 3]


Internet-Draft             The GNU Name System              October 2020


2.  Zones

   A zone in GNS is defined by a zone type "ztype" that identifies a
   cryptosystem and a public/private key pair "(d,zk)", where "d" is the
   private key and "zk" the corresponding public key in the public key
   cipher identified by the "ztype".  The contents of a zone are
   cryptographically signed before being published a distributed hash
   table (DHT).  Records are grouped by their label and encrypted
   (Section 6.3) using an encryption key derived from the label and the
   zone public key.  Instead of the zone private key "d", the signature
   MUST be created using a blinded public/private key pair "d'" and
   "zk'".  This blinding is realized using a hierarchical deterministic
   key derivation (HDKD) scheme.  Such a scheme allows the deterministic
   derivation of keys from the original public and private zone keys
   using "label" values.  Specifically, the zone owner can derive
   private keys "d'", and a resolver to derive the corresponding public
   keys "zk'".  Using different "label" values in the derivation results
   in different keys.  Without knowledge of the "label" values, the
   different derivations are unlinkable both to the original key and to
   each other.  This prevents zone enumeration and requires knowledge of
   both "zk" and the "label" to confirm affiliation with a specific
   zone.  At the same time, the blinded "zk'" provides nodes with the
   ability to verifiy the integrity of the published information without
   disclosing the originating zone.

   The following variables are associated with a zone in GNS:

   ztype  is the unique type of the zone type as registered in the
      GNUnet Assigned Numbers Authority [GANA].  The zone type
      determines which cryptosystem is used for the asymmetric and
      symmetric key operations of the zone.  A 32-bit number.

   d  is the private zone key.  The specific format depends on the zone
      type.

   zk  is the public zone key.  The specific format depends on the zone
      type.

   zid  is the unique public identifier of a zone.  It consists of the
      "ztype" and the public zone key "zk".

   zTLD  is a string which encodes the "ztype" as well as the zone key
      "zk" into a domain name.  The "zTLD" is used as a globally unique
      reference to a specific namespace in the process of name
      resolution.

   The "zid" wire format is defined as follows:




Schanzenbach, et al.      Expires 21 April 2021                 [Page 4]


Internet-Draft             The GNU Name System              October 2020


   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |       ZONE TYPE       |      PUBLIC ZONE KEY  /
   +-----+-----+-----+-----+                       /
   /                                               /
   /                                               /

                                  Figure 1

   For the string representation of the "zid", we use a base-32 encoding
   "StringEncode".  However, instead of following [RFC4648] we base our
   character map on the optical character recognition friendly proposal
   of Crockford [CrockfordB32].  The only difference to Crockford is
   that the letter "U" decodes to the same base-32 value as the letter
   "V" (27).

   zkl := <StringEncode(zid)>

   If "zkl" is less than 63 characters, it is also the "zTLD".  If the
   resulting "zkl" should be longer than 63 characters, the string must
   be divided into smaller labels separated by the label separator ".".
   Here, the most significant bytes of the "zid" must be contained in
   the rightmost label of the resulting string and the least significant
   bytes in the leftmost label of the resulting string.  For example,
   assuming a "zkl" of 130 characters, the encoding would be:

   zTLD := zkl[126:129].zkl[63:125].zkl[0:62]

3.  Zone Types

   A zone type identifies a family of eight functions:

   Private-KeyGen() -> d  is a function to generate a fresh private key
      "d".

   Public-KeyGen(d) -> zk  is a function to derive a public key "zk"
      from a private key "d".

   HDKD-Private(d,label) -> d'  is an HDKD function which blinds a
      private zone key "d" using "label", resulting in another private
      key which can be used to create cryptographic signatures.

   S-Encrypt(zk,label,nonce,expiration,rdata) -> bdata  is a
      deterministic symmetric encryption function which encrypts the
      record data "rdata" based on key material derived from "zk",
      "label", "nonce" and "expiration".  A deterministic encryption
      scheme is required to improve performance by leveraging caching
      features of DHTs.



Schanzenbach, et al.      Expires 21 April 2021                 [Page 5]


Internet-Draft             The GNU Name System              October 2020


   Sign(d',bdata) -> sig  is a function to sign "bdata" using the
      (blinded) private key "d'", yielding an unforgable cryptographic
      signature "sig".

   HDKD-Public(zk,label) -> zk'  is a HDKD function which blinds a
      public zone key "zk" using "label". "zk" and "zk'" must be
      unlinkable.  Furthermore, blinding "zk" with different values for
      "label" must result in unlinkable different resulting values for
      "zk'".

   Verify(zk',bdata,sig) -> valid  is a function to verify the signature
      "sig" was created by the a private key "d'" derived from "d" and
      "label" if "zk'" was derived from the corresponding to "zk :=
      Public-Keygen(d)" and "label".  The function returns "true" if the
      signature is valid, and otherwise "false".

   S-Decrypt(zk,label,nonce,expiration,bdata) -> rdata  is a symmetric
      encryption function which decrypts the encrypted record data
      "bdata" based on key material derived from "zk", "label", "nonce"
      and "expiration".

   Zone types are identified by a 32-bit resource record type number.
   Resource record types are discussed in the next section.

4.  Resource Records

   A GNS implementor MUST provide a mechanism to create and manage
   resource records for local zones.  A local zone is established by
   selecting a zone type and creating a zone key pair.  Implementations
   SHOULD select a secure zone type automatically and not leave the zone
   type selection to the user.  Records may be added to each zone, hence
   a (local) persistency mechanism for resource records and zones must
   be provided.  This local zone database is used by the GNS resolver
   implementation and to publish record information.

   A GNS resource record holds the data of a specific record in a zone.
   The resource record format is defined as follows:

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   EXPIRATION                  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |       DATA SIZE       |          TYPE         |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |           FLAGS       |        DATA           /
   +-----+-----+-----+-----+                       /
   /                                               /
   /                                               /



Schanzenbach, et al.      Expires 21 April 2021                 [Page 6]


Internet-Draft             The GNU Name System              October 2020


                                  Figure 2

   where:

   EXPIRATION  denotes the absolute 64-bit expiration date of the
      record.  In microseconds since midnight (0 hour), January 1, 1970
      in network byte order.

   DATA SIZE  denotes the 32-bit size of the DATA field in bytes and in
      network byte order.

   TYPE  is the 32-bit resource record type.  This type can be one of
      the GNS resource records as defined in Section 4 or a DNS record
      type as defined in [RFC1035] or any of the complementary
      standardized DNS resource record types.  This value must be stored
      in network byte order.  Note that values below 2^16 are reserved
      for allocation via IANA ([RFC6895]), while values above 2^16 are
      allocated by the GNUnet Assigned Numbers Authority [GANA].

   FLAGS  is a 32-bit resource record flags field (see below).

   DATA  the variable-length resource record data payload.  The contents
      are defined by the respective type of the resource record.

   Flags indicate metadata surrounding the resource record.  A flag
   value of 0 indicates that all flags are unset.  The following
   illustrates the flag distribution in the 32-bit flag value of a
   resource record:

   ... 5       4         3        2        1        0
   ------+--------+--------+--------+--------+--------+
   / ... | SHADOW | EXPREL | SUPPL  | PRIVATE|    /   |
   ------+--------+--------+--------+--------+--------+

                                  Figure 3

   where:

   SHADOW  If this flag is set, this record should be ignored by
      resolvers unless all (other) records of the same record type have
      expired.  Used to allow zone publishers to facilitate good
      performance when records change by allowing them to put future
      values of records into the DHT.  This way, future values can
      propagate and may be cached before the transition becomes active.

   EXPREL  The expiration time value of the record is a relative time





Schanzenbach, et al.      Expires 21 April 2021                 [Page 7]


Internet-Draft             The GNU Name System              October 2020


      (still in microseconds) and not an absolute time.  This flag
      should never be encountered by a resolver for records obtained
      from the DHT, but might be present when a resolver looks up
      private records of a zone hosted locally.

   SUPPL  This is a supplemental record.  It is provided in addition to
      the other records.  This flag indicates that this record is not
      explicitly managed alongside the other records under the
      respective name but may be useful for the application.  This flag
      should only be encountered by a resolver for records obtained from
      the DHT.

   PRIVATE  This is a private record of this peer and it should thus not
      be published in the DHT.  Thus, this flag should never be
      encountered by a resolver for records obtained from the DHT.
      Private records should still be considered just like regular
      records when resolving labels in local zones.

5.  Record Types

   A registry of GNS Record Types is described in Section 12.  The
   registration policy for this registry is "First Come First Served",
   as described in [RFC8126].

5.1.  PKEY

   In GNS, a delegation of a label to a zone of type "PKEY" is
   represented through a PKEY record.  The PKEY number is a zone type
   and thus also implies the cryptosystem for the zone that is being
   delegated to.  A PKEY resource record contains the public key of the
   zone to delegate to.  A PKEY record MUST be the only record under a
   label.  No other records are allowed.  A PKEY DATA entry has the
   following format:

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   PUBLIC KEY                  |
   |                                               |
   |                                               |
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                  Figure 4

   where:

   PUBLIC KEY  A 256-bit ECDSA zone key.




Schanzenbach, et al.      Expires 21 April 2021                 [Page 8]


Internet-Draft             The GNU Name System              October 2020


   For PKEY zones the zone key material is derived using the curve
   parameters of the twisted edwards representation of Curve25519
   [RFC7748] (a.k.a. edwards25519) with the ECDSA scheme ([RFC6979]).
   Consequently , we use the following naming convention for our
   cryptographic primitives for PKEY zones:

   d  is a 256-bit ECDSA private zone key.

   zk  is the ECDSA public zone key corresponding to d.  It is defined
      in [RFC6979] as the curve point d*G where G is the group generator
      of the elliptic curve.  The public key is used to uniquely
      identify a GNS zone and is referred to as the "zone key".

   p  is the prime of edwards25519 as defined in [RFC7748], i.e.  2^255
      - 19.

   G  is the group generator (X(P),Y(P)) of edwards25519 as defined in
      [RFC7748].

   L  is the prime-order subgroup of edwards25519 in [RFC7748].

   The "zid" of a PKEY is 32 + 4 bytes in length.  This means that a
   "zTLD" will always fit into a single label and does not need any
   further conversion.

   Given a label, the output d' of the HDKD-Private(d,label) function
   for zone key blinding is calculated as follows for PKEY zones:

   zk := d * G
   PRK_h := HKDF-Extract ("key-derivation", zk)
   h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
   d' := h * d mod L

   Equally, given a label, the output zk' of the HDKD-Public(zk,label)
   function is calculated as follows for PKEY zones:

   PRK_h := HKDF-Extract ("key-derivation", zk)
   h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
   zk' := h mod L * zk

   The PKEY cryptosystem uses a hash-based key derivation function
   (HKDF) as defined in [RFC5869], using HMAC-SHA512 for the extraction
   phase and HMAC-SHA256 for the expansion phase.  "PRK_h" is key
   material retrieved using an HKDF using the string "key-derivation" as
   salt and the public zone key "zk" as initial keying material.  "h" is
   the 512-bit HKDF expansion result.  The expansion info input is a
   concatenation of the label and string "gns".  "label" is a UTF-8
   string under which the resource records are published.



Schanzenbach, et al.      Expires 21 April 2021                 [Page 9]


Internet-Draft             The GNU Name System              October 2020


   We point out that the multiplication of "zk" with "h" is a point
   multiplication, while the multiplication of "d" with "h" is a scalar
   multiplication.

   The Sign() and Verify() functions for PKEY zones are implemented
   using 512-bit ECDSA deterministic signatures as specified in
   [RFC6979].

   The S-Encrypt() and S-Decrypt() functions use AES in counter mode as
   defined in [MODES] (CTR-AES-256):

   RDATA := CTR-AES256(K, IV, BDATA)
   BDATA := CTR-AES256(K, IV, RDATA)

   The key "K" and counter "IV" are derived from the record "label" and
   the zone key "zk" as follows:

   PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
   PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
   K := HKDF-Expand (PRK_k, label, 256 / 8);
   NONCE := HKDF-Expand (PRK_n, label, 32 / 8)

   HKDF is a hash-based key derivation function as defined in [RFC5869].
   Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-
   SHA256 for the expansion phase.  The output keying material is 32
   octets (256 bits) for the symmetric key and 4 octets (32 bits) for
   the nonce.  The symmetric key "K" is a 256-bit AES [RFC3826] key.

   The nonce is combined with a 64-bit initialization vector and a
   32-bit block counter as defined in [RFC3686].  The block counter
   begins with the value of 1, and it is incremented to generate
   subsequent portions of the key stream.  The block counter is a 32-bit
   integer value in network byte order.  The initialization vector is
   the expiration time of the resource record block in network byte
   order.  The resulting counter ("IV") wire format is as follows:

   0     8     16    24    32
   +-----+-----+-----+-----+
   |         NONCE         |
   +-----+-----+-----+-----+
   |       EXPIRATION      |
   |                       |
   +-----+-----+-----+-----+
   |      BLOCK COUNTER    |
   +-----+-----+-----+-----+

                                  Figure 5




Schanzenbach, et al.      Expires 21 April 2021                [Page 10]


Internet-Draft             The GNU Name System              October 2020


5.2.  EDKEY

   In GNS, a delegation of a label to a zone of type "EDKEY" is
   represented through a EDKEY record.  The EDKEY number is a zone type
   and thus also implies the cryptosystem for the zone that is being
   delegated to.  An EDKEY resource record contains the public key of
   the zone to delegate to.  A EDKEY record MUST be the only record
   under a label.  No other records are allowed.  A EDKEY DATA entry has
   the following format:

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   PUBLIC KEY                  |
   |                                               |
   |                                               |
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                  Figure 6

   where:

   PUBLIC KEY  A 256-bit EdDSA zone key.

   For EDKEY zones the zone key material is derived using the curve
   parameters of the twisted edwards representation of Curve25519
   [RFC7748] (a.k.a. edwards25519) with the Ed25519-SHA-512 scheme
   [ed25519].  Consequently , we use the following naming convention for
   our cryptographic primitives for EDKEY zones:

   d  is a 256-bit EdDSA private zone key.

   a  is is an integer derived from "d" using the SHA512 hash function
      as defined in [ed25519].

   zk  is the EdDSA public zone key corresponding to "d".  It is defined
      in [ed25519] as the curve point "a*G" where "G" is the group
      generator of the elliptic curve and "a" is an integer derived from
      "d" using the SHA512 hash function.  The public key is used to
      uniquely identify a GNS zone and is referred to as the "zone key".

   p  is the prime of edwards25519 as defined in [RFC7748], i.e.  2^255
      - 19.

   G  is the group generator (X(P),Y(P)) of edwards25519 as defined in
      [RFC7748].

   L  is the prime-order subgroup of edwards25519 in [RFC7748].



Schanzenbach, et al.      Expires 21 April 2021                [Page 11]


Internet-Draft             The GNU Name System              October 2020


   The "zid" of an EDKEY is 32 + 4 bytes in length.  This means that a
   "zTLD" will always fit into a single label and does not need any
   further conversion.

   The "EDKEY" HDKD instantiation is based on [Tor224].  Given a label,
   the output of the HDKD-Private function for zone key blinding is
   calculated as follows for EDKEY zones:

   zk := a * G
   PRK_h := HKDF-Extract ("key-derivation", zk)
   h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
   h[31] &= 7
   a1 := a / 8 /* 8 is the cofactor of Curve25519 */
   a2 := h * a1 mod L
   a' = a2 * 8 /* 8 is the cofactor of Curve25519 */

   Equally, given a label, the output of the HDKD-Public function is
   calculated as follows for PKEY zones:

   PRK_h := HKDF-Extract ("key-derivation", zk)
   h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
   h[31] &= 7  // Implies h mod L == h
   zk' := h * zk

   We note that implementors must employ a constant time scalar
   multiplication for the constructions above.  Also, implementors must
   ensure that the private key "a" is an ed25519 private key and
   specifically that "a[0] & 7 == 0" holds.

   The EDKEY cryptosystem uses a hash-based key derivation function
   (HKDF) as defined in [RFC5869], using HMAC-SHA512 for the extraction
   phase and HMAC-SHA256 for the expansion phase.  "PRK_h" is key
   material retrieved using an HKDF using the string "key-derivation" as
   salt and the public zone key "zk" as initial keying material.  "h" is
   the 512-bit HKDF expansion result.  The expansion info input is a
   concatenation of the label and string "gns".  The result of the HKDF
   must be clamped.  "a" is the 256-bit integer corresponding to the
   256-bit private zone key "d".  "label" is a UTF-8 string under which
   the resource records are published.

   We point out that the multiplication of "zk" with "h" is a point
   multiplication, while the division and multiplication of "a" and "a1"
   with the cofactor are integer operations.

   Signatures for EDKEY zones using the derived private key "a'" are NOT
   compliant with [ed25519].  Instead, signatures MUST be generated as
   follows for any given message M and deterministic random-looking "r":




Schanzenbach, et al.      Expires 21 April 2021                [Page 12]


Internet-Draft             The GNU Name System              October 2020


   R := r * G
   S := r + SHA512(R, zk', M) * a' mod L

   A signature (R,S) is valid if the following holds:

   SB == R + SHA512(R, zk', M) * A'

   The S-Encrypt() and S-Decrypt() functions use AES in galois counter
   mode as defined in [GCM] (GCM-AES-256):

   RDATA := GCM-AES-256(K, IV, BDATA)
   BDATA := GCM-AES-256(K, IV, RDATA) = CIPHERTEXT | GCM_TAG

   The result of the GCM encryption function is the encrypted ciphertext
   concatenated with the 128-bit GCM authentication tag "GCM_TAG".
   Accordingly, the length of BDATA equals the length of the RDATA plus
   the 16 octets of the authentication tag.

   The key "K" and counter "IV" are derived from the record "label" and
   the zone key "zk" as follows:

   PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
   PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
   K := HKDF-Expand (PRK_k, label, 256 / 8);
   IV := HKDF-Expand (PRK_n, label, 96 / 8)

   HKDF is a hash-based key derivation function as defined in [RFC5869].
   Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-
   SHA256 for the expansion phase.  The output keying material is 32
   octets (256 bits) for the symmetric key and 12 octets (96 bits) for
   the IV.  The symmetric key "K" is a 256-bit AES [RFC3826] key.  No
   additional authenticated data (AAD) is used.

5.3.  GNS2DNS

   It is possible to delegate a label back into DNS through a GNS2DNS
   record.  The resource record contains a DNS name for the resolver to
   continue with in DNS followed by a DNS server.  Both names are in the
   format defined in [RFC1034] for DNS names.  A GNS2DNS DATA entry has
   the following format:











Schanzenbach, et al.      Expires 21 April 2021                [Page 13]


Internet-Draft             The GNU Name System              October 2020


   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                    DNS NAME                   |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                 DNS SERVER NAME               |
   /                                               /
   /                                               /
   |                                               |
   +-----------------------------------------------+

                                  Figure 7

   where:

   DNS NAME  The name to continue with in DNS (0-terminated).

   DNS SERVER NAME  The DNS server to use.  May be an IPv4/IPv6 address
      in dotted decimal form or a DNS name.  It may also be a relative
      GNS name ending with a "+" top-level domain.  The value is UTF-8
      encoded (also for DNS names) and 0-terminated.

5.4.  LEHO

   Legacy hostname records can be used by applications that are expected
   to supply a DNS name on the application layer.  The most common use
   case is HTTP virtual hosting, which as-is would not work with GNS
   names as those may not be globally unique.  A LEHO resource record is
   expected to be found together in a single resource record with an
   IPv4 or IPv6 address.  A LEHO DATA entry has the following format:

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                 LEGACY HOSTNAME               |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                  Figure 8

   where:

   LEGACY HOSTNAME  A UTF-8 string (which is not 0-terminated)
      representing the legacy hostname.




Schanzenbach, et al.      Expires 21 April 2021                [Page 14]


Internet-Draft             The GNU Name System              October 2020


   NOTE: If an application uses a LEHO value in an HTTP request header
   (e.g.  "Host:" header) it must be converted to a punycode
   representation [RFC5891].

5.5.  NICK

   Nickname records can be used by zone administrators to publish an
   indication on what label this zone prefers to be referred to.  This
   is a suggestion to other zones what label to use when creating a
   delegation record (Section 3) containing this zone's public zone key.
   This record SHOULD only be stored under the empty label "@" but MAY
   be returned with record sets under any label as a supplemental
   record.  Section 8.2.6 details how a resolver must process
   supplemental and non-supplemental NICK records.  A NICK DATA entry
   has the following format:

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                  NICKNAME                     |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                  Figure 9

   where:

   NICKNAME  A UTF-8 string (which is not 0-terminated) representing the
      preferred label of the zone.  This string MUST NOT include a "."
      character.

5.6.  BOX

   In GNS, every "." in a name delegates to another zone, and GNS
   lookups are expected to return all of the required useful information
   in one record set.  This is incompatible with the special labels used
   by DNS for SRV and TLSA records.  Thus, GNS defines the BOX record
   format to box up SRV and TLSA records and include them in the record
   set of the label they are associated with.  For example, a TLSA
   record for "_https._tcp.example.org" will be stored in the record set
   of "example.org" as a BOX record with service (SVC) 443 (https) and
   protocol (PROTO) 6 (tcp) and record TYPE "TLSA".  For reference, see
   also [RFC2782].  A BOX DATA entry has the following format:







Schanzenbach, et al.      Expires 21 April 2021                [Page 15]


Internet-Draft             The GNU Name System              October 2020


   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |   PROTO   |    SVC    |       TYPE            |
   +-----------+-----------------------------------+
   |                 RECORD DATA                   |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 10

   where:

   PROTO  the 16-bit protocol number, e.g. 6 for tcp.  In network byte
      order.

   SVC  the 16-bit service value of the boxed record, i.e. the port
      number.  In network byte order.

   TYPE  is the 32-bit record type of the boxed record.  In network byte
      order.

   RECORD DATA  is a variable length field containing the "DATA" format
      of TYPE as defined for the respective TYPE in DNS.

5.7.  VPN

   A VPN DATA entry has the following format:

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |          HOSTING PEER PUBLIC KEY              |
   |                (256 bits)                     |
   |                                               |
   |                                               |
   +-----------+-----------------------------------+
   |   PROTO   |    SERVICE  NAME                  |
   +-----------+                                   +
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 11

   where:




Schanzenbach, et al.      Expires 21 April 2021                [Page 16]


Internet-Draft             The GNU Name System              October 2020


   HOSTING PEER PUBLIC KEY  is a 256-bit EdDSA public key identifying
      the peer hosting the service.

   PROTO  the 16-bit protocol number, e.g. 6 for TCP.  In network byte
      order.

   SERVICE NAME  a shared secret used to identify the service at the
      hosting peer, used to derive the port number requird to connect to
      the service.  The service name MUST be a 0-terminated UTF-8
      string.

6.  Publishing Records

   GNS resource records are published in a distributed hash table (DHT).
   We assume that a DHT provides two functions: GET(key) and
   PUT(key,value).  In GNS, resource records are grouped by their
   respective labels, encrypted and published together in a single
   resource records block (RRBLOCK) in the DHT under a key "q": PUT(q,
   RRBLOCK).  The key "q" which is derived from the zone key "zk" and
   the respective "label" of the contained records.

6.1.  DHT Key Derivations

   Given a label, the DHT key "q" is derived as follows:

   q := SHA512 (HDKD-Public(zk, label))

   label  is a UTF-8 string under which the resource records are
      published.

   zk  is the public zone key.

   q  Is the 512-bit DHT key under which the resource records block is
      published.  It is the SHA512 hash over the derived public zone
      key.

6.2.  Resource Records Block

   GNS records are grouped by their labels and published as a single
   block in the DHT.  The grouped record sets MAY be paired with any
   number of supplemental records.  Supplemental records must have the
   supplemental flag set (See Section 4).  The contained resource
   records are encrypted using a symmetric encryption scheme.  A GNS
   implementation must publish RRBLOCKs in accordance to the properties
   and recommendations of the underlying DHT.  This may include a
   periodic refresh publication.  A GNS RRBLOCK has the following
   format:




Schanzenbach, et al.      Expires 21 April 2021                [Page 17]


Internet-Draft             The GNU Name System              October 2020


   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |       ZONE TYPE       |    PUBLIC ZONE KEY    |
   +-----+-----+-----+-----+       (BLINDED)       |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   SIGNATURE                   |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |         SIZE          |       PURPOSE         |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   EXPIRATION                  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                    BDATA                      /
   /                                               /
   /                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 12

   where:

   ZONE TYPE  is the 32-bit zone type.

   ZONE PUBLIC KEY  is the blinded public zone key "HDKD-Public(zk,
      label)" to be used to verify SIGNATURE.

   SIGNATURE  The signature is computed over the data following the
      PUBLIC KEY field.  The signature is created using the Sign()
      function of the cryptosystem of the zone and the derived private
      key "HDKD-Private(d, label)" (see Section 3).

   SIZE  A 32-bit value containing the length of the signed data
      following the PUBLIC KEY field in network byte order.  This value
      always includes the length of the fields SIZE (4), PURPOSE (4) and
      EXPIRATION (8) in addition to the length of the BDATA.  While a
      32-bit value is used, implementations MAY refuse to publish blocks
      beyond a certain size significantly below 4 GB.  However, a
      minimum block size of 62 kilobytes MUST be supported.

   PURPOSE  A 32-bit signature purpose flag.  This field MUST be 15 (in
      network byte order).

   EXPIRATION  Specifies when the RRBLOCK expires and the encrypted



Schanzenbach, et al.      Expires 21 April 2021                [Page 18]


Internet-Draft             The GNU Name System              October 2020


      block SHOULD be removed from the DHT and caches as it is likely
      stale.  However, applications MAY continue to use non-expired
      individual records until they expire.  The value MUST be set to
      the expiration time of the resource record contained within this
      block with the smallest expiration time.  If a records block
      includes shadow records, then the maximum expiration time of all
      shadow records with matching type and the expiration times of the
      non-shadow records is considered.  This is a 64-bit absolute date
      in microseconds since midnight (0 hour), January 1, 1970 in
      network byte order.

   BDATA  The encrypted resource records with a total size of SIZE - 16.

6.3.  Record Data Encryption and Decryption

   A symmetric encryption scheme is used to encrypt the resource records
   set RDATA into the BDATA field of a GNS RRBLOCK.  The wire format of
   the RDATA looks as follows:

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |     RR COUNT          |        EXPIRA-        /
   +-----+-----+-----+-----+-----+-----+-----+-----+
   /         -TION         |       DATA SIZE       |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |         TYPE          |          FLAGS        |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                      DATA                     /
   /                                               /
   /                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   EXPIRATION                  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |       DATA SIZE       |          TYPE         |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |           FLAGS       |        DATA           /
   +-----+-----+-----+-----+                       /
   /                       +-----------------------/
   /                       |                       /
   +-----------------------+                       /
   /                     PADDING                   /
   /                                               /

                                 Figure 13

   where:

   RR COUNT  A 32-bit value containing the number of variable-length



Schanzenbach, et al.      Expires 21 April 2021                [Page 19]


Internet-Draft             The GNU Name System              October 2020


      resource records which are following after this field in network
      byte order.

   EXPIRATION, DATA SIZE, TYPE, FLAGS and DATA  These fields were
      defined in the resource record format in Section 4.  There MUST be
      a total of RR COUNT of these resource records present.

   PADDING  The padding MUST contain the value 0 in all octets.  The
      padding MUST ensure that the size of the RDATA WITHOUT the RR
      COUNT field is a power of two.  As a special exception, record
      sets with (only) a zone delegation record type are never padded.
      Note that a record set with a delegation record MUST NOT contain
      other records.

7.  Internationalization and Character Encoding

   All labels in GNS are encoded in UTF-8 [RFC3629].  This does not
   include any DNS names found in DNS records, such as CNAME records,
   which are internationalized through the IDNA specifications
   [RFC5890].

8.  Name Resolution

   Names in GNS are resolved by recursively querying the DHT record
   storage.  In the following, we define how resolution is initiated and
   each iteration in the resolution is processed.

   GNS resolution of a name must start in a given starting zone
   indicated using a zone public key.  Details on how the starting zone
   may be determined is discussed in Section 10.

   When GNS name resolution is requested, a desired record type MAY be
   provided by the client.  The GNS resolver will use the desired record
   type to guide processing, for example by providing conversion of VPN
   records to A or AAAA records, if that is desired.  However, filtering
   of record sets according to the required record types MUST still be
   done by the client after the resource record set is retrieved.

8.1.  Recursion

   In each step of the recursive name resolution, there is an
   authoritative zone zk and a name to resolve.  The name may be empty.
   Initially, the authoritative zone is the start zone.  If the name is
   empty, it is interpreted as the apex label "@".

   From here, the following steps are recursively executed, in order:

   1.  Extract the right-most label from the name to look up.



Schanzenbach, et al.      Expires 21 April 2021                [Page 20]


Internet-Draft             The GNU Name System              October 2020


   2.  Calculate q using the label and zk as defined in Section 6.1.

   3.  Perform a DHT query GET(q) to retrieve the RRBLOCK.

   4.  Verify and process the RRBLOCK and decrypt the BDATA contained in
       it as defined in Section 6.3.

   Upon receiving the RRBLOCK from the DHT, apart from verifying the
   provided signature, the resolver MUST check that the authoritative
   zone key was used to sign the record: The derived zone key "h*zk"
   MUST match the public key provided in the RRBLOCK, otherwise the
   RRBLOCK MUST be ignored and the DHT lookup GET(q) MUST continue.

8.2.  Record Processing

   Record processing occurs at the end of a single recursion.  We assume
   that the RRBLOCK has been cryptographically verified and decrypted.
   At this point, we must first determine if we have received a valid
   record set in the context of the name we are trying to resolve:

   1.  Case 1: If the remainder of the name to resolve is empty and the
       record set does not consist of a delegation, CNAME or DNS2GNS
       record, the record set is the result and the recursion is
       concluded.

   2.  Case 2: If the name to be resolved is of the format
       "_SERVICE._PROTO" and the record set contains one or more
       matching BOX records, the records in the BOX records are the
       result and the recusion is concluded (Section 8.2.4).

   3.  Case 3: If the remainder of the name to resolve is not empty and
       does not match the "_SERVICE._PROTO" syntax, then the current
       record set MUST consist of a single delegation record
       (Section 8.2.1), a single CNAME record (Section 8.2.3), or one or
       more GNS2DNS records (Section 8.2.2), which are processed as
       described in the respective sections below.  The record set may
       include any number of supplemental records.  Otherwise,
       resolution fails and the resolver MUST return an empty record
       set.  Finally, after the recursion terminates, the client
       preferences for the record type SHOULD be considered.  If a VPN
       record is found and the client requests an A or AAAA record, the
       VPN record SHOULD be converted (Section 8.2.5) if possible.









Schanzenbach, et al.      Expires 21 April 2021                [Page 21]


Internet-Draft             The GNU Name System              October 2020


8.2.1.  Encountering zone delegation records

   When the resolver encounters a record of a supported zone delegation
   record type (such as PKEY or EDKEY) and the remainder of the name is
   not empty, resolution continues recursively with the remainder of the
   name in the GNS zone specified in the delegation record.
   Implementations MUST NOT allow multiple different zone type
   delegations under a single label.  Implementations MAY support any
   subset of zone types.  If an unsupported zone type is encountered,
   resolution fails (NXDOMAIN).

   If the remainder of the name to resolve is empty and we have received
   a record set containing only a single PKEY record, the recursion is
   continued with the PKEY as authoritative zone and the empty apex
   label "@" as remaining name, except in the case where the desired
   record type is PKEY, in which case the PKEY record is returned and
   the resolution is concluded without resolving the empty apex label.

8.2.2.  GNS2DNS

   When a resolver encounters one or more GNS2DNS records and the
   remaining name is empty and the desired record type is GNS2DNS, the
   GNS2DNS records are returned.

   Otherwise, it is expected that the resolver first resolves the IP(s)
   of the specified DNS name server(s).  GNS2DNS records MAY contain
   numeric IPv4 or IPv6 addresses, allowing the resolver to skip this
   step.  The DNS server names may themselves be names in GNS or DNS.
   If the DNS server name ends in ".+", the rest of the name is to be
   interpreted relative to the zone of the GNS2DNS record.  If the DNS
   server name ends in a label representation of a zone key, the DNS
   server name is to be resolved against the GNS zone zk.

   Multiple GNS2DNS records may be stored under the same label, in which
   case the resolver MUST try all of them.  The resolver MAY try them in
   any order or even in parallel.  If multiple GNS2DNS records are
   present, the DNS name MUST be identical for all of them, if not the
   resolution fails and an emtpy record set is returned as the record
   set is invalid.












Schanzenbach, et al.      Expires 21 April 2021                [Page 22]


Internet-Draft             The GNU Name System              October 2020


   Once the IP addresses of the DNS servers have been determined, the
   DNS name from the GNS2DNS record is appended to the remainder of the
   name to be resolved, and resolved by querying the DNS name server(s).
   As the DNS servers specified are possibly authoritative DNS servers,
   the GNS resolver MUST support recursive resolution and MUST NOT
   delegate this to the authoritative DNS servers.  The first successful
   recursive name resolution result is returned to the client.  In
   addition, the resolver returns the queried DNS name as a supplemental
   LEHO record (Section 5.4) with a relative expiration time of one
   hour.

   GNS resolvers SHOULD offer a configuration option to disable DNS
   processing to avoid information leakage and provide a consistent
   security profile for all name resolutions.  Such resolvers would
   return an empty record set upon encountering a GNS2DNS record during
   the recursion.  However, if GNS2DNS records are encountered in the
   record set for the apex and a GNS2DNS record is expicitly requested
   by the application, such records MUST still be returned, even if DNS
   support is disabled by the GNS resolver configuration.

8.2.3.  CNAME

   If a CNAME record is encountered, the canonical name is appended to
   the remaining name, except if the remaining name is empty and the
   desired record type is CNAME, in which case the resolution concludes
   with the CNAME record.  If the canonical name ends in ".+",
   resolution continues in GNS with the new name in the current zone.
   Otherwise, the resulting name is resolved via the default operating
   system name resolution process.  This may in turn again trigger a GNS
   resolution process depending on the system configuration.

   The recursive DNS resolution process may yield a CNAME as well which
   in turn may either point into the DNS or GNS namespace (if it ends in
   a label representation of a zone key).  In order to prevent infinite
   loops, the resolver MUST implement loop detections or limit the
   number of recursive resolution steps.  If the last CNAME was a DNS
   name, the resolver returns the DNS name as a supplemental LEHO record
   (Section 5.4) with a relative expiration time of one hour.

8.2.4.  BOX

   When a BOX record is received, a GNS resolver must unbox it if the
   name to be resolved continues with "_SERVICE._PROTO".  Otherwise, the
   BOX record is to be left untouched.  This way, TLSA (and SRV) records
   do not require a separate network request, and TLSA records become
   inseparable from the corresponding address records.





Schanzenbach, et al.      Expires 21 April 2021                [Page 23]


Internet-Draft             The GNU Name System              October 2020


8.2.5.  VPN

   At the end of the recursion, if the queried record type is either A
   or AAAA and the retrieved record set contains at least one VPN
   record, the resolver SHOULD open a tunnel and return the IPv4 or IPv6
   tunnel address, respectively.  The type of tunnel depends on the
   contents of the VPN record data.  The VPN record MUST be returned if
   the resolver implementation does not support setting up a tunnnel.

8.2.6.  NICK

   NICK records are only relevant to the recursive resolver if the
   record set in question is the final result which is to be returned to
   the client.  The encountered NICK records may either be supplemental
   (see Section 4) or non-supplemental.  If the NICK record is
   supplemental, the resolver only returns the record set if one of the
   non-supplemental records matches the queried record type.

   The differentiation between a supplemental and non-supplemental NICK
   record allows the client to match the record to the authoritative
   zone.  Consider the following example:

   Query: alice.example (type=A)
   Result:
   A: 192.0.2.1
   NICK: eve

                                 Figure 14

   In this example, the returned NICK record is non-supplemental.  For
   the client, this means that the NICK belongs to the zone "alice.doe"
   and is published under the empty label along with an A record.  The
   NICK record should be interpreted as: The zone defined by "alice.doe"
   wants to be referred to as "eve".  In contrast, consider the
   following:

   Query: alice.example (type=AAAA)
   Result:
   AAAA: 2001:DB8::1
   NICK: john (Supplemental)

                                 Figure 15









Schanzenbach, et al.      Expires 21 April 2021                [Page 24]


Internet-Draft             The GNU Name System              October 2020


   In this case, the NICK record is marked as supplemental.  This means
   that the NICK record belongs to the zone "doe" and is published under
   the label "alice" along with an A record.  The NICK record should be
   interpreted as: The zone defined by "doe" wants to be referred to as
   "john".  This distinction is likely useful for other records
   published as supplemental.

9.  Zone Revocation

   Whenever a recursive resolver encounters a new GNS zone, it MUST
   check against the local revocation list whether the respective zone
   key has been revoked.  If the zone key was revoked, the resolution
   MUST fail with an empty result set.

   In order to revoke a zone key, a signed revocation object SHOULD be
   published.  This object MUST be signed using the private zone key.
   The revocation object is flooded in the overlay network.  To prevent
   flooding attacks, the revocation message MUST contain a proof of work
   (PoW).  The revocation message including the PoW MAY be calculated
   ahead of time to support timely revocation.

   For all occurences below, "Argon2id" is the Password-based Key
   Derivation Function as defined in [Argon2].  For the PoW calculations
   the algorithm is instantiated with the following parameters:

   S  The salt.  Fixed 16-octet string: "GnsRevocationPow".

   t  Number of iterations: 3

   m  Memory size in KiB: 1024

   T  Output length of hash in bytes: 64

   p  Parallelization parameter: 1

   v  Algorithm version: 0x13

   y  Algorithm type (Argon2id): 2

   X  Unused

   K  Unused

   The following is the message string "P" on which the PoW is
   calculated:






Schanzenbach, et al.      Expires 21 April 2021                [Page 25]


Internet-Draft             The GNU Name System              October 2020


   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                      POW                      |
   +-----------------------------------------------+
   |                   TIMESTAMP                   |
   +-----------------------------------------------+
   |       ZONE TYPE       |    PUBLIC ZONE KEY    |
   +-----+-----+-----+-----+                       |
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 16

   where:

   POW  A 64-bit solution to the PoW.  In network byte order.

   TIMESTAMP  denotes the absolute 64-bit date when the revocation was
      computed.  In microseconds since midnight (0 hour), January 1,
      1970 in network byte order.

   PUBLIC KEY  is the 256-bit public key "zk" of the zone which is being
      revoked and the key to be used to verify SIGNATURE.  The wire
      format of this value is defined in [RFC8032], Section 5.1.5.

   Traditionally, PoW schemes require to find a "POW" such that at least
   D leading zeroes are found in the hash result.  D is then referred to
   as the "difficulty" of the PoW.  In order to reduce the variance in
   time it takes to calculate the PoW, we require that a number "Z"
   different PoWs must be found that on average have "D" leading zeroes.

   The resulting proofs may then published and disseminated.  The
   concrete dissemination and publication methods are out of scope of
   this document.  Given an average difficulty of "D", the proofs have
   an expiration time of EPOCH.  With each additional bit difficulty,
   the lifetime of the proof is prolonged for another EPOCH.
   Consequently, by calculating a more difficult PoW, the lifetime of
   the proof can be increased on demand by the zone owner.

   The parameters are defined as follows:

   Z  The number of PoWs required is fixed at 32.

   D  The difficulty is fixed at 22.

   EPOCH  A single epoch is fixed at 365 days.




Schanzenbach, et al.      Expires 21 April 2021                [Page 26]


Internet-Draft             The GNU Name System              October 2020


   Given that proof has been found, a revocation data object is defined
   as follows:

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   TIMESTAMP                   |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                      TTL                      |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                     POW_0                     |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                       ...                     |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                     POW_Z-1                   |
   +-----------------------------------------------+
   |       ZONE TYPE       |    PUBLIC ZONE KEY    |
   +-----+-----+-----+-----+                       |
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   SIGNATURE                   |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 17

   where:

   TIMESTAMP  denotes the absolute 64-bit date when the revocation was
      computed.  In microseconds since midnight (0 hour), January 1,
      1970 in network byte order.  This is the same value as the
      timestamp used in the individual PoW calculations.

   TTL  denotes the relative 64-bit time to live of of the record in
      microseconds also in network byte order.  This field is
      informational for a verifier.  The verifier may discard revocation
      if the TTL indicates that it is already expired.  However, the
      actual TTL of the revocation must be determined by examining the
      leading zeros in the proof of work calculation.

   POW_i  The values calculated as part of the PoW, in network byte
      order.  Each POW_i MUST be unique in the set of POW values.  To
      facilitate fast verification of uniqueness, the POW values must be
      given in strictly monotonically increasing order in the message.

   ZONE TYPE  The 32-bit zone type corresponding to the zone public key.



Schanzenbach, et al.      Expires 21 April 2021                [Page 27]


Internet-Draft             The GNU Name System              October 2020


   ZONE PUBLIC KEY  is the public key "zk" of the zone which is being
      revoked and the key to be used to verify SIGNATURE.

   SIGNATURE  A signature over a timestamp and the public zone zk of the
      zone which is revoked and corresponds to the key used in the PoW.
      The signature is created using the Sign() function of the
      cryptosystem of the zone and the private zone key (see Section 3).

   The signature over the public key covers a 32-bit pseudo header
   conceptually prefixed to the public key.  The pseudo header includes
   the key length and signature purpose:

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |         SIZE (0x30)   |       PURPOSE (0x03)  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |       ZONE TYPE       |     ZONE PUBLIC KEY   |
   +-----+-----+-----+-----+                       |
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   TIMESTAMP                   |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 18

   where:

   SIZE  A 32-bit value containing the length of the signed data in
      bytes in network byte order.

   PURPOSE  A 32-bit signature purpose flag.  This field MUST be 3 (in
      network byte order).

   ZONE TYPE  The 32-bit zone type corresponding to the zone public key.

   ZONE PUBLIC KEY / TIMESTAMP  Both values as defined in the revocation
      data object above.

   In order to verify a revocation the following steps must be taken, in
   order:

   1.  The current time MUST be between TIMESTAMP and TIMESTAMP+TTL.

   2.  The signature MUST match the public key.

   3.  The set of POW values MUST NOT contain duplicates.




Schanzenbach, et al.      Expires 21 April 2021                [Page 28]


Internet-Draft             The GNU Name System              October 2020


   4.  The average number of leading zeroes resulting from the provided
       POW values D' MUST be greater than D.

   5.  The validation period (TTL) of the revocation is calculated as
       (D'-D) * EPOCH * 1.1.  The EPOCH is extended by 10% in order to
       deal with unsynchronized clocks.  The TTL added on top of the
       TIMESTAMP yields the expiration date.

10.  Determining the Root Zone and Zone Governance

   The resolution of a GNS name must start in a given start zone
   indicated to the resolver using any public zone key.  The local
   resolver may have a local start zone configured/hard-coded which
   points to a local or remote start zone key.  A resolver client may
   also determine the start zone from the suffix of the name given for
   resolution or using information retrieved out of band.  The
   governance model of any zone is at the sole discretion of the zone
   owner.  However, the choice of start zone(s) is at the sole
   discretion of the local system administrator or user.

   This is an important distinguishing factor from the Domain Name
   System where root zone governance is centralized at the Internet
   Corporation for Assigned Names and Numbers (ICANN).  In DNS
   terminology, GNS roughly follows the idea of a hyper-hyper local root
   zone deployment, with the difference that it is not expected that all
   deployments use the same local root zone.

   In the following, we give examples how a local client resolver SHOULD
   discover the start zone.  The process given is not exhaustive and
   clients MAY suppliement it with other mechanisms or ignore it if the
   particular application requires a different process.

   GNS clients MUST first try to interpret the top-level domain of a GNS
   name as a zone key representation ("zTLD").  If the top-level domain
   is indicated to be a label representation of a public zone key with a
   well-defined "ztype" value, the root zone of the resolution process
   is implicitly given by the suffic of the name:

   Example name: www.example.<zTLD>
   => Root zone: zk of type ztype
   => Name to resolve from root zone: www.example

   In GNS, users MAY own and manage their own zones.  Each local zone
   SHOULD be associated with a single GNS label, but users MAY choose to
   use longer names consisting of multiple labels.  If the name of a
   locally managed zone matches the suffix of the name to be resolved,
   resolution SHOULD start from the respective local zone:




Schanzenbach, et al.      Expires 21 April 2021                [Page 29]


Internet-Draft             The GNU Name System              October 2020


   Example name: www.example.org
   Local zones:
   fr = (d0,zk0)
   gnu = (d1,zk1)
   com = (d2,zk2)
   ...
   => Entry zone: zk1
   => Name to resolve from entry zone: www.example

   Finally, additional "suffix to zone" mappings MAY be configured.
   Suffix to zone key mappings SHOULD be configurable through a local
   configuration file or database by the user or system administrator.
   The suffix MAY consist of multiple GNS labels concatenated with a
   ".".  If multiple suffixes match the name to resolve, the longest
   matching suffix MUST BE used.  The suffix length of two results
   cannot be equal, as this would indicate a misconfiguration.  If both
   a locally managed zone and a configuration entry exist for the same
   suffix, the locally managed zone MUST have priority.

   Example name: www.example.org
   Local suffix mappings:
   gnu = zk0
   example.org = zk1
   example.com = zk2
   ...
   => Entry zone: zk1
   => Name to resolve from entry zone: www

11.  Security Considerations

11.1.  Cryptography

   The security of cryptographic systems depends on both the strength of
   the cryptographic algorithms chosen and the strength of the keys used
   with those algorithms.  The security also depends on the engineering
   of the protocol used by the system to ensure that there are no non-
   cryptographic ways to bypass the security of the overall system.

   This document concerns itself with the selection of cryptographic
   algorithms for use in GNS.  The algorithms identified in this
   document are not known to be broken (in the cryptographic sense) at
   the current time, and cryptographic research so far leads us to
   believe that they are likely to remain secure into the foreseeable
   future.  However, this isn't necessarily forever, and it is expected
   that new revisions of this document will be issued from time to time
   to reflect the current best practices in this area.





Schanzenbach, et al.      Expires 21 April 2021                [Page 30]


Internet-Draft             The GNU Name System              October 2020


   GNS PKEY zone keys use ECDSA over Curve25519.  This is an
   unconventional choice, as ECDSA is usually used with other curves.
   However, traditional ECDSA curves are problematic for a range of
   reasons described in the Curve25519 and EdDSA papers.  Using EdDSA
   directly is also not possible, as a hash function is used on the
   private key which destroys the linearity that the GNU Name System
   depends upon.  We are not aware of anyone suggesting that using
   Curve25519 instead of another common curve of similar size would
   lower the security of ECDSA.  GNS uses 256-bit curves because that
   way the encoded (public) keys fit into a single DNS label, which is
   good for usability.

   In terms of crypto-agility, whenever the need for an updated
   cryptographic scheme arises to, for example, replace ECDSA over
   Curve25519 for PKEY records it may simply be introduced through a new
   record type.  Such a new record type may then replace the delegation
   record type for future records.  The old record type remains and
   zones can iteratively migrate to the updated zone keys.

   In order to ensure ciphertext indistinguishability, care must be
   taken with respect to the initialization vector in the counter block.
   In our design, the IV is always the expiration time of the record
   block.  For blocks with relative expiration times it is implicitly
   ensured that each time a block is published into the DHT, its IV is
   unique as the expiration time is calculated dynamically and increases
   monotonically.  For blocks with absolute expiration times, the
   implementation MUST ensure that the expiration time is modified when
   the record data changes.  For example. the expiration time may be
   increased by a single microsecond.

11.2.  Abuse mitigation

   GNS names are UTF-8 strings.  Consequently, GNS faces similar issues
   with respect to name spoofing as DNS does for internationalized
   domain names.  In DNS, attackers may register similar sounding or
   looking names (see above) in order to execute phishing attacks.  GNS
   zone administrators must take into account this attack vector and
   incorporate rules in order to mitigate it.

   Further, DNS can be used to combat illegal content on the internet by
   having the respective domains seized by authorities.  However, the
   same mechanisms can also be abused in order to impose state
   censorship, which ist one of the motivations behind GNS.  Hence, such
   a seizure is, by design, difficult to impossible in GNS.  In
   particular, GNS does not support WHOIS ([RFC3912]).






Schanzenbach, et al.      Expires 21 April 2021                [Page 31]


Internet-Draft             The GNU Name System              October 2020


11.3.  Zone management

   In GNS, zone administrators need to manage and protect their zone
   keys.  Once a zone key is lost it cannot be recovered.  Once it is
   compromised it cannot be revoked (unless a revocation message was
   pre-calculated and is still available).  Zone administrators, and for
   GNS this includes end-users, are required to responsibly and
   dilligently protect their cryptographic keys.  Offline signing is in
   principle possible, but GNS does not support separate zone signing
   and key-signing keys (as in [RFC6781]) in order to provide usable
   security.

   Similarly, users are required to manage their local root zone.  In
   order to ensure integrity and availability or names, users must
   ensure that their local root zone information is not compromised or
   outdated.  It can be expected that the processing of zone revocations
   and an initial root zone is provided with a GNS client implementation
   ("drop shipping").  Extension and customization of the zone is at the
   full discretion of the user.

11.4.  Impact of underlying DHT

   This document does not specifiy the properties of the underlying
   distributed hash table (DHT) which is required by any GNS
   implementation.  For implementors, it is important to note that the
   properties of the DHT are directly inherited by the GNS
   implementation.  This includes both security as well as other non-
   functional properties such as scalability and performance.
   Implementors should take great care when selecting or implementing a
   DHT for use in a GNS implementation.  DHTs with strong security and
   performance guarantees exist [R5N].  It should also be taken into
   consideration that GNS implementations which build upon different DHT
   overlays are unlikely to be interoperable with each other.

11.5.  Revocations

   Zone administrators are advised to pre-generate zone revocations and
   securely store the revocation information in case the zone key is
   lost, compromised or replaced in the furture.  Pre-calculated
   revocations may become invalid due to expirations or protocol changes
   such as epoch adjustments.  Consequently, implementors and users must
   make precautions in order to manage revocations accordingly.

   Revocation payloads do NOT include a 'new' key for key replacement.
   Inclusion of such a key would have two major disadvantages:






Schanzenbach, et al.      Expires 21 April 2021                [Page 32]


Internet-Draft             The GNU Name System              October 2020


   If revocation is used after a private key was compromised, allowing
   key replacement would be dangerous: if an adversary took over the
   private key, the adversary could then broadcast a revocation with a
   key replacement.  For the replacement, the compromised owner would
   have no chance to issue even a revocation.  Thus, allowing a
   revocation message to replace a private key makes dealing with key
   compromise situations worse.

   Sometimes, key revocations are used with the objective of changing
   cryptosystems.  Migration to another cryptosystem by replacing keys
   via a revocation message would only be secure as long as both
   cryptosystems are still secure against forgery.  Such a planned, non-
   emergency migration to another cryptosystem should be done by running
   zones for both ciphersystems in parallel for a while.  The migration
   would conclude by revoking the legacy zone key only once it is deemed
   no longer secure, and hopefully after most users have migrated to the
   replacement.

12.  GANA Considerations

   GANA [GANA] is requested to create an "GNU Name System Record Types"
   registry.  The registry shall record for each entry:

   *  Name: The name of the record type (case-insensitive ASCII string,
      restricted to alphanumeric characters

   *  Number: 32-bit, above 65535

   *  Comment: Optionally, a brief English text describing the purpose
      of the record type (in UTF-8)

   *  Contact: Optionally, the contact information of a person to
      contact for further information

   *  References: Optionally, references describing the record type
      (such as an RFC)

   The registration policy for this sub-registry is "First Come First
   Served", as described in [RFC8126].  GANA is requested to populate
   this registry as follows:











Schanzenbach, et al.      Expires 21 April 2021                [Page 33]


Internet-Draft             The GNU Name System              October 2020


   Number | Name    | Contact | References | Description
   -------+---------+---------+------------+-------------------------
   65536  | PKEY    | N/A     | [This.I-D] | GNS zone delegation
   65537  | NICK    | N/A     | [This.I-D] | GNS zone nickname
   65538  | LEHO    | N/A     | [This.I-D] | GNS legacy hostname
   65539  | VPN     | N/A     | [This.I-D] | VPN resolution
   65540  | GNS2DNS | N/A     | [This.I-D] | Delegation to DNS
   65541  | BOX     | N/A     | [This.I-D] | Boxed record

                                 Figure 19

   GANA is requested to amend the "GNUnet Signature Purpose" registry as
   follows:

   Purpose | Name            | References | Description
   --------+-----------------+------------+--------------------------
     3     | GNS_REVOCATION  | [This.I-D] | GNS zone key revocation
    15     | GNS_RECORD_SIGN | [This.I-D] | GNS record set signature

                                 Figure 20

13.  Test Vectors

   The following represents a test vector for a record set with a DNS
   record of type "A" as well as a GNS record of type "PKEY" under the
   label "test".


   Zone private key (d, little-endian, with ztype prepended):
   0001000020110ab2
   807d702f7b86dc30
   6c37e8e2e0a5dbb2
   7ae934727d9ca07d
   69c73579

   Zone identifier (zid):
   0001000063db8bf0
   44212617ce5db4fc
   7c06fb9e35b2e177
   3b4b76c05b42a1e7
   17d018c6

   Encoded zone identifier (zkl = zTLD):
   000G0033VE5Z0H114RBWWQDMZHY0DYWY6PSE2XSV9DVC0PT2M7KHFM0RRR

   Label: test
   RRCOUNT: 2




Schanzenbach, et al.      Expires 21 April 2021                [Page 34]


Internet-Draft             The GNU Name System              October 2020


   Record #0
   EXPIRATION: 1602865000130231
   DATA_SIZE: 4
   TYPE: 1
   FLAGS: 0
   DATA:
   01020304

   Record #1
   EXPIRATION: 1602865000130231
   DATA_SIZE: 32
   TYPE: 65536
   FLAGS: 2
   DATA:
   00010000796f4a8b
   66d7780f62f46604
   24c750295f31674d
   052a4989cf0779a7

   RDATA:
   0005b1cc16f4a6b7
   0000000400000001
   0000000001020304
   0005b1cc16f4a6b7
   0000002000010000
   0000000200010000
   796f4a8b66d7780f
   62f4660424c75029
   5f31674d052a4989
   cf0779a700000000
   0000000000000000
   0000000000000000
   0000000000000000
   0000000000000000
   0000000000000000
   0000000000000000

   BDATA:
   4f20986bde1fbbed
   b57196c1c23e35e9
   f1ee62207de81297
   0c2b370a9980042f
   e8296cdd8ca66d69
   11ebb2f3b2550959
   7cb781ef56ac07d1
   7c5dd0903bb94c67
   c07e100079f59db3
   3363fe110f435838



Schanzenbach, et al.      Expires 21 April 2021                [Page 35]


Internet-Draft             The GNU Name System              October 2020


   ef482e60b527f553
   2ee435e4c0525439
   3965d3dbe72e7c92
   9bb4172b3bda7270
   06c33578682cb212
   23ac2cf389a4fbab
   bb8cb55e

   RRBLOCK:
   000100007bc2eb40
   ef056b05a5a84c35
   241ca7190284a4a4
   f5afdae14e8b784c
   4b516dd6082d7969
   2d2bbcb1328bc1df
   270b2c02693bdaa9
   f4d496dd850068d4
   3a471fac0156b902
   3536e54960fac47b
   58762d82c5ad8e7f
   34a121819c7ca75d
   64c78d3a00000094
   0000000f0005b1cc
   16f4a6b74f20986b
   de1fbbedb57196c1
   c23e35e9f1ee6220
   7de812970c2b370a
   9980042fe8296cdd
   8ca66d6911ebb2f3
   b25509597cb781ef
   56ac07d17c5dd090
   3bb94c67c07e1000
   79f59db33363fe11
   0f435838ef482e60
   b527f5532ee435e4
   c05254393965d3db
   e72e7c929bb4172b
   3bda727006c33578
   682cb21223ac2cf3
   89a4fbabbb8cb55e


   The following is an example revocation for a zone:








Schanzenbach, et al.      Expires 21 April 2021                [Page 36]


Internet-Draft             The GNU Name System              October 2020


   Zone private key (d, little-endian scalar, with ztype prepended):
   00010000a065bf68
   07cb3d90d10394a9
   a56693e07087ad35
   24f8e303931d4ade
   946dc447

   Zone identifier (zid):
   00010000d06ab6d9
   14e8a8064609b2b3
   cb661c586042adcb
   0dc5faeb61994d25
   5ebdca72

   Encoded zone identifier (zkl = zTLD):
   000G006GDAVDJ578N034C2DJPF5PC72RC11AVJRDRQXEPRCS9MJNXFEAE8

   Difficulty (5 base difficulty + 2 epochs): 7

   Proof:
   0005b13f536e2b0e
   0000395d1827c000
   5caaeaa2b955d82c
   5caaeaa2b955da02
   5caaeaa2b955daf0
   5caaeaa2b955db20
   5caaeaa2b955db2d
   5caaeaa2b955dba1
   5caaeaa2b955dba9
   5caaeaa2b955dbc2
   5caaeaa2b955dbc8
   5caaeaa2b955dbd1
   5caaeaa2b955dbf7
   5caaeaa2b955dc0e
   5caaeaa2b955dc54
   5caaeaa2b955dc8c
   5caaeaa2b955dca5
   5caaeaa2b955dcb5
   5caaeaa2b955dcf8
   5caaeaa2b955dd47
   5caaeaa2b955dd91
   5caaeaa2b955dd98
   5caaeaa2b955dd99
   5caaeaa2b955ddc4
   5caaeaa2b955de7f
   5caaeaa2b955de80
   5caaeaa2b955de92
   5caaeaa2b955ded3



Schanzenbach, et al.      Expires 21 April 2021                [Page 37]


Internet-Draft             The GNU Name System              October 2020


   5caaeaa2b955df1a
   5caaeaa2b955df77
   5caaeaa2b955dfdf
   5caaeaa2b955e06e
   5caaeaa2b955e08d
   5caaeaa2b955e0c4
   00010000d06ab6d9
   14e8a8064609b2b3
   cb661c586042adcb
   0dc5faeb61994d25
   5ebdca7206b11f93
   41f4e1649976c421
   b1efe668a44becbe
   5a9f76804adb6f6e
   2cd16de00d81841d
   cbd135aacad3bdab
   3f2209bd10d55cc1
   c7aed9a9bd53a1f6
   cae1789d


14.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
              <https://www.rfc-editor.org/info/rfc1034>.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <https://www.rfc-editor.org/info/rfc1035>.

   [RFC2782]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
              specifying the location of services (DNS SRV)", RFC 2782,
              DOI 10.17487/RFC2782, February 2000,
              <https://www.rfc-editor.org/info/rfc2782>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003, <https://www.rfc-editor.org/info/rfc3629>.







Schanzenbach, et al.      Expires 21 April 2021                [Page 38]


Internet-Draft             The GNU Name System              October 2020


   [RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES)
              Counter Mode With IPsec Encapsulating Security Payload
              (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004,
              <https://www.rfc-editor.org/info/rfc3686>.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826,
              DOI 10.17487/RFC3826, June 2004,
              <https://www.rfc-editor.org/info/rfc3826>.

   [RFC3912]  Daigle, L., "WHOIS Protocol Specification", RFC 3912,
              DOI 10.17487/RFC3912, September 2004,
              <https://www.rfc-editor.org/info/rfc3912>.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <https://www.rfc-editor.org/info/rfc4648>.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010,
              <https://www.rfc-editor.org/info/rfc5869>.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, DOI 10.17487/RFC5890, August 2010,
              <https://www.rfc-editor.org/info/rfc5890>.

   [RFC5891]  Klensin, J., "Internationalized Domain Names in
              Applications (IDNA): Protocol", RFC 5891,
              DOI 10.17487/RFC5891, August 2010,
              <https://www.rfc-editor.org/info/rfc5891>.

   [RFC6781]  Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
              Operational Practices, Version 2", RFC 6781,
              DOI 10.17487/RFC6781, December 2012,
              <https://www.rfc-editor.org/info/rfc6781>.

   [RFC6895]  Eastlake 3rd, D., "Domain Name System (DNS) IANA
              Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
              April 2013, <https://www.rfc-editor.org/info/rfc6895>.

   [RFC6979]  Pornin, T., "Deterministic Usage of the Digital Signature
              Algorithm (DSA) and Elliptic Curve Digital Signature
              Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
              2013, <https://www.rfc-editor.org/info/rfc6979>.




Schanzenbach, et al.      Expires 21 April 2021                [Page 39]


Internet-Draft             The GNU Name System              October 2020


   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016, <https://www.rfc-editor.org/info/rfc7748>.

   [RFC8032]  Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
              Signature Algorithm (EdDSA)", RFC 8032,
              DOI 10.17487/RFC8032, January 2017,
              <https://www.rfc-editor.org/info/rfc8032>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [GANA]     GNUnet e.V., "GNUnet Assigned Numbers Authority (GANA)",
              April 2020, <https://gana.gnunet.org/>.

   [GNS]      Wachs, M., Schanzenbach, M., and C. Grothoff, "A
              Censorship-Resistant, Privacy-Enhancing and Fully
              Decentralized Name System", 2014,
              <https://doi.org/10.1007/978-3-319-12280-9_9>.

   [R5N]      Evans, N. S. and C. Grothoff, "R5N: Randomized recursive
              routing for restricted-route networks", 2011,
              <https://doi.org/10.1109/ICNSS.2011.6060022>.

   [Argon2]   Biryukov, A., Dinu, D., Khovratovich, D., and S.
              Josefsson, "The memory-hard Argon2 password hash and
              proof-of-work function", March 2020,
              <https://datatracker.ietf.org/doc/draft-irtf-cfrg-
              argon2/>.

   [MODES]    Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Methods and Techniques", December 2001,
              <https://doi.org/10.6028/NIST.SP.800-38A>.

   [GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) and GMAC", November
              2007, <https://doi.org/10.6028/NIST.SP.800-38D>.

   [CrockfordB32]
              Douglas, D., "Base32", March 2019,
              <https://www.crockford.com/base32.html>.

   [Tor224]   Goulet, D., Kadianakis, G., and N. Mathewson, "Next-
              Generation Hidden Services in Tor", November 2013,
              <https://gitweb.torproject.org/torspec.git/tree/
              proposals/224-rend-spec-ng.txt#n2135>.



Schanzenbach, et al.      Expires 21 April 2021                [Page 40]


Internet-Draft             The GNU Name System              October 2020


   [ed25519]  Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B.
              Yang, "High-Speed High-Security Signatures", 2011,
              <http://link.springer.com/
              chapter/10.1007/978-3-642-23951-9_9>.

Authors' Addresses

   Martin Schanzenbach
   GNUnet e.V.
   Boltzmannstrasse 3
   85748 Garching
   Germany

   Email: schanzen@gnunet.org


   Christian Grothoff
   Berner Fachhochschule
   Hoeheweg 80
   CH-2501 Biel/Bienne
   Switzerland

   Email: grothoff@gnunet.org


   Bernd Fix
   GNUnet e.V.
   Boltzmannstrasse 3
   85748 Garching
   Germany

   Email: fix@gnunet.org



















Schanzenbach, et al.      Expires 21 April 2021                [Page 41]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/