The GNU Name System
draft-schanzen-gns-06

Document Type Active Internet-Draft (individual)
Authors Martin Schanzenbach  , Christian Grothoff  , Bernd Fix 
Last updated 2022-01-14 (latest revision 2021-12-22)
Stream Independent Submission
Intended RFC status Informational
Formats plain text html xml htmlized pdfized bibtex
Stream ISE state Response to Review Needed
Awaiting Reviews, Revised I-D Needed
Consensus Boilerplate Unknown
Document shepherd Adrian Farrel
IESG IESG state I-D Exists::Revised I-D Needed
Telechat date
Responsible AD (None)
Send notices to rfc-ise@rfc-editor.org
Independent Stream                                       M. Schanzenbach
Internet-Draft                                               GNUnet e.V.
Intended status: Informational                               C. Grothoff
Expires: 25 June 2022                              Berner Fachhochschule
                                                                  B. Fix
                                                             GNUnet e.V.
                                                        22 December 2021

                          The GNU Name System
                         draft-schanzen-gns-06

Abstract

   This document contains the GNU Name System (GNS) technical
   specification.  GNS is a decentralized and censorship-resistant name
   system that provides a privacy-enhancing alternative to the Domain
   Name System (DNS).

   This document defines the normative wire format of resource records,
   resolution processes, cryptographic routines and security
   considerations for use by implementers.

   This specification was developed outside the IETF and does not have
   IETF consensus.  It is published here to guide implementation of GNS
   and to ensure interoperability among implementations.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 25 June 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Schanzenbach, et al.      Expires 25 June 2022                  [Page 1]
Internet-Draft             The GNU Name System             December 2021

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Requirements Notation . . . . . . . . . . . . . . . . . .   4
   2.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
     3.1.  Zone Type . . . . . . . . . . . . . . . . . . . . . . . .   5
     3.2.  Zone ID . . . . . . . . . . . . . . . . . . . . . . . . .   6
     3.3.  Zone Top-Level Domain . . . . . . . . . . . . . . . . . .   7
     3.4.  Zone Revocation . . . . . . . . . . . . . . . . . . . . .   9
   4.  Resource Records  . . . . . . . . . . . . . . . . . . . . . .  13
     4.1.  Zone Delegation Records . . . . . . . . . . . . . . . . .  15
       4.1.1.  PKEY  . . . . . . . . . . . . . . . . . . . . . . . .  15
       4.1.2.  EDKEY . . . . . . . . . . . . . . . . . . . . . . . .  18
       4.1.3.  GNS2DNS . . . . . . . . . . . . . . . . . . . . . . .  21
     4.2.  Auxiliary Records . . . . . . . . . . . . . . . . . . . .  22
       4.2.1.  LEHO  . . . . . . . . . . . . . . . . . . . . . . . .  22
       4.2.2.  NICK  . . . . . . . . . . . . . . . . . . . . . . . .  23
       4.2.3.  BOX . . . . . . . . . . . . . . . . . . . . . . . . .  24
       4.2.4.  GTS . . . . . . . . . . . . . . . . . . . . . . . . .  24
   5.  Record Storage  . . . . . . . . . . . . . . . . . . . . . . .  25
     5.1.  The Storage Key . . . . . . . . . . . . . . . . . . . . .  26
     5.2.  The Records Block (RRBLOCK) . . . . . . . . . . . . . . .  26
   6.  Name Resolution . . . . . . . . . . . . . . . . . . . . . . .  29
     6.1.  Root Zone . . . . . . . . . . . . . . . . . . . . . . . .  29
     6.2.  Recursion . . . . . . . . . . . . . . . . . . . . . . . .  31
     6.3.  Record Processing . . . . . . . . . . . . . . . . . . . .  31
       6.3.1.  Zone Delegation Records . . . . . . . . . . . . . . .  32
       6.3.2.  GNS2DNS . . . . . . . . . . . . . . . . . . . . . . .  33
       6.3.3.  CNAME . . . . . . . . . . . . . . . . . . . . . . . .  34
       6.3.4.  BOX . . . . . . . . . . . . . . . . . . . . . . . . .  34
       6.3.5.  GTS . . . . . . . . . . . . . . . . . . . . . . . . .  34
       6.3.6.  NICK  . . . . . . . . . . . . . . . . . . . . . . . .  34
   7.  Internationalization and Character Encoding . . . . . . . . .  35
   8.  Security and Privacy Considerations . . . . . . . . . . . . .  35
     8.1.  Cryptography  . . . . . . . . . . . . . . . . . . . . . .  35
     8.2.  Abuse Mitigation  . . . . . . . . . . . . . . . . . . . .  37
     8.3.  Zone Management . . . . . . . . . . . . . . . . . . . . .  37
     8.4.  Impact of DHTs as Underlying Storage  . . . . . . . . . .  37

Schanzenbach, et al.      Expires 25 June 2022                  [Page 2]
Internet-Draft             The GNU Name System             December 2021

     8.5.  Revocations . . . . . . . . . . . . . . . . . . . . . . .  38
     8.6.  Label Guessing  . . . . . . . . . . . . . . . . . . . . .  38
   9.  GANA Considerations . . . . . . . . . . . . . . . . . . . . .  39
   10. IANA Considertations  . . . . . . . . . . . . . . . . . . . .  40
   11. Implementation and Deployment Status  . . . . . . . . . . . .  40
   12. Test Vectors  . . . . . . . . . . . . . . . . . . . . . . . .  41
   13. Normative References  . . . . . . . . . . . . . . . . . . . .  47
   14. Informative References  . . . . . . . . . . . . . . . . . . .  49
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  50

1.  Introduction

   The Domain Name System (DNS) [RFC1035] is a unique distributed
   database and a vital service for most Internet applications.  While
   DNS is distributed, it relies on centralized, trusted registrars to
   provide globally unique names.  As the awareness of the central role
   DNS plays on the Internet rises, various institutions are using their
   power (including legal means) to engage in attacks on the DNS, thus
   threatening the global availability and integrity of information on
   the Internet.

   DNS was not designed with security as a goal.  This makes it very
   vulnerable, especially to attackers that have the technical
   capabilities of an entire nation state at their disposal.  This
   specification describes a censorship-resistant, privacy-preserving
   and decentralized name system: The GNU Name System (GNS) [GNS].  It
   is designed to provide a secure, privacy-enhancing alternative to
   DNS, especially when censorship or manipulation is encountered.  GNS
   can bind names to any kind of cryptographically secured token,
   enabling it to double in some respects as even as an alternative to
   some of today's Public Key Infrastructures, in particular X.509 for
   the Web.

   The design of GNS incorporates the capability to integrate and
   coexist with DNS.  GNS is based on the principle of a petname system
   and builds on ideas from the Simple Distributed Security
   Infrastructure (SDSI) [RFC2693], addressing a central issue with the
   decentralized mapping of secure identifiers to memorable names:
   namely the impossibility of providing a global, secure and memorable
   mapping without a trusted authority.  GNS uses the transitivity in
   the SDSI design to replace the trusted root with secure delegation of
   authority thus making petnames useful to other users while operating
   under a very strong adversary model.

Schanzenbach, et al.      Expires 25 June 2022                  [Page 3]
Internet-Draft             The GNU Name System             December 2021

   This is an important distinguishing factor from the Domain Name
   System where root zone governance is centralized at the Internet
   Corporation for Assigned Names and Numbers (ICANN).  In DNS
   terminology, GNS roughly follows the idea of a hyper-hyper local root
   zone deployment, with the difference that it is not expected that all
   deployments use the same local root zone.

   This document defines the normative wire format of resource records,
   resolution processes, cryptographic routines and security
   considerations for use by implementers.

   This specification was developed outside the IETF and does not have
   IETF consensus.  It is published here to guide implementation of GNS
   and to ensure interoperability among implementations.

1.1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Overview

   In GNS, any user may create and manage one or more cryptographically
   secured zones (Section 3).  A set of cryptographic functions which
   are determined by the zone type enable the creation of signatures for
   zone contents using blinded public/private key pairs and encryption
   of zone contents.

   A zone can be populated with mappings from labels to resource records
   by its owner (Section 4).  Labels can be delegated to other zones
   using delegation records and in order to support (legacy)
   applications as well as facilitate the use of petnames, GNS defines
   auxiliary record types in addition to supporting traditional DNS
   records.

   Zone contents are encrypted and signed before being published in a
   distributed key-value storage (Section 5).  In this process, unique
   zone identification is hidden from the network through the use of key
   blinding.  It allows the creation of signatures for zone contents
   using a blinded public/private key pair.  This blinding is realized
   using a deterministic key derivation from the original public and
   private zone keys using record label values.  Specifically, the zone
   owner can derive private keys for each record set published under a
   label, and a resolver can derive the corresponding public keys.  It
   is expected that GNS implementations use distributed or decentralized

Schanzenbach, et al.      Expires 25 June 2022                  [Page 4]
Internet-Draft             The GNU Name System             December 2021

   storages such as distributed hash tables (DHT) in order to facilitate
   availability within a network without the need of servers.
   Specification of such a distributed or decentralized storage is out
   of scope of this document but possible existing implementations
   include those based on [RFC7363], [Kademlia] or [R5N].

   Starting from a configurable root zone, names are resolved following
   zone delegations which are recursively queried from the storage
   (Section 6).  Without knowledge of the label values and the zone
   public keys, the different derived keys are unlinkable both to the
   original key and to each other.  This prevents zone enumeration and
   requires knowledge of both the public zone key and the label to
   confirm affiliation with a specific zone.  At the same time, the
   blinded zone public key provides resolvers with the ability to verify
   the integrity of the published information without disclosing the
   originating zone.

   In the remainder of this document, the "implementer" refers to the
   developer building a GNS implementation including, for example, zone
   management tools and name resolution components.  An "application"
   refers to a component which uses a GNS implementation to resolve
   records from the network and (usually) processes its contents.

3.  Zones

   A zone in GNS is defined by its zone type and zone ID.  Further, each
   zone can be represented by a Zone Top-Level Domain (zTLD) string.  In
   this section, the zone type, zone ID, zTLD and zone revocation is
   specified.

3.1.  Zone Type

   The zone type ztype is the unique zone type of the zone as registered
   in the GNUnet Assigned Numbers Authority [GANA].  The zone type
   determines which cryptosystem is used for the asymmetric and
   symmetric key operations of the zone.  The zone type is identified by
   a 32-bit number.  It always corresponds to a resource record type
   number identifying a delegation into a zone of this type.

   For any zone, d is the private zone key. zk is the public zone key.
   The specific formats depends on the zone type.  The creation of zone
   keys for the default zone types are specificed in Section 4.1.  New
   zone types may be specified in the future, for example if the
   cryptographic mechanisms used in this document are broken.  Any zone
   type MUST define the following set of cryptographic functions:

   Private-KeyGen() -> d  is a function to generate a fresh private zone
      key d.

Schanzenbach, et al.      Expires 25 June 2022                  [Page 5]
Internet-Draft             The GNU Name System             December 2021

   Public-KeyGen(d) -> zk  is a function to derive a public zone key zk
      from a private key d.

   ZKDF-Private(d,label) -> d'  is a zone key derivation function which
      blinds a private zone key d using label, resulting in another
      private key which can be used to create cryptographic signatures.

   ZKDF-Public(zk,label) -> zk'  is a zone key derivation function which
      blinds a public zone key zk using a label. zk and zk' must be
      unlinkable.  Furthermore, blinding zk with different values for
      the label must result in unlinkable different resulting values for
      zk'.

   S-Encrypt(zk,label,nonce,expiration,message) -> ciphertext  is a dete
      rministic symmetric encryption function which encrypts the record
      data based on key material derived from the public zone key, a
      label, a nonce and an expiration.  In order to leverage
      performance-enhancing caching features of certain underlying
      storages, in particular DHTs, a deterministic encryption scheme is
      recommended.

   S-Decrypt(zk,label,nonce,expiration,ciphertext) -> message  is a
      symmetric encryption function which decrypts the encrypted record
      data based on key material derived from the public zone key, a
      label, a nonce an expiration.

   Sign(d',message) -> signature  is a function to sign encrypted record
      data using the (blinded) private key d', yielding an unforgable
      cryptographic signature.

   Verify(zk',message,signature) -> valid  is a function to verify the
      signature was created by the a private key d' derived from d and a
      label if zk' was derived from the corresponding zone key zk :=
      Public-Keygen(d) and same label.  The function returns a boolean
      value of "TRUE" if the signature is valid, and otherwise "FALSE".

3.2.  Zone ID

   The zone ID zid is a unique public identifier of a zone.  It consists
   of the ztype and the public zone key zk.  The wire format is
   illustrated in Figure 1.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |       ZONE TYPE       |      PUBLIC ZONE KEY  /
   +-----+-----+-----+-----+                       /
   /                                               /
   /                                               /

Schanzenbach, et al.      Expires 25 June 2022                  [Page 6]
Internet-Draft             The GNU Name System             December 2021

                                  Figure 1

3.3.  Zone Top-Level Domain

   The zTLD is the Zone Top-Level Domain.  It is a string which encodes
   the zone key into a domain name.  The zTLD is used as a globally
   unique reference to a specific namespace in the process of name
   resolution.  To encode the zone key, a zone key label zkl is derived
   from the zone ID using the Crockford Base32 encoding [CrockfordB32]
   but the letter "U" is decoded to the same Base32 value as the letter
   "V" in order to further increase tolerance for failures in character
   recognition.  The encoding and decoding symbols for Crockford Base32
   including this modification are defined in Figure 2.  The functions
   for encoding and decoding based on this table are called
   GNSCrockfordEncode and GNSCrockfordDecode, respectively.

Schanzenbach, et al.      Expires 25 June 2022                  [Page 7]
Internet-Draft             The GNU Name System             December 2021

   Symbol      Decode            Encode
   Value       Symbol            Symbol
   0           0 O o             0
   1           1 I i L l         1
   2           2                 2
   3           3                 3
   4           4                 4
   5           5                 5
   6           6                 6
   7           7                 7
   8           8                 8
   9           9                 9
   10          A a               A
   11          B b               B
   12          C c               C
   13          D d               D
   14          E e               E
   15          F f               F
   16          G g               G
   17          H h               H
   18          J j               J
   19          K k               K
   20          M m               M
   21          N n               N
   22          P p               P
   23          Q q               Q
   24          R r               R
   25          S s               S
   26          T t               T
   27          V v               V U
   28          W w               W
   29          X x               X
   30          Y y               Y
   31          Z z               Z

                                  Figure 2

   The Base32-Crockford Alphabet Including the Additional U Encode
   Symbol.

   For the string representation of a zone identifier we define:

   zkl := GNSCrockfordEncode(zid)
   zid := GNSCrockfordDecode(zkl)

   If zkl is less than 63 characters, it can directly be used as a zTLD.
   If zkl is be longer than 63 characters, the zTLD is constructed by
   dividing zkl into smaller labels separated by the label separator

Schanzenbach, et al.      Expires 25 June 2022                  [Page 8]
Internet-Draft             The GNU Name System             December 2021

   ".".  Here, the most significant bytes of the "zid" must be contained
   in the rightmost label of the resulting string and the least
   significant bytes in the leftmost label of the resulting string.
   This allows the resolver to determine the zone type and zkl length
   from the rightmost label.  For example, assuming a zkl of 130
   characters, the encoding would be:

   zTLD := zkl[126:129].zkl[63:125].zkl[0:62]

3.4.  Zone Revocation

   Whenever a resolver encounters a new GNS zone, it MUST check against
   the local revocation list whether the respective zone key has been
   revoked.  If the zone key was revoked, the resolution MUST fail with
   an empty result set.

   In order to revoke a zone key, a signed revocation object MUST be
   published.  This object MUST be signed using the private zone key.
   The revocation object is broadcast to the network.  The specification
   of the broadcast mechanism is out of scope of this document.  A
   possible broadcast mechanism for efficient flooding in a distributed
   network is implemented in [GNUnet].  Alternatively, revocation
   objects could also be distributed via a distributed ledger or a
   trusted central server.  To prevent flooding attacks, the revocation
   message MUST contain a proof of work (PoW).  The revocation message
   including the PoW MAY be calculated ahead of time to support timely
   revocation.

   For all occurences below, "Argon2id" is the Password-based Key
   Derivation Function as defined in [RFC9106].  For the PoW
   calculations the algorithm is instantiated with the following
   parameters:

   S  The salt.  Fixed 16-byte string: "GnsRevocationPow".

   t  Number of iterations: 3

   m  Memory size in KiB: 1024

   T  Output length of hash in bytes: 64

   p  Parallelization parameter: 1

   v  Algorithm version: 0x13

   y  Algorithm type (Argon2id): 2

   X  Unused

Schanzenbach, et al.      Expires 25 June 2022                  [Page 9]
Internet-Draft             The GNU Name System             December 2021

   K  Unused

   Figure 3 illustrates the wire format of the message string "P" on
   which the PoW is calculated.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                      POW                      |
   +-----------------------------------------------+
   |                   TIMESTAMP                   |
   +-----------------------------------------------+
   |       ZONE TYPE       |    PUBLIC ZONE KEY    |
   +-----+-----+-----+-----+                       |
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                  Figure 3

   The Wire Format of the PoW Message String.

   POW  A 64-bit solution to the PoW.  In network byte order.

   TIMESTAMP  denotes the absolute 64-bit date when the revocation was
      computed.  In microseconds since midnight (0 hour), January 1,
      1970 in network byte order.

   PUBLIC KEY  is the 256-bit public key zk of the zone which is being
      revoked and the key to be used to verify SIGNATURE.  The wire
      format of this value is defined in [RFC8032], Section 5.1.5.

   Traditionally, PoW schemes require to find a POW such that at least D
   leading zeroes are found in the hash result.  D is then referred to
   as the difficulty of the PoW.  In order to reduce the variance in
   time it takes to calculate the PoW, we require that a number Z
   different PoWs must be found that on average have D leading zeroes.

   The resulting proofs may then published and disseminated.  The
   concrete dissemination and publication methods are out of scope of
   this document.  Given an average difficulty of D, the proofs have an
   expiration time of EPOCH.  With each additional bit difficulty, the
   lifetime of the proof is prolonged for another EPOCH.  Consequently,
   by calculating a more difficult PoW, the lifetime of the proof can be
   increased on demand by the zone owner.

   The parameters are defined as follows:

   Z  The number of PoWs required is fixed at 32.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 10]
Internet-Draft             The GNU Name System             December 2021

   D  The difficulty is fixed at 22.

   EPOCH  A single epoch is fixed at 365 days.

   The revocation message wire format is illustrated in Figure 4.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   TIMESTAMP                   |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                      TTL                      |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                     POW_0                     |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                       ...                     |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                     POW_Z-1                   |
   +-----------------------------------------------+
   |       ZONE TYPE       |    PUBLIC ZONE KEY    |
   +-----+-----+-----+-----+                       |
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   SIGNATURE                   |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                  Figure 4

   The Revocation Message Wire Format.

   TIMESTAMP  denotes the absolute 64-bit date when the revocation was
      computed.  In microseconds since midnight (0 hour), January 1,
      1970 in network byte order.  This is the same value as the
      timestamp used in the individual PoW calculations.

   TTL  denotes the relative 64-bit time to live of of the record in
      microseconds also in network byte order.  This field is
      informational for a verifier.  The verifier may discard revocation
      if the TTL indicates that it is already expired.  However, the
      actual TTL of the revocation must be determined by examining the
      leading zeros in the proof of work calculation.

   POW_i  The values calculated as part of the PoW, in network byte

Schanzenbach, et al.      Expires 25 June 2022                 [Page 11]
Internet-Draft             The GNU Name System             December 2021

      order.  Each POW_i MUST be unique in the set of POW values.  To
      facilitate fast verification of uniqueness, the POW values must be
      given in strictly monotonically increasing order in the message.

   ZONE TYPE  The 32-bit zone type corresponding to the zone public key.

   ZONE PUBLIC KEY  is the public key zk of the zone which is being
      revoked and the key to be used to verify SIGNATURE.

   SIGNATURE  A signature over a timestamp and the public zone zk of the
      zone which is revoked and corresponds to the key used in the PoW.
      The signature is created using the Sign() function of the
      cryptosystem of the zone and the private zone key (see
      Section 3.1).

   The signature over the public key covers a 32-bit pseudo header
   conceptually prefixed to the public key.  The pseudo header includes
   the key length and signature purpose.  The wire format is illustrated
   in Figure 5.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |         SIZE (0x30)   |       PURPOSE (0x03)  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   TIMESTAMP                   |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |       ZONE TYPE       |     ZONE PUBLIC KEY   |
   +-----+-----+-----+-----+                       |
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                  Figure 5

   The Wire Format of the Revocation Data for Signing.

   SIZE  A 32-bit value containing the length of the signed data in
      bytes in network byte order.

   PURPOSE  A 32-bit signature purpose flag.  This field MUST be 3 (in
      network byte order).

   ZONE TYPE  The 32-bit zone type corresponding to the zone public key.

   ZONE PUBLIC KEY / TIMESTAMP  Both values as defined in the revocation
      data object above.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 12]
Internet-Draft             The GNU Name System             December 2021

   In order to verify a revocation the following steps must be taken, in
   order:

   1.  The current time MUST be between TIMESTAMP and TIMESTAMP+TTL.

   2.  The signature MUST match the public key.

   3.  The set of POW values MUST NOT contain duplicates.

   4.  The average number of leading zeroes resulting from the provided
       POW values D' MUST be greater than D.

   5.  The validation period (TTL) of the revocation is calculated as
       (D'-D) * EPOCH * 1.1.  The EPOCH is extended by 10% in order to
       deal with unsynchronized clocks.  The TTL added on top of the
       TIMESTAMP yields the expiration date.

4.  Resource Records

   A GNS implementer MUST provide a mechanism to create and manage
   resource records for local zones.  A local zone is established by
   selecting a zone type and creating a zone key pair.  As records may
   be added to each created zone, a (local) persistency mechanism such
   as a database for resource records and zones must be provided.  This
   local zone database is used by the name resolution logic and serves
   as a basis for publishing zones into the GNS storage (see Section 5).

   A GNS resource record holds the data of a specific record in a zone.
   The resource record format is defined in Figure 6.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   EXPIRATION                  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |       DATA SIZE       |          TYPE         |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |           FLAGS       |        DATA           /
   +-----+-----+-----+-----+                       /
   /                                               /
   /                                               /

                                  Figure 6

   The Resource Record Wire Format.

   EXPIRATION  denotes the absolute 64-bit expiration date of the
      record.  In microseconds since midnight (0 hour), January 1, 1970
      in network byte order.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 13]
Internet-Draft             The GNU Name System             December 2021

   DATA SIZE  denotes the 32-bit size of the DATA field in bytes and in
      network byte order.

   TYPE  is the 32-bit resource record type.  This type can be one of
      the GNS resource records as defined in Section 4 or a DNS record
      type as defined in [RFC1035] or any of the complementary
      standardized DNS resource record types.  This value must be stored
      in network byte order.  Note that values below 2^16 are reserved
      for allocation via IANA ([RFC6895]), while values above 2^16 are
      allocated by the GNUnet Assigned Numbers Authority [GANA].

   FLAGS  is a 32-bit resource record flags field (see below).

   DATA  the variable-length resource record data payload.  The contents
      are defined by the respective type of the resource record.

   Flags indicate metadata surrounding the resource record.  A flag
   value of 0 indicates that all flags are unset.  Applications creating
   resource records MUST set all bits which are not defined as a flag to
   0.  Additional flags may be defined in future protocol versions.  If
   an application or implementation encounters a flag which it does not
   recognize, it MUST be ignored.  Figure 7 illustrates the flag
   distribution in the 32-bit flag value of a resource record:

    0        1        2        3        4        5...
   +--------+--------+--------+--------+--------+----
   |RESERVED|PRIVATE |SUPPL   |EXPREL  | SHADOW | ...
   +--------+--------+--------+--------+--------+----

                                  Figure 7

   The Resource Record Flag Wire Format.

   SHADOW  If this flag is set, this record should be ignored by
      resolvers unless all (other) records of the same record type have
      expired.  Used to allow zone publishers to facilitate good
      performance when records change by allowing them to put future
      values of records into the storage.  This way, future values can
      propagate and may be cached before the transition becomes active.

   EXPREL  The expiration time value of the record is a relative time
      (still in microseconds) and not an absolute time.  This flag
      should never be encountered by a resolver for records obtained
      from the storage, but might be present when a resolver looks up
      private records of a zone hosted locally.

   SUPPL  This is a supplemental record.  It is provided in addition to

Schanzenbach, et al.      Expires 25 June 2022                 [Page 14]
Internet-Draft             The GNU Name System             December 2021

      the other records.  This flag indicates that this record is not
      explicitly managed alongside the other records under the
      respective name but may be useful for the application.  This flag
      should only be encountered by a resolver for records obtained from
      the storage.

   PRIVATE  This is a private record of this peer and it should thus not
      be published.  Thus, this flag should never be encountered by a
      resolver for records obtained from the storage.  Private records
      should still be considered just like regular records when
      resolving labels in local zones.

4.1.  Zone Delegation Records

   This section defines the initial set of zone delegation record types.
   Any implementation MUST support at least one of the zone types and
   MAY support any number of additional delegation records defined in
   the GNU Name System Record Types registry Section 9.  Zone delegation
   records MUST NOT be stored and published under the empty label.

4.1.1.  PKEY

   In GNS, a delegation of a label to a zone of type "PKEY" is
   represented through a PKEY record.  The PKEY number is a zone type
   and thus also implies the cryptosystem for the zone that is being
   delegated to.  A PKEY resource record contains the public key of the
   zone to delegate to.  A PKEY record MUST be the only record under a
   label.  No other records are allowed.  The PKEY DATA entry wire
   format can be found found in Figure 8.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   PUBLIC KEY                  |
   |                                               |
   |                                               |
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                  Figure 8

   The PKEY Wire Format.

   PUBLIC KEY  A 256-bit ECDSA zone key.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 15]
Internet-Draft             The GNU Name System             December 2021

   For PKEY zones the zone key material is derived using the curve
   parameters of the twisted edwards representation of Curve25519
   [RFC7748] (a.k.a. edwards25519) with the ECDSA scheme ([RFC6979]).
   Consequently, we use the following naming convention for our
   cryptographic primitives for PKEY zones:

   d  is a 256-bit ECDSA private zone key.  The generation of the
      private scalar as defined in Section 2.2. of [RFC6979] represents
      the Private-KeyGen() function.

   zk  is the ECDSA public zone key corresponding to d.  Its generation
      is defined in Section 2.2. of [RFC6979] as the curve point d*G
      where G is the group generator of the elliptic curve.  This
      generation represents the Public-KeyGen(d) function.

   p  is the prime of edwards25519 as defined in [RFC7748], i.e.  2^255
      - 19.

   G  is the group generator (X(P),Y(P)) of edwards25519 as defined in
      [RFC7748].

   L  is the prime-order subgroup of edwards25519 in [RFC7748].

   The zone identifier of a PKEY is 32 + 4 bytes in length.  This means
   that a zTLD will always fit into a single label and does not need any
   further conversion.

   Given a label, the output d' of the ZKDF-Private(d,label) function
   for zone key blinding is calculated as follows for PKEY zones:

   zk := d * G
   PRK_h := HKDF-Extract ("key-derivation", zk)
   h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
   d' := h * d mod L

   Equally, given a label, the output zk' of the ZKDF-Public(zk,label)
   function is calculated as follows for PKEY zones:

   PRK_h := HKDF-Extract ("key-derivation", zk)
   h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
   zk' := h mod L * zk

   The PKEY cryptosystem uses a hash-based key derivation function
   (HKDF) as defined in [RFC5869], using HMAC-SHA512 for the extraction
   phase and HMAC-SHA256 for the expansion phase.  PRK_h is key material
   retrieved using an HKDF using the string "key-derivation" as salt and
   the public zone key as initial keying material.  h is the 512-bit
   HKDF expansion result and must be interpreted in network byte order.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 16]
Internet-Draft             The GNU Name System             December 2021

   The expansion information input is a concatenation of the label and
   the string "gns".  The label is a UTF-8 string under which the
   resource records are published.  The multiplication of zk with h is a
   point multiplication, while the multiplication of d with h is a
   scalar multiplication.

   The Sign() and Verify() functions for PKEY zones are implemented
   using 512-bit ECDSA deterministic signatures as specified in
   [RFC6979].

   The S-Encrypt() and S-Decrypt() functions use AES in counter mode as
   defined in [MODES] (CTR-AES-256):

   DATA := CTR-AES256(K, IV, CIPHERTEXT)
   CIPHERTEXT := CTR-AES256(K, IV, DATA)

   The key K and counter IV are derived from the record label and the
   zone key zk as follows:

   PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
   PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
   K := HKDF-Expand (PRK_k, label, 256 / 8);
   NONCE := HKDF-Expand (PRK_n, label, 32 / 8)

   HKDF is a hash-based key derivation function as defined in [RFC5869].
   Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-
   SHA256 for the expansion phase.  The output keying material is 32
   bytes (256 bits) for the symmetric key and 4 bytes (32 bits) for the
   nonce.  The symmetric key K is a 256-bit AES [RFC3826] key.

   The nonce is combined with a 64-bit initialization vector and a
   32-bit block counter as defined in [RFC3686].  The block counter
   begins with the value of 1, and it is incremented to generate
   subsequent portions of the key stream.  The block counter is a 32-bit
   integer value in network byte order.  The initialization vector is
   the expiration time of the resource record block in network byte
   order.  The resulting counter (IV) wire format can be found in
   Figure 9.

   0     8     16    24    32
   +-----+-----+-----+-----+
   |         NONCE         |
   +-----+-----+-----+-----+
   |       EXPIRATION      |
   |                       |
   +-----+-----+-----+-----+
   |      BLOCK COUNTER    |
   +-----+-----+-----+-----+

Schanzenbach, et al.      Expires 25 June 2022                 [Page 17]
Internet-Draft             The GNU Name System             December 2021

                                  Figure 9

   The Block Counter Wire Format.

4.1.2.  EDKEY

   In GNS, a delegation of a label to a zone of type "EDKEY" is
   represented through a EDKEY record.  The EDKEY number is a zone type
   and thus also implies the cryptosystem for the zone that is being
   delegated to.  An EDKEY resource record contains the public key of
   the zone to delegate to.  A EDKEY record MUST be the only record
   under a label.  No other records are allowed.  The EDKEY DATA entry
   wire format is illustrated in Figure 10.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   PUBLIC KEY                  |
   |                                               |
   |                                               |
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 10

   The EDKEY DATA Wire Format.

   PUBLIC KEY  A 256-bit EdDSA zone key.

   For EDKEY zones the zone key material is derived using the curve
   parameters of the twisted edwards representation of Curve25519
   [RFC7748] (a.k.a. edwards25519) with the Ed25519-SHA-512 scheme
   [ed25519].  Consequently, we use the following naming convention for
   our cryptographic primitives for EDKEY zones:

   d  is a 256-bit EdDSA private zone key.  The generation as defined in
      Section 3.2. of [RFC8032] and represents the Private-KeyGen()
      function.

   a  is is an integer derived from d using the SHA512 hash function as
      defined in [ed25519].

   zk  is the EdDSA public zone key corresponding to d.  It is defined
      in Section 3.2 of [RFC8032] as the curve point a*G where G is the
      group generator of the elliptic curve and a is an integer derived
      from d using the SHA512 hash function.  This generation including
      the derivation of a represents the Public-KeyGen(d) function.

   p  is the prime of edwards25519 as defined in [RFC7748], i.e.  2^255

Schanzenbach, et al.      Expires 25 June 2022                 [Page 18]
Internet-Draft             The GNU Name System             December 2021

      - 19.

   G  is the group generator (X(P),Y(P)) of edwards25519 as defined in
      [RFC7748].

   L  is the prime-order subgroup of edwards25519 in [RFC7748].

   The zone identifier of an EDKEY is 32 + 4 bytes in length.  This
   means that a zTLD will always fit into a single label and does not
   need any further conversion.

   The "EDKEY" ZKDF instantiation is based on [Tor224].  Given a label,
   the output of the ZKDF-Private function for zone key blinding is
   calculated as follows for EDKEY zones:

   zk := a * G
   PRK_h := HKDF-Extract ("key-derivation", zk)
   h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
   h[31] &= 7
   a1 := a / 8 /* 8 is the cofactor of Curve25519 */
   a2 := h * a1 mod L
   a' = a2 * 8 /* 8 is the cofactor of Curve25519 */

   Equally, given a label, the output of the ZKDF-Public function is
   calculated as follows for PKEY zones:

   PRK_h := HKDF-Extract ("key-derivation", zk)
   h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
   h[31] &= 7  // Implies h mod L == h
   zk' := h * zk

   We note that implementers must employ a constant time scalar
   multiplication for the constructions above.  Also, implementers must
   ensure that the private key a is an ed25519 private key and
   specifically that "a[0] & 7 == 0" holds.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 19]
Internet-Draft             The GNU Name System             December 2021

   The EDKEY cryptosystem uses a hash-based key derivation function
   (HKDF) as defined in [RFC5869], using HMAC-SHA512 for the extraction
   phase and HMAC-SHA256 for the expansion phase.  PRK_h is key material
   retrieved using an HKDF using the string "key-derivation" as salt and
   the public zone key as initial keying material.  The blinding factor
   h is the 512-bit HKDF expansion result.  The expansion information
   input is a concatenation of the label and the string "gns".  The
   result of the HKDF must be clamped and interpreted in network byte
   order.  a is the 256-bit integer corresponding to the 256-bit private
   zone key d.  The label is a UTF-8 string under which the resource
   records are published.  The multiplication of zk with h is a point
   multiplication, while the division and multiplication of a and a1
   with the cofactor are integer operations.

   Signatures for EDKEY zones using the derived private key a' are not
   compliant with [ed25519].  As the corresponding private key to the
   derived private scalar a' is not known, it is not possible to
   deterministically derive the signature part R according to [ed25519].
   Instead, signatures MUST be generated as follows for any given
   message M: A nonce is calculated from the highest 32 bytes of the
   expansion of the private key d and the blinding factor h.  The nonce
   is then hashed with the message M to r.  This way, we include the
   full derivation path in the calculation of the R value of the
   signature, ensuring that it is never reused for two different
   derivation paths or messages.

   dh := SHA512 (d)
   nonce := SHA256 (dh[32..63] | h)
   r := SHA512 (nonce | M)
   R := r * G
   S := r + SHA512(R | zk' | M) * a' mod L

   A signature (R,S) is valid if the following holds:

   S * G == R + SHA512(R, zk', M) * zk'

   The S-Encrypt() and S-Decrypt() functions use XSalsa20 as defined in
   [XSalsa20] (XSalsa20-Poly1305):

   DATA := XSalsa20(K, IV, CIPHERTEXT)
   CIPHERTEXT := XSalsa20(K, IV, DATA) = CIPHERTEXT | TAG

   The result of the XSalsa20 encryption function is the encrypted
   ciphertext concatenated with the 128-bit authentication tag TAG.
   Accordingly, the length of encrypted data equals the length of the
   data plus the 16 bytes of the authentication tag.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 20]
Internet-Draft             The GNU Name System             December 2021

   The key K and counter IV are derived from the record label and the
   zone key zk as follows:

   PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
   PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
   K := HKDF-Expand (PRK_k, label, 256 / 8);
   NONCE := HKDF-Expand (PRK_n, label, 32 / 8)

   HKDF is a hash-based key derivation function as defined in [RFC5869].
   Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-
   SHA256 for the expansion phase.  The output keying material is 32
   bytes (256 bits) for the symmetric key and 16 bytes (128 bits) for
   the NONCE.  The symmetric key K is a 256-bit XSalsa20 [XSalsa20] key.
   No additional authenticated data (AAD) is used.

   The nonce is combined with an 8 byte initialization vector.  The
   initialization vector is the expiration time of the resource record
   block in network byte order.  The resulting counter (IV) wire format
   is illustrated in Figure 11.

   0     8     16    24    32
   +-----+-----+-----+-----+
   |         NONCE         |
   |                       |
   |                       |
   |                       |
   +-----+-----+-----+-----+
   |       EXPIRATION      |
   |                       |
   +-----+-----+-----+-----+

                                 Figure 11

   The Counter Block Initialization Vector

4.1.3.  GNS2DNS

   It is possible to delegate a label back into DNS through a GNS2DNS
   record.  The resource record contains a DNS name for the resolver to
   continue with in DNS followed by a DNS server.  Both names are in the
   format defined in [RFC1034] for DNS names.  A GNS2DNS DATA entry is
   illustrated in Figure 12.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 21]
Internet-Draft             The GNU Name System             December 2021

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                    DNS NAME                   |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                 DNS SERVER NAME               |
   /                                               /
   /                                               /
   |                                               |
   +-----------------------------------------------+

                                 Figure 12

   The GNS2DNS DATA Wire Format

   DNS NAME  The name to continue with in DNS.  The value is UTF-8
      encoded and 0-terminated.

   DNS SERVER NAME  The DNS server to use.  May be an IPv4/IPv6 address
      in dotted decimal form or a DNS name.  It may also be a relative
      GNS name ending with a "+" top-level domain.  The value is UTF-8
      encoded and 0-terminated.

4.2.  Auxiliary Records

   This section defines the initial set of auxiliary GNS record types.
   Any implementation MUST be able to process the specified record types
   according to Section 6.3.

4.2.1.  LEHO

   Applications can use the GNS to lookup IPv4 or IPv6 addresses of
   internet services.  However, sometimes connecting to such services
   does not only require the knowledge of an address and port, but also
   requires the canonical DNS name of the service to be transmitted over
   the transport protocol.  In GNS, legacy hostname records provide
   applications the DNS name that is required to establish a connection
   to such a service.  The most common use case is HTTP virtual hosting,
   where a DNS name must be supplied in the HTTP "Host"-header.  Using a
   GNS name for the "Host"-header may not work as it may not be globally
   unique.  A LEHO resource record is expected to be found together in a
   single resource record with an IPv4 or IPv6 address.  A LEHO DATA
   entry is illustrated in Figure 13.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 22]
Internet-Draft             The GNU Name System             December 2021

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                 LEGACY HOSTNAME               |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 13

   The LEHO DATA Wire Format.

   LEGACY HOSTNAME  A UTF-8 string (which is not 0-terminated)
      representing the legacy hostname.

   NOTE: If an application uses a LEHO value in an HTTP request header
   (e.g.  "Host:" header) it must be converted to a punycode
   representation [RFC5891].

4.2.2.  NICK

   Nickname records can be used by zone administrators to publish an the
   label that a zone prefers to have used when it is referred to.  This
   is a suggestion to other zones what label to use when creating a
   delegation record (Section 4.1) containing this zone's public zone
   key.  This record SHOULD only be stored under the empty label "@" but
   MAY be returned with record sets under any label as a supplemental
   record.  Section 6.3.6 details how a resolver must process
   supplemental and non-supplemental NICK records.  A NICK DATA entry is
   illustrated in Figure 14.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                  NICKNAME                     |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 14

   The NICK DATA Wire Format.

   NICKNAME  A UTF-8 string (which is not 0-terminated) representing the
      preferred label of the zone.  This string MUST NOT include a "."
      character.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 23]
Internet-Draft             The GNU Name System             December 2021

4.2.3.  BOX

   In GNS, with the notable exception of zTLDs, every "." in a name
   delegates to another zone, and GNS lookups are expected to return all
   of the required useful information in one record set.  This is
   incompatible with the special labels used by DNS for SRV and TLSA
   records.  Thus, GNS defines the BOX record format to box up SRV and
   TLSA records and include them in the record set of the label they are
   associated with.  For example, a TLSA record for
   "_https._tcp.example.org" will be stored in the record set of
   "example.org" as a BOX record with service (SVC) 443 (https) and
   protocol (PROTO) 6 (tcp) and record TYPE "TLSA".  For reference, see
   also [RFC2782].  A BOX DATA entry is illustrated in Figure 15.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |   PROTO   |    SVC    |       TYPE            |
   +-----------+-----------------------------------+
   |                 RECORD DATA                   |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 15

   The BOX DATA Wire Format.

   PROTO  the 16-bit protocol number, e.g. 6 for tcp.  In network byte
      order.

   SVC  the 16-bit service value of the boxed record, i.e. the port
      number.  In network byte order.

   TYPE  is the 32-bit record type of the boxed record.  In network byte
      order.

   RECORD DATA  is a variable length field containing the "DATA" format
      of TYPE as defined for the respective TYPE in DNS.

4.2.4.  GTS

   The GNUnet Tunnel Service record is used by applications to establish
   a tunnel between two peers in the peer-to-peer network (see
   [GNUnet]).  In order to facilitate the use of such tunnels, the The
   GTS record serves as an example to how resolvers may automatically
   initiate tunnel establishment and provide IP address information in
   the resolution process as specified in Section 6.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 24]
Internet-Draft             The GNU Name System             December 2021

   A GTS DATA entry wire format is illustrated in Figure 16.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |          HOSTING PEER PUBLIC KEY              |
   |                (256 bits)                     |
   |                                               |
   |                                               |
   +-----------+-----------------------------------+
   |   PROTO   |    SERVICE  NAME                  |
   +-----------+                                   +
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 16

   The GTS DATA Wire Format.

   HOSTING PEER PUBLIC KEY  is a 256-bit EdDSA public key identifying
      the peer hosting the service.

   PROTO  the 16-bit tunnel protocol number.  In network byte order.
      The possible values are defined by the GNUnet Tunnel Service.

   SERVICE NAME  a shared secret used to identify the service at the
      hosting peer, used to derive the port number requird to connect to
      the service.  The service name MUST be a 0-terminated UTF-8
      string.

5.  Record Storage

   Any API which allows storing a value under a key and retrieving a
   value from the key can be used by an implementation for record
   storage.  We assume that an implementation realizes two procedures on
   top of a storage:

   PUT(key,value)
   GET(key) -> value

Schanzenbach, et al.      Expires 25 June 2022                 [Page 25]
Internet-Draft             The GNU Name System             December 2021

   Resource records are grouped by their respective labels, encrypted
   and published together in a single resource records block (RRBLOCK)
   in the storage under a key q: PUT(q, RRBLOCK).  The key q is derived
   from the zone key and the respective label of the contained records.
   The storage key derivation and records block creation is specified in
   the following sections.  A client implementation MUST enable the user
   the manage zones.  The implementation MUST use the PUT storage
   procedure in order to update the zone contents accordingly.

5.1.  The Storage Key

   Given a label, the storage key q is derived as follows:

   q := SHA512 (HDKD-Public(zk, label))

   label  is a UTF-8 string under which the resource records are
      published.

   zk  is the public zone key.

   q  Is the 512-bit storage key under which the resource records block
      is published.  It is the SHA512 hash over the derived public zone
      key.

5.2.  The Records Block (RRBLOCK)

   GNS records are grouped by their labels and published as a single
   block in the storage.  The grouped record sets MAY be paired with any
   number of supplemental records.  Supplemental records must have the
   supplemental flag set (See Section 4).  The contained resource
   records are encrypted using a symmetric encryption scheme.  A GNS
   implementation must publish RRBLOCKs in accordance to the properties
   and recommendations of the underlying storage.  This may include a
   periodic refresh publication.  The GNS RRBLOCK wire format is
   illustrated in Figure 17.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 26]
Internet-Draft             The GNU Name System             December 2021

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |       ZONE TYPE       |    PUBLIC ZONE KEY    |
   +-----+-----+-----+-----+       (BLINDED)       |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   SIGNATURE                   |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |         SIZE          |       PURPOSE         |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   EXPIRATION                  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                    BDATA                      /
   /                                               /
   /                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                                 Figure 17

   The RRBLOCK Wire Format.

   ZONE TYPE  is the 32-bit zone type.

   ZONE PUBLIC KEY  is the blinded public zone key "ZKDF-Public(zk,
      label)" to be used to verify SIGNATURE.

   SIGNATURE  The signature is computed over the data following the
      PUBLIC KEY field.  The signature is created using the Sign()
      function of the cryptosystem of the zone and the derived private
      key "ZKDF-Private(d, label)" (see Section 3.1).

   SIZE  A 32-bit value containing the length of the signed data
      following the PUBLIC KEY field in network byte order.  This value
      always includes the length of the fields SIZE (4), PURPOSE (4) and
      EXPIRATION (8) in addition to the length of the BDATA.  While a
      32-bit value is used, implementations MAY refuse to publish blocks
      beyond a certain size significantly below 4 GB.  However, a
      minimum block size of 62 kilobytes MUST be supported.

   PURPOSE  A 32-bit signature purpose flag.  For a RRBLOCK the value of
      this field MUST be 15.  The value is encoded in network byte
      order.  The value of this field corresponds to an entry in the
      GANA "GNUnet Signature Purpose" registry.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 27]
Internet-Draft             The GNU Name System             December 2021

   EXPIRATION  Specifies when the RRBLOCK expires and the encrypted
      block SHOULD be removed from the storage and caches as it is
      likely stale.  However, applications MAY continue to use non-
      expired individual records until they expire.  The value MUST be
      set to the expiration time of the resource record contained within
      this block with the smallest expiration time.  If a records block
      includes shadow records, then the maximum expiration time of all
      shadow records with matching type and the expiration times of the
      non-shadow records is considered.  This is a 64-bit absolute date
      in microseconds since midnight (0 hour), January 1, 1970 in
      network byte order.

   BDATA  The encrypted RDATA with a total size of SIZE - 16.

   A symmetric encryption scheme is used to encrypt the resource records
   set RDATA into the BDATA field of a GNS RRBLOCK.  The wire format of
   the RDATA is illustrated in Figure 18.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |     RR COUNT          |        EXPIRA-        /
   +-----+-----+-----+-----+-----+-----+-----+-----+
   /         -TION         |       DATA SIZE       |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |         TYPE          |          FLAGS        |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                      DATA                     /
   /                                               /
   /                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   EXPIRATION                  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |       DATA SIZE       |          TYPE         |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |           FLAGS       |        DATA           /
   +-----+-----+-----+-----+                       /
   /                       +-----------------------/
   /                       |                       /
   +-----------------------+                       /
   /                     PADDING                   /
   /                                               /

                                 Figure 18

   The RDATA Wire Format.

   RR COUNT  A 32-bit value containing the number of variable-length

Schanzenbach, et al.      Expires 25 June 2022                 [Page 28]
Internet-Draft             The GNU Name System             December 2021

      resource records which are following after this field in network
      byte order.

   EXPIRATION, DATA SIZE, TYPE, FLAGS and DATA  These fields were
      defined in the resource record format in Section 4.  There MUST be
      a total of RR COUNT of these resource records present.

   PADDING  When publishing an RDATA block, the implementation MUST
      ensure that the size of the RDATA WITHOUT the RR COUNT field is a
      power of two using the padding field.  The field MUST be set to
      zero and MUST be ignored on receipt.  As a special exception,
      record sets with (only) a zone delegation record type are never
      padded.  Note that a record set with a delegation record MUST NOT
      contain other records.  If other records are encountered, the
      whole record block MUST be discarded.

6.  Name Resolution

   Names in GNS are resolved by recursively querying the record storage.
   Recursive in this context means that a resolver does not provide
   iterative results for a query (as is the case with iterative DNS
   resolution).  Instead, it MUST respond to a resolution request with
   either the requested resource record or an error message in case the
   resolution fails.  In the following, we define how resolution is
   initiated and each iteration in the resolution is processed.

   GNS resolution of a name must start in a given starting zone
   indicated using a zone public key.  Details on how the starting zone
   may be determined is discussed in Section 6.1.

   When GNS name resolution is requested, a desired record type MAY be
   provided by the client.  The GNS resolver will use the desired record
   type to guide processing, for example by providing conversion of GTS
   records to A or AAAA records.  However, filtering of record sets
   according to the required record types MUST still be done by the
   client after the resource record set is retrieved.

6.1.  Root Zone

   The resolution of a GNS name must start in a given start zone
   indicated to the resolver using any public zone key.  The local
   resolver may have a local start zone configured/hard-coded which
   points to a local or remote start zone key.  A resolver client may
   also determine the start zone from the suffix of the name given for
   resolution or using information retrieved out of band.  The
   governance model of any zone is at the sole discretion of the zone
   owner.  However, the choice of start zone(s) is at the sole
   discretion of the local system administrator or user.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 29]
Internet-Draft             The GNU Name System             December 2021

   In the following, we give examples how a local client resolver SHOULD
   discover the start zone.  The process given is not exhaustive and
   clients MAY supplement it with other mechanisms or ignore it if the
   particular application requires a different process.

   GNS clients MUST first try to interpret the top-level domain of a GNS
   name as a zone key representation (i.e. a zTLD).  If the top-level
   domain is indicated to be a label representation of a public zone key
   with a supported zone type value, the root zone of the resolution
   process is implicitly given by the suffix of the name:

   Example name: www.example.<zTLD>
   => Root zone: zk of type ztype
   => Name to resolve from root zone: www.example

   In GNS, users MAY own and manage their own zones.  Each local zone
   SHOULD be associated with a single GNS label, but users MAY choose to
   use longer names consisting of multiple labels.  If the name of a
   locally managed zone matches the suffix of the name to be resolved,
   resolution MUST start from the respective local zone:

   Example name: www.example.org
   Local zones:
   fr = (d0,zk0)
   org = (d1,zk1)
   com = (d2,zk2)
   ...
   => Root zone: zk1
   => Name to resolve from root zone: www.example

   Finally, additional "suffix-to-zone" mappings MAY be configured.
   Suffix to zone key mappings MUST be configurable through a local
   configuration file or database by the user or system administrator.
   The suffix MAY consist of multiple GNS labels concatenated with a
   ".".  If multiple suffixes match the name to resolve, the longest
   matching suffix MUST be used.  The suffix length of two results MUST
   NOT be equal.  This indicates a misconfiguration and the
   implementation MUST return an error.  If both a locally managed zone
   and a configuration entry exist for the same suffix, the locally
   managed zone MUST have priority.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 30]
Internet-Draft             The GNU Name System             December 2021

   Example name: www.example.org
   Local suffix mappings:
   gnu = zk0
   example.org = zk1
   example.com = zk2
   ...
   => Root zone: zk1
   => Name to resolve from root zone: www

6.2.  Recursion

   In each step of the recursive name resolution, there is an
   authoritative zone zk and a name to resolve.  The name may be empty.
   Initially, the authoritative zone is the start zone.  If the name is
   empty, it is interpreted as the apex label "@".

   From here, the following steps are recursively executed, in order:

   1.  Extract the right-most label from the name to look up.

   2.  Calculate q using the label and zk as defined in Section 5.1.

   3.  Perform a storage query GET(q) to retrieve the RRBLOCK.

   4.  Verify and process the RRBLOCK and decrypt the BDATA contained in
       it as defined by its zone type (see also Section 5.2).

   Upon receiving the RRBLOCK from the storage, apart from verifying the
   provided signature, the resolver MUST check that the authoritative
   zone key was used to sign the record: The derived zone key zk' MUST
   match the public key provided in the RRBLOCK, otherwise the RRBLOCK
   MUST be ignored and the storage lookup GET(q) MUST continue.

6.3.  Record Processing

   Record processing occurs at the end of a single recursion.  We assume
   that the RRBLOCK has been cryptographically verified and decrypted.
   At this point, we must first determine if we have received a valid
   record set in the context of the name we are trying to resolve:

   *  Case 1: If the remainder of the name to resolve is empty and the
      record set does not consist of a delegation, CNAME or DNS2GNS
      record, the record set is the result and the recursion is
      concluded.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 31]
Internet-Draft             The GNU Name System             December 2021

   *  Case 2: If the name to be resolved is of the format
      "_SERVICE._PROTO" and the record set contains one or more matching
      BOX records, the records in the BOX records are the result and the
      recusion is concluded (Section 6.3.4).

   *  Case 3: If the remainder of the name to resolve is not empty and
      does not match the "_SERVICE._PROTO" syntax, then the current
      record set MUST consist of a single delegation record
      (Section 6.3.1), a single CNAME record (Section 6.3.3), or one or
      more GNS2DNS records (Section 6.3.2), which are processed as
      described in the respective sections below.  The record set may
      include any number of supplemental records.  Otherwise, resolution
      fails and the resolver MUST return an empty record set.  Finally,
      after the recursion terminates, the client preferences for the
      record type MUST be considered and possible conversions such as
      defined in Section 6.3.5 MUST be performed.

6.3.1.  Zone Delegation Records

   When the resolver encounters a record of a supported zone delegation
   record type (such as PKEY or EDKEY) and the remainder of the name is
   not empty, resolution continues recursively with the remainder of the
   name in the GNS zone specified in the delegation record.
   Implementations MUST NOT allow multiple different zone type
   delegations under a single label.  Implementations MAY support any
   subset of zone types.  If an unsupported zone type is encountered,
   resolution fails and an error MUST be returned.  The information that
   the zone type is unknown SHOULD be returned in the error description.
   The implementation MAY choose not to return the reason for the
   failure, merely impacting troubleshooting information for the user.
   Implementations MUST NOT process zone delegation for the empty apex
   label "@".  Upon encountering a zone delegation record under this
   label, resolution fails and an error MUST be returned.  The
   implementation MAY choose not to return the reason for the failure,
   merely impacting troubleshooting information for the user.

   If the remainder of the name to resolve is empty and we have received
   a record set containing only a single delegation record, the
   recursion is continued with the record value as authoritative zone
   and the empty apex label "@" as remaining name, except in the case
   where the desired record type is equal to the zone type, in which
   case the delegation record is returned and the resolution is
   concluded without resolving the empty apex label.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 32]
Internet-Draft             The GNU Name System             December 2021

6.3.2.  GNS2DNS

   When a resolver encounters one or more GNS2DNS records and the
   remaining name is empty and the desired record type is GNS2DNS, the
   GNS2DNS records are returned.

   Otherwise, it is expected that the resolver first resolves the IP
   addresses of the specified DNS name servers.  GNS2DNS records MAY
   contain numeric IPv4 or IPv6 addresses, allowing the resolver to skip
   this step.  The DNS server names may themselves be names in GNS or
   DNS.  If the DNS server name ends in ".+", the rest of the name is to
   be interpreted relative to the zone of the GNS2DNS record.  If the
   DNS server name ends in a label representation of a zone key, the DNS
   server name is to be resolved against the GNS zone zk.

   Multiple GNS2DNS records may be stored under the same label, in which
   case the resolver MUST try all of them.  The resolver MAY try them in
   any order or even in parallel.  If multiple GNS2DNS records are
   present, the DNS name MUST be identical for all of them, if not the
   resolution fails and an emtpy record set is returned as the record
   set is invalid.

   Once the IP addresses of the DNS servers have been determined, the
   DNS name from the GNS2DNS record is appended to the remainder of the
   name to be resolved, and resolved by querying the DNS name server(s).
   As the DNS servers specified are possibly authoritative DNS servers,
   the GNS resolver MUST support recursive resolution and MUST NOT
   delegate this to the authoritative DNS servers.  The first successful
   recursive name resolution result is returned to the client.  In
   addition, the resolver returns the queried DNS name as a supplemental
   LEHO record (Section 4.2.1) with a relative expiration time of one
   hour.

   GNS resolvers MUST offer a configuration option to disable DNS
   processing to avoid information leakage and provide a consistent
   security profile for all name resolutions.  Such resolvers would
   return an empty record set upon encountering a GNS2DNS record during
   the recursion.  However, if GNS2DNS records are encountered in the
   record set for the apex and a GNS2DNS record is expicitly requested
   by the application, such records MUST still be returned, even if DNS
   support is disabled by the GNS resolver configuration.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 33]
Internet-Draft             The GNU Name System             December 2021

6.3.3.  CNAME

   If a CNAME record is encountered, the canonical name is appended to
   the remaining name, except if the remaining name is empty and the
   desired record type is CNAME, in which case the resolution concludes
   with the CNAME record.  If the canonical name ends in ".+",
   resolution continues in GNS with the new name in the current zone.
   Otherwise, the resulting name is resolved via the default operating
   system name resolution process.  This may in turn again trigger a GNS
   resolution process depending on the system configuration.

   The recursive DNS resolution process may yield a CNAME as well which
   in turn may either point into the DNS or GNS namespace (if it ends in
   a label representation of a zone key).  In order to prevent infinite
   loops, the resolver MUST implement loop detections or limit the
   number of recursive resolution steps.  If the last CNAME was a DNS
   name, the resolver returns the DNS name as a supplemental LEHO record
   (Section 4.2.1) with a relative expiration time of one hour.

6.3.4.  BOX

   When a BOX record is received, a GNS resolver must unbox it if the
   name to be resolved continues with "_SERVICE._PROTO".  Otherwise, the
   BOX record is to be left untouched.  This way, TLSA (and SRV) records
   do not require a separate network request, and TLSA records become
   inseparable from the corresponding address records.

6.3.5.  GTS

   At the end of the recursion, if the queried record type is either A
   or AAAA and the retrieved record set contains at least one GTS
   record, the resolver SHOULD open a tunnel and return the IPv4 or IPv6
   tunnel address, respectively.  If the implementation does not have
   the capacity to establish a GTS tunnel, for example because it is not
   connected to the GNUnet network, the record set MUST be returned as
   retrieved from the network.

6.3.6.  NICK

   NICK records are only relevant to the recursive resolver if the
   record set in question is the final result which is to be returned to
   the client.  The encountered NICK records may either be supplemental
   (see Section 4) or non-supplemental.  If the NICK record is
   supplemental, the resolver only returns the record set if one of the
   non-supplemental records matches the queried record type.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 34]
Internet-Draft             The GNU Name System             December 2021

   The differentiation between a supplemental and non-supplemental NICK
   record allows the client to match the record to the authoritative
   zone.  Consider the following example:

   Query: alice.example (type=A)
   Result:
   A: 192.0.2.1
   NICK: eve

   In this example, the returned NICK record is non-supplemental.  For
   the client, this means that the NICK belongs to the zone "alice.doe"
   and is published under the empty label along with an A record.  The
   NICK record should be interpreted as: The zone defined by "alice.doe"
   wants to be referred to as "eve".  In contrast, consider the
   following:

   Query: alice.example (type=AAAA)
   Result:
   AAAA: 2001:DB8::1
   NICK: john (Supplemental)

   In this case, the NICK record is marked as supplemental.  This means
   that the NICK record belongs to the zone "doe" and is published under
   the label "alice" along with an A record.  The NICK record should be
   interpreted as: The zone defined by "doe" wants to be referred to as
   "john".  This distinction is likely useful for other records
   published as supplemental.

7.  Internationalization and Character Encoding

   All labels in GNS are encoded in UTF-8 [RFC3629].  This does not
   include any DNS names found in DNS records, such as CNAME records,
   which are internationalized through the IDNA specifications
   [RFC5890].

8.  Security and Privacy Considerations

8.1.  Cryptography

   The security of cryptographic systems depends on both the strength of
   the cryptographic algorithms chosen and the strength of the keys used
   with those algorithms.  The security also depends on the engineering
   of the protocol used by the system to ensure that there are no non-
   cryptographic ways to bypass the security of the overall system.
   This is why developers of applications managing GNS zones SHOULD
   select a default zone type considered secure at the time of releasing
   the software.  For applications targetting end users that are not
   expected to understand cryptography, the application developer MUST

Schanzenbach, et al.      Expires 25 June 2022                 [Page 35]
Internet-Draft             The GNU Name System             December 2021

   NOT leave the zone type selection of new zones to end users.

   This document concerns itself with the selection of cryptographic
   algorithms for use in GNS.  The algorithms identified in this
   document are not known to be broken (in the cryptographic sense) at
   the current time, and cryptographic research so far leads us to
   believe that they are likely to remain secure into the foreseeable
   future.  However, this isn't necessarily forever, and it is expected
   that new revisions of this document will be issued from time to time
   to reflect the current best practices in this area.

   GNS PKEY zone keys use ECDSA over Curve25519.  This is an
   unconventional choice, as ECDSA is usually used with other curves.
   However, traditional ECDSA curves are problematic for a range of
   reasons described in the Curve25519 and EdDSA papers.  Using EdDSA
   directly is also not possible, as a hash function is used on the
   private key which destroys the linearity that the GNU Name System
   depends upon.  We are not aware of anyone suggesting that using
   Curve25519 instead of another common curve of similar size would
   lower the security of ECDSA.  GNS uses 256-bit curves because that
   way the encoded (public) keys fit into a single DNS label, which is
   good for usability.

   In terms of crypto-agility, whenever the need for an updated
   cryptographic scheme arises to, for example, replace ECDSA over
   Curve25519 for PKEY records it may simply be introduced through a new
   record type.  Such a new record type may then replace the delegation
   record type for future records.  The old record type remains and
   zones can iteratively migrate to the updated zone keys.

   In order to ensure ciphertext indistinguishability, care must be
   taken with respect to the initialization vector in the counter block.
   In our design, the IV is always the expiration time of the record
   block.  For blocks with relative expiration times it is implicitly
   ensured that each time a block is published into the storage, its IV
   is unique as the expiration time is calculated dynamically and
   increases monotonically.  For blocks with absolute expiration times,
   the implementation MUST ensure that the expiration time is modified
   when the record data changes.  For example. the expiration time may
   be increased by a single microsecond.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 36]
Internet-Draft             The GNU Name System             December 2021

8.2.  Abuse Mitigation

   GNS names are UTF-8 strings.  Consequently, GNS faces similar issues
   with respect to name spoofing as DNS does for internationalized
   domain names.  In DNS, attackers may register similar sounding or
   looking names (see above) in order to execute phishing attacks.  GNS
   zone administrators must take into account this attack vector and
   incorporate rules in order to mitigate it.

   Further, DNS can be used to combat illegal content on the internet by
   having the respective domains seized by authorities.  However, the
   same mechanisms can also be abused in order to impose state
   censorship, which ist one of the motivations behind GNS.  Hence, such
   a seizure is, by design, difficult to impossible in GNS.  In
   particular, GNS does not support WHOIS ([RFC3912]).

8.3.  Zone Management

   In GNS, zone administrators need to manage and protect their zone
   keys.  Once a zone key is lost it cannot be recovered.  Once it is
   compromised it cannot be revoked (unless a revocation message was
   pre-calculated and is still available).  Zone administrators, and for
   GNS this includes end-users, are required to responsibly and
   dilligently protect their cryptographic keys.  Offline signing is in
   principle possible, but GNS does not support separate zone signing
   and key-signing keys (as in [RFC6781]) in order to provide usable
   security.

   Similarly, users are required to manage their local root zone.  In
   order to ensure integrity and availability or names, users must
   ensure that their local root zone information is not compromised or
   outdated.  It can be expected that the processing of zone revocations
   and an initial root zone is provided with a GNS client implementation
   ("drop shipping").  Extension and customization of the zone is at the
   full discretion of the user.

8.4.  Impact of DHTs as Underlying Storage

   This document does not specifiy the properties of the underlying
   storage which is required by any GNS implementation.  For
   implementers using a DHT as underlying storage, it is important to
   note that the properties of the DHT are directly inherited by the GNS
   implementation.  This includes both security as well as other non-
   functional properties such as scalability and performance.
   Implementers should take great care when selecting or implementing a
   DHT for use in a GNS implementation.  DHTs with strong security and
   performance guarantees exist [R5N].  It should also be taken into
   consideration that GNS implementations which build upon different DHT

Schanzenbach, et al.      Expires 25 June 2022                 [Page 37]
Internet-Draft             The GNU Name System             December 2021

   overlays are unlikely to be interoperable with each other.

8.5.  Revocations

   Zone administrators are advised to pre-generate zone revocations and
   securely store the revocation information in case the zone key is
   lost, compromised or replaced in the furture.  Pre-calculated
   revocations may become invalid due to expirations or protocol changes
   such as epoch adjustments.  Consequently, implementers and users must
   make precautions in order to manage revocations accordingly.

   Revocation payloads do NOT include a 'new' key for key replacement.
   Inclusion of such a key would have two major disadvantages:

   If revocation is used after a private key was compromised, allowing
   key replacement would be dangerous: if an adversary took over the
   private key, the adversary could then broadcast a revocation with a
   key replacement.  For the replacement, the compromised owner would
   have no chance to issue even a revocation.  Thus, allowing a
   revocation message to replace a private key makes dealing with key
   compromise situations worse.

   Sometimes, key revocations are used with the objective of changing
   cryptosystems.  Migration to another cryptosystem by replacing keys
   via a revocation message would only be secure as long as both
   cryptosystems are still secure against forgery.  Such a planned, non-
   emergency migration to another cryptosystem should be done by running
   zones for both ciphersystems in parallel for a while.  The migration
   would conclude by revoking the legacy zone key only once it is deemed
   no longer secure, and hopefully after most users have migrated to the
   replacement.

8.6.  Label Guessing

   Record blocks are published encrypted using keys derived from the
   zone public key and record label.  Zone administrators should
   carefully consider if the label and zone key may be public or if
   those should be used and considered as a shared secret.  Unlike zone
   keys, labels can also be guessed by an attacker in the network
   observing queries and responses.  Given a known and targeted zone
   public key, the use of well known or easily guessable labels
   effectively result in general disclosure of the records to the
   public.  If the labels and hence the records should be kept secret
   except to those knowing a secret label and the zone in which to look,
   the label must be chosen accordingly.  It is recommended to then use
   a label with sufficient entropy as to prevent guessing attacks.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 38]
Internet-Draft             The GNU Name System             December 2021

   It should be noted that this attack on labels only applies if the
   zone public key is somehow disclosed to the adversary.  GNS itself
   does not disclose it during a lookup or when resource records are
   published as the zone keys are blinded beforehand.

9.  GANA Considerations

   GANA [GANA] is requested to create an "GNU Name System Record Types"
   registry.  The registry shall record for each entry:

   *  Name: The name of the record type (case-insensitive ASCII string,
      restricted to alphanumeric characters.  For zone delegation
      records, the assigned number represents the ztype value of the
      zone.

   *  Number: 32-bit, above 65535

   *  Comment: Optionally, a brief English text describing the purpose
      of the record type (in UTF-8)

   *  Contact: Optionally, the contact information of a person to
      contact for further information.

   *  References: Optionally, references describing the record type
      (such as an RFC)

   The registration policy for this sub-registry is "First Come First
   Served".  This policy is modeled on that described in [RFC8126], but
   describes the actions taken by GANA.

   Adding records is possible after expert review, using a first-come-
   first-served policy for unique name allocation.  Experts are
   responsible to ensure that the chosen "Name" is appropriate for the
   record type.  The registry will assign a unique number for the entry.

   The current contact(s) for expert review are reachable at gns-
   registry@gnunet.org.

   Any request MUST contain a unique name and a point of contact.  The
   contact information MAY be added to the registry given the consent of
   the requestor.  The request MAY optionally also contain relevant
   references as well as a descriptive comment as defined above.

   GANA is requested to populate this registry as listed in Figure 19.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 39]
Internet-Draft             The GNU Name System             December 2021

   Number | Name    | Contact | References | Comment
   -------+---------+---------+------------+-------------------------
   65536  | PKEY    | N/A     | [This.I-D] | GNS zone delegation (PKEY)
   65537  | NICK    | N/A     | [This.I-D] | GNS zone nickname
   65538  | LEHO    | N/A     | [This.I-D] | GNS legacy hostname
   65539  | GTS     | N/A     | [This.I-D] | GTS tunnel metadata
   65540  | GNS2DNS | N/A     | [This.I-D] | Delegation to DNS
   65556  | EDKEY   | N/A     | [This.I-D] | GNS zone delegation (EDKEY)

                                 Figure 19

   The GANA Resource Record Registry.

   GANA is requested to amend the "GNUnet Signature Purpose" registry as
   illustrated in Figure 20.

   Purpose | Name            | References | Comment
   --------+-----------------+------------+--------------------------
     3     | GNS_REVOCATION  | [This.I-D] | GNS zone key revocation
    15     | GNS_RECORD_SIGN | [This.I-D] | GNS record set signature

                                 Figure 20

   Requested Changes in the GANA GNUnet Signature Purpose Registry.

10.  IANA Considertations

   This document makes no requests for IANA action.  This section may be
   removed on publication as an RFC.

11.  Implementation and Deployment Status

   There are two implementations conforming to this specification
   written in C and Go, respectively.  The C implementation as part of
   GNUnet [GNUnetGNS] represents the original and reference
   implementation.  The Go implementation [GoGNS] demonstrates how two
   implementations of GNS are interoperable given that they are built on
   top of the same underlying DHT storage.

   Currently, the GNUnet peer-to-peer network [GNUnet] is an active
   deployment of GNS on top of its [R5N] DHT.  The [GoGNS]
   implementation uses this deployment by building on top of the GNUnet
   DHT services available on any GNUnet peer.  It shows how GNS
   implementations and client resolvers can attach to this existing
   deployment and participate in name resolution as well as zone
   publication.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 40]
Internet-Draft             The GNU Name System             December 2021

12.  Test Vectors

   The following represents a test vector for a record set with a DNS
   record of type "A" as well as a GNS record of type "PKEY" under the
   label "test".

   Zone private key (d, little-endian, with ztype prepended):
   00010000c004a6d4
   9668ff30d8316b9c
   2c1f242d16985f48
   e7467aff2d4d06c9
   1bd00c73

   Zone identifier (zid):
   00010000de93f193
   8df85f1918a35c6d
   d0f3ae70f94692a7
   1fe1fbffb75ee185
   9c444a44

   Encoded zone identifier (zkl = zTLD):
   000G006YJFRS73FRBWCHH8TWDQ8F7BKGZ53959RZW7XZZDTYW62SRH2A8G

   Label: test
   RRCOUNT: 2

   Record #0
   EXPIRATION: 1620285180789328
   DATA_SIZE: 4
   TYPE: 1
   FLAGS: 0
   DATA:
   01020304

   Record #1
   EXPIRATION: 1620285180789328
   DATA_SIZE: 32
   TYPE: 65536
   FLAGS: 2
   DATA:
   00010000be1cd4e7
   0dc7cff6cb446f77
   fe4fd36b19a33718
   d7c2331be6550836

   RDATA:
   0005c1a40aa2c250

Schanzenbach, et al.      Expires 25 June 2022                 [Page 41]
Internet-Draft             The GNU Name System             December 2021

   0000000400000001
   0000000001020304
   0005c1a40aa2c250
   0000002000010000
   0000000200010000
   be1cd4e70dc7cff6
   cb446f77fe4fd36b
   19a33718d7c2331b
   e655083600000000
   0000000000000000
   0000000000000000
   0000000000000000
   0000000000000000
   0000000000000000
   0000000000000000

   BDATA:
   79995bb1a99f2dc2
   dd91757a929d57bc
   5e87f2bbc8a475a1
   549d7e5e4a9d4076
   e2c676f139bb2b85
   b4c09443b5724ee0
   511283bb2bf08401
   3c72ad3c518e7b34
   e52e526fa78ae192
   1a9ac03db4d69e94
   81e9a8c04a326f0a
   db2c35296bad0707
   bcd00ff668f605ab
   16589841870831b2
   43b87b37fc360e33
   512b75de819822e7
   9d989a92

   RRBLOCK:
   0001000069fb663f
   f40b0ffb883d5777
   6c61fd3a5bab11ce
   8d1e92fadda21720
   c5bc6e7f0fb47c68
   3bed6fc190c53501
   c321199117a01c31
   4f02d7456e878166
   7ed8a9fc0fb370b5
   30dfab2597907cfb
   7f4b6ea6381abb89
   b004ad7c55fdb426

Schanzenbach, et al.      Expires 25 June 2022                 [Page 42]
Internet-Draft             The GNU Name System             December 2021

   639b22dc00000094
   0000000f0005c1a4
   0aa2c25079995bb1
   a99f2dc2dd91757a
   929d57bc5e87f2bb
   c8a475a1549d7e5e
   4a9d4076e2c676f1
   39bb2b85b4c09443
   b5724ee0511283bb
   2bf084013c72ad3c
   518e7b34e52e526f
   a78ae1921a9ac03d
   b4d69e9481e9a8c0
   4a326f0adb2c3529
   6bad0707bcd00ff6
   68f605ab16589841
   870831b243b87b37
   fc360e33512b75de
   819822e79d989a92

   The following represents a test vector for a record set with a DNS
   record of type "A" as well as a GNS record of type "EDKEY" under the
   label "test".

   Zone private key (d, little-endian, with ztype prepended):
   000100144d704a54
   e439e4cd1139a4bf
   476fe7497164ec2e
   cb74318c3abd331a
   488e30f6

   Zone identifier (zid):
   000100140f833e26
   fed15c9e6c03f31c
   fb724e9ebf6889e9
   d080c8aeff2d8528
   e42b599c

   Encoded zone identifier (zkl = zTLD):
   000G050FGCZ2DZPHBJF6R0ZK3KXQ4KMYQXM8KTEGG34AXZSDGMME8ATSKG

   Label: test
   RRCOUNT: 2

   Record #0
   EXPIRATION: 1620285180795764

Schanzenbach, et al.      Expires 25 June 2022                 [Page 43]
Internet-Draft             The GNU Name System             December 2021

   DATA_SIZE: 4
   TYPE: 1
   FLAGS: 0
   DATA:
   01020304

   Record #1
   EXPIRATION: 1620285180795764
   DATA_SIZE: 32
   TYPE: 65556
   FLAGS: 2
   DATA:
   0001001439f0fc1a
   eec45cf22cbd87a2
   82bd6321ee90ebfc
   f542b5e2aabf25bf

   RDATA:
   0005c1a40aa2db74
   0000000400000001
   0000000001020304
   0005c1a40aa2db74
   0000002000010014
   0000000200010014
   39f0fc1aeec45cf2
   2cbd87a282bd6321
   ee90ebfcf542b5e2
   aabf25b00000000
   0000000000000000
   0000000000000000
   0000000000000000
   0000000000000000
   0000000000000000
   0000000000000000

   BDATA:
   b1230c25642caef0
   a8fbaea6edff9852
   6d5f40fc4e7d088f
   ab3d2986acbc7f5d
   cd8684dbad707761
   4ee346c18f3daae2
   9f3c4de2d626ce85
   8e729d2cc69a2842
   a73346ea38ac7196
   6f8104f78439f34b
   56c2cd0a3bd5f073
   3790f45a942a1cb9

Schanzenbach, et al.      Expires 25 June 2022                 [Page 44]
Internet-Draft             The GNU Name System             December 2021

   a593ff5776378ba4
   d9df7b1d820585c0
   7958928090d18361
   c36778b316c14f91
   f5a3ad502d6fdc9a
   009e1169723dd158
   da32920f

   RRBLOCK:
   00010014d880b5e8
   c09f479d7b8c8c57
   7cb498b60d7b1e86
   d066daa57089f985
   f86ccdd51f20583c
   e826f12b42cf2153
   9d9f32048f909535
   fb7cc36d586c15fc
   91fcfdeb9136c8ff
   8775e1e9ed892a4c
   d1b1f761e96f33d7
   e9cc91c727f5bfb1
   e12d220d000000a4
   0000000f0005c1a4
   0aa2db74b1230c25
   642caef0a8fbaea6
   edff98526d5f40fc
   4e7d088fab3d2986
   acbc7f5dcd8684db
   ad7077614ee346c1
   8f3daae29f3c4de2
   d626ce858e729d2c
   c69a2842a73346ea
   38ac71966f8104f7
   8439f34b56c2cd0a
   3bd5f0733790f45a
   942a1cb9a593ff57
   76378ba4d9df7b1d
   820585c079589280
   90d18361c36778b3
   16c14f91f5a3ad50
   2d6fdc9a009e1169
   723dd158da32920f

   The following is an example revocation for a zone:

Schanzenbach, et al.      Expires 25 June 2022                 [Page 45]
Internet-Draft             The GNU Name System             December 2021

   Zone private key (d, little-endian scalar, with ztype prepended):
   00010000a065bf68
   07cb3d90d10394a9
   a56693e07087ad35
   24f8e303931d4ade
   946dc447

   Zone identifier (zid):
   00010000d06ab6d9
   14e8a8064609b2b3
   cb661c586042adcb
   0dc5faeb61994d25
   5ebdca72

   Encoded zone identifier (zkl = zTLD):
   000G006GDAVDJ578N034C2DJPF5PC72RC11AVJRDRQXEPRCS9MJNXFEAE8

   Difficulty (5 base difficulty + 2 epochs): 7

   Proof:
   0005b13f536e2b0e
   0000395d1827c000
   5caaeaa2b955d82c
   5caaeaa2b955da02
   5caaeaa2b955daf0
   5caaeaa2b955db20
   5caaeaa2b955db2d
   5caaeaa2b955dba1
   5caaeaa2b955dba9
   5caaeaa2b955dbc2
   5caaeaa2b955dbc8
   5caaeaa2b955dbd1
   5caaeaa2b955dbf7
   5caaeaa2b955dc0e
   5caaeaa2b955dc54
   5caaeaa2b955dc8c
   5caaeaa2b955dca5
   5caaeaa2b955dcb5
   5caaeaa2b955dcf8
   5caaeaa2b955dd47
   5caaeaa2b955dd91
   5caaeaa2b955dd98
   5caaeaa2b955dd99
   5caaeaa2b955ddc4
   5caaeaa2b955de7f
   5caaeaa2b955de80
   5caaeaa2b955de92
   5caaeaa2b955ded3

Schanzenbach, et al.      Expires 25 June 2022                 [Page 46]
Internet-Draft             The GNU Name System             December 2021

   5caaeaa2b955df1a
   5caaeaa2b955df77
   5caaeaa2b955dfdf
   5caaeaa2b955e06e
   5caaeaa2b955e08d
   5caaeaa2b955e0c4
   00010000d06ab6d9
   14e8a8064609b2b3
   cb661c586042adcb
   0dc5faeb61994d25
   5ebdca7206b11f93
   41f4e1649976c421
   b1efe668a44becbe
   5a9f76804adb6f6e
   2cd16de00d81841d
   cbd135aacad3bdab
   3f2209bd10d55cc1
   c7aed9a9bd53a1f6
   cae1789d

13.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
              <https://www.rfc-editor.org/info/rfc1034>.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <https://www.rfc-editor.org/info/rfc1035>.

   [RFC2693]  Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas,
              B., and T. Ylonen, "SPKI Certificate Theory", RFC 2693,
              DOI 10.17487/RFC2693, September 1999,
              <https://www.rfc-editor.org/info/rfc2693>.

   [RFC2782]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
              specifying the location of services (DNS SRV)", RFC 2782,
              DOI 10.17487/RFC2782, February 2000,
              <https://www.rfc-editor.org/info/rfc2782>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 47]
Internet-Draft             The GNU Name System             December 2021

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003, <https://www.rfc-editor.org/info/rfc3629>.

   [RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES)
              Counter Mode With IPsec Encapsulating Security Payload
              (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004,
              <https://www.rfc-editor.org/info/rfc3686>.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826,
              DOI 10.17487/RFC3826, June 2004,
              <https://www.rfc-editor.org/info/rfc3826>.

   [RFC3912]  Daigle, L., "WHOIS Protocol Specification", RFC 3912,
              DOI 10.17487/RFC3912, September 2004,
              <https://www.rfc-editor.org/info/rfc3912>.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010,
              <https://www.rfc-editor.org/info/rfc5869>.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, DOI 10.17487/RFC5890, August 2010,
              <https://www.rfc-editor.org/info/rfc5890>.

   [RFC5891]  Klensin, J., "Internationalized Domain Names in
              Applications (IDNA): Protocol", RFC 5891,
              DOI 10.17487/RFC5891, August 2010,
              <https://www.rfc-editor.org/info/rfc5891>.

   [RFC6781]  Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
              Operational Practices, Version 2", RFC 6781,
              DOI 10.17487/RFC6781, December 2012,
              <https://www.rfc-editor.org/info/rfc6781>.

   [RFC6895]  Eastlake 3rd, D., "Domain Name System (DNS) IANA
              Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
              April 2013, <https://www.rfc-editor.org/info/rfc6895>.

   [RFC6979]  Pornin, T., "Deterministic Usage of the Digital Signature
              Algorithm (DSA) and Elliptic Curve Digital Signature
              Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
              2013, <https://www.rfc-editor.org/info/rfc6979>.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 48]
Internet-Draft             The GNU Name System             December 2021

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016, <https://www.rfc-editor.org/info/rfc7748>.

   [RFC8032]  Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
              Signature Algorithm (EdDSA)", RFC 8032,
              DOI 10.17487/RFC8032, January 2017,
              <https://www.rfc-editor.org/info/rfc8032>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC9106]  Biryukov, A., Dinu, D., Khovratovich, D., and S.
              Josefsson, "Argon2 Memory-Hard Function for Password
              Hashing and Proof-of-Work Applications", RFC 9106,
              DOI 10.17487/RFC9106, September 2021,
              <https://www.rfc-editor.org/info/rfc9106>.

   [GANA]     GNUnet e.V., "GNUnet Assigned Numbers Authority (GANA)",
              April 2020, <https://gana.gnunet.org/>.

   [MODES]    Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Methods and Techniques", December 2001,
              <https://doi.org/10.6028/NIST.SP.800-38A>.

   [CrockfordB32]
              Douglas, D., "Base32", March 2019,
              <https://www.crockford.com/base32.html>.

   [XSalsa20] Bernstein, D., "Extending the Salsa20 nonce", 2011,
              <https://cr.yp.to/snuffle/xsalsa-20110204.pdf>.

14.  Informative References

   [RFC7363]  Maenpaa, J. and G. Camarillo, "Self-Tuning Distributed
              Hash Table (DHT) for REsource LOcation And Discovery
              (RELOAD)", RFC 7363, DOI 10.17487/RFC7363, September 2014,
              <https://www.rfc-editor.org/info/rfc7363>.

Schanzenbach, et al.      Expires 25 June 2022                 [Page 49]
Internet-Draft             The GNU Name System             December 2021

   [Tor224]   Goulet, D., Kadianakis, G., and N. Mathewson, "Next-
              Generation Hidden Services in Tor", November 2013,
              <https://gitweb.torproject.org/torspec.git/tree/
              proposals/224-rend-spec-ng.txt#n2135>.

   [Kademlia] Maymounkov, P. and D. Mazieres, "Kademlia: A peer-to-peer
              information system based on the xor metric.", 2002,
              <http://css.csail.mit.edu/6.824/2014/papers/kademlia.pdf>.

   [ed25519]  Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B.
              Yang, "High-Speed High-Security Signatures", 2011,
              <http://link.springer.com/
              chapter/10.1007/978-3-642-23951-9_9>.

   [GNS]      Wachs, M., Schanzenbach, M., and C. Grothoff, "A
              Censorship-Resistant, Privacy-Enhancing and Fully
              Decentralized Name System", 2014,
              <https://sci-hub.st/10.1007/978-3-319-12280-9_9>.

   [R5N]      Evans, N. S. and C. Grothoff, "R5N: Randomized recursive
              routing for restricted-route networks", 2011,
              <https://sci-hub.st/10.1109/ICNSS.2011.6060022>.

   [GNUnetGNS]
              GNUnet e.V., "The GNUnet GNS Implementation",
              <https://git.gnunet.org/gnunet.git/tree/src/gns>.

   [GNUnet]   GNUnet e.V., "The GNUnet Project", <https://gnunet.org>.

   [GoGNS]    Fix, B., "The Go GNS Implementation",
              <https://github.com/bfix/gnunet-
              go/tree/master/src/gnunet/service/gns>.

Authors' Addresses

   Martin Schanzenbach
   GNUnet e.V.
   Boltzmannstrasse 3
   85748 Garching
   Germany

   Email: schanzen@gnunet.org

Schanzenbach, et al.      Expires 25 June 2022                 [Page 50]
Internet-Draft             The GNU Name System             December 2021

   Christian Grothoff
   Berner Fachhochschule
   Hoeheweg 80
   CH-2501 Biel/Bienne
   Switzerland

   Email: grothoff@gnunet.org

   Bernd Fix
   GNUnet e.V.
   Boltzmannstrasse 3
   85748 Garching
   Germany

   Email: fix@gnunet.org

Schanzenbach, et al.      Expires 25 June 2022                 [Page 51]