RFC9498: The GNU Name System

Download in text format

Related keywords:  (name systems)




Independent Submission                                   M. Schanzenbach
Request for Comments: 9498                              Fraunhofer AISEC
Category: Informational                                      C. Grothoff
ISSN: 2070-1721                                    Berner Fachhochschule
                                                                  B. Fix
                                                             GNUnet e.V.
                                                           November 2023


                          The GNU Name System

Abstract

   This document provides the GNU Name System (GNS) technical
   specification.  GNS is a decentralized and censorship-resistant
   domain name resolution protocol that provides a privacy-enhancing
   alternative to the Domain Name System (DNS) protocols.

   This document defines the normative wire format of resource records,
   resolution processes, cryptographic routines, and security and
   privacy considerations for use by implementers.

   This specification was developed outside the IETF and does not have
   IETF consensus.  It is published here to inform readers about the
   function of GNS, guide future GNS implementations, and ensure
   interoperability among implementations (for example, pre-existing
   GNUnet implementations).

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not candidates for any level of Internet Standard;
   see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc9498.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction
     1.1.  Requirements Notation
   2.  Terminology
   3.  Overview
     3.1.  Names and Zones
     3.2.  Publishing Binding Information
     3.3.  Resolving Names
   4.  Zones
     4.1.  Zone Top-Level Domain (zTLD)
     4.2.  Zone Revocation
   5.  Resource Records
     5.1.  Zone Delegation Records
       5.1.1.  PKEY
       5.1.2.  EDKEY
     5.2.  Redirection Records
       5.2.1.  REDIRECT
       5.2.2.  GNS2DNS
     5.3.  Auxiliary Records
       5.3.1.  LEHO
       5.3.2.  NICK
       5.3.3.  BOX
   6.  Record Encoding for Remote Storage
     6.1.  The Storage Key
     6.2.  Plaintext Record Data (RDATA)
     6.3.  The Resource Record Block
   7.  Name Resolution
     7.1.  Start Zones
     7.2.  Recursion
     7.3.  Record Processing
       7.3.1.  REDIRECT
       7.3.2.  GNS2DNS
       7.3.3.  BOX
       7.3.4.  Zone Delegation Records
       7.3.5.  NICK
   8.  Internationalization and Character Encoding
   9.  Security and Privacy Considerations
     9.1.  Availability
     9.2.  Agility
     9.3.  Cryptography
     9.4.  Abuse Mitigation
     9.5.  Zone Management
     9.6.  DHTs as Remote Storage
     9.7.  Revocations
     9.8.  Zone Privacy
     9.9.  Zone Governance
     9.10. Namespace Ambiguity
   10. GANA Considerations
     10.1.  GNUnet Signature Purposes Registry
     10.2.  GNS Record Types Registry
     10.3.  .alt Subdomains Registry
   11. IANA Considerations
   12. Implementation and Deployment Status
   13. References
     13.1.  Normative References
     13.2.  Informative References
   Appendix A.  Usage and Migration
     A.1.  Zone Dissemination
     A.2.  Start Zone Configuration
     A.3.  Globally Unique Names and the Web
     A.4.  Migration Paths
   Appendix B.  Example Flows
     B.1.  AAAA Example Resolution
     B.2.  REDIRECT Example Resolution
     B.3.  GNS2DNS Example Resolution
   Appendix C.  Base32GNS
   Appendix D.  Test Vectors
     D.1.  Base32GNS Encoding/Decoding
     D.2.  Record Sets
     D.3.  Zone Revocation
   Acknowledgements
   Authors' Addresses

1.  Introduction

   This specification describes the GNU Name System (GNS), a censorship-
   resistant, privacy-preserving, and decentralized domain name
   resolution protocol.  GNS cryptographically secures the binding of
   names to arbitrary tokens, enabling it to double in some respects as
   an alternative to some of today's public key infrastructures.

   Per Domain Name System (DNS) terminology [RFC1035], GNS roughly
   follows the idea of a local root zone deployment (see [RFC8806]),
   with the difference that the design encourages alternative roots and
   does not expect all deployments to use the same or any specific root
   zone.  In the GNS reference implementation, users can autonomously
   and freely delegate control of names to zones through their local
   configurations.  GNS expects each user to be in control of their
   setup.  By following the guidelines in Section 9.10, users should
   manage to avoid any confusion as to how names are resolved.

   Name resolution and zone dissemination are based on the principle of
   a petname system where users can assign local names to zones.  The
   GNS has its roots in ideas from the Simple Distributed Security
   Infrastructure [SDSI], enabling the decentralized mapping of secure
   identifiers to memorable names.  One of the first academic
   descriptions of the cryptographic ideas behind GNS can be found in
   [GNS].

   This document defines the normative wire format of resource records,
   resolution processes, cryptographic routines, and security and
   privacy considerations for use by implementers.

1.1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Terminology

   Apex Label:  This type of label is used to publish resource records
      in a zone that can be resolved without providing a specific label.
      It is the GNS method for providing what is called the "zone apex"
      in DNS [RFC4033].  The apex label is represented using the
      character U+0040 ("@" without the quotes).

   Application:  An application is a component that uses a GNS
      implementation to resolve names into records and processes its
      contents.

   Blinded Zone Key:  A blinded zone key is a key derived from a zone
      key and a label.  The zone key and any blinded zone key derived
      from it are unlinkable without knowledge of the specific label
      used for the derivation.

   Extension Label:  This type of label is used to refer to the
      authoritative zone that the record is in.  The primary use for the
      extension label is in redirections where the redirection target is
      defined relative to the authoritative zone of the redirection
      record (see Section 5.2).  The extension label is represented
      using the character U+002B ("+" without the quotes).

   Label Separator:  Labels in a name are separated using the label
      separator U+002E ("." without the quotes).  In GNS, except for
      zone Top-Level Domains (zTLDs) (see below) and boxed records (see
      Section 5.3.3), every label separator in a name indicates
      delegation to another zone.

   Label:  A GNS label is a label as defined in [RFC8499].  Labels are
      UTF-8 strings in Unicode Normalization Form C (NFC)
      [Unicode-UAX15].  The apex label and the extension label have
      special purposes in the resolution protocol that are defined in
      the rest of this document.  Zone administrators MAY disallow
      certain labels that might be easily confused with other labels
      through registration policies (see also Section 9.4).

   Name:  A name in GNS is a domain name as defined in [RFC8499]: names
      are UTF-8 strings [RFC3629] consisting of an ordered list of
      labels concatenated with a label separator.  Names are resolved
      starting from the rightmost label.  GNS does not impose length
      restrictions on names or labels.  However, applications MAY ensure
      that name and label lengths are compatible with DNS and, in
      particular, Internationalized Domain Names for Applications (IDNA)
      [RFC5890].  In the spirit of [RFC5895], applications MAY
      preprocess names and labels to ensure compatibility with DNS or
      support specific user expectations -- for example, according to
      [Unicode-UTS46].  A GNS name may be indistinguishable from a DNS
      name, and care must be taken by applications and implementers when
      handling GNS names (see Section 9.10).  In order to avoid
      misinterpretation of example domains with (reserved) DNS domains,
      this document uses the suffix ".gns.alt" in compliance with
      [RFC9476].  ".gns.alt" is also registered in the GANA ".alt
      Subdomains" registry [GANA].

   Resolver:  In this document, a resolver is the component of a GNS
      implementation that provides the recursive name resolution logic
      defined in Section 7.

   Resource Record:  A GNS resource record is the information associated
      with a label in a GNS zone.  A GNS resource record contains
      information as defined by its resource record type.

   Start Zone:  In order to resolve any given GNS name, an initial Start
      Zone must be determined for this name.  The Start Zone can be
      explicitly defined as part of the name using a zTLD.  Otherwise,
      it is determined through a local suffix-to-zone mapping (see
      Section 7.1).

   Top-Level Domain (TLD):  The rightmost part of a GNS name is a GNS
      TLD.  A GNS TLD can consist of one or more labels.  Unlike DNS
      TLDs (defined in [RFC8499]), GNS does not expect all users to use
      the same global root zone.  Instead, with the exception of zTLDs
      (see Section 4.1), GNS TLDs are typically part of the
      configuration of the local resolver (see Section 7.1) and thus
      might not be globally unique.

   Zone:  A GNS zone contains authoritative information (resource
      records).  A zone is uniquely identified by its zone key.  Unlike
      DNS zones, a GNS zone does not need to have an SOA record under
      the apex label.

   Zone Key:  The zone key is a key that uniquely identifies a zone.  It
      is usually a public key of an asymmetric key pair.  However, the
      established technical term "public key" is misleading, as in GNS a
      zone key may be a shared secret that should not be disclosed to
      unauthorized parties.

   Zone Key Derivation Function:  The zone key derivation function
      (ZKDF) blinds a zone key using a label.

   Zone Publisher:  The zone publisher is the component of a GNS
      implementation that provides local zone management and publication
      as defined in Section 6.

   Zone Owner:  The zone owner is the holder of the secret (typically a
      private key), which (together with a label and a value to sign)
      allows the creation of zone signatures that can be validated
      against the respective blinded zone key.

   Zone Top-Level Domain (zTLD):  A GNS zTLD is a sequence of GNS labels
      at the end of a GNS name.  The zTLD encodes a zone type and zone
      key of a zone (see Section 4.1).  Due to the statistical
      uniqueness of zone keys, zTLDs are also globally unique.  A zTLD
      label sequence can only be distinguished from ordinary TLD label
      sequences by attempting to decode the labels into a zone type and
      zone key.

   Zone Type:  The type of a GNS zone determines the cipher system and
      binary encoding format of the zone key, blinded zone keys, and
      cryptographic signatures.

3.  Overview

   GNS exhibits the three properties that are commonly used to describe
   a petname system:

   Global names through the concept of zTLDs:
      As zones can be uniquely identified by their zone keys and are
      statistically unique, zTLDs are globally unique mappings to zones.
      Consequently, GNS domain names with a zTLD suffix are also
      globally unique.  Names with zTLD suffixes are not memorable.

   Memorable petnames for zones:
      Users can configure local, memorable references to zones.  Such
      petnames serve as zTLD monikers that provide convenient names for
      zones to the local operator.  The petnames may also be published
      as suggestions for other users searching for a good label to use
      when referencing the respective zone.

   A secure mapping from names to records:
      GNS allows zone owners to map labels to resource records or to
      delegate authority of names in the subdomain induced by a label to
      other zones.  Zone owners may choose to publish this information
      to make it available to other users.  Mappings are encrypted and
      signed using keys derived from the respective label before being
      published in remote storage.  When names are resolved, signatures
      on resource records, including delegations, are verified by the
      recursive resolver.

   In the remainder of this document, the "implementer" refers to the
   developer building a GNS implementation that includes the resolver,
   zone publisher, and supporting configuration such as Start Zones (see
   Section 7.1).

3.1.  Names and Zones

   It follows from the above that GNS does not support names that are
   simultaneously global, secure, and memorable.  Instead, names are
   either global and not memorable or not globally unique and memorable.
   An example for a global name pointing to the record "example" in a
   zone is as follows:

   example.000G006K2TJNMD9VTCYRX7BRVV3HAEPS15E6NHDXKPJA1KAJJEG9AFF884

   Now consider the case where a user locally configured the petname
   "pet.gns.alt" for the zone with the "example" record of the name
   above.  The name "example.pet.gns.alt" would then point to the same
   record as the globally unique name above, but name resolution would
   only work on the local system where the "pet.gns.alt" petname is
   configured.

   The delegation of petnames and subsequent resolution of delegation
   build on ideas from the Simple Distributed Security Infrastructure
   [SDSI].  In GNS, any user can create and manage any number of zones
   (see Section 4) if their system provides a zone publisher
   implementation.  For each zone, the zone type determines the
   respective set of cryptographic operations and the wire formats for
   encrypted data, public keys, and signatures.  A zone can be populated
   with mappings from labels to resource records (see Section 5) by its
   owner.  A label can be mapped to a delegation record; this results in
   the corresponding subdomain being delegated to another zone.
   Circular delegations are explicitly allowed, including delegating a
   subdomain to its immediate parent zone.  In order to support (legacy)
   applications as well as to facilitate the use of petnames, GNS
   defines auxiliary record types in addition to supporting existing DNS
   records.

3.2.  Publishing Binding Information

   Zone contents are encrypted and signed before being published in
   remote key-value storage (see Section 6), as illustrated in Figure 1.
   In this process, unique zone identification is hidden from the
   network through the use of key blinding.  Key blinding allows the
   creation of signatures for zone contents using a blinded public/
   private key pair.  This blinding is realized using a deterministic
   key derivation from the original zone key and corresponding private
   key using record label values as inputs from which blinding factors
   are derived.  Specifically, the zone owner can derive blinded private
   keys for each record set published under a label, and a resolver can
   derive the corresponding blinded public keys.  It is expected that
   GNS implementations use decentralized remote storage entities, such
   as distributed hash tables (DHTs), in order to facilitate
   availability within a network without the need for dedicated
   infrastructure.  The specification of such a distributed or
   decentralized storage entity is out of scope for this document, but
   possible existing implementations include those based on [RFC7363],
   [Kademlia], or [R5N].

          Host A           |     Remote      |      Host B
                           |     Storage     |
                           |                 |
                           |    +---------+  |
                           |   /         /|  |
                  Publish  |  +---------+ |  |  Publish
    +-----------+ Records  |  |         | |  |  Records +-----------+
    |   Zone    |----------|->| Record  | |<-|----------|   Zone    |
    | Publisher |          |  | Storage | |  |          | Publisher |
    +-----------+          |  |         |/   |          +-----------+
         A                 |  +---------+    |               A
         |                 |                 |               |
      +---------+          |                 |           +---------+
     /   |     /|          |                 |          /    |    /|
    +---------+ |          |                 |         +---------+ |
    |         | |          |                 |         |         | |
    |  Local  | |          |                 |         |  Local  | |
    |  Zones  | |          |                 |         |  Zones  | |
    |         |/           |                 |         |         |/
    +---------+            |                 |         +---------+

       Figure 1: An Example Diagram of Two Hosts Publishing GNS Zones

   A zone publisher implementation SHOULD be provided as part of a GNS
   implementation to enable users to create and manage zones.  If this
   functionality is not implemented, names can still be resolved if zone
   keys for the initial step in the name resolution have been configured
   (see Section 7) or if the names end with a zTLD suffix.

3.3.  Resolving Names

   Applications use the resolver to look up GNS names.  Starting from a
   configurable Start Zone, names are resolved by following zone
   delegations recursively, as illustrated in Figure 2.  For each label
   in a name, the recursive GNS resolver fetches the respective record
   set from the storage layer (see Section 7).  Without knowledge of the
   label values and the zone keys, the different derived keys are
   unlinkable to both the original zone key and each other.  This
   prevents zone enumeration (except via expensive online brute-force
   attacks): to confirm the affiliation of a query or the corresponding
   encrypted record set with a specific zone requires knowledge of both
   the zone key and the label, neither of which is disclosed to remote
   storage by the protocol.  At the same time, the blinded zone key and
   digital signatures associated with each encrypted record set allow
   resolvers and oblivious remote storage to verify the integrity of the
   published information without disclosing anything about the
   originating zone or the record sets.

                              Local Host           |   Remote
                                                   |   Storage
                                                   |
                                                   |    +---------+
                                                   |   /         /|
                                                   |  +---------+ |
   +-----------+ Name     +----------+ Recursive   |  |         | |
   |           | Lookup   |          | Resolution  |  | Record  | |
   |Application|--------->| Resolver |-------------|->| Storage | |
   |           |<---------|          |<------------|--|         |/
   +-----------+ Results  +----------+ Intermediate|  +---------+
                             A         Results     |
                             |                     |
                          +---------+              |
                         /   |     /|              |
                        +---------+ |              |
                        |         | |              |
                        |  Start  | |              |
                        |  Zones  | |              |
                        |         |/               |
                        +---------+                |

          Figure 2: High-Level View of the GNS Resolution Process

4.  Zones

   A zone in GNS is uniquely identified by its zone type (ztype) and
   zone key.  Each zone can be referenced by its zTLD (see Section 4.1),
   which is a string that encodes the zone type and zone key.  The ztype
   is a unique 32-bit number that corresponds to a resource record type
   number identifying a delegation record type in the GANA "GNS Record
   Types" registry [GANA].  The ztype is a unique identifier for the set
   cryptographic functions of the zone and the format of the delegation
   record type.  Any ztype registration MUST define the following set of
   cryptographic functions:

   KeyGen() -> d, zkey
      A function for generating a new private key d and the
      corresponding public zone key zkey.

   ZKDF(zkey, label) -> zkey'
      A ZKDF that blinds a zone key zkey using a label.  zkey and zkey'
      must be unlinkable.  Furthermore, blinding zkey with different
      values for the label must result in different, unlinkable zkey'
      values.

   S-Encrypt(zkey, label, expiration, plaintext) -> ciphertext
      A symmetric encryption function that encrypts the plaintext to
      derive ciphertext based on key material derived from the zone key
      zkey, a label, and an expiration timestamp.  In order to leverage
      performance-enhancing caching features of certain underlying
      storage entities -- in particular, DHTs -- a deterministic
      encryption scheme is recommended.

   S-Decrypt(zkey, label, expiration, ciphertext) -> plaintext
      A symmetric decryption function that decrypts the ciphertext into
      plaintext based on key material derived from the zone key, a
      label, and an expiration timestamp.

   Sign(d, message) -> signature
      A function for signing a message using the private key d, yielding
      an unforgeable cryptographic signature.  In order to leverage
      performance-enhancing caching features of certain underlying
      storage entities -- in particular, DHTs -- a deterministic
      signature scheme is recommended.

   Verify(zkey, message, signature) -> boolean
      A function for verifying that the signature was created using the
      private key d corresponding to the zone key zkey where d,zkey :=
      KeyGen().  The function returns a boolean value of "TRUE" if the
      signature is valid and "FALSE" otherwise.

   SignDerived(d, label, message) -> signature
      A function for signing a message (typically encrypted record data)
      that can be verified using the derived zone key zkey' :=
      ZKDF(zkey, label).  In order to leverage performance-enhancing
      caching features of certain underlying storage entities -- in
      particular, DHTs -- a deterministic signature scheme is
      recommended.

   VerifyDerived(zkey', message, signature) -> boolean
      A function for verifying the signature using the derived zone key
      zkey' := ZKDF(zkey, label).  The function returns a boolean value
      of "TRUE" if the signature is valid and "FALSE" otherwise.
      Depending on the signature scheme used, this function can be
      identical to the Verify() function.

   The cryptographic functions of the default ztypes are specified with
   their corresponding delegation records as discussed in Section 5.1.
   In order to support cryptographic agility, additional ztypes MAY be
   defined in the future that replace or update the default ztypes
   defined in this document.  All ztypes MUST be registered as dedicated
   zone delegation record types in the GANA "GNS Record Types" registry
   (see [GANA]).  When defining new record types, the cryptographic
   security considerations of this document -- in particular,
   Section 9.3 -- apply.

4.1.  Zone Top-Level Domain (zTLD)

   A zTLD is a string that encodes the zone type and zone key into a
   domain name suffix.  A zTLD is used as a globally unique reference to
   a zone in the process of name resolution.  It is created by encoding
   a binary concatenation of the zone type and zone key (see Figure 3).
   The used encoding is a variation of the Crockford Base32 encoding
   [CrockfordB32] called Base32GNS.  The encoding and decoding symbols
   for Base32GNS, including this variation, are defined in Table 4,
   found in Appendix C.  The functions for encoding and decoding based
   on Table 4 are called Base32GNS-Encode and Base32GNS-Decode,
   respectively.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |       ZONE TYPE       |      ZONE KEY         /
   +-----+-----+-----+-----+                       /
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+

              Figure 3: The Binary Representation of the zTLD

   The ZONE TYPE MUST be encoded in network byte order.  The format of
   the ZONE KEY depends entirely on the ZONE TYPE.

   Consequently, a zTLD is encoded and decoded as follows:

   zTLD := Base32GNS-Encode(ztype||zkey)
   ztype||zkey := Base32GNS-Decode(zTLD)

   where "||" is the concatenation operator.

   The zTLD can be used "as is" as a rightmost label in a GNS name.  If
   an application wants to ensure DNS compatibility of the name, it MAY
   also represent the zTLD as follows: if the zTLD is less than or equal
   to 63 characters, it can be used as a zTLD as is.  If the zTLD is
   longer than 63 characters, the zTLD is divided into smaller labels
   separated by the label separator.  Here, the most significant bytes
   of the "ztype||zkey" concatenation must be contained in the rightmost
   label of the resulting string and the least significant bytes in the
   leftmost label of the resulting string.  This allows the resolver to
   determine the ztype and zTLD length from the rightmost label and to
   subsequently determine how many labels the zTLD should span.  A GNS
   implementation MUST support the division of zTLDs in DNS-compatible
   label lengths.  For example, assuming a zTLD of 130 characters, the
   division is as follows:

   zTLD[126..129].zTLD[63..125].zTLD[0..62]

4.2.  Zone Revocation

   In order to revoke a zone key, a signed revocation message MUST be
   published.  This message MUST be signed using the private key of the
   zone.  The revocation message is broadcast to the network.  The
   specification of the broadcast mechanism is out of scope for this
   document.  A possible broadcast mechanism for efficient flooding in a
   distributed network is implemented in [GNUnet].  Alternatively,
   revocation messages could also be distributed via a distributed
   ledger or a trusted central server.  To prevent flooding attacks, the
   revocation message MUST contain a proof of work (PoW).  The
   revocation message, including the PoW, MAY be calculated ahead of
   time to support timely revocation.

   For all occurrences below, "Argon2id" is the password-based key
   derivation function as defined in [RFC9106].  For the PoW
   calculations, the algorithm is instantiated with the following
   parameters:

   S:  The salt.  Fixed 16-byte string: "GnsRevocationPow"

   t:  Number of iterations: 3

   m:  Memory size in KiB: 1024

   T:  Output length of hash in bytes: 64

   p:  Parallelization parameter: 1

   v:  Algorithm version: 0x13

   y:  Algorithm type (Argon2id): 2

   X:  Unused

   K:  Unused

   Figure 4 illustrates the format of the data "P" on which the PoW is
   calculated.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                      POW                      |
   +-----------------------------------------------+
   |                   TIMESTAMP                   |
   +-----------------------------------------------+
   |       ZONE TYPE       |    ZONE KEY           /
   +-----+-----+-----+-----+                       /
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+

                    Figure 4: The Format of the PoW Data

   POW:  A 64-bit value that is a solution to the PoW.  In network byte
      order.

   TIMESTAMP:  Denotes the absolute 64-bit date when the revocation was
      computed.  In microseconds since midnight (0 hour), January 1,
      1970 UTC in network byte order.

   ZONE TYPE:  The 32-bit zone type in network byte order.

   ZONE KEY:  The 256-bit public key zkey of the zone that is being
      revoked.  The wire format of this value is defined by the ZONE
      TYPE.

   Usually, PoW schemes require that one POW value be found, such that a
   specific number of leading zeroes are found in the hash result.  This
   number is then referred to as the difficulty of the PoW.  In order to
   reduce the variance in time it takes to calculate the PoW, a valid
   GNS revocation requires that a number of different PoWs (Z, as
   defined below) must be found that on average have at least D leading
   zeroes.

   Given an average difficulty of D, the proofs have an expiration time
   of EPOCH.  Applications MAY calculate proofs with a difficulty that
   is higher than D by providing POW values where there are (on average)
   more than D bits of leading zeroes.  With each additional bit of
   difficulty, the lifetime of the proof is prolonged by another EPOCH.
   Consequently, by calculating a more difficult PoW, the lifetime of
   the proof -- and thus the persistence of the revocation message --
   can be increased on demand by the zone owner.

   The parameters are defined as follows:

   Z:  The number of PoWs that are required.  Its value is fixed at 32.

   D:  The lower limit of the average difficulty.  Its value is fixed at
      22.

   EPOCH:  A single epoch.  Its value is fixed at 365 days in
      microseconds.

   The revocation message wire format is illustrated in Figure 5.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   TIMESTAMP                   |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                      TTL                      |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                     POW_0                     |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                       ...                     |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                    POW_(Z-1)                  |
   +-----------------------------------------------+
   |       ZONE TYPE       |    ZONE KEY           /
   +-----+-----+-----+-----+                       /
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+
   /                   SIGNATURE                   /
   /                                               /
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+

                Figure 5: The Revocation Message Wire Format

   TIMESTAMP:  Denotes the absolute 64-bit date when the revocation was
      computed.  In microseconds since midnight (0 hour), January 1,
      1970 UTC in network byte order.  This is the same value as the
      timestamp used in the individual PoW calculations.

   TTL:  Denotes the relative 64-bit time to live of the record in
      microseconds in network byte order.  The field SHOULD be set to
      EPOCH * 1.1.  Given an average number of leading zeroes D', then
      the field value MAY be increased up to (D'-D+1) * EPOCH * 1.1.
      Validators MAY reject messages with lower or higher values when
      received.

   POW_i:  The values calculated as part of the PoW, in network byte
      order.  Each POW_i MUST be unique in the set of POW values.  To
      facilitate fast verification of uniqueness, the POW values MUST be
      given in strictly monotonically increasing order in the message.

   ZONE TYPE:  The 32-bit zone type corresponding to the zone key in
      network byte order.

   ZONE KEY:  The public key zkey of the zone that is being revoked and
      the key to be used to verify SIGNATURE.

   SIGNATURE:  A signature over a timestamp and the zone zkey of the
      zone that is revoked and corresponds to the key used in the PoW.
      The signature is created using the Sign() function of the
      cryptosystem of the zone and the private key (see Section 4).

   The signature in the revocation message covers a 32-bit header
   prefixed to the TIMESTAMP, ZONE TYPE, and ZONE KEY fields.  The
   header includes the key length and signature purpose.  The wire
   format is illustrated in Figure 6.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |         SIZE          |       PURPOSE (0x03)  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   TIMESTAMP                   |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |       ZONE TYPE       |     ZONE KEY          /
   +-----+-----+-----+-----+                       /
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+

        Figure 6: The Wire Format of the Revocation Data for Signing

   SIZE:  A 32-bit value containing the length of the signed data in
      bytes in network byte order.

   PURPOSE:  A 32-bit signature purpose flag.  The value of this field
      MUST be 3.  The value is encoded in network byte order.  It
      defines the context in which the signature is created so that it
      cannot be reused in other parts of the protocol that might include
      possible future extensions.  The value of this field corresponds
      to an entry in the GANA "GNUnet Signature Purposes" registry
      [GANA].

   TIMESTAMP:  Field as defined in the revocation message above.

   ZONE TYPE:  Field as defined in the revocation message above.

   ZONE KEY:  Field as defined in the revocation message above.

   In order to validate a revocation, the following steps MUST be taken:

   1.  The signature MUST be verified against the zone key.

   2.  The set of POW values MUST NOT contain duplicates; this MUST be
       checked by verifying that the values are strictly monotonically
       increasing.

   3.  The average number of leading zeroes D' resulting from the
       provided POW values MUST be greater than or equal to D.
       Implementers MUST NOT use an integer data type to calculate or
       represent D'.

   The TTL field in the revocation message is informational.  A
   revocation MAY be discarded without checking the POW values or the
   signature if the TTL (in combination with TIMESTAMP) indicates that
   the revocation has already expired.  The actual validity period of
   the revocation MUST be determined by examining the leading zeroes in
   the POW values.

   The validity period of the revocation is calculated as (D'-D+1) *
   EPOCH * 1.1.  The EPOCH is extended by 10% in order to deal with
   poorly synchronized clocks.  The validity period added on top of the
   TIMESTAMP yields the expiration date.  If the current time is after
   the expiration date, the revocation is considered stale.

   Verified revocations MUST be stored locally.  The implementation MAY
   discard stale revocations and evict them from the local store at any
   time.

   It is important that implementations broadcast received revocations
   if they are valid and not stale.  Should the calculated validity
   period differ from the TTL field value, the calculated value MUST be
   used as the TTL field value when forwarding the revocation message.
   Systems might disagree on the current time, so implementations MAY
   use stale but otherwise valid revocations but SHOULD NOT broadcast
   them.  Forwarded stale revocations MAY be discarded by the receiver.

   Any locally stored revocation MUST be considered during delegation
   record processing (see Section 7.3.4).

5.  Resource Records

   A GNS implementation SHOULD provide a mechanism for creating and
   managing local zones as well as a persistence mechanism (such as a
   local database) for resource records.  A new local zone is
   established by selecting a zone type and creating a zone key pair.
   If this mechanism is not implemented, no zones can be published in
   storage (see Section 6) and name resolution is limited to non-local
   Start Zones (see Section 7.1).

   A GNS resource record holds the data of a specific record in a zone.
   The resource record format is illustrated in Figure 7.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   EXPIRATION                  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |    SIZE   |   FLAGS   |          TYPE         |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                      DATA                     /
   /                                               /
   /                                               /

                 Figure 7: The Resource Record Wire Format

   EXPIRATION:  Denotes the absolute 64-bit expiration date of the
      record.  In microseconds since midnight (0 hour), January 1, 1970
      UTC in network byte order.

   SIZE:  Denotes the 16-bit size of the DATA field in bytes in network
      byte order.

   FLAGS:  A 16-bit field indicating special properties of the resource
      record.  The semantics of the different bits are defined below.

   TYPE:  The 32-bit resource record type in network byte order.  This
      type can be one of the GNS resource records as defined in
      Section 5, a DNS record type as defined in [RFC1035], or any of
      the complementary standardized DNS resource record types.  Note
      that values below 2^16 are reserved for 16-bit DNS resource record
      types allocated by IANA [RFC6895].  Values above 2^16 are
      allocated by the GANA "GNS Record Types" registry [GANA].

   DATA:  The variable-length resource record data payload.  The content
      is defined by the respective type of the resource record.

   The FLAGS field is used to indicate special properties of the
   resource record.  An application creating resource records MUST set
   all bits in FLAGS to 0 unless it specifically understands and wants
   to set the respective flag.  As additional flags can be defined in
   future protocol versions, if an application or implementation
   encounters a flag that it does not recognize, the flag MUST be
   ignored.  However, all implementations MUST understand the SHADOW and
   CRITICAL flags defined below.  Any combination of the flags specified
   below is valid.  Figure 8 illustrates the flag distribution in the
   16-bit FLAGS field of a resource record:

   0           13            14      15
   +--------...+-------------+-------+---------+
   | Reserved  |SUPPLEMENTAL |SHADOW |CRITICAL |
   +--------...+-------------+-------+---------+

               Figure 8: The Resource Record Flag Wire Format

   CRITICAL:  If this flag is set, it indicates that processing is
      critical.  Implementations that do not support the record type or
      are otherwise unable to process the record MUST abort resolution
      upon encountering the record in the resolution process.

   SHADOW:  If this flag is set, this record MUST be ignored by
      resolvers unless all (other) records of the same record type have
      expired.  Used to allow zone publishers to facilitate good
      performance when records change by allowing them to put future
      values of records into storage.  This way, future values can
      propagate and can be cached before the transition becomes active.

   SUPPLEMENTAL:  This is a supplemental record.  It is provided in
      addition to the other records.  This flag indicates that this
      record is not explicitly managed alongside the other records under
      the respective name but might be useful for the application.

5.1.  Zone Delegation Records

   This section defines the initial set of zone delegation record types.
   Any implementation SHOULD support all zone types defined here and MAY
   support any number of additional delegation records defined in the
   GANA "GNS Record Types" registry (see [GANA]).  Not supporting some
   zone types will result in resolution failures if the respective zone
   type is encountered.  This can be a valid choice if some zone
   delegation record types have been determined to be cryptographically
   insecure.  Zone delegation records MUST NOT be stored or published
   under the apex label.  A zone delegation record type value is the
   same as the respective ztype value.  The ztype defines the
   cryptographic primitives for the zone that is being delegated to.  A
   zone delegation record payload contains the public key of the zone to
   delegate to.  A zone delegation record MUST have the CRITICAL flag
   set and MUST be the only non-supplemental record under a label.
   There MAY be inactive records of the same type that have the SHADOW
   flag set in order to facilitate smooth key rollovers.

   In the following, "||" is the concatenation operator of two byte
   strings.  The algorithm specification uses character strings such as
   GNS labels or constant values.  When used in concatenations or as
   input to functions, the zero terminator of the character strings MUST
   NOT be included.

5.1.1.  PKEY

   In GNS, a delegation of a label to a zone of type "PKEY" is
   represented through a PKEY record.  The PKEY DATA entry wire format
   is illustrated in Figure 9.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   PUBLIC KEY                  |
   |                                               |
   |                                               |
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                       Figure 9: The PKEY Wire Format

   PUBLIC KEY:  A 256-bit Ed25519 public key.

   For PKEY zones, the zone key material is derived using the curve
   parameters of the twisted Edwards representation of Curve25519
   [RFC7748] (the reasoning behind choosing this curve can be found in
   Section 9.3) with the ECDSA scheme [RFC6979].  The following naming
   convention is used for the cryptographic primitives of PKEY zones:

   d:  A 256-bit Ed25519 private key (clamped private scalar).

   zkey:  The Ed25519 public zone key corresponding to d.

   p:  The prime of edwards25519 as defined in [RFC7748], i.e., 2^255 -
      19.

   G:  The group generator (X(P),Y(P)).  With X(P),Y(P) of edwards25519
      as defined in [RFC7748].

   L:  The order of the prime-order subgroup of edwards25519 as defined
      in [RFC7748].

   KeyGen():  The generation of the private scalar d and the curve point
      zkey := d*G (where G is the group generator of the elliptic curve)
      as defined in Section 2.2 of [RFC6979] represents the KeyGen()
      function.

   The zone type and zone key of a PKEY are 4 + 32 bytes in length.
   This means that a zTLD will always fit into a single label and does
   not need any further conversion.  Given a label, the output zkey' of
   the ZKDF(zkey, label) function is calculated as follows for PKEY
   zones:

   ZKDF(zkey, label):
     PRK_h := HKDF-Extract("key-derivation", zkey)
     h := HKDF-Expand(PRK_h, label || "gns", 512 / 8)
     zkey' := (h mod L) * zkey
     return zkey'

   The PKEY cryptosystem uses an HMAC-based key derivation function
   (HKDF) as defined in [RFC5869], using SHA-512 [RFC6234] for the
   extraction phase and SHA-256 [RFC6234] for the expansion phase.
   PRK_h is key material retrieved using an HKDF that uses the string
   "key-derivation" as the salt and the zone key as the initial keying
   material.  h is the 512-bit HKDF expansion result and must be
   interpreted in network byte order.  The expansion information input
   is a concatenation of the label and the string "gns".  The
   multiplication of zkey with h in ZKDF() is a point multiplication,
   while the multiplication of d with h in SignDerived() below is a
   scalar multiplication.

   The Sign() and Verify() functions for PKEY zones are implemented
   using 512-bit ECDSA deterministic signatures as specified in
   [RFC6979].  The same functions can be used for derived keys:

   SignDerived(d, label, message):
     zkey := d * G
     PRK_h := HKDF-Extract("key-derivation", zkey)
     h := HKDF-Expand(PRK_h, label || "gns", 512 / 8)
     d' := (h * d) mod L
     return Sign(d', message)

   A signature is valid for the derived public key zkey' := ZKDF(zkey,
   label) if the following holds:

   VerifyDerived(zkey', message, signature):
     return Verify(zkey', message, signature)

   The S-Encrypt() and S-Decrypt() functions use AES in counter mode as
   defined in [MODES] (CTR-AES256):

   S-Encrypt(zkey, label, expiration, plaintext):
     PRK_k := HKDF-Extract("gns-aes-ctx-key", zkey)
     PRK_n := HKDF-Extract("gns-aes-ctx-iv", zkey)
     K := HKDF-Expand(PRK_k, label, 256 / 8)
     NONCE := HKDF-Expand(PRK_n, label, 32 / 8)
     BLOCK_COUNTER := 0x0000000000000001
     IV := NONCE || expiration || BLOCK_COUNTER
     return CTR-AES256(K, IV, plaintext)

   S-Decrypt(zkey, label, expiration, ciphertext):
     PRK_k := HKDF-Extract("gns-aes-ctx-key", zkey)
     PRK_n := HKDF-Extract("gns-aes-ctx-iv", zkey)
     K := HKDF-Expand(PRK_k, label, 256 / 8)
     NONCE := HKDF-Expand(PRK_n, label, 32 / 8)
     BLOCK_COUNTER := 0x0000000000000001
     IV := NONCE || expiration || BLOCK_COUNTER
     return CTR-AES256(K, IV, ciphertext)

   The key K and counter Initialization Vector (IV) are derived from the
   record label and the zone key zkey, using an HKDF as defined in
   [RFC5869].  SHA-512 [RFC6234] is used for the extraction phase and
   SHA-256 [RFC6234] for the expansion phase.  The output keying
   material is 32 bytes (256 bits) for the symmetric key and 4 bytes (32
   bits) for the NONCE.  The symmetric key K is a 256-bit AES key
   [RFC3826].

   The nonce is combined with a 64-bit IV and a 32-bit block counter as
   defined in [RFC3686].  The block counter begins with a value of 1,
   and it is incremented to generate subsequent portions of the key
   stream.  The block counter is a 32-bit integer value in network byte
   order.  The format of the counter IV used by the S-Encrypt() and
   S-Decrypt() functions is illustrated in Figure 10.

   0     8     16    24    32
   +-----+-----+-----+-----+
   |         NONCE         |
   +-----+-----+-----+-----+
   |       EXPIRATION      |
   |                       |
   +-----+-----+-----+-----+
   |      BLOCK COUNTER    |
   +-----+-----+-----+-----+

     Figure 10: Structure of the Counter IV as Used in S-Encrypt() and
                                S-Decrypt()

5.1.2.  EDKEY

   In GNS, a delegation of a label to a zone of type "EDKEY" is
   represented through an EDKEY record.  The EDKEY DATA entry wire
   format is illustrated in Figure 11.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   PUBLIC KEY                  |
   |                                               |
   |                                               |
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                   Figure 11: The EDKEY DATA Wire Format

   PUBLIC KEY:  A 256-bit EdDSA zone key.

   For EDKEY zones, the zone key material is derived using the curve
   parameters of the twisted Edwards representation of Curve25519
   [RFC7748] (a.k.a. Ed25519) with the Ed25519 scheme [ed25519] as
   specified in [RFC8032].  The following naming convention is used for
   the cryptographic primitives of EDKEY zones:

   d:  A 256-bit EdDSA private key.

   a:  An integer derived from d using the SHA-512 hash function as
      defined in [RFC8032].

   zkey:  The EdDSA public key corresponding to d.  It is defined as the
      curve point a*G where G is the group generator of the elliptic
      curve as defined in [RFC8032].

   p:  The prime of edwards25519 as defined in [RFC8032], i.e., 2^255 -
      19.

   G:  The group generator (X(P),Y(P)).  With X(P),Y(P) of edwards25519
      as defined in [RFC8032].

   L:  The order of the prime-order subgroup of edwards25519 as defined
      in [RFC8032].

   KeyGen():  The generation of the private key d and the associated
      public key zkey := a*G (where G is the group generator of the
      elliptic curve and a is an integer derived from d using the
      SHA-512 hash function) as defined in Section 5.1.5 of [RFC8032]
      represents the KeyGen() function.

   The zone type and zone key of an EDKEY are 4 + 32 bytes in length.
   This means that a zTLD will always fit into a single label and does
   not need any further conversion.

   The "EDKEY" ZKDF instantiation is based on [Tor224].  As noted above
   for KeyGen(), a is calculated from d using the SHA-512 hash function
   as defined in Section 5.1.5 of [RFC8032].  Given a label, the output
   of the ZKDF function is calculated as follows:

   ZKDF(zkey, label):
     /* Calculate the blinding factor */
     PRK_h := HKDF-Extract("key-derivation", zkey)
     h := HKDF-Expand(PRK_h, label || "gns", 512 / 8)
     /* Ensure that h == h mod L */
     h := h mod L

     zkey' := h * zkey
     return zkey'

   Implementers SHOULD employ a constant-time scalar multiplication for
   the constructions above to protect against timing attacks.
   Otherwise, timing attacks could leak private key material if an
   attacker can predict when a system starts the publication process.

   The EDKEY cryptosystem uses an HKDF as defined in [RFC5869], using
   SHA-512 [RFC6234] for the extraction phase and HMAC-SHA-256 [RFC6234]
   for the expansion phase.  PRK_h is key material retrieved using an
   HKDF that uses the string "key-derivation" as the salt and the zone
   key as the initial keying material.  The blinding factor h is the
   512-bit HKDF expansion result.  The expansion information input is a
   concatenation of the label and the string "gns".  The result of the
   HKDF must be clamped and interpreted in network byte order.  a is the
   256-bit integer corresponding to the 256-bit private key d.  The
   multiplication of zkey with h is a point multiplication.

   The Sign(d, message) and Verify(zkey, message, signature) procedures
   MUST be implemented as defined in [RFC8032].

   Signatures for EDKEY zones use a derived private scalar d'; this is
   not compliant with [RFC8032].  As the private key that corresponds to
   the derived private scalar is not known, it is not possible to
   deterministically derive the signature part R according to [RFC8032].
   Instead, signatures MUST be generated as follows for any given
   message and private zone key: a nonce is calculated from the highest
   32 bytes of the expansion of the private key d and the blinding
   factor h.  The nonce is then hashed with the message to r.  This way,
   the full derivation path is included in the calculation of the R
   value of the signature, ensuring that it is never reused for two
   different derivation paths or messages.

   SignDerived(d, label, message):
     /* Key expansion */
     dh := SHA-512(d)
     /* EdDSA clamping */
     a := dh[0..31]
     a[0] := a[0] & 248
     a[31] := a[31] & 127
     a[31] := a[31] | 64
     /* Calculate zkey corresponding to d */
     zkey := a * G

     /* Calculate blinding factor */
     PRK_h := HKDF-Extract("key-derivation", zkey)
     h := HKDF-Expand(PRK_h, label || "gns", 512 / 8)
     /* Ensure that h == h mod L */
     h := h mod L

     d' := (h * a) mod L
     nonce := SHA-256(dh[32..63] || h)
     r := SHA-512(nonce || message)
     R := r * G
     S := r + SHA-512(R || zkey' || message) * d' mod L
     return (R,S)

   A signature (R,S) is valid for the derived public key zkey' :=
   ZKDF(zkey, label) if the following holds:

   VerifyDerived(zkey', message, signature):
     (R,S) := signature
     return S * G == R + SHA-512(R, zkey', message) * zkey'

   The S-Encrypt() and S-Decrypt() functions use XSalsa20 as defined in
   [XSalsa20] and use the XSalsa20-Poly1305 encryption function:

   S-Encrypt(zkey, label, expiration, plaintext):
     PRK_k := HKDF-Extract("gns-xsalsa-ctx-key", zkey)
     PRK_n := HKDF-Extract("gns-xsalsa-ctx-iv", zkey)
     K := HKDF-Expand(PRK_k, label, 256 / 8)
     NONCE := HKDF-Expand(PRK_n, label, 128 / 8)
     IV := NONCE || expiration
     return XSalsa20-Poly1305(K, IV, plaintext)

   S-Decrypt(zkey, label, expiration, ciphertext):
     PRK_k := HKDF-Extract("gns-xsalsa-ctx-key", zkey)
     PRK_n := HKDF-Extract("gns-xsalsa-ctx-iv", zkey)
     K := HKDF-Expand(PRK_k, label, 256 / 8)
     NONCE := HKDF-Expand(PRK_n, label, 128 / 8)
     IV := NONCE || expiration
     return XSalsa20-Poly1305(K, IV, ciphertext)

   The result of the XSalsa20-Poly1305 encryption function is the
   encrypted ciphertext followed by the 128-bit authentication tag.
   Accordingly, the length of encrypted data equals the length of the
   data plus the 16 bytes of the authentication tag.

   The key K and counter IV are derived from the record label and the
   zone key zkey using an HKDF as defined in [RFC5869].  SHA-512
   [RFC6234] is used for the extraction phase and SHA-256 [RFC6234] for
   the expansion phase.  The output keying material is 32 bytes (256
   bits) for the symmetric key and 16 bytes (128 bits) for the NONCE.
   The symmetric key K is a 256-bit XSalsa20 key [XSalsa20].  No
   additional authenticated data (AAD) is used.

   The nonce is combined with an 8-byte IV.  The IV is the expiration
   time of the resource record block in network byte order.  The
   resulting counter (IV) wire format is illustrated in Figure 12.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                     NONCE                     |
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   EXPIRATION                  |
   +-----+-----+-----+-----+-----+-----+-----+-----+

             Figure 12: The Counter Block Initialization Vector

5.2.  Redirection Records

   Redirection records are used to redirect resolution.  Any
   implementation SHOULD support all redirection record types defined
   here and MAY support any number of additional redirection records
   defined in the GANA "GNS Record Types" registry [GANA].  Redirection
   records MUST have the CRITICAL flag set.  Not supporting some record
   types can result in resolution failures.  This can be a valid choice
   if some redirection record types have been determined to be insecure,
   or if an application has reasons to not support redirection to DNS
   for reasons such as complexity or security.  Redirection records MUST
   NOT be stored or published under the apex label.

5.2.1.  REDIRECT

   A REDIRECT record is the GNS equivalent of a CNAME record in DNS.  A
   REDIRECT record MUST be the only non-supplemental record under a
   label.  There MAY be inactive records of the same type that have the
   SHADOW flag set in order to facilitate smooth changes of redirection
   targets.  No other records are allowed.  Details on the processing of
   this record are provided in Section 7.3.1.  A REDIRECT DATA entry is
   illustrated in Figure 13.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   REDIRECT NAME               |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                  Figure 13: The REDIRECT DATA Wire Format

   REDIRECT NAME:  The name to continue with.  This value can be a
      regular name or a relative name.  Relative GNS names are indicated
      by an extension label (U+002B ("+")) as the rightmost label.  The
      string is UTF-8 encoded and zero terminated.

5.2.2.  GNS2DNS

   A GNS2DNS record delegates resolution to DNS.  The resource record
   contains a DNS name for the resolver to continue with in DNS followed
   by a DNS server.  Both names are in the format defined in [RFC1034]
   for DNS names.  There MAY be multiple GNS2DNS records under a label.
   There MAY also be DNSSEC DS records or any other records used to
   secure the connection with the DNS servers under the same label.
   There MAY be inactive records of the same type or types that have the
   SHADOW flag set in order to facilitate smooth changes of redirection
   targets.  No other non-supplemental record types are allowed in the
   same record set.  A GNS2DNS DATA entry is illustrated in Figure 14.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                      NAME                     |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                 DNS SERVER NAME               |
   /                                               /
   /                                               /
   |                                               |
   +-----------------------------------------------+

                  Figure 14: The GNS2DNS DATA Wire Format

   NAME:  The name to continue with in DNS.  The value is UTF-8 encoded
      and zero terminated.

   DNS SERVER NAME:  The DNS server to use.  This value can be an IPv4
      address in dotted-decimal form, an IPv6 address in colon-
      hexadecimal form, or a DNS name.  It can also be a relative GNS
      name ending with a "+" as the rightmost label.  The implementation
      MUST check the string syntactically for an IP address in the
      respective notation before checking for a relative GNS name.  If
      all three checks fail, the name MUST be treated as a DNS name.
      The value is UTF-8 encoded and zero terminated.

   NOTE: If an application uses DNS names obtained from GNS2DNS records
   in a DNS request, they MUST first be converted to an IDNA-compliant
   representation [RFC5890].

5.3.  Auxiliary Records

   This section defines the initial set of auxiliary GNS record types.
   Any implementation SHOULD be able to process the specified record
   types according to Section 7.3.

5.3.1.  LEHO

   The LEHO (LEgacy HOstname) record is used to provide a hint for
   legacy hostnames: applications can use the GNS to look up IPv4 or
   IPv6 addresses of Internet services.  However, connecting to such
   services sometimes not only requires the knowledge of an IP address
   and port but also requires the canonical DNS name of the service to
   be transmitted over the transport protocol.  In GNS, legacy hostname
   records provide applications the DNS name that is required to
   establish a connection to such a service.  The most common use case
   is HTTP virtual hosting and TLS Server Name Indication [RFC6066],
   where a DNS name must be supplied in the HTTP "Host"-header and the
   TLS handshake, respectively.  Using a GNS name in those cases might
   not work, as it might not be globally unique.  Furthermore, even if
   uniqueness is not an issue, the legacy service might not even be
   aware of GNS.

   A LEHO resource record is expected to be found together with A or
   AAAA resource records with IPv4 or IPv6 addresses.  A LEHO DATA entry
   is illustrated in Figure 15.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                 LEGACY HOSTNAME               |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                    Figure 15: The LEHO DATA Wire Format

   LEGACY HOSTNAME:  A UTF-8 string (which is not zero terminated)
      representing the legacy hostname.

   NOTE: If an application uses a LEHO value in an HTTP request header
   (e.g., a "Host"-header), it MUST be converted to an IDNA-compliant
   representation [RFC5890].

5.3.2.  NICK

   Nickname records can be used by zone administrators to publish a
   label that a zone prefers to have used when it is referred to.  This
   is a suggestion for other zones regarding what label to use when
   creating a delegation record (Section 5.1) containing this zone key.
   This record SHOULD only be stored locally under the apex label "@"
   but MAY be returned with record sets under any label as a
   supplemental record.  Section 7.3.5 details how a resolver must
   process supplemental and non-supplemental NICK records.  A NICK DATA
   entry is illustrated in Figure 16.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                  NICKNAME                     |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                    Figure 16: The NICK DATA Wire Format

   NICKNAME:  A UTF-8 string (which is not zero terminated) representing
      the preferred label of the zone.  This string MUST be a valid GNS
      label.

5.3.3.  BOX

   GNS lookups are expected to return all of the required useful
   information in one record set.  This avoids unnecessary additional
   lookups and cryptographically ties together information that belongs
   together, making it impossible for an adversarial storage entity to
   provide partial answers that might omit information critical for
   security.

   This general strategy is incompatible with the special labels used by
   DNS for SRV and TLSA records.  Thus, GNS defines the BOX record
   format to box up SRV and TLSA records and include them in the record
   set of the label they are associated with.  For example, a TLSA
   record for "_https._tcp.example.org" will be stored in the record set
   of "example.org" as a BOX record with service (SVC) 443 (https),
   protocol (PROTO) 6 (tcp), and record TYPE "TLSA".  For reference, see
   also [RFC2782].  A BOX DATA entry is illustrated in Figure 17.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |   PROTO   |    SVC    |       TYPE            |
   +-----------+-----------------------------------+
   |                 RECORD DATA                   |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+

                    Figure 17: The BOX DATA Wire Format

   PROTO:  The 16-bit protocol number in network byte order.  Values
      below 2^8 are reserved for 8-bit Internet Protocol numbers
      allocated by IANA [RFC5237] (e.g., 6 for TCP).  Values above 2^8
      are allocated by the GANA "GNUnet Overlay Protocols" registry
      [GANA].

   SVC:  The 16-bit service value of the boxed record in network byte
      order.  In the case of TCP and UDP, it is the port number.

   TYPE:  The 32-bit record type of the boxed record in network byte
      order.

   RECORD DATA:  A variable-length field containing the "DATA" format of
      TYPE as defined for the respective TYPE.  Thus, for TYPE values
      below 2^16, the format is the same as the respective record type's
      binary format in DNS.

6.  Record Encoding for Remote Storage

   Any API that allows storing a block under a 512-bit key and
   retrieving one or more blocks from a key can be used by an
   implementation for remote storage.  To be useful, and to be able to
   support the defined zone delegation record encodings, the API MUST
   permit storing blocks of size 176 bytes or more and SHOULD allow
   blocks of size 1024 bytes or more.  In the following, it is assumed
   that an implementation realizes two procedures on top of storage:

   PUT(key, block)
   GET(key) -> block

   A GNS implementation publishes blocks in accordance with the
   properties and recommendations of the underlying remote storage.
   This can include a periodic refresh operation to preserve the
   availability of published blocks.

   There is no mechanism for explicitly deleting individual blocks from
   remote storage.  However, blocks include an EXPIRATION field, which
   guides remote storage implementations to decide when to delete
   blocks.  Given multiple blocks for the same key, remote storage
   implementations SHOULD try to preserve and return the block with the
   largest EXPIRATION value.

   All resource records from the same zone sharing the same label are
   encrypted and published together in a single resource record block
   (RRBLOCK) in the remote storage under a key q, as illustrated in
   Figure 18.  A GNS implementation MUST NOT include expired resource
   records in blocks.  An implementation MUST use the PUT storage
   procedure when record sets change to update the zone contents.
   Implementations MUST ensure that the EXPIRATION fields of RRBLOCKs
   increase strictly monotonically for every change, even if the
   smallest expiration time of records in the block does not increase.

                               Local Host           |   Remote
                                                    |   Storage
                                                    |
                                                    |    +---------+
                                                    |   /         /|
                                                    |  +---------+ |
   +-----------+                                    |  |         | |
   |           |       +-----------+PUT(q, RRBLOCK) |  | Record  | |
   |    User   |       |   Zone    |----------------|->| Storage | |
   |           |       | Publisher |                |  |         |/
   +-----------+       +-----------+                |  +---------+
        |                     A                     |
        |                     | Zone records        |
        |                     | grouped by label    |
        |                     |                     |
        |                 +---------+               |
        |Create / Delete /    |    /|               |
        |and Update     +---------+ |               |
        |Local Zones    |         | |               |
        |               |  Local  | |               |
        +-------------->|  Zones  | |               |
                        |         |/                |
                        +---------+                 |

          Figure 18: Management and Publication of Local Zones in
                            Distributed Storage

   Storage key derivation and record block creation are specified in the
   following sections and illustrated in Figure 19.

   +----------+ +-------+ +------------+ +-------------+
   | Zone Key | | Label | | Record Set | | Private Key |
   +----------+ +-------+ +------------+ +-------------+
       |          |            |               |
       |          |            v               |
       |          |           +-----------+    |
       |          +---------->| S-Encrypt |    |
       +----------|---------->+-----------+    |
       |          |               |    |       |
       |          |               |    v       v
       |          |               |   +-------------+
       |          +---------------|-->| SignDerived |
       |          |               |   +-------------+
       |          |               |        |
       |          v               v        v
       |      +------+        +--------------+
       +----->| ZKDF |------->| Record Block |
              +------+        +--------------+
                 |
                 v
              +------+        +-------------+
              | Hash |------->| Storage Key |
              +------+        +-------------+

         Figure 19: Storage Key and Record Block Creation Overview

6.1.  The Storage Key

   The storage key is derived from the zone key and the respective label
   of the contained records.  The required knowledge of both the zone
   key and the label in combination with the similarly derived symmetric
   secret keys and blinded zone keys ensures query privacy (see
   [RFC8324], Section 3.5).

   Given a label, the storage key q is derived as follows:

   q := SHA-512(ZKDF(zkey, label))

   label:  A UTF-8 string under which the resource records are
      published.

   zkey:  The zone key.

   q:  The 512-bit storage key under which the resource record block is
      published.  It is the SHA-512 hash [RFC6234] over the derived zone
      key.

6.2.  Plaintext Record Data (RDATA)

   GNS records from a zone are grouped by their labels such that all
   records under the same label are published together as a single block
   in storage.  Such grouped record sets MAY be paired with supplemental
   records.

   Record data (RDATA) is the format used to encode such a group of GNS
   records.  The binary format of RDATA is illustrated in Figure 20.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                 EXPIRATION                    |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |    SIZE   |    FLAGS  |        TYPE           |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                      DATA                     /
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   EXPIRATION                  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |    SIZE   |    FLAGS  |        TYPE           |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                     DATA                      /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                     PADDING                   /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+

                      Figure 20: The RDATA Wire Format

   EXPIRATION, SIZE, TYPE, FLAGS, and DATA:  Definitions for these
      fields are provided below Figure 7 in Section 5.

   PADDING:  When serializing records into RDATA, a GNS implementation
      MUST ensure that the size of the RDATA is a power of two using
      this field.  The field MUST be set to zero and MUST be ignored on
      receipt.  As a special exception, record sets with (only) a zone
      delegation record type are never padded.

6.3.  The Resource Record Block

   The resource records grouped in an RDATA are encrypted using the
   S-Encrypt() function defined by the zone type of the zone to which
   the resource records belong and prefixed with metadata into a
   resource record block (RRBLOCK) for remote storage.  The GNS RRBLOCK
   wire format is illustrated in Figure 21.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |          SIZE         |    ZONE TYPE          |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                  ZONE KEY                     /
   /                  (BLINDED)                    /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   SIGNATURE                   |
   /                                               /
   /                                               /
   |                                               |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   EXPIRATION                  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                    BDATA                      |
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+

                     Figure 21: The RRBLOCK Wire Format

   SIZE:  A 32-bit value containing the length of the block in bytes in
      network byte order.  Despite the message format's use of a 32-bit
      value, implementations MAY refuse to publish blocks beyond a
      certain size significantly below the theoretical block size limit
      of 4 GB.

   ZONE TYPE:  The 32-bit ztype in network byte order.

   ZONE KEY (BLINDED):  The blinded zone key "ZKDF(zkey, label)" to be
      used to verify SIGNATURE.  The length and format of the blinded
      public key depend on the ztype.

   SIGNATURE:  The signature is computed over the EXPIRATION and BDATA
      fields as shown in Figure 22.  The length and format of the
      signature depend on the ztype.  The signature is created using the
      SignDerived() function of the cryptosystem of the zone (see
      Section 4).

   EXPIRATION:  Specifies when the RRBLOCK expires and the encrypted
      block SHOULD be removed from storage and caches, as it is likely
      stale.  However, applications MAY continue to use non-expired
      individual records until they expire.  The RRBLOCK expiration
      value MUST be computed by first determining for each record type
      present in the RRBLOCK the maximum expiration time of all records
      of that type, including shadow records.  Then, the minimum of all
      of these expiration times is taken.  The final expiration time is
      then the larger value of (1) the previous EXPIRATION value of a
      previous RRBLOCK for the same storage key plus one (if any) and
      (2) the computed minimum expiration time across the contained
      record types.  This ensures strict monotonicity (see Section 9.3).
      This is a 64-bit absolute date in microseconds since midnight (0
      hour), January 1, 1970 UTC in network byte order.

   BDATA:  The encrypted RDATA computed using S-Encrypt() with the zone
      key, label, and expiration time as additional inputs.  Its
      ultimate size and content are determined by the S-Encrypt()
      function of the ztype.

   The signature over the public key covers a 32-bit pseudo header
   conceptually prefixed to the EXPIRATION and BDATA fields.  The wire
   format is illustrated in Figure 22.

   0     8     16    24    32    40    48    56
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |         SIZE          |       PURPOSE (0x0F)  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                   EXPIRATION                  |
   +-----+-----+-----+-----+-----+-----+-----+-----+
   |                    BDATA                      |
   /                                               /
   /                                               /
   +-----+-----+-----+-----+-----+-----+-----+-----+

     Figure 22: The Wire Format Used for Creating the Signature of the
                                  RRBLOCK

   SIZE:  A 32-bit value containing the length of the signed data in
      bytes in network byte order.

   PURPOSE:  A 32-bit signature purpose flag in network byte order.  The
      value of this field MUST be 15.  It defines the context in which
      the signature is created so that it cannot be reused in other
      parts of the protocol that might include possible future
      extensions.  The value of this field corresponds to an entry in
      the GANA "GNUnet Signature Purposes" registry [GANA].

   EXPIRATION:  Field as defined in the RRBLOCK message above.

   BDATA:  Field as defined in the RRBLOCK message above.

7.  Name Resolution

   Names in GNS are resolved by recursively querying the record storage.
   Recursive in this context means that a resolver does not provide
   intermediate results for a query to the application.  Instead, it
   MUST respond to a resolution request with either the requested
   resource record or an error message if resolution fails.  Figure 23
   illustrates how an application requests the lookup of a GNS name (1).
   The application MAY provide a desired record type to the resolver.
   Subsequently, a Start Zone is determined (2) and the recursive
   resolution process started.  This is where the desired record type is
   used to guide processing.  For example, if a zone delegation record
   type is requested, the resolution of the apex label in that zone must
   be skipped, as the desired record is already found.  Details on how
   the resolution process is initiated and each iterative result (3a,3b)
   in the resolution is processed are provided in the sections below.
   The results of the lookup are eventually returned to the application
   (4).  The implementation MUST NOT filter the returned resource record
   sets according to the desired record type.  Filtering of record sets
   is typically done by the application.

                              Local Host             |   Remote
                                                     |   Storage
                                                     |
                                                     |    +---------+
                                                     |   /         /|
                                                     |  +---------+ |
   +-----------+ (1) Name +----------+               |  |         | |
   |           | Lookup   |          | (3a) GET(q)   |  | Record  | |
   |Application|----------| Resolver |---------------|->| Storage | |
   |           |<---------|          |<--------------|--|         |/
   +-----------+ (4)      +----------+ (3b) RRBLOCK  |  +---------+
                 Records     A                       |
                             |                       |
        (2) Determination of |                       |
            Start Zone       |                       |
                             |                       |
                          +---------+                |
                         /   |     /|                |
                        +---------+ |                |
                        |         | |                |
                        |  Start  | |                |
                        |  Zones  | |                |
                        |         |/                 |
                        +---------+                  |

              Figure 23: The Recursive GNS Resolution Process

7.1.  Start Zones

   The resolution of a GNS name starts by identifying the Start Zone
   suffix.  Once the Start Zone suffix is identified, recursive
   resolution of the remainder of the name is initiated (see
   Section 7.2).  There are two types of Start Zone suffixes: zTLDs and
   local suffix-to-zone mappings.  The choice of available suffix-to-
   zone mappings is at the sole discretion of the local system
   administrator or user.  This property addresses the issue of a single
   hierarchy with a centrally controlled root and the related issue of
   distribution and management of root servers in DNS (see Sections 3.12
   and 3.10 of [RFC8324], respectively).

   For names ending with a zTLD, the Start Zone is explicitly given in
   the suffix of the name to resolve.  In order to ensure uniqueness of
   names with zTLDs, any implementation MUST use the given zone as the
   Start Zone.  An implementation MUST first try to interpret the
   rightmost label of the given name as the beginning of a zTLD (see
   Section 4.1).  If the rightmost label cannot be (partially) decoded
   or if it does not indicate a supported ztype, the name is treated as
   a normal name and Start Zone discovery MUST continue with finding a
   local suffix-to-zone mapping.  If a valid ztype can be found in the
   rightmost label, the implementation MUST try to synthesize and decode
   the zTLD to retrieve the Start Zone key according to Section 4.1.  If
   the zTLD cannot be synthesized or decoded, the resolution of the name
   fails and an error is returned to the application.  Otherwise, the
   zone key MUST be used as the Start Zone:

   Example name: www.example.<zTLD>
   => Start Zone: zkey of type ztype
   => Name to resolve from Start Zone: www.example

   For names not ending with a zTLD, the resolver MUST determine the
   Start Zone through a local suffix-to-zone mapping.  Suffix-to-zone
   mappings MUST be configurable through a local configuration file or
   database by the user or system administrator.  A suffix MAY consist
   of multiple GNS labels concatenated with a label separator.  If
   multiple suffixes match the name to resolve, the longest matching
   suffix MUST be used.  The suffix length of two results MUST NOT be
   equal.  This indicates a misconfiguration, and the implementation
   MUST return an error.  The following is a non-normative example
   mapping of Start Zones:

   Example name: www.example.xyz.gns.alt
   Local suffix mappings:
   xyz.gns.alt = zTLD0 := Base32GNS(ztype0||zkey0)
   example.xyz.gns.alt = zTLD1 := Base32GNS(ztype1||zkey1)
   example.com.gns.alt = zTLD2 := Base32GNS(ztype2||zkey2)
   ...
   => Start Zone: zkey1
   => Name to resolve from Start Zone: www

   The process given above MAY be supplemented with other mechanisms if
   the particular application requires a different process.  If no Start
   Zone can be identified, resolution MUST fail and an error MUST be
   returned to the application.

7.2.  Recursion

   In each step of the recursive name resolution, there is an
   authoritative zone zkey and a name to resolve.  The name MAY be
   empty.  If the name is empty, it is interpreted as the apex label
   "@".  Initially, the authoritative zone is the Start Zone.

   From here, the following steps are recursively executed, in order:

   1.  Extract the rightmost label from the name to look up.

   2.  Calculate q using the label and zkey as defined in Section 6.1.

   3.  Perform a storage query GET(q) to retrieve the RRBLOCK.

   4.  Check that (a) the block is not expired, (b) the SHA-512 hash of
       the derived authoritative zone key zkey' from the RRBLOCK matches
       the query q, and (c) the signature is valid.  If any of these
       tests fail, the RRBLOCK MUST be ignored and, if applicable, the
       storage lookup GET(q) MUST continue to look for other RRBLOCKs.

   5.  Obtain the RDATA by decrypting the BDATA contained in the RRBLOCK
       using S-Decrypt() as defined by the zone type, effectively
       inverting the process described in Section 6.3.

   Once a well-formed block has been decrypted, the records from RDATA
   are subjected to record processing.

7.3.  Record Processing

   In record processing, only the valid records obtained are considered.
   To filter records by validity, the resolver MUST at least check the
   expiration time and the FLAGS field of the respective record.
   Specifically, the resolver MUST disregard expired records.
   Furthermore, SHADOW and SUPPLEMENTAL flags can also exclude records
   from being considered.  If the resolver encounters a record with the
   CRITICAL flag set and does not support the record type, the
   resolution MUST be aborted and an error MUST be returned.
   Information indicating that the critical record could not be
   processed SHOULD be returned in the error description.  The
   implementation MAY choose not to return the reason for the failure,
   merely complicating troubleshooting for the user.

   The next steps depend on the context of the name that is being
   resolved:

   Case 1:  If the filtered record set consists of a single REDIRECT
      record, the remainder of the name is prepended to the REDIRECT
      DATA and the recursion is started again from the resulting name.
      Details are provided in Section 7.3.1.

   Case 2:  If the filtered record set consists exclusively of one or
      more GNS2DNS records, resolution continues with DNS.  Details are
      provided in Section 7.3.2.

   Case 3:  If the remainder of the name to be resolved is of the format
      "_SERVICE._PROTO" and the record set contains one or more matching
      BOX records, the records in the BOX records are the final result
      and the recursion is concluded as described in Section 7.3.3.

   Case 4:  If the current record set consists of a single delegation
      record, resolution of the remainder of the name is delegated to
      the target zone as described in Section 7.3.4.

   Case 5:  If the remainder of the name to resolve is empty, the record
      set is the final result.  If any NICK records are in the final
      result set, they MUST first be processed according to
      Section 7.3.5.  Otherwise, the record result set is directly
      returned as the final result.

   Finally, if none of the above cases are applicable, resolution fails
   and the resolver MUST return an empty record set.

7.3.1.  REDIRECT

   If the remaining name is empty and the desired record type is
   REDIRECT, the resolution concludes with the REDIRECT record.  If the
   rightmost label of the REDIRECT NAME is the extension label (U+002B
   ("+")), resolution continues in GNS with the new name in the current
   zone.  Otherwise, the resulting name is resolved via the default
   operating system name resolution process.  This can in turn trigger a
   GNS name resolution process, depending on the system configuration.
   If resolution continues in DNS, the name MUST first be converted to
   an IDNA-compliant representation [RFC5890].

   In order to prevent infinite loops, the resolver MUST implement loop
   detection or limit the number of recursive resolution steps.  The
   loop detection MUST be effective even if a REDIRECT found in GNS
   triggers subsequent GNS lookups via the default operating system name
   resolution process.

7.3.2.  GNS2DNS

   A resolver returns GNS2DNS records when all of the following
   conditions are met:

   1.  The resolver encounters one or more GNS2DNS records;

   2.  The remaining name is empty; and

   3.  The desired record type is GNS2DNS.

   Otherwise, it is expected that the resolver first resolves the IP
   addresses of the specified DNS name servers.  The DNS name MUST be
   converted to an IDNA-compliant representation [RFC5890] for
   resolution in DNS.  GNS2DNS records MAY contain numeric IPv4 or IPv6
   addresses, allowing the resolver to skip this step.  The DNS server
   names might themselves be names in GNS or DNS.  If the rightmost
   label of the DNS server name is the extension label (U+002B ("+")),
   the rest of the name is to be interpreted relative to the zone of the
   GNS2DNS record.  If the DNS server name ends in a label
   representation of a zone key, the DNS server name is to be resolved
   against the GNS zone zkey.

   Multiple GNS2DNS records can be stored under the same label, in which
   case the resolver MUST try all of them.  The resolver MAY try them in
   any order or even in parallel.  If multiple GNS2DNS records are
   present, the DNS name MUST be identical for all of them.  Otherwise,
   it is not clear which name the resolver is supposed to follow.  If
   different DNS names are present, the resolution fails and an
   appropriate error SHOULD be returned to the application.

   If there are DNSSEC DS records or any other records used to secure
   the connection with the DNS servers stored under the label, the DNS
   resolver SHOULD use them to secure the connection with the DNS
   server.

   Once the IP addresses of the DNS servers have been determined, the
   DNS name from the GNS2DNS record is appended to the remainder of the
   name to be resolved and is resolved by querying the DNS name
   server(s).  The synthesized name has to be converted to an IDNA-
   compliant representation [RFC5890] for resolution in DNS.  If such a
   conversion is not possible, the resolution MUST be aborted and an
   error MUST be returned.  Information indicating that the critical
   record could not be processed SHOULD be returned in the error
   description.  The implementation MAY choose not to return the reason
   for the failure, merely complicating troubleshooting for the user.

   As the DNS servers specified are possibly authoritative DNS servers,
   the GNS resolver MUST support recursive DNS resolution and MUST NOT
   delegate this to the authoritative DNS servers.  The first successful
   recursive name resolution result is returned to the application.  In
   addition, the resolver SHOULD return the queried DNS name as a
   supplemental LEHO record (see Section 5.3.1) with a relative
   expiration time of one hour.

   Once the transition from GNS to DNS is made through a GNS2DNS record,
   there is no "going back".  The (possibly recursive) resolution of the
   DNS name MUST NOT delegate back into GNS and should only follow the
   DNS specifications.  For example, names contained in DNS CNAME
   records MUST NOT be interpreted by resolvers that support both DNS
   and GNS as GNS names.

   GNS resolvers SHOULD offer a configuration option to disable DNS
   processing to avoid information leakage and provide a consistent
   security profile for all name resolutions.  Such resolvers would
   return an empty record set upon encountering a GNS2DNS record during
   the recursion.  However, if GNS2DNS records are encountered in the
   record set for the apex label and a GNS2DNS record is explicitly
   requested by the application, such records MUST still be returned,
   even if DNS support is disabled by the GNS resolver configuration.

7.3.3.  BOX

   When a BOX record is received, a GNS resolver must unbox it if the
   name to be resolved continues with "_SERVICE._PROTO".  Otherwise, the
   BOX record is to be left untouched.  This way, TLSA (and SRV) records
   do not require a separate network request, and TLSA records become
   inseparable from the corresponding address records.

7.3.4.  Zone Delegation Records

   When the resolver encounters a record of a supported zone delegation
   record type (such as PKEY or EDKEY) and the remainder of the name is
   not empty, resolution continues recursively with the remainder of the
   name in the GNS zone specified in the delegation record.

   Whenever a resolver encounters a new GNS zone, it MUST check against
   the local revocation list (see Section 4.2) to see whether the
   respective zone key has been revoked.  If the zone key was revoked,
   the resolution MUST fail with an empty result set.

   Implementations MUST NOT allow multiple different zone delegations
   under a single label (except if some are shadow records).
   Implementations MAY support any subset of ztypes.  Implementations
   MUST NOT process zone delegation records stored under the apex label
   ("@").  If a zone delegation record is encountered under the apex
   label, resolution fails and an error MUST be returned.  The
   implementation MAY choose not to return the reason for the failure,
   merely impacting troubleshooting information for the user.

   If the remainder of the name to resolve is empty and a record set was
   received containing only a single delegation record, the recursion is
   continued with the record value as the authoritative zone and the
   apex label "@" as the remaining name.  The exception is the case
   where the desired record type as specified by the application is
   equal to the ztype, in which case the delegation record is returned.

7.3.5.  NICK

   NICK records are only relevant to the recursive resolver if the
   record set in question is the final result, which is to be returned
   to the application.  The encountered NICK records can be either
   supplemental (see Section 5) or non-supplemental.  If the NICK record
   is supplemental, the resolver only returns the record set if one of
   the non-supplemental records matches the queried record type.  It is
   possible that one record set contains both supplemental and non-
   supplemental NICK records.

   The differentiation between a supplemental and non-supplemental NICK
   record allows the application to match the record to the
   authoritative zone.  Consider the following example:

   Query: alice.example.gns.alt (type=A)
   Result:
   A: 192.0.2.1
   NICK: eve (non-supplemental)

   In this example, the returned NICK record is non-supplemental.  For
   the application, this means that the NICK belongs to the zone
   "alice.example.gns.alt" and is published under the apex label along
   with an A record.  The NICK record is interpreted as follows: the
   zone defined by "alice.example.gns.alt" wants to be referred to as
   "eve".  In contrast, consider the following:

   Query: alice.example.gns.alt (type=AAAA)
   Result:
   AAAA: 2001:db8::1
   NICK: john (supplemental)

   In this case, the NICK record is marked as supplemental.  This means
   that the NICK record belongs to the zone "example.gns.alt" and is
   published under the label "alice" along with a AAAA record.  Here,
   the NICK record should be interpreted as follows: the zone defined by
   "example.gns.alt" wants to be referred to as "john".  This
   distinction is likely useful for other records published as
   supplemental.

8.  Internationalization and Character Encoding

   All names in GNS are encoded in UTF-8 [RFC3629].  Labels MUST be
   canonicalized using Normalization Form C (NFC) [Unicode-UAX15].  This
   does not include any DNS names found in DNS records, such as CNAME
   record data, which is internationalized through the IDNA
   specifications; see [RFC5890].

9.  Security and Privacy Considerations

9.1.  Availability

   In order to ensure availability of records beyond their absolute
   expiration times, implementations MAY allow relative expiration time
   values of records to be locally defined.  Records can then be
   published recurringly with updated absolute expiration times by the
   implementation.

   Implementations MAY allow users to manage private records in their
   zones that are not published in storage.  Private records are treated
   just like regular records when resolving labels in local zones, but
   their data is completely unavailable to non-local users.

9.2.  Agility

   The security of cryptographic systems depends on both the strength of
   the cryptographic algorithms chosen and the strength of the keys used
   with those algorithms.  This security also depends on the engineering
   of the protocol used by the system to ensure that there are no non-
   cryptographic ways to bypass the security of the overall system.
   This is why developers of applications managing GNS zones SHOULD
   select a default ztype considered secure at the time of releasing the
   software.  For applications targeting end users that are not expected
   to understand cryptography, the application developer MUST NOT leave
   the ztype selection of new zones to end users.

   This document concerns itself with the selection of cryptographic
   algorithms used in GNS.  The algorithms identified in this document
   are not known to be broken (in the cryptographic sense) at the
   current time, and cryptographic research so far leads us to believe
   that they are likely to remain secure into the foreseeable future.
   However, this is not necessarily forever, and it is expected that new
   revisions of this document will be issued from time to time to
   reflect the current best practices in this area.

   In terms of crypto-agility, whenever the need for an updated
   cryptographic scheme arises to, for example, replace ECDSA over
   Ed25519 for PKEY records, it can simply be introduced through a new
   record type.  Zone administrators can then replace the delegation
   record type for future records.  The old record type remains, and
   zones can iteratively migrate to the updated zone keys.  To ensure
   that implementations correctly generate an error message when
   encountering a ztype that they do not support, current and future
   delegation records must always have the CRITICAL flag set.

9.3.  Cryptography

   The following considerations provide background on the design choices
   of the ztypes specified in this document.  When specifying new ztypes
   as per Section 4, the same considerations apply.

   GNS PKEY zone keys use ECDSA over Ed25519.  This is an unconventional
   choice, as ECDSA is usually used with other curves.  However,
   standardized ECDSA curves are problematic for a range of reasons, as
   described in the Curve25519 and EdDSA papers [RFC7748] [ed25519].
   Using EdDSA directly is also not possible, as a hash function is used
   on the private key and will destroy the linearity that the key
   blinding in GNS depends upon.  We are not aware of anyone suggesting
   that using Ed25519 instead of another common curve of similar size
   would lower the security of ECDSA.  GNS uses 256-bit curves; that
   way, the encoded (public) keys fit into a single DNS label, which is
   good for usability.

   In order to ensure ciphertext indistinguishability, care must be
   taken with respect to the IV in the counter block.  In our design,
   the IV always includes the expiration time of the record block.  When
   applications store records with relative expiration times,
   monotonicity is implicitly ensured because each time a block is
   published in storage, its IV is unique, as the expiration time is
   calculated dynamically and increases monotonically with the system
   time.  Still, an implementation MUST ensure that when relative
   expiration times are decreased, the expiration time of the next
   record block MUST be after the last published block.  For records
   where an absolute expiration time is used, the implementation MUST
   ensure that the expiration time is always increased when the record
   data changes.  For example, the expiration time on the wire could be
   increased by a single microsecond even if the user did not request a
   change.  In the case of deletion of all resource records under a
   label, the implementation MUST keep track of the last absolute
   expiration time of the last published resource block.
   Implementations MAY define and use a special record type as a
   tombstone that preserves the last absolute expiration time but then
   MUST take care to not publish a block with such a tombstone record.
   When new records are added under this label later, the implementation
   MUST ensure that the expiration times are after the last published
   block.  Finally, in order to ensure monotonically increasing
   expiration times, the implementation MUST keep a local record of the
   last time obtained from the system clock, so as to construct a
   monotonic clock if the system clock jumps backwards.

9.4.  Abuse Mitigation

   GNS names are UTF-8 strings.  Consequently, GNS faces issues with
   respect to name spoofing similar to those for DNS with respect to
   internationalized domain names.  In DNS, attackers can register
   similar-sounding or similar-looking names (see above) in order to
   execute phishing attacks.  GNS zone administrators must take into
   account this attack vector and incorporate rules in order to mitigate
   it.

   Further, DNS can be used to combat illegal content on the Internet by
   having the respective domains seized by authorities.  However, the
   same mechanisms can also be abused in order to impose state
   censorship.  Avoiding that possibility is one of the motivations
   behind GNS.  In GNS, TLDs are not enumerable.  By design, the Start
   Zone of the resolver is defined locally, and hence such a seizure is
   difficult and ineffective in GNS.

9.5.  Zone Management

   In GNS, zone administrators need to manage and protect their zone
   keys.  Once a private zone key is lost, it cannot be recovered, and
   the zone revocation message cannot be computed anymore.  Revocation
   messages can be precalculated if revocation is required in cases
   where a private zone key is lost.  Zone administrators, and for GNS
   this includes end users, are required to responsibly and diligently
   protect their cryptographic keys.  GNS supports signing records in
   advance ("offline") in order to support processes (such as air gaps)
   that aim to protect private keys.

   Similarly, users are required to manage their local Start Zone
   configuration.  In order to ensure the integrity and availability of
   names, users must ensure that their local Start Zone information is
   not compromised or outdated.  It can be expected that the processing
   of zone revocations and an initial Start Zone are provided with a GNS
   implementation ("drop shipping").  Shipping an initial Start Zone
   configuration effectively establishes a root zone.  Extension and
   customization of the zone are at the full discretion of the user.

   While implementations following this specification will be
   interoperable, if two implementations connect to different remote
   storage entities, they are mutually unreachable.  This can lead to a
   state where a record exists in the global namespace for a particular
   name, but the implementation is not communicating with the remote
   storage entity that contains the respective block and is hence unable
   to resolve it.  This situation is similar to a split-horizon DNS
   configuration.  The remote storage entity used will most likely
   depend on the specific application context using GNS resolution.  For
   example, one application is the resolution of hidden services within
   the Tor network [TorRendSpec], which would suggest using Tor routers
   for remote storage.  Implementations of "aggregated" remote storage
   entities are conceivable but are expected to be the exception.

9.6.  DHTs as Remote Storage

   This document does not specify the properties of the underlying
   remote storage, which is required by any GNS implementation.  It is
   important to note that the properties of the underlying remote
   storage are directly inherited by the GNS implementation.  This
   includes both security and other non-functional properties such as
   scalability and performance.  Implementers should take great care
   when selecting or implementing a DHT for use as remote storage in a
   GNS implementation.  DHTs with reasonable security and performance
   properties exist [R5N].  It should also be taken into consideration
   that GNS implementations that build upon different DHT overlays are
   unlikely to be mutually reachable.

9.7.  Revocations

   Zone administrators are advised to pregenerate zone revocations and
   to securely store the revocation information if the zone key is lost,
   compromised, or replaced in the future.  Precalculated revocations
   can cease to be valid due to expirations or protocol changes such as
   epoch adjustments.  Consequently, implementers and users must take
   precautions in order to manage revocations accordingly.

   Revocation payloads do not include a "new" key for key replacement.
   Inclusion of such a key would have two major disadvantages:

   1.  If a revocation is published after a private key was compromised,
       allowing key replacement would be dangerous: if an adversary took
       over the private key, the adversary could then broadcast a
       revocation with a key replacement.  For the replacement, the
       compromised owner would have no chance to issue a revocation.
       Thus, allowing a revocation message to replace a private key
       makes dealing with key compromise situations worse.

   2.  Sometimes, key revocations are used with the objective of
       changing cryptosystems.  Migration to another cryptosystem by
       replacing keys via a revocation message would only be secure as
       long as both cryptosystems are still secure against forgery.
       Such a planned, non-emergency migration to another cryptosystem
       should be done by running zones for both cipher systems in
       parallel for a while.  The migration would conclude by revoking
       the legacy zone key only when it is deemed no longer secure and,
       hopefully, after most users have migrated to the replacement.

9.8.  Zone Privacy

   GNS does not support authenticated denial of existence of names
   within a zone.  Record data is published in encrypted form using keys
   derived from the zone key and record label.  Zone administrators
   should carefully consider whether (1) a label and zone key are public
   or (2) one or both of these should be used as a shared secret to
   restrict access to the corresponding record data.  Unlike public zone
   keys, low-entropy labels can be guessed by an attacker.  If an
   attacker knows the public zone key, the use of well-known or
   guessable labels effectively threatens the disclosure of the
   corresponding records.

   It should be noted that the guessing attack on labels only applies if
   the zone key is somehow disclosed to the adversary.  GNS itself does
   not disclose it during a lookup or when resource records are
   published (as only the blinded zone keys are used on the network).
   However, zone keys do become public during revocation.

   It is thus RECOMMENDED to use a label with sufficient entropy to
   prevent guessing attacks if any data in a resource record set is
   sensitive.

9.9.  Zone Governance

   While DNS is distributed, in practice it relies on centralized,
   trusted registrars to provide globally unique names.  As awareness of
   the central role DNS plays on the Internet increases, various
   institutions are using their power (including legal means) to engage
   in attacks on the DNS, thus threatening the global availability and
   integrity of information on the Internet.  While a wider discussion
   of this issue is out of scope for this document, analyses and
   investigations can be found in recent academic research works,
   including [SecureNS].

   GNS is designed to provide a secure, privacy-enhancing alternative to
   the DNS name resolution protocol, especially when censorship or
   manipulation is encountered.  In particular, it directly addresses
   concerns in DNS with respect to query privacy.  However, depending on
   the governance of the root zone, any deployment will likely suffer
   from the issue of a single hierarchy with a centrally controlled root
   and the related issue of distribution and management of root servers
   in DNS, as raised in Sections 3.12 and 3.10 of [RFC8324],
   respectively.  In DNS, those issues directly result from the
   centralized root zone governance at the Internet Corporation for
   Assigned Names and Numbers (ICANN), which allows it to provide
   globally unique names.

   In GNS, Start Zones give users local authority over their preferred
   root zone governance.  It enables users to replace or enhance a
   trusted root zone configuration provided by a third party (e.g., the
   implementer or a multi-stakeholder governance body like ICANN) with
   secure delegation of authority using local petnames while operating
   under a very strong adversary model.  In combination with zTLDs, this
   provides users of GNS with a global, secure, and memorable mapping
   without a trusted authority.

   Any GNS implementation MAY provide a default governance model in the
   form of an initial Start Zone mapping.

9.10.  Namespace Ambiguity

   Technically, the GNS protocol can be used to resolve names in the
   namespace of the global DNS.  However, this would require the
   respective governance bodies and stakeholders (e.g., the IETF and
   ICANN) to standardize the use of GNS for this particular use case.

   This capability implies that GNS names may be indistinguishable from
   DNS names in their respective common display format [RFC8499] or
   other special-use domain names [RFC6761] if a local Start Zone
   configuration maps suffixes from the global DNS to GNS zones.  For
   applications, which name system should be used in order to resolve a
   given name will then be ambiguous.  This poses a risk when trying to
   resolve a name through DNS when it is actually a GNS name, as
   discussed in [RFC8244].  In such a case, the GNS name is likely to be
   leaked as part of the DNS resolution.

   In order to prevent disclosure of queried GNS names, it is
   RECOMMENDED that GNS-aware applications try to resolve a given name
   in GNS before any other method, taking into account potential suffix-
   to-zone mappings and zTLDs.  Suffix-to-zone mappings are expected to
   be configured by the user or local administrator, and as such the
   resolution in GNS is in line with user expectations even if the name
   could also be resolved through DNS.  If no suffix-to-zone mapping for
   the name exists and no zTLD is found, resolution MAY continue with
   other methods such as DNS.  If a suffix-to-zone mapping for the name
   exists or the name ends with a zTLD, it MUST be resolved using GNS,
   and resolution MUST NOT continue by any other means independent of
   the GNS resolution result.

   Mechanisms such as the Name Service Switch (NSS) of UNIX-like
   operating systems are an example of how such a resolution process can
   be implemented and used.  The NSS allows system administrators to
   configure hostname resolution precedence and is integrated with the
   system resolver implementation.

   For use cases where GNS names may be confused with names of other
   name resolution mechanisms (in particular, DNS), the ".gns.alt"
   domain SHOULD be used.  For use cases like implementing sinkholes to
   block malware sites or serving DNS domains via GNS to bypass
   censorship, GNS MAY be deliberately used in ways that interfere with
   resolution of another name system.

10.  GANA Considerations

10.1.  GNUnet Signature Purposes Registry

   GANA [GANA] has assigned signature purposes in its "GNUnet Signature
   Purposes" registry as listed in Table 1.

   +=========+=================+============+==========================+
   | Purpose | Name            | References | Comment                  |
   +=========+=================+============+==========================+
   | 3       | GNS_REVOCATION  | RFC 9498   | GNS zone key revocation  |
   +---------+-----------------+------------+--------------------------+
   | 15      | GNS_RECORD_SIGN | RFC 9498   | GNS record set           |
   |         |                 |            | signature                |
   +---------+-----------------+------------+--------------------------+

            Table 1: The GANA GNUnet Signature Purposes Registry

10.2.  GNS Record Types Registry

   GANA [GANA] manages the "GNS Record Types" registry.

   Each entry has the following format:

   Name:  The name of the record type (case-insensitive ASCII string,
      restricted to alphanumeric characters).  For zone delegation
      records, the assigned number represents the ztype value of the
      zone.

   Number:  A 32-bit number above 65535.

   Comment:  Optionally, brief English text describing the purpose of
      the record type (in UTF-8).

   Contact:  Optionally, the contact information for a person to contact
      for further information.

   References:  Optionally, references (such as an RFC) describing the
      record type.

   The registration policy for this registry is "First Come First
   Served".  This policy is modeled on that described in [RFC8126] and
   describes the actions taken by GANA:

   *  Adding new entries is possible after review by any authorized GANA
      contributor, using a first-come-first-served policy for unique
      name allocation.  Reviewers are responsible for ensuring that the
      chosen "Name" is appropriate for the record type.  The registry
      will define a unique number for the entry.

   *  Authorized GANA contributors for review of new entries are
      reachable at <gns-registry@gnunet.org>.

   *  Any request MUST contain a unique name and a point of contact.
      The contact information MAY be added to the registry, with the
      consent of the requester.  The request MAY optionally also contain
      relevant references as well as a descriptive comment, as defined
      above.

   GANA has assigned numbers for the record types defined in this
   specification in the "GNS Record Types" registry as listed in
   Table 2.

     +========+==========+=========+============+====================+
     | Number | Name     | Contact | References | Comment            |
     +========+==========+=========+============+====================+
     | 65536  | PKEY     | (*)     | RFC 9498   | GNS zone           |
     |        |          |         |            | delegation (PKEY)  |
     +--------+----------+---------+------------+--------------------+
     | 65537  | NICK     | (*)     | RFC 9498   | GNS zone nickname  |
     +--------+----------+---------+------------+--------------------+
     | 65538  | LEHO     | (*)     | RFC 9498   | GNS legacy         |
     |        |          |         |            | hostname           |
     +--------+----------+---------+------------+--------------------+
     | 65540  | GNS2DNS  | (*)     | RFC 9498   | Delegation to DNS  |
     +--------+----------+---------+------------+--------------------+
     | 65541  | BOX      | (*)     | RFC 9498   | Box records        |
     +--------+----------+---------+------------+--------------------+
     | 65551  | REDIRECT | (*)     | RFC 9498   | Redirection record |
     +--------+----------+---------+------------+--------------------+
     | 65556  | EDKEY    | (*)     | RFC 9498   | GNS zone           |
     |        |          |         |            | delegation (EDKEY) |
     +--------+----------+---------+------------+--------------------+
     | (*): gns-registry@gnunet.org                                  |
     +---------------------------------------------------------------+

                Table 2: The GANA GNS Record Types Registry

10.3.  .alt Subdomains Registry

   GANA [GANA] manages the ".alt Subdomains" registry.  This GANA-
   operated .alt registry may or may not be taken into account by any
   particular implementer, and it is not in any way associated with or
   sanctioned by the IETF or ICANN.

   Each entry has the following format:

   Label:  The label of the subdomain (in DNS "letters, digits, hyphen"
      (LDH) format as defined in Section 2.3.1 of [RFC5890]).

   Description:  Optionally, brief English text describing the purpose
      of the subdomain (in UTF-8).

   Contact:  Optionally, the contact information for a person to contact
      for further information.

   References:  Optionally, references (such as an RFC) describing the
      record type.

   The registration policy for this registry is "First Come First
   Served".  This policy is modeled on that described in [RFC8126] and
   describes the actions taken by GANA:

   *  Adding new entries is possible after review by any authorized GANA
      contributor, using a first-come-first-served policy for unique
      subdomain allocation.  Reviewers are responsible for ensuring that
      the chosen "Subdomain" is appropriate for the purpose.

   *  Authorized GANA contributors for review of new entries are
      reachable at <alt-registry@gnunet.org>.

   *  Any request MUST contain a unique subdomain and a point of
      contact.  The contact information MAY be added to the registry,
      with the consent of the requester.  The request MAY optionally
      also contain relevant references as well as a descriptive comment,
      as defined above.

   GANA has assigned the subdomain defined in this specification in the
   ".alt Subdomains" registry as listed in Table 3.

       +=======+=========+============+============================+
       | Label | Contact | References | Description                |
       +=======+=========+============+============================+
       | gns   | (*)     | RFC 9498   | The .alt subdomain for GNS |
       +-------+---------+------------+----------------------------+
       | (*): alt-registry@gnunet.org                              |
       +-----------------------------------------------------------+

                 Table 3: The GANA .alt Subdomains Registry

11.  IANA Considerations

   This document has no IANA actions.

12.  Implementation and Deployment Status

   There are two implementations conforming to this specification,
   written in C and Go, respectively.  The C implementation as part of
   GNUnet [GNUnetGNS] represents the original and reference
   implementation.  The Go implementation [GoGNS] demonstrates how two
   implementations of GNS are interoperable if they are built on top of
   the same underlying DHT storage.

   Currently, the GNUnet peer-to-peer network [GNUnet] is an active
   deployment of GNS on top of its DHT [R5N].  The Go implementation
   [GoGNS] uses this deployment by building on top of the GNUnet DHT
   services available on any GNUnet peer.  It shows how GNS
   implementations can attach to this existing deployment and
   participate in name resolution as well as zone publication.

   The self-sovereign identity system re:claimID [reclaim] is using GNS
   in order to selectively share identity attributes and attestations
   with third parties.

   The Ascension tool [Ascension] facilitates the migration of DNS zones
   to GNS zones by translating information retrieved from a DNS zone
   transfer into a GNS zone.

13.  References

13.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
              <https://www.rfc-editor.org/info/rfc1034>.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <https://www.rfc-editor.org/info/rfc1035>.

   [RFC2782]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
              specifying the location of services (DNS SRV)", RFC 2782,
              DOI 10.17487/RFC2782, February 2000,
              <https://www.rfc-editor.org/info/rfc2782>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003, <https://www.rfc-editor.org/info/rfc3629>.

   [RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES)
              Counter Mode With IPsec Encapsulating Security Payload
              (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004,
              <https://www.rfc-editor.org/info/rfc3686>.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826,
              DOI 10.17487/RFC3826, June 2004,
              <https://www.rfc-editor.org/info/rfc3826>.

   [RFC5237]  Arkko, J. and S. Bradner, "IANA Allocation Guidelines for
              the Protocol Field", BCP 37, RFC 5237,
              DOI 10.17487/RFC5237, February 2008,
              <https://www.rfc-editor.org/info/rfc5237>.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010,
              <https://www.rfc-editor.org/info/rfc5869>.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, DOI 10.17487/RFC5890, August 2010,
              <https://www.rfc-editor.org/info/rfc5890>.

   [RFC5895]  Resnick, P. and P. Hoffman, "Mapping Characters for
              Internationalized Domain Names in Applications (IDNA)
              2008", RFC 5895, DOI 10.17487/RFC5895, September 2010,
              <https://www.rfc-editor.org/info/rfc5895>.

   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234,
              DOI 10.17487/RFC6234, May 2011,
              <https://www.rfc-editor.org/info/rfc6234>.

   [RFC6895]  Eastlake 3rd, D., "Domain Name System (DNS) IANA
              Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
              April 2013, <https://www.rfc-editor.org/info/rfc6895>.

   [RFC6979]  Pornin, T., "Deterministic Usage of the Digital Signature
              Algorithm (DSA) and Elliptic Curve Digital Signature
              Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
              2013, <https://www.rfc-editor.org/info/rfc6979>.

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016, <https://www.rfc-editor.org/info/rfc7748>.

   [RFC8032]  Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
              Signature Algorithm (EdDSA)", RFC 8032,
              DOI 10.17487/RFC8032, January 2017,
              <https://www.rfc-editor.org/info/rfc8032>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019, <https://www.rfc-editor.org/info/rfc8499>.

   [RFC9106]  Biryukov, A., Dinu, D., Khovratovich, D., and S.
              Josefsson, "Argon2 Memory-Hard Function for Password
              Hashing and Proof-of-Work Applications", RFC 9106,
              DOI 10.17487/RFC9106, September 2021,
              <https://www.rfc-editor.org/info/rfc9106>.

   [GANA]     GNUnet e.V., "GNUnet Assigned Numbers Authority (GANA)",
              2023, <https://gana.gnunet.org/>.

   [MODES]    Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Methods and Techniques", NIST Special
              Publication 800-38A, DOI 10.6028/NIST.SP.800-38A, December
              2001, <https://doi.org/10.6028/NIST.SP.800-38A>.

   [CrockfordB32]
              Crockford, D., "Base 32", March 2019,
              <https://www.crockford.com/base32.html>.

   [XSalsa20] Bernstein, D. J., "Extending the Salsa20 nonce", 2011,
              <https://cr.yp.to/papers.html#xsalsa>.

   [Unicode-UAX15]
              Davis, M., Whistler, K., and M. Dürst, "Unicode Standard
              Annex #15: Unicode Normalization Forms", Revision 31, The
              Unicode Consortium, Mountain View, September 2009,
              <https://www.unicode.org/reports/tr15/tr15-31.html>.

   [Unicode-UTS46]
              Davis, M. and M. Suignard, "Unicode Technical Standard
              #46: Unicode IDNA Compatibility Processing", Revision 31,
              The Unicode Consortium, Mountain View, September 2023,
              <https://www.unicode.org/reports/tr46>.

13.2.  Informative References

   [RFC1928]  Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and
              L. Jones, "SOCKS Protocol Version 5", RFC 1928,
              DOI 10.17487/RFC1928, March 1996,
              <https://www.rfc-editor.org/info/rfc1928>.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, DOI 10.17487/RFC4033, March 2005,
              <https://www.rfc-editor.org/info/rfc4033>.

   [RFC6066]  Eastlake 3rd, D., "Transport Layer Security (TLS)
              Extensions: Extension Definitions", RFC 6066,
              DOI 10.17487/RFC6066, January 2011,
              <https://www.rfc-editor.org/info/rfc6066>.

   [RFC7363]  Maenpaa, J. and G. Camarillo, "Self-Tuning Distributed
              Hash Table (DHT) for REsource LOcation And Discovery
              (RELOAD)", RFC 7363, DOI 10.17487/RFC7363, September 2014,
              <https://www.rfc-editor.org/info/rfc7363>.

   [RFC8324]  Klensin, J., "DNS Privacy, Authorization, Special Uses,
              Encoding, Characters, Matching, and Root Structure: Time
              for Another Look?", RFC 8324, DOI 10.17487/RFC8324,
              February 2018, <https://www.rfc-editor.org/info/rfc8324>.

   [RFC8806]  Kumari, W. and P. Hoffman, "Running a Root Server Local to
              a Resolver", RFC 8806, DOI 10.17487/RFC8806, June 2020,
              <https://www.rfc-editor.org/info/rfc8806>.

   [RFC6761]  Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
              RFC 6761, DOI 10.17487/RFC6761, February 2013,
              <https://www.rfc-editor.org/info/rfc6761>.

   [RFC8244]  Lemon, T., Droms, R., and W. Kumari, "Special-Use Domain
              Names Problem Statement", RFC 8244, DOI 10.17487/RFC8244,
              October 2017, <https://www.rfc-editor.org/info/rfc8244>.

   [RFC9476]  Kumari, W. and P. Hoffman, "The .alt Special-Use Top-Level
              Domain", RFC 9476, DOI 10.17487/RFC9476, September 2023,
              <https://www.rfc-editor.org/info/rfc9476>.

   [TorRendSpec]
              Tor Project, "Tor Rendezvous Specification - Version 3",
              commit b345ca0, June 2023,
              <https://github.com/torproject/torspec/blob/main/rend-
              spec-v3.txt>.

   [Tor224]   Goulet, D., Kadianakis, G., and N. Mathewson, "Next-
              Generation Hidden Services in Tor", Appendix A.2 ("Tor's
              key derivation scheme"), November 2013,
              <https://gitweb.torproject.org/torspec.git/tree/
              proposals/224-rend-spec-ng.txt#n2135>.

   [SDSI]     Rivest, R. L. and B. Lampson, "SDSI - A Simple Distributed
              Security Infrastructure", October 1996,
              <https://citeseerx.ist.psu.edu/document?repid=rep1&type=pd
              f&doi=3837e0206bf73e5e8f0ba6db767a2f714ea7c367>.

   [Kademlia] Maymounkov, P. and D. Mazières, "Kademlia: A Peer-to-peer
              Information System Based on the XOR Metric",
              DOI 10.1007/3-540-45748-8_5, 2002,
              <https://css.csail.mit.edu/6.824/2014/papers/
              kademlia.pdf>.

   [ed25519]  Bernstein, D. J., Duif, N., Lange, T., Schwabe, P., and
              B-Y. Yang, "High-speed high-security signatures",
              DOI 10.1007/s13389-012-0027-1, 2011,
              <https://ed25519.cr.yp.to/ed25519-20110926.pdf>.

   [GNS]      Wachs, M., Schanzenbach, M., and C. Grothoff, "A
              Censorship-Resistant, Privacy-Enhancing and Fully
              Decentralized Name System", 13th International Conference
              on Cryptology and Network Security (CANS),
              DOI 10.13140/2.1.4642.3044, October 2014,
              <https://sci-hub.st/10.1007/978-3-319-12280-9_9>.

   [R5N]      Evans, N. S. and C. Grothoff, "R5N: Randomized Recursive
              Routing for Restricted-Route Networks", 5th International
              Conference on Network and System Security (NSS),
              DOI 10.1109/ICNSS.2011.6060022, September 2011,
              <https://sci-hub.st/10.1109/ICNSS.2011.6060022>.

   [SecureNS] Grothoff, C., Wachs, M., Ermert, M., and J. Appelbaum,
              "Toward secure name resolution on the Internet", Computers
              and Security, Volume 77, Issue C, pp. 694-708,
              DOI 10.1016/j.cose.2018.01.018, August 2018, <https://sci-
              hub.st/https://doi.org/10.1016/j.cose.2018.01.018>.

   [GNUnetGNS]
              GNUnet e.V., "gnunet.git - GNUnet core repository", 2023,
              <https://git.gnunet.org/gnunet.git>.

   [Ascension]
              GNUnet e.V., "ascension.git - DNS zones to GNS migrating
              using incremental zone transfer (AXFR/IXFR)", 2023,
              <https://git.gnunet.org/ascension.git>.

   [GNUnet]   GNUnet e.V., "The GNUnet Project (Home Page)", 2023,
              <https://gnunet.org>.

   [reclaim]  GNUnet e.V., "re:claimID - Self-sovereign, Decentralised
              Identity Management and Personal Data Sharing", 2023,
              <https://reclaim.gnunet.org>.

   [GoGNS]    Fix, B., "gnunet-go (Go GNS)", commit 5c815ba, July 2023,
              <https://github.com/bfix/gnunet-
              go/tree/master/src/gnunet/service/gns>.

   [nsswitch] GNU Project, "System Databases and Name Service Switch
              (Section 29)",
              <https://www.gnu.org/software/libc/manual/html_node/Name-
              Service-Switch.html>.

Appendix A.  Usage and Migration

   This section outlines a number of specific use cases that may help
   readers of this technical specification better understand the
   protocol.  The considerations below are not meant to be normative for
   the GNS protocol in any way.  Instead, they are provided in order to
   give context and to provide some background on what the intended use
   of the protocol is by its designers.  Further, this section provides
   pointers to migration paths.

A.1.  Zone Dissemination

   In order to become a zone owner, it is sufficient to generate a zone
   key and a corresponding secret key using a GNS implementation.  At
   this point, the zone owner can manage GNS resource records in a local
   zone database.  The resource records can then be published by a GNS
   implementation as defined in Section 6.  For other users to resolve
   the resource records, the respective zone information must be
   disseminated first.  The zone owner may decide to make the zone key
   and labels known to a selected set of users only or to make this
   information available to the general public.

   Sharing zone information directly with specific users not only allows
   an implementation to potentially preserve zone and record privacy but
   also allows the zone owner and the user to establish strong trust
   relationships.  For example, a bank may send a customer letter with a
   QR code that contains the GNS zone of the bank.  This allows the user
   to scan the QR code and establish a strong link to the zone of the
   bank and with it, for example, the IP address of the online banking
   web site.

   Most Internet services likely want to make their zones available to
   the general public in the most efficient way possible.  First, it is
   reasonable to assume that zones that are commanding high levels of
   reputation and trust are likely included in the default suffix-to-
   zone mappings of implementations.  Hence, dissemination of a zone
   through delegation under such zones can be a viable path in order to
   disseminate a zone publicly.  For example, it is conceivable that
   organizations such as ICANN or country-code TLD registrars also
   manage GNS zones and offer registration or delegation services.

   Following best practices, particularly those related to security and
   abuse mitigation, are methods that allow zone owners and aspiring
   registrars to gain a good reputation and, eventually, trust.  This
   includes, of course, diligent protection of private zone key
   material.  Formalizing such best practices is out of scope for this
   specification and should be addressed in a separate document that
   takes Section 9 of this document into account.

A.2.  Start Zone Configuration

   A user is expected to install a GNS implementation if it is not
   already provided through other means such as the operating system or
   the browser.  It is likely that the implementation ships with a
   default Start Zone configuration.  This means that the user is able
   to resolve GNS names ending on a zTLD or ending on any suffix-to-name
   mapping that is part of the default Start Zone configuration.  At
   this point, the user may delete or otherwise modify the
   implementation's default configuration:

   *  Deletion of suffix-to-zone mappings may become necessary if the
      zone owner referenced by the mapping has lost the trust of the
      user.  For example, this could be due to lax registration policies
      resulting in phishing activities.  Modification and addition of
      new mappings are means to heal the namespace perforation that
      would occur in the case of a deletion or to simply establish a
      strong direct trust relationship.  However, this requires the
      user's knowledge of the respective zone keys.  This information
      must be retrieved out of band, as illustrated in Appendix A.1: a
      bank may send the user a letter with a QR code that contains the
      GNS zone of the bank.  The user scans the QR code and adds a new
      suffix-to-name mapping using a chosen local name for their bank.
      Other examples include scanning zone information off the device of
      a friend, from a storefront, or from an advertisement.  The level
      of trust in the respective zone is contextual and likely varies
      from user to user.  Trust in a zone provided through a letter from
      a bank that may also include a credit card is certainly different
      from a zone found on a random advertisement on the street.
      However, this trust is immediately tangible to the user and can be
      reflected in the local naming as well.

   *  Users that are also clients should facilitate the modification of
      the Start Zone configuration -- for example, by providing a QR
      code reader or other import mechanisms.  Implementations are
      ideally implemented according to best practices and addressing
      applicable points from Section 9.  Formalizing such best practices
      is out of scope for this specification.

A.3.  Globally Unique Names and the Web

   HTTP virtual hosting and TLS Server Name Indication (SNI) are common
   use cases on the Web.  HTTP clients supply a DNS name in the HTTP
   "Host"-header or as part of the TLS handshake, respectively.  This
   allows the HTTP server to serve the indicated virtual host with a
   matching TLS certificate.  The global uniqueness of DNS names is a
   prerequisite of those use cases.

   Not all GNS names are globally unique.  However, any resource record
   in GNS can be represented as a concatenation of a GNS label and the
   zTLD of the zone.  While not memorable, this globally unique GNS name
   can be leveraged in order to facilitate the same use cases.  Consider
   the GNS name "www.example.gns.alt" entered in a GNS-aware HTTP
   client.  At first, "www.example.gns.alt" is resolved using GNS,
   yielding a record set.  Then, the HTTP client determines the virtual
   host as follows:

   If there is a LEHO record (Section 5.3.1) containing
   "www.example.com" in the record set, then the HTTP client uses this
   as the value of the "Host"-header field of the HTTP request:

   GET / HTTP/1.1
   Host: www.example.com

   In the absence of a LEHO record, an additional GNS resolution is
   required to check whether "www.example.gns.alt" itself points to a
   zone delegation record, which implies that the record set that was
   originally resolved is published under the apex label.

   If it does, the unique GNS name is simply the zTLD representation of
   the delegated zone:

   GET / HTTP/1.1
   Host: 000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W

   On the other hand, if there is no zone delegation record for
   "www.example.gns.alt", then the unique GNS name is the concatenation
   of the leftmost label (e.g., "www") and the zTLD representation of
   the zone:

   GET / HTTP/1.1
   Host: www.000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W

   Note that this second GNS resolution does not require any additional
   network operation, as only the local record processing differs as per
   the exception mentioned in the last sentence of Section 7.3.4.

   If the HTTP client is a browser, the use of a unique GNS name for
   virtual hosting or TLS SNI does not necessarily have to be shown to
   the user.  For example, the name in the URL bar may remain as
   "www.example.gns.alt" even if the used unique name in the "Host"-
   header differs.

A.4.  Migration Paths

   DNS resolution is built into a variety of existing software
   components -- most significantly, operating systems and HTTP clients.
   This section illustrates possible migration paths for both in order
   to enable legacy applications to resolve GNS names.

   One way to efficiently facilitate the resolution of GNS names is via
   GNS-enabled DNS server implementations.  Local DNS queries are
   thereby either rerouted or explicitly configured to be resolved by a
   "DNS-to-GNS" server that runs locally.  This DNS server tries to
   interpret any incoming query for a name as a GNS resolution request.
   If no Start Zone can be found for the name and it does not end in a
   zTLD, the server tries to resolve the name in DNS.  Otherwise, the
   name is resolved in GNS.  In the latter case, the resulting record
   set is converted to a DNS answer packet and is returned accordingly.
   An implementation of a DNS-to-GNS server can be found in [GNUnet].

   A similar approach is to use operating system extensions such as the
   NSS [nsswitch].  It allows the system administrator to configure
   plugins that are used for hostname resolution.  A GNS nsswitch plugin
   can be used in a fashion similar to that used for the DNS-to-GNS
   server.  An implementation of a glibc-compatible nsswitch plugin for
   GNS can be found in [GNUnet].

   The methods above are usually also effective for HTTP client
   software.  However, HTTP clients are commonly used in combination
   with TLS.  TLS certificate validation, and SNI in particular, require
   additional logic in HTTP clients when GNS names are in play
   (Appendix A.3).  In order to transparently enable this functionality
   for migration purposes, a local GNS-aware SOCKS5 proxy [RFC1928] can
   be configured to resolve domain names.  The SOCKS5 proxy, similar to
   the DNS-to-GNS server, is capable of resolving both GNS and DNS
   names.  In the event of a TLS connection request with a GNS name, the
   SOCKS5 proxy can terminate the TLS connection and establish a secure
   connection against the requested host.  In order to establish a
   secure connection, the proxy may use LEHO and TLSA records stored in
   the record set under the GNS name.  The proxy must provide a locally
   trusted certificate for the GNS name to the HTTP client; this usually
   requires the generation and configuration of a local trust anchor in
   the browser.  An implementation of this SOCKS5 proxy can be found in
   [GNUnet].

Appendix B.  Example Flows

B.1.  AAAA Example Resolution

                              Local Host             |   Remote
                                                     |   Storage
                                                     |
                                                     |    +---------+
                                                     |   /         /|
                                                     |  +---------+ |
   +-----------+ (1)      +----------+               |  |         | |
   |           |          |          |      (4,6)    |  | Record  | |
   |Application|----------| Resolver |---------------|->| Storage | |
   |           |<---------|          |<--------------|--|         |/
   +-----------+ (8)      +----------+      (5,7)    |  +---------+
                             A                       |
                             |                       |
                       (2,3) |                       |
                             |                       |
                             |                       |
                          +---------+                |
                         /   v     /|                |
                        +---------+ |                |
                        |         | |                |
                        |  Start  | |                |
                        |  Zones  | |                |
                        |         |/                 |
                        +---------+                  |

              Figure 24: Example Resolution of an IPv6 Address

   1.  Look up AAAA record for name: "www.example.gnu.gns.alt".

   2.  Determine Start Zone for "www.example.gnu.gns.alt".

   3.  Start Zone: zkey0 - Remainder: "www.example".

   4.  Calculate q0=SHA512(ZKDF(zkey0, "example")) and initiate GET(q0).

   5.  Retrieve and decrypt RRBLOCK consisting of a single PKEY record
       containing zkey1.

   6.  Calculate q1=SHA512(ZKDF(zkey1, "www")) and initiate GET(q1).

   7.  Retrieve RRBLOCK consisting of a single AAAA record containing
       the IPv6 address 2001:db8::1.

   8.  Return record set to application.

B.2.  REDIRECT Example Resolution

                              Local Host              |   Remote
                                                      |   Storage
                                                      |
                                                      |    +---------+
                                                      |   /         /|
                                                      |  +---------+ |
   +-----------+ (1)      +----------+                |  |         | |
   |           |          |          |      (4,6,8)   |  | Record  | |
   |Application|----------| Resolver |----------------|->| Storage | |
   |           |<---------|          |<---------------|--|         |/
   +-----------+ (10)     +----------+      (5,7,9)   |  +---------+
                             A                        |
                             |                        |
                       (2,3) |                        |
                             |                        |
                             |                        |
                          +---------+                 |
                         /   v     /|                 |
                        +---------+ |                 |
                        |         | |                 |
                        |  Start  | |                 |
                        |  Zones  | |                 |
                        |         |/                  |
                        +---------+                   |

       Figure 25: Example Resolution of an IPv6 Address with Redirect

   1.   Look up AAAA record for name: "www.example.tld.gns.alt".

   2.   Determine Start Zone for "www.example.tld.gns.alt".

   3.   Start Zone: zkey0 - Remainder: "www.example".

   4.   Calculate q0=SHA512(ZKDF(zkey0, "example")) and initiate
        GET(q0).

   5.   Retrieve and decrypt RRBLOCK consisting of a single PKEY record
        containing zkey1.

   6.   Calculate q1=SHA512(ZKDF(zkey1, "www")) and initiate GET(q1).

   7.   Retrieve and decrypt RRBLOCK consisting of a single REDIRECT
        record containing "www2.+".

   8.   Calculate q2=SHA512(ZKDF(zkey1, "www2")) and initiate GET(q2).

   9.   Retrieve and decrypt RRBLOCK consisting of a single AAAA record
        containing the IPv6 address 2001:db8::1.

   10.  Return record set to application.

B.3.  GNS2DNS Example Resolution

                              Local Host                |   Remote
                                                        |   Storage
                                                        |
                                                        |    +---------+
                                                        |   /         /|
                                                        |  +---------+ |
   +-----------+ (1)      +----------+                  |  |         | |
   |           |          |          |      (4)         |  | Record  | |
   |Application|----------| Resolver |------------------|->| Storage | |
   |           |<---------|          |<-----------------|--|         |/
   +-----------+ (8)      +----------+      (5)         |  +---------+
                             A    A                     |
                             |    |    (6,7)            |
                       (2,3) |    +----------+          |
                             |               |          |
                             |               v          |
                          +---------+    +------------+ |
                         /   v     /|    | System DNS | |
                        +---------+ |    | Resolver   | |
                        |         | |    +------------+ |
                        |  Start  | |                   |
                        |  Zones  | |                   |
                        |         |/                    |
                        +---------+                     |

     Figure 26: Example Resolution of an IPv6 Address with DNS Handover

   1.  Look up AAAA record for name: "www.example.gnu.gns.alt".

   2.  Determine Start Zone for "www.example.gnu.gns.alt".

   3.  Start Zone: zkey0 - Remainder: "www.example".

   4.  Calculate q0=SHA512(ZKDF(zkey0, "example")) and initiate GET(q0).

   5.  Retrieve and decrypt RRBLOCK consisting of a single GNS2DNS
       record containing the name "example.com" and the DNS server IPv4
       address 192.0.2.1.

   6.  Use system resolver to look up a AAAA record for the DNS name
       "www.example.com".

   7.  Retrieve a DNS reply consisting of a single AAAA record
       containing the IPv6 address 2001:db8::1.

   8.  Return record set to application.

Appendix C.  Base32GNS

   Encoding converts a byte array into a string of symbols.  Decoding
   converts a string of symbols into a byte array.  Decoding fails if
   the input string has symbols outside the defined set.

   Table 4 defines the encoding and decoding symbols for a given symbol
   value.  Each symbol value encodes 5 bits.  It can be used to
   implement the encoding by reading it as follows: a symbol "A" or "a"
   is decoded to a 5-bit value 10 when decoding.  A 5-bit block with a
   value of 18 is encoded to the character "J" when encoding.  If the
   bit length of the byte string to encode is not a multiple of 5, it is
   padded to the next multiple with zeroes.  In order to further
   increase tolerance for failures in character recognition, the letter
   "U" MUST be decoded to the same value as the letter "V" in Base32GNS.

           +==============+=================+=================+
           | Symbol Value | Decoding Symbol | Encoding Symbol |
           +==============+=================+=================+
           | 0            | 0 O o           | 0               |
           +--------------+-----------------+-----------------+
           | 1            | 1 I i L l       | 1               |
           +--------------+-----------------+-----------------+
           | 2            | 2               | 2               |
           +--------------+-----------------+-----------------+
           | 3            | 3               | 3               |
           +--------------+-----------------+-----------------+
           | 4            | 4               | 4               |
           +--------------+-----------------+-----------------+
           | 5            | 5               | 5               |
           +--------------+-----------------+-----------------+
           | 6            | 6               | 6               |
           +--------------+-----------------+-----------------+
           | 7            | 7               | 7               |
           +--------------+-----------------+-----------------+
           | 8            | 8               | 8               |
           +--------------+-----------------+-----------------+
           | 9            | 9               | 9               |
           +--------------+-----------------+-----------------+
           | 10           | A a             | A               |
           +--------------+-----------------+-----------------+
           | 11           | B b             | B               |
           +--------------+-----------------+-----------------+
           | 12           | C c             | C               |
           +--------------+-----------------+-----------------+
           | 13           | D d             | D               |
           +--------------+-----------------+-----------------+
           | 14           | E e             | E               |
           +--------------+-----------------+-----------------+
           | 15           | F f             | F               |
           +--------------+-----------------+-----------------+
           | 16           | G g             | G               |
           +--------------+-----------------+-----------------+
           | 17           | H h             | H               |
           +--------------+-----------------+-----------------+
           | 18           | J j             | J               |
           +--------------+-----------------+-----------------+
           | 19           | K k             | K               |
           +--------------+-----------------+-----------------+
           | 20           | M m             | M               |
           +--------------+-----------------+-----------------+
           | 21           | N n             | N               |
           +--------------+-----------------+-----------------+
           | 22           | P p             | P               |
           +--------------+-----------------+-----------------+
           | 23           | Q q             | Q               |
           +--------------+-----------------+-----------------+
           | 24           | R r             | R               |
           +--------------+-----------------+-----------------+
           | 25           | S s             | S               |
           +--------------+-----------------+-----------------+
           | 26           | T t             | T               |
           +--------------+-----------------+-----------------+
           | 27           | V v U u         | V               |
           +--------------+-----------------+-----------------+
           | 28           | W w             | W               |
           +--------------+-----------------+-----------------+
           | 29           | X x             | X               |
           +--------------+-----------------+-----------------+
           | 30           | Y y             | Y               |
           +--------------+-----------------+-----------------+
           | 31           | Z z             | Z               |
           +--------------+-----------------+-----------------+

              Table 4: The Base32GNS Alphabet, Including the
                      Additional Encoding Symbol "U"

Appendix D.  Test Vectors

   The following test vectors can be used by implementations to test for
   conformance with this specification.  Unless indicated otherwise, the
   test vectors are provided as hexadecimal byte arrays.

D.1.  Base32GNS Encoding/Decoding

   The following are test vectors for the Base32GNS encoding used for
   zTLDs.  The input strings are encoded without the zero terminator.

   Base32GNS-Encode:
     Input string: "Hello World"
     Output string: "91JPRV3F41BPYWKCCG"

     Input bytes: 474e55204e616d652053797374656d
     Output string: "8X75A82EC5PPA82KF5SQ8SBD"

   Base32GNS-Decode:
     Input string: "91JPRV3F41BPYWKCCG"
     Output string: "Hello World"

     Input string: "91JPRU3F41BPYWKCCG"
     Output string: "Hello World"

D.2.  Record Sets

   The test vectors include record sets with a variety of record types
   and flags for both PKEY and EDKEY zones.  This includes labels with
   UTF-8 characters to demonstrate internationalized labels.

   *(1) PKEY zone with ASCII label and one delegation record*

   Zone private key (d, big-endian):
     50 d7 b6 52 a4 ef ea df
     f3 73 96 90 97 85 e5 95
     21 71 a0 21 78 c8 e7 d4
     50 fa 90 79 25 fa fd 98

   Zone identifier (ztype|zkey):
     00 01 00 00 67 7c 47 7d
     2d 93 09 7c 85 b1 95 c6
     f9 6d 84 ff 61 f5 98 2c
     2c 4f e0 2d 5a 11 fe df
     b0 c2 90 1f

   zTLD:
   000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W

   Label:
     74 65 73 74 64 65 6c 65
     67 61 74 69 6f 6e

   Number of records (integer): 1

   Record #0 := (
     EXPIRATION: 8143584694000000 us
     00 1c ee 8c 10 e2 59 80

     DATA_SIZE:
     00 20

     TYPE:
     00 01 00 00

     FLAGS:   00 01

     DATA:
     21 e3 b3 0f f9 3b c6 d3
     5a c8 c6 e0 e1 3a fd ff
     79 4c b7 b4 4b bb c7 48
     d2 59 d0 a0 28 4d be 84

   )

   RDATA:
     00 1c ee 8c 10 e2 59 80
     00 20 00 01 00 01 00 00
     21 e3 b3 0f f9 3b c6 d3
     5a c8 c6 e0 e1 3a fd ff
     79 4c b7 b4 4b bb c7 48
     d2 59 d0 a0 28 4d be 84

   Encryption NONCE|EXPIRATION|BLOCK COUNTER:
     e9 0a 00 61 00 1c ee 8c
     10 e2 59 80 00 00 00 01

   Encryption key (K):
     86 4e 71 38 ea e7 fd 91
     a3 01 36 89 9c 13 2b 23
     ac eb db 2c ef 43 cb 19
     f6 bf 55 b6 7d b9 b3 b3

   Storage key (q):
     4a dc 67 c5 ec ee 9f 76
     98 6a bd 71 c2 22 4a 3d
     ce 2e 91 70 26 c9 a0 9d
     fd 44 ce f3 d2 0f 55 a2
     73 32 72 5a 6c 8a fb bb
     b0 f7 ec 9a f1 cc 42 64
     12 99 40 6b 04 fd 9b 5b
     57 91 f8 6c 4b 08 d5 f4

   ZKDF(zkey, label):
     18 2b b6 36 ed a7 9f 79
     57 11 bc 27 08 ad bb 24
     2a 60 44 6a d3 c3 08 03
     12 1d 03 d3 48 b7 ce b6

   Derived private key (d', big-endian):
     0a 4c 5e 0f 00 63 df ce
     db c8 c7 f2 b2 2c 03 0c
     86 28 b2 c2 cb ac 9f a7
     29 aa e6 1f 89 db 3e 9c

   BDATA:
     0c 1e da 5c c0 94 a1 c7
     a8 88 64 9d 25 fa ee bd
     60 da e6 07 3d 57 d8 ae
     8d 45 5f 4f 13 92 c0 74
     e2 6a c6 69 bd ee c2 34
     62 b9 62 95 2c c6 e9 eb

   RRBLOCK:
     00 00 00 a0 00 01 00 00
     18 2b b6 36 ed a7 9f 79
     57 11 bc 27 08 ad bb 24
     2a 60 44 6a d3 c3 08 03
     12 1d 03 d3 48 b7 ce b6
     0a d1 0b c1 3b 40 3b 5b
     25 61 26 b2 14 5a 6f 60
     c5 14 f9 51 ff a7 66 f7
     a3 fd 4b ac 4a 4e 19 90
     05 5c b8 7e 8d 1b fd 19
     aa 09 a4 29 f7 29 e9 f5
     c6 ee c2 47 0a ce e2 22
     07 59 e9 e3 6c 88 6f 35
     00 1c ee 8c 10 e2 59 80
     0c 1e da 5c c0 94 a1 c7
     a8 88 64 9d 25 fa ee bd
     60 da e6 07 3d 57 d8 ae
     8d 45 5f 4f 13 92 c0 74
     e2 6a c6 69 bd ee c2 34
     62 b9 62 95 2c c6 e9 eb

   *(2) PKEY zone with UTF-8 label and three records*

   Zone private key (d, big-endian):
     50 d7 b6 52 a4 ef ea df
     f3 73 96 90 97 85 e5 95
     21 71 a0 21 78 c8 e7 d4
     50 fa 90 79 25 fa fd 98

   Zone identifier (ztype|zkey):
     00 01 00 00 67 7c 47 7d
     2d 93 09 7c 85 b1 95 c6
     f9 6d 84 ff 61 f5 98 2c
     2c 4f e0 2d 5a 11 fe df
     b0 c2 90 1f

   zTLD:
   000G0037FH3QTBCK15Y8BCCNRVWPV17ZC7TSGB1C9ZG2TPGHZVFV1GMG3W

   Label:
     e5 a4 a9 e4 b8 8b e7 84
     a1 e6 95 b5

   Number of records (integer): 3

   Record #0 := (
     EXPIRATION: 8143584694000000 us
     00 1c ee 8c 10 e2 59 80

     DATA_SIZE:
     00 10

     TYPE:
     00 00 00 1c

     FLAGS:   00 00

     DATA:
     00 00 00 00 00 00 00 00
     00 00 00 00 de ad be ef

   )

   Record #1 := (
     EXPIRATION: 17999736901000000 us
     00 3f f2 aa 54 08 db 40

     DATA_SIZE:
     00 06

     TYPE:
     00 01 00 01

     FLAGS:   00 00

     DATA:
     e6 84 9b e7 a7 b0

   )

   Record #2 := (
     EXPIRATION: 11464693629000000 us
     00 28 bb 13 ff 37 19 40

     DATA_SIZE:
     00 0b

     TYPE:
     00 00 00 10

     FLAGS:   00 04

     DATA:
     48 65 6c 6c 6f 20 57 6f
     72 6c 64

   )

   RDATA:
     00 1c ee 8c 10 e2 59 80
     00 10 00 00 00 00 00 1c
     00 00 00 00 00 00 00 00
     00 00 00 00 de ad be ef
     00 3f f2 aa 54 08 db 40
     00 06 00 00 00 01 00 01
     e6 84 9b e7 a7 b0 00 28
     bb 13 ff 37 19 40 00 0b
     00 04 00 00 00 10 48 65
     6c 6c 6f 20 57 6f 72 6c
     64 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00

   Encryption NONCE|EXPIRATION|BLOCK COUNTER:
     ee 96 33 c1 00 1c ee 8c
     10 e2 59 80 00 00 00 01

   Encryption key (K):
     fb 3a b5 de 23 bd da e1
     99 7a af 7b 92 c2 d2 71
     51 40 8b 77 af 7a 41 ac
     79 05 7c 4d f5 38 3d 01

   Storage key (q):
     af f0 ad 6a 44 09 73 68
     42 9a c4 76 df a1 f3 4b
     ee 4c 36 e7 47 6d 07 aa
     64 63 ff 20 91 5b 10 05
     c0 99 1d ef 91 fc 3e 10
     90 9f 87 02 c0 be 40 43
     67 78 c7 11 f2 ca 47 d5
     5c f0 b5 4d 23 5d a9 77

   ZKDF(zkey, label):
     a5 12 96 df 75 7e e2 75
     ca 11 8d 4f 07 fa 7a ae
     55 08 bc f5 12 aa 41 12
     14 29 d4 a0 de 9d 05 7e

   Derived private key (d', big-endian):
     0a be 56 d6 80 68 ab 40
     e1 44 79 0c de 9a cf 4d
     78 7f 2d 3c 63 b8 53 05
     74 6e 68 03 32 15 f2 ab

   BDATA:
     d8 c2 8d 2f d6 96 7d 1a
     b7 22 53 f2 10 98 b8 14
     a4 10 be 1f 59 98 de 03
     f5 8f 7e 7c db 7f 08 a6
     16 51 be 4d 0b 6f 8a 61
     df 15 30 44 0b d7 47 dc
     f0 d7 10 4f 6b 8d 24 c2
     ac 9b c1 3d 9c 6f e8 29
     05 25 d2 a6 d0 f8 84 42
     67 a1 57 0e 8e 29 4d c9
     3a 31 9f cf c0 3e a2 70
     17 d6 fd a3 47 b4 a7 94
     97 d7 f6 b1 42 2d 4e dd
     82 1c 19 93 4e 96 c1 aa
     87 76 57 25 d4 94 c7 64
     b1 55 dc 6d 13 26 91 74

   RRBLOCK:
     00 00 00 f0 00 01 00 00
     a5 12 96 df 75 7e e2 75
     ca 11 8d 4f 07 fa 7a ae
     55 08 bc f5 12 aa 41 12
     14 29 d4 a0 de 9d 05 7e
     08 5b d6 5f d4 85 10 51
     ba ce 2a 45 2a fc 8a 7e
     4f 6b 2c 1f 74 f0 20 35
     d9 64 1a cd ba a4 66 e0
     00 ce d6 f2 d2 3b 63 1c
     8e 8a 0b 38 e2 ba e7 9a
     22 ca d8 1d 4c 50 d2 25
     35 8e bc 17 ac 0f 89 9e
     00 1c ee 8c 10 e2 59 80
     d8 c2 8d 2f d6 96 7d 1a
     b7 22 53 f2 10 98 b8 14
     a4 10 be 1f 59 98 de 03
     f5 8f 7e 7c db 7f 08 a6
     16 51 be 4d 0b 6f 8a 61
     df 15 30 44 0b d7 47 dc
     f0 d7 10 4f 6b 8d 24 c2
     ac 9b c1 3d 9c 6f e8 29
     05 25 d2 a6 d0 f8 84 42
     67 a1 57 0e 8e 29 4d c9
     3a 31 9f cf c0 3e a2 70
     17 d6 fd a3 47 b4 a7 94
     97 d7 f6 b1 42 2d 4e dd
     82 1c 19 93 4e 96 c1 aa
     87 76 57 25 d4 94 c7 64
     b1 55 dc 6d 13 26 91 74

   *(3) EDKEY zone with ASCII label and one delegation record*

   Zone private key (d):
     5a f7 02 0e e1 91 60 32
     88 32 35 2b bc 6a 68 a8
     d7 1a 7c be 1b 92 99 69
     a7 c6 6d 41 5a 0d 8f 65

   Zone identifier (ztype|zkey):
     00 01 00 14 3c f4 b9 24
     03 20 22 f0 dc 50 58 14
     53 b8 5d 93 b0 47 b6 3d
     44 6c 58 45 cb 48 44 5d
     db 96 68 8f

   zTLD:
   000G051WYJWJ80S04BRDRM2R2H9VGQCKP13VCFA4DHC4BJT88HEXQ5K8HW

   Label:
     74 65 73 74 64 65 6c 65
     67 61 74 69 6f 6e

   Number of records (integer): 1

   Record #0 := (
     EXPIRATION: 8143584694000000 us
     00 1c ee 8c 10 e2 59 80

     DATA_SIZE:
     00 20

     TYPE:
     00 01 00 00

     FLAGS:   00 01

     DATA:
     21 e3 b3 0f f9 3b c6 d3
     5a c8 c6 e0 e1 3a fd ff
     79 4c b7 b4 4b bb c7 48
     d2 59 d0 a0 28 4d be 84

   )

   RDATA:
     00 1c ee 8c 10 e2 59 80
     00 20 00 01 00 01 00 00
     21 e3 b3 0f f9 3b c6 d3
     5a c8 c6 e0 e1 3a fd ff
     79 4c b7 b4 4b bb c7 48
     d2 59 d0 a0 28 4d be 84

   Encryption NONCE|EXPIRATION:
     98 13 2e a8 68 59 d3 5c
     88 bf d3 17 fa 99 1b cb
     00 1c ee 8c 10 e2 59 80

   Encryption key (K):
     85 c4 29 a9 56 7a a6 33
     41 1a 96 91 e9 09 4c 45
     28 16 72 be 58 60 34 aa
     e4 a2 a2 cc 71 61 59 e2

   Storage key (q):
     ab aa ba c0 e1 24 94 59
     75 98 83 95 aa c0 24 1e
     55 59 c4 1c 40 74 e2 55
     7b 9f e6 d1 54 b6 14 fb
     cd d4 7f c7 f5 1d 78 6d
     c2 e0 b1 ec e7 60 37 c0
     a1 57 8c 38 4e c6 1d 44
     56 36 a9 4e 88 03 29 e9

   ZKDF(zkey, label):
     9b f2 33 19 8c 6d 53 bb
     db ac 49 5c ab d9 10 49
     a6 84 af 3f 40 51 ba ca
     b0 dc f2 1c 8c f2 7a 1a

   nonce := SHA-256(dh[32..63] || h):
     14 f2 c0 6b ed c3 aa 2d
     f0 71 13 9c 50 39 34 f3
     4b fa 63 11 a8 52 f2 11
     f7 3a df 2e 07 61 ec 35

   Derived private key (d', big-endian):
     3b 1b 29 d4 23 0b 10 a8
     ec 4d a3 c8 6e db 88 ea
     cd 54 08 5c 1d db 63 f7
     a9 d7 3f 7c cb 2f c3 98

   BDATA:
     57 7c c6 c9 5a 14 e7 04
     09 f2 0b 01 67 e6 36 d0
     10 80 7c 4f 00 37 2d 69
     8c 82 6b d9 2b c2 2b d6
     bb 45 e5 27 7c 01 88 1d
     6a 43 60 68 e4 dd f1 c6
     b7 d1 41 6f af a6 69 7c
     25 ed d9 ea e9 91 67 c3

   RRBLOCK:
     00 00 00 b0 00 01 00 14
     9b f2 33 19 8c 6d 53 bb
     db ac 49 5c ab d9 10 49
     a6 84 af 3f 40 51 ba ca
     b0 dc f2 1c 8c f2 7a 1a
     9f 56 a8 86 ea 73 9d 59
     17 50 8f 9b 75 56 39 f3
     a9 ac fa ed ed ca 7f bf
     a7 94 b1 92 e0 8b f9 ed
     4c 7e c8 59 4c 9f 7b 4e
     19 77 4f f8 38 ec 38 7a
     8f 34 23 da ac 44 9f 59
     db 4e 83 94 3f 90 72 00
     00 1c ee 8c 10 e2 59 80
     57 7c c6 c9 5a 14 e7 04
     09 f2 0b 01 67 e6 36 d0
     10 80 7c 4f 00 37 2d 69
     8c 82 6b d9 2b c2 2b d6
     bb 45 e5 27 7c 01 88 1d
     6a 43 60 68 e4 dd f1 c6
     b7 d1 41 6f af a6 69 7c
     25 ed d9 ea e9 91 67 c3

   *(4) EDKEY zone with UTF-8 label and three records*

   Zone private key (d):
     5a f7 02 0e e1 91 60 32
     88 32 35 2b bc 6a 68 a8
     d7 1a 7c be 1b 92 99 69
     a7 c6 6d 41 5a 0d 8f 65

   Zone identifier (ztype|zkey):
     00 01 00 14 3c f4 b9 24
     03 20 22 f0 dc 50 58 14
     53 b8 5d 93 b0 47 b6 3d
     44 6c 58 45 cb 48 44 5d
     db 96 68 8f

   zTLD:
   000G051WYJWJ80S04BRDRM2R2H9VGQCKP13VCFA4DHC4BJT88HEXQ5K8HW

   Label:
     e5 a4 a9 e4 b8 8b e7 84
     a1 e6 95 b5

   Number of records (integer): 3

   Record #0 := (
     EXPIRATION: 8143584694000000 us
     00 1c ee 8c 10 e2 59 80

     DATA_SIZE:
     00 10

     TYPE:
     00 00 00 1c

     FLAGS:   00 00

     DATA:
     00 00 00 00 00 00 00 00
     00 00 00 00 de ad be ef

   )

   Record #1 := (
     EXPIRATION: 17999736901000000 us
     00 3f f2 aa 54 08 db 40

     DATA_SIZE:
     00 06

     TYPE:
     00 01 00 01

     FLAGS:   00 00

     DATA:
     e6 84 9b e7 a7 b0

   )

   Record #2 := (
     EXPIRATION: 11464693629000000 us
     00 28 bb 13 ff 37 19 40

     DATA_SIZE:
     00 0b

     TYPE:
     00 00 00 10

     FLAGS:   00 04

     DATA:
     48 65 6c 6c 6f 20 57 6f
     72 6c 64

   )

   RDATA:
     00 1c ee 8c 10 e2 59 80
     00 10 00 00 00 00 00 1c
     00 00 00 00 00 00 00 00
     00 00 00 00 de ad be ef
     00 3f f2 aa 54 08 db 40
     00 06 00 00 00 01 00 01
     e6 84 9b e7 a7 b0 00 28
     bb 13 ff 37 19 40 00 0b
     00 04 00 00 00 10 48 65
     6c 6c 6f 20 57 6f 72 6c
     64 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00

   Encryption NONCE|EXPIRATION:
     bb 0d 3f 0f bd 22 42 77
     50 da 5d 69 12 16 e6 c9
     00 1c ee 8c 10 e2 59 80

   Encryption key (K):
     3d f8 05 bd 66 87 aa 14
     20 96 28 c2 44 b1 11 91
     88 c3 92 56 37 a4 1e 5d
     76 49 6c 29 45 dc 37 7b

   Storage key (q):
     ba f8 21 77 ee c0 81 e0
     74 a7 da 47 ff c6 48 77
     58 fb 0d f0 1a 6c 7f bb
     52 fc 8a 31 be f0 29 af
     74 aa 0d c1 5a b8 e2 fa
     7a 54 b4 f5 f6 37 f6 15
     8f a7 f0 3c 3f ce be 78
     d3 f9 d6 40 aa c0 d1 ed

   ZKDF(zkey, label):
     74 f9 00 68 f1 67 69 53
     52 a8 a6 c2 eb 98 48 98
     c5 3a cc a0 98 04 70 c6
     c8 12 64 cb dd 78 ad 11

   nonce := SHA-256(dh[32..63] || h):
     f8 6a b5 33 8a 74 d7 a1
     d2 77 ea 11 ff 95 cb e8
     3a cf d3 97 3b b4 ab ca
     0a 1b 60 62 c3 7a b3 9c

   Derived private key (d', big-endian):
     17 c0 68 a6 c3 f7 20 de
     0e 1b 69 ff 3f 53 e0 5d
     3f e5 c5 b0 51 25 7a 89
     a6 3c 1a d3 5a c4 35 58

   BDATA:
     4e b3 5a 50 d4 0f e1 a4
     29 c7 f4 b2 67 a0 59 de
     4e 2c 8a 89 a5 ed 53 d3
     d4 92 58 59 d2 94 9f 7f
     30 d8 a2 0c aa 96 f8 81
     45 05 2d 1c da 04 12 49
     8f f2 5f f2 81 6e f0 ce
     61 fe 69 9b fa c7 2c 15
     dc 83 0e a9 b0 36 17 1c
     cf ca bb dd a8 de 3c 86
     ed e2 95 70 d0 17 4b 82
     82 09 48 a9 28 b7 f0 0e
     fb 40 1c 10 fe 80 bb bb
     02 76 33 1b f7 f5 1b 8d
     74 57 9c 14 14 f2 2d 50
     1a d2 5a e2 49 f5 bb f2
     a6 c3 72 59 d1 75 e4 40
     b2 94 39 c6 05 19 cb b1

   RRBLOCK:
     00 00 01 00 00 01 00 14
     74 f9 00 68 f1 67 69 53
     52 a8 a6 c2 eb 98 48 98
     c5 3a cc a0 98 04 70 c6
     c8 12 64 cb dd 78 ad 11
     75 6d 2c 15 7a d2 ea 4f
     c0 b1 b9 1c 08 03 79 44
     61 d3 de f2 0d d1 63 6c
     fe dc 03 89 c5 49 d1 43
     6c c3 5b 4e 1b f8 89 5a
     64 6b d9 a6 f4 6b 83 48
     1d 9c 0e 91 d4 e1 be bb
     6a 83 52 6f b7 25 2a 06
     00 1c ee 8c 10 e2 59 80
     4e b3 5a 50 d4 0f e1 a4
     29 c7 f4 b2 67 a0 59 de
     4e 2c 8a 89 a5 ed 53 d3
     d4 92 58 59 d2 94 9f 7f
     30 d8 a2 0c aa 96 f8 81
     45 05 2d 1c da 04 12 49
     8f f2 5f f2 81 6e f0 ce
     61 fe 69 9b fa c7 2c 15
     dc 83 0e a9 b0 36 17 1c
     cf ca bb dd a8 de 3c 86
     ed e2 95 70 d0 17 4b 82
     82 09 48 a9 28 b7 f0 0e
     fb 40 1c 10 fe 80 bb bb
     02 76 33 1b f7 f5 1b 8d
     74 57 9c 14 14 f2 2d 50
     1a d2 5a e2 49 f5 bb f2
     a6 c3 72 59 d1 75 e4 40
     b2 94 39 c6 05 19 cb b1

D.3.  Zone Revocation

   The following is an example revocation for a PKEY zone:

   Zone private key (d, big-endian):
     6f ea 32 c0 5a f5 8b fa
     97 95 53 d1 88 60 5f d5
     7d 8b f9 cc 26 3b 78 d5
     f7 47 8c 07 b9 98 ed 70

   Zone identifier (ztype|zkey):
     00 01 00 00 2c a2 23 e8
     79 ec c4 bb de b5 da 17
     31 92 81 d6 3b 2e 3b 69
     55 f1 c3 77 5c 80 4a 98
     d5 f8 dd aa

   zTLD:
   000G001CM8HYGYFCRJXXXDET2WRS50EP7CQ3PTANY71QEQ409ACDBY6XN8

   Difficulty (5 base difficulty + 2 epochs): 7

   Signed message:
     00 00 00 34 00 00 00 03
     00 05 ff 1c 56 e4 b2 68
     00 01 00 00 2c a2 23 e8
     79 ec c4 bb de b5 da 17
     31 92 81 d6 3b 2e 3b 69
     55 f1 c3 77 5c 80 4a 98
     d5 f8 dd aa

   Proof:
     00 05 ff 1c 56 e4 b2 68
     00 00 39 5d 18 27 c0 00
     38 0b 54 aa 70 16 ac a2
     38 0b 54 aa 70 16 ad 62
     38 0b 54 aa 70 16 af 3e
     38 0b 54 aa 70 16 af 93
     38 0b 54 aa 70 16 b0 bf
     38 0b 54 aa 70 16 b0 ee
     38 0b 54 aa 70 16 b1 c9
     38 0b 54 aa 70 16 b1 e5
     38 0b 54 aa 70 16 b2 78
     38 0b 54 aa 70 16 b2 b2
     38 0b 54 aa 70 16 b2 d6
     38 0b 54 aa 70 16 b2 e4
     38 0b 54 aa 70 16 b3 2c
     38 0b 54 aa 70 16 b3 5a
     38 0b 54 aa 70 16 b3 9d
     38 0b 54 aa 70 16 b3 c0
     38 0b 54 aa 70 16 b3 dd
     38 0b 54 aa 70 16 b3 f4
     38 0b 54 aa 70 16 b4 42
     38 0b 54 aa 70 16 b4 76
     38 0b 54 aa 70 16 b4 8c
     38 0b 54 aa 70 16 b4 a4
     38 0b 54 aa 70 16 b4 c9
     38 0b 54 aa 70 16 b4 f0
     38 0b 54 aa 70 16 b4 f7
     38 0b 54 aa 70 16 b5 79
     38 0b 54 aa 70 16 b6 34
     38 0b 54 aa 70 16 b6 8e
     38 0b 54 aa 70 16 b7 b4
     38 0b 54 aa 70 16 b8 7e
     38 0b 54 aa 70 16 b8 f8
     38 0b 54 aa 70 16 b9 2a
     00 01 00 00 2c a2 23 e8
     79 ec c4 bb de b5 da 17
     31 92 81 d6 3b 2e 3b 69
     55 f1 c3 77 5c 80 4a 98
     d5 f8 dd aa 08 ca ff de
     3c 6d f1 45 f7 e0 79 81
     15 37 b2 b0 42 2d 5e 1f
     b2 01 97 81 ec a2 61 d1
     f9 d8 ea 81 0a bc 2f 33
     47 7f 04 e3 64 81 11 be
     71 c2 48 82 1a d6 04 f4
     94 e7 4d 0b f5 11 d2 c1
     62 77 2e 81

   The following is an example revocation for an EDKEY zone:

   Zone private key (d):
     5a f7 02 0e e1 91 60 32
     88 32 35 2b bc 6a 68 a8
     d7 1a 7c be 1b 92 99 69
     a7 c6 6d 41 5a 0d 8f 65

   Zone identifier (ztype|zkey):
     00 01 00 14 3c f4 b9 24
     03 20 22 f0 dc 50 58 14
     53 b8 5d 93 b0 47 b6 3d
     44 6c 58 45 cb 48 44 5d
     db 96 68 8f

   zTLD:
   000G051WYJWJ80S04BRDRM2R2H9VGQCKP13VCFA4DHC4BJT88HEXQ5K8HW

   Difficulty (5 base difficulty + 2 epochs): 7

   Signed message:
     00 00 00 34 00 00 00 03
     00 05 ff 1c 57 35 42 bd
     00 01 00 14 3c f4 b9 24
     03 20 22 f0 dc 50 58 14
     53 b8 5d 93 b0 47 b6 3d
     44 6c 58 45 cb 48 44 5d
     db 96 68 8f

   Proof:
     00 05 ff 1c 57 35 42 bd
     00 00 39 5d 18 27 c0 00
     58 4c 93 3c b0 99 2a 08
     58 4c 93 3c b0 99 2d f7
     58 4c 93 3c b0 99 2e 21
     58 4c 93 3c b0 99 2e 2a
     58 4c 93 3c b0 99 2e 53
     58 4c 93 3c b0 99 2e 8e
     58 4c 93 3c b0 99 2f 13
     58 4c 93 3c b0 99 2f 2d
     58 4c 93 3c b0 99 2f 3c
     58 4c 93 3c b0 99 2f 41
     58 4c 93 3c b0 99 2f fd
     58 4c 93 3c b0 99 30 33
     58 4c 93 3c b0 99 30 82
     58 4c 93 3c b0 99 30 a2
     58 4c 93 3c b0 99 30 e1
     58 4c 93 3c b0 99 31 ce
     58 4c 93 3c b0 99 31 de
     58 4c 93 3c b0 99 32 12
     58 4c 93 3c b0 99 32 4e
     58 4c 93 3c b0 99 32 9f
     58 4c 93 3c b0 99 33 31
     58 4c 93 3c b0 99 33 87
     58 4c 93 3c b0 99 33 8c
     58 4c 93 3c b0 99 33 e5
     58 4c 93 3c b0 99 33 f3
     58 4c 93 3c b0 99 34 26
     58 4c 93 3c b0 99 34 30
     58 4c 93 3c b0 99 34 68
     58 4c 93 3c b0 99 34 88
     58 4c 93 3c b0 99 34 8a
     58 4c 93 3c b0 99 35 4c
     58 4c 93 3c b0 99 35 bd
     00 01 00 14 3c f4 b9 24
     03 20 22 f0 dc 50 58 14
     53 b8 5d 93 b0 47 b6 3d
     44 6c 58 45 cb 48 44 5d
     db 96 68 8f 04 ae 26 f7
     63 56 5a b7 aa ab 01 71
     72 4f 3c a8 bc c5 1a 98
     b7 d4 c9 2e a3 3c d9 34
     4c a8 b6 3e 04 53 3a bf
     1a 3c 05 49 16 b3 68 2c
     5c a8 cb 4d d0 f8 4c 3b
     77 48 7a ac 6e ce 38 48
     0b a9 d5 00

Acknowledgements

   The authors thank all reviewers for their comments.  In particular,
   we thank D. J. Bernstein, S. Bortzmeyer, A. Farrel, E. Lear, and
   R. Salz for their insightful and detailed technical reviews.  We
   thank J. Yao and J. Klensin for the internationalization reviews.  We
   thank Dr. J. Appelbaum for suggesting the name "GNU Name System" and
   Dr. Richard Stallman for approving its use.  We thank T. Lange and
   M. Wachs for their earlier contributions to the design and
   implementation of GNS.  We thank NLnet and NGI DISCOVERY for funding
   work on the GNU Name System.

Authors' Addresses

   Martin Schanzenbach
   Fraunhofer AISEC
   Lichtenbergstrasse 11
   85748 Garching
   Germany
   Email: martin.schanzenbach@aisec.fraunhofer.de


   Christian Grothoff
   Berner Fachhochschule
   Hoeheweg 80
   CH-2501 Biel/Bienne
   Switzerland
   Email: christian.grothoff@bfh.ch


   Bernd Fix
   GNUnet e.V.
   Boltzmannstrasse 3
   85748 Garching
   Germany
   Email: fix@gnunet.org