commit ccb3afc38e16f6bc177a9dfaaf47449f09be1af8
parent e4bc2bac415cf2c9b8c9c0fa3d04c2460459a2dc
Author: Christian Grothoff <christian@grothoff.org>
Date: Tue, 1 Feb 2022 20:51:41 +0100
expand motivation
Diffstat:
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -1425,9 +1425,15 @@ NONCE := HKDF-Expand (PRK_n, label, 128 / 8)
<name>BOX</name>
<t>
In GNS, with the notable exception of zTLDs, every "." in a name
- delegates to another zone, and
+ delegates to another zone. Furthermore,
GNS lookups are expected to return all of the required useful
- information in one record set. This is incompatible with the
+ information in one record set. This avoids unnecessary additional
+ lookups and cryptographically ties together information that belongs
+ together, making it impossible for an adversarial storage to provide
+ partial answers that might omit information critical for security.
+ </t>
+ <t>
+ However, this general strategy of is incompatible with the
special labels used by DNS for SRV and TLSA records. Thus, GNS
defines the BOX record format to box up SRV and TLSA records and
include them in the record set of the label they are associated
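Review bot: the new sentence "However, this general strategy of is incompatible with the special labels used by DNS for SRV and TLSA records" has a stray "of" after "strategy"; suggest "However, this general strategy is incompatible with the special labels used by DNS for SRV and TLSA records." The added security motivation in the first paragraph is welcome, since it states why one record set per label matters: a storage node that could return a partial answer could drop a record the client needs for security, and the cryptographic binding of the whole set rules that out. Consider also rewording "an adversarial storage" to "an adversarial storage provider" or "adversarial storage nodes" for readability, and stating explicitly that clients must treat a record set as a unit (verify the signature over the complete set) so the motivation matches the verification requirement elsewhere in the draft.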