commit e8df759cbca55064d919233e5249a8197612d886
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Mon, 2 Mar 2026 14:42:19 +0100
lsd0016
Diffstat:
4 files changed, 319 insertions(+), 0 deletions(-)
diff --git a/.buildbot/build.sh b/.buildbot/build.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+make
diff --git a/.buildbot/firefly-x86_64-amdepyc_deploy.sh b/.buildbot/firefly-x86_64-amdepyc_deploy.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Deploy rest api from buildbot
+
+if [ -e index.html ]; then
+ rm index.html
+fi
+ln -s draft-schanzen-gns-split-rrset.html index.html
+chmod -R ag+rX draft-schanzen-gns-split-rrset.* index.html .
+rsync --exclude=".*" --exclude="Makefile" -a --delete ./ lsd@firefly.gnunet.org:~/public/lsd0016/
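Review bot: The script has no `set -e`, so when `draft-schanzen-gns-split-rrset.html` is missing (a failed build) the `ln -s` on line 21 still creates a dangling `index.html` and the `rsync --delete` on line 23 still runs, replacing the previously published copy on the remote with the broken tree. Add `set -euo pipefail` after the shebang and guard the link, e.g. `[ -f draft-schanzen-gns-split-rrset.html ] || { echo "html output missing" >&2; exit 1; }`. The `[ -e index.html ]` test on line 18 follows the symlink, so a stale dangling `index.html` is not removed and the following `ln -s` fails with "File exists"; a single `ln -sfn draft-schanzen-gns-split-rrset.html index.html` replaces lines 18–21 and avoids that. `chmod -R ag+rX ... .` on line 22 also recurses into everything under the working directory (a `.git` directory, if present, included); since rsync already excludes dotfiles, limiting the chmod to the named files avoids loosening permissions on content that is never published.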
diff --git a/Makefile b/Makefile
@@ -0,0 +1,10 @@
+NAME=draft-schanzen-gns-split-rrset
+
+all: txt html
+
+html:
+ xml2rfc --html --css style.css ${NAME}.xml
+
+txt:
+ xml2rfc ${NAME}.xml
+
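Review bot: `all`, `html` and `txt` are command names rather than files, but no `.PHONY` line declares them, and because `html`/`txt` never exist as files both recipes rerun on every invocation; at minimum add `.PHONY: all html txt`. The better shape makes the real outputs the targets so a rebuild happens only when the `.xml` (or `style.css`) changes, as below; the `.txt` name assumes xml2rfc's default of `<input basename>.txt`, while the `.html` name matches what the deploy script links to. The recipe lines at 31 and 34 show a single leading space here; if that is the file's actual content rather than rendering, make fails with `missing separator`, since recipe lines must start with a tab. `NAME=` should be `NAME :=` (simple expansion) by convention, though for a constant it makes no practical difference.
```make
NAME := draft-schanzen-gns-split-rrset

.PHONY: all html txt
all: txt html
html: $(NAME).html
txt: $(NAME).txt

$(NAME).html: $(NAME).xml style.css
	xml2rfc --html --css style.css $<

$(NAME).txt: $(NAME).xml
	xml2rfc $<
```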
diff --git a/draft-schanzen-gns-split-rrset.xml b/draft-schanzen-gns-split-rrset.xml
@@ -0,0 +1,296 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE rfc [
+<!ENTITY RFC1034 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1034.xml">
+<!ENTITY RFC1035 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml">
+<!ENTITY RFC2119 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
+<!ENTITY RFC2782 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2782.xml">
+<!ENTITY RFC3629 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3629.xml">
+<!ENTITY RFC3686 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3686.xml">
+<!ENTITY RFC3826 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3826.xml">
+<!ENTITY RFC3912 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3912.xml">
+<!ENTITY RFC5869 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5869.xml">
+<!ENTITY RFC5890 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5890.xml">
+<!ENTITY RFC5891 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5891.xml">
+<!ENTITY RFC6781 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6781.xml">
+<!ENTITY RFC6895 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6895.xml">
+<!ENTITY RFC6979 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6979.xml">
+<!ENTITY RFC7748 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7748.xml">
+<!ENTITY RFC8032 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8032.xml">
+<!ENTITY RFC8126 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8126.xml">
+]>
+<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
+<?rfc strict="yes" ?>
+<?rfc toc="yes" ?>
+<?rfc symrefs="yes"?>
+<?rfc sortrefs="yes" ?>
+<?rfc compact="yes" ?>
+<?rfc subcompact="no" ?>
+<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="info" docName="draft-schanzen-gns-split-rrset-00" ipr="trust200902" obsoletes="" updates="" submissionType="IETF" xml:lang="en" version="3">
+ <!-- xml2rfc v2v3 conversion 2.26.0 -->
+ <front>
+ <title abbrev="gns_split_rrset">
+ The GNS Split Resource Record Set
+ </title>
+ <seriesInfo name="Internet-Draft" value="draft-schanzen-gns-split-rrset-00"/>
+ <author fullname="Martin Schanzenbach" initials="M." surname="Schanzenbach">
+ <organization>GNUnet e.V.</organization>
+ <address>
+ <postal>
+ <street>Boltzmannstrasse 3</street>
+ <city>Garching</city>
+ <code>85748</code>
+ <country>DE</country>
+ </postal>
+ <email>schanzen@gnunet.org</email>
+ </address>
+ </author>
+ <author fullname="Thomas Bellebaum" initials="T." surname="Bellebaum">
+ <organization>Fraunhofer AISEC</organization>
+ <address>
+ <postal>
+ <street>Lichtenbergstrasse 11</street>
+ <city>Garching</city>
+ <code>85748</code>
+ <country>DE</country>
+ </postal>
+ <email>thomas.bellebaum@aisec.fraunhofer.de</email>
+ </address>
+ </author>
+ <!-- Meta-data Declarations -->
+ <area>General</area>
+ <workgroup>Independent Stream</workgroup>
+ <keyword>gnu name system</keyword>
+ <abstract>
+ <t>This document contains the technical specification of the GNS Split Resource Record Set.</t>
+ </abstract>
+ </front>
+ <middle>
+ <section anchor="introduction" numbered="true" toc="default">
+ <name>Introduction</name>
+ <t>
+ In GNS, resource record set sizes are limited by the underlying storage
+ component.
+ For example, in the current instantion in GNUnet on top of R<sup>5</sup>N,
+ Resource record sets must fit into around 64 kilobytes.
+ This includes all records in the set as well as signatures and encryption overhead
+ (e.g. the authentication tag).
+ This prohibits use cases that require some large records or a lot of small records, but also
+ makes post-quantum signature schemes more difficult to integrate.
+ </t>
+ <t>
+ This document defines a new record type that allows record sets to be split
+ across multiple record sets in GNS.
+ The new record type is backwards compatible with the existing GNS,
+ but resolver that do not conform to this specification will be unable to
+ fully retrieve the split record set.
+ In this case, the applicatin must take care and collect all entries of the record
+ set in the zone.
+ </t>
+ <t>
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
+ NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described
+ in <xref target="RFC2119"/>.
+ </t>
+ </section>
+ <section anchor="gnsrecords_split" numbered="true" toc="default">
+ <name>LEHO</name>
+ <t>
+ This record consists of a list of resource record types that should
+ exist and belong to this record set.
+ </t>
+ <t>
+ A LEHO resource record is expected to be found together in a single
+ resource record with an IPv4 or IPv6 address.
+ A LEHO DATA entry is illustrated in <xref target="figure_lehorecord"/>.
+ </t>
+ <figure anchor="figure_lehorecord" title="The LEHO DATA Wire Format.">
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+0 8 16 24 32
++-----+-----+-----+-----+
+| RECORD TYPE 0 |
++-----------------------+
+| RECORD TYPE 1 |
++-----------------------+
+/ ... /
+/ /
++-----------------------+
+| RECORD TYPE N-1 |
++-----+-----+-----+-----+
+ ]]></artwork>
+ </figure>
+ <dl>
+ <dt>RECORD TYPE X</dt>
+ <dd>
+ The 32-bit record type number (as defined in GANA) in network byte order.
+ </dd>
+ </dl>
+ <t>
+ The record types indicate to the resolve that it <bcp14>SHOULD</bcp14> try to resolve
+ further resource record sets of the specified type(s) if the record type is being
+ asked for as part of the resolution.
+ Otherwise, the record type can be ignored.
+ </t>
+ </section>
+ <section numbered="true" toc="default">
+ <name>Resolver behaviour</name>
+ <t>
+ When a resolver encounters a SPLIT record in a record set for
+ a label L in zone Z, it <bcp14>SHOULD</bcp14> process it as follows.
+ For reach record type T encountered in the SPLIT record, and in the
+ set of record types that is currently of interest, calculate the
+ next label as L' := Base32-GNS(SHA-256(Z,T,L)) with:
+ </t>
+ <t>
+ The resolver then queries L' in Z to retrieve the next part of the
+ record set for this record type.
+ The resulting record set <bcp14>MAY</bcp14> contain other record types
+ than the record type indicated by the SPLIT record, but those records
+ should only consist of supplemental or auxiliary records.
+ Otherwise, efficient resolution of record types is not possible.
+ </t>
+ </section>
+
+ <section anchor="security" numbered="true" toc="default">
+ <name>Security Considerations</name>
+ <section anchor="resolver_loop" numbered="true" toc="default">
+ <name>Loops</name>
+ <t>
+ Resolvers must take care to avoid loops.
+ While statistically unlikely due to the use of a collision-resistant hash function
+ in the derivation label, a resolver could accidentally be caught in a resolution loop.
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+CreateTid(AUDIENCE_PK):
+ x := rand()
+ ETK := X25519 (x, AUDIENCE_PK)
+ dhs := X25519 (x, G)
+ TID := Base64 (SHA-512 (dhs))
+ return (TID,ETK)
+ ]]></artwork>
+ <t>
+ This allows to the user to only transfer the ETK which can in turn be
+ used by the relying party to calculate the ticket identifier (TID)
+ using its private key:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+CalculateTid(AUDIENCE_SK,ETK):
+ dhs := X25519 (AUDIENCE_SK, G)
+ return TID := Base64 (SHA-512 (dhs))
+ ]]></artwork>
+ </section>
+ </section>
+ <section anchor="gana" numbered="true" toc="default">
+ <name>GANA Considerations</name>
+ <t>
+ GANA is requested to populate this registry as follows:
+ </t>
+ <figure anchor="figure_rrtypenums">
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+Number: 65549
+Name: RECLAIM_TICKET
+Contact: N/A
+References: [This.I-D]
+Description: Ticket
+
+Number: 65549
+Name: RECLAIM_ATTRIBUTE
+Contact: N/A
+References: [This.I-D]
+Description: Identity attribute
+
+Number: 65550
+Name: RECLAIM_ATTRIBUTE_REF
+Contact: N/A
+References: [This.I-D]
+Description: Refrerence to identity attribute
+
+Number: 65551
+Name: RECLAIM_OIDC_CLIENT
+Contact: N/A
+References: [This.I-D]
+Description: OIDC client description
+
+Number: 65552
+Name: RECLAIM_OIDC_REDIRECT
+Contact: N/A
+References: [This.I-D]
+Description: OIDC client redirect(s)
+
+Number: 65553
+Name: RECLAIM_CREDENTIAL
+Contact: N/A
+References: [This.I-D]
+Description: Credential
+
+Number: 65554
+Name: RECLAIM_PRESENTATION
+Contact: N/A
+References: [This.I-D]
+Description: Credential presentation
+ ]]></artwork>
+ </figure>
+ <t>
+ GANA is requested to amend the "GNUnet Signature Purpose" registry
+ as follows:
+ </t>
+ <figure anchor="figure_purposenums">
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+Purpose: 27
+Name: RECLAIM_CODE_SIGN
+References: [This.I-D]
+Description: Signature in OIDC authorization code
+ ]]></artwork>
+ </figure>
+ </section>
+ <!-- gana -->
+ <section>
+ <name>Test Vectors</name>
+ </section>
+ </middle>
+ <back>
+ <references>
+ <name>Normative References</name>
+
+ &RFC2119;
+ &RFC3629;
+
+ <reference anchor="GNS" target="https://lsd.gnunet.org/lsd0001">
+ <front>
+ <title>The GNU Name System</title>
+ <author initials="M." surname="Schanzenbach" fullname="Martin Schanzenbach">
+ <organization>GNUnet e.V.</organization>
+ </author>
+
+ <author initials="C." surname="Grothoff" fullname="Christian Grothoff">
+ <organization>GNUnet e.V.</organization>
+ </author>
+
+ <author initials="B." surname="Fix"
+ fullname="Bernd Fix">
+ <organization>GNUnet e.V.</organization>
+ </author>
+ <date year="2020" month="March"/>
+ </front>
+ </reference>
+ <reference anchor="Unicode-UAX15" target="https://www.unicode.org/reports/tr15/tr15-31.html">
+ <front>
+ <title>
+ Unicode Standard Annex #15: Unicode Normalization Forms
+ </title>
+ <author initials="M." surname="Davis" fullname="Mark Davis">
+ <organization/>
+ </author>
+ <author initials="K." surname="Whistler" fullname="Ken Whistler">
+ <organization/>
+ </author>
+ <author initials="M." surname="Dürst" fullname="Martin Dürst">
+ <organization/>
+ </author>
+ <date year="2009" month="September"/>
+ </front>
+ <refcontent>Revision 31, The Unicode Consortium, Mountain View</refcontent>
+ </reference>
+ </references>
+ </back>
+ </rfc>
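Review bot: The Loops subsection (`<name>Loops</name>`) says resolvers must avoid loops but specifies no mechanism; a resolver following SPLIT indirections needs a concrete bound, e.g. a maximum indirection depth or a check that a derived label L' (the (Z,T,L) tuple) has not already been visited in this resolution, and the text should state what happens when the bound is hit (fail the lookup rather than return a partial set as complete). The two `artwork` blocks that follow (`CreateTid`/`CalculateTid` with X25519 and a TID) appear to be pasted from a different draft and have nothing to do with split record sets, and `CalculateTid` never uses its `ETK` argument, so that material should be removed rather than left where a reader may take it as normative. The GANA section likewise lists RECLAIM_* record types, assigns number 65549 twice, and never registers a number for the SPLIT record type this document defines; the section headed `LEHO` and the sentence ending in `with:` (no derivation follows) look like the same template residue, and the resolver section cannot be implemented until the SHA-256 input encoding for (Z,T,L) is written out. Independently, the DOCTYPE entities fetch bibxml over plain `http://`; if the build actually resolves them, a network-fetched input can be altered in transit, so `https://` URLs or a local copy are preferable.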