GNU Name System

Questions related to the GNU Name System (GNS), a fully decentralized PKI and censorship-resistant replacement for DNS.

How does GNS handle SRV/TLSA records where service and protocol are part of the domain name?

In SRV/TLSA, domain names have the form _Service._Proto.(label.)*tld. How is this concept represented in GNS?

When GNS splits a domain name into labels for resolution, it detects the "_Service._Proto" syntax at the start of the name, converts "Service" to the corresponding port number and "Proto" to the corresponding protocol number, and resolves the rest of the name as usual. When the record set for that name is obtained, GNS looks for the GNS-specific "BOX" record type. A BOX record wraps another record (such as an SRV or TLSA record) and adds the service (port) number, the protocol number and the original record type of the boxed record to it; only boxes whose service, protocol and record type match the query are unboxed and returned to the application.
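A worked example of the name splitting and BOX handling just described, in Go. This is added illustration, not GNUnet's code: the port and protocol tables are constructed stand-ins for getservbyname()/getprotobyname(), the zone is an in-memory map, the inner SRV/TLSA rdata are placeholder bytes, and the BOX type number (65541) and the 2+2+4-byte BOX header layout are taken from GNUnet's record headers as an assumption to check against your GNUnet version:

```go
package main

import (
	"encoding/binary"
	"errors"
	"strings"
)

// SRV and TLSA are the IANA DNS type numbers; BOX is GNS-specific (65541 in
// GNUnet's gnunet_gnsrecord_lib.h; assumption, check your GNUnet version).
const TypeSRV, TypeTLSA, TypeBOX uint32 = 33, 52, 65541

// Constructed stand-ins for getservbyname()/getprotobyname() lookups.
var services = map[string]uint16{"sip": 5060, "https": 443, "xmpp-client": 5222}
var protocols = map[string]uint16{"tcp": 6, "udp": 17}

// Record is one entry of a record set: type number plus raw data.
type Record struct{ Type uint32; Data []byte }

// Box is a decoded BOX record: the inner record plus the protocol, service
// (port) and original type that were folded in from the query name.
type Box struct {
	Protocol, Service uint16
	Type              uint32
	Data              []byte
}

// EncodeBox serialises a BOX record as GNS does: 16-bit protocol, 16-bit
// service, 32-bit boxed record type, all big-endian, then the inner data.
func EncodeBox(b Box) []byte {
	out := make([]byte, 8, 8+len(b.Data))
	binary.BigEndian.PutUint16(out[0:2], b.Protocol)
	binary.BigEndian.PutUint16(out[2:4], b.Service)
	binary.BigEndian.PutUint32(out[4:8], b.Type)
	return append(out, b.Data...)
}

// DecodeBox parses the layout written by EncodeBox, rejecting short input.
func DecodeBox(wire []byte) (Box, error) {
	if len(wire) < 8 {
		return Box{}, errors.New("BOX record shorter than its 8-byte header")
	}
	return Box{binary.BigEndian.Uint16(wire[0:2]), binary.BigEndian.Uint16(wire[2:4]),
		binary.BigEndian.Uint32(wire[4:8]), wire[8:]}, nil
}

// SplitBoxName detects a leading "_Service._Proto" pair, maps it to a port and
// protocol number and returns the rest of the name; ok is false otherwise.
func SplitBoxName(name string) (port, proto uint16, rest string, ok bool) {
	labels := strings.Split(name, ".")
	if len(labels) < 3 || !strings.HasPrefix(labels[0], "_") || !strings.HasPrefix(labels[1], "_") {
		return 0, 0, name, false
	}
	port, okS := services[strings.ToLower(labels[0][1:])]
	proto, okP := protocols[strings.ToLower(labels[1][1:])]
	if !okS || !okP {
		return 0, 0, name, false
	}
	return port, proto, strings.Join(labels[2:], "."), true
}

// Unbox returns the inner records of the BOX records matching the query;
// non-BOX records are ignored, a malformed BOX is reported, not skipped.
func Unbox(set []Record, port, proto uint16, want uint32) ([]Record, error) {
	var out []Record
	for _, r := range set {
		if r.Type != TypeBOX {
			continue
		}
		b, err := DecodeBox(r.Data)
		if err != nil {
			return nil, err
		}
		if b.Service == port && b.Protocol == proto && b.Type == want {
			out = append(out, Record{Type: b.Type, Data: b.Data})
		}
	}
	return out, nil
}

// Resolve runs the whole flow against an in-memory zone: split, look up, unbox.
func Resolve(zone map[string][]Record, name string, want uint32) ([]Record, error) {
	port, proto, rest, ok := SplitBoxName(name)
	if !ok {
		return nil, errors.New("name carries no _Service._Proto prefix")
	}
	set, found := zone[rest]
	if !found {
		return nil, errors.New("no record set for " + rest)
	}
	return Unbox(set, port, proto, want)
}

// SampleZone is a constructed zone: "example.gnu" holds a boxed SRV for
// _sip._udp and a boxed TLSA for _https._tcp (inner rdata are placeholders).
func SampleZone() map[string][]Record {
	return map[string][]Record{"example.gnu": {
		{Type: TypeBOX, Data: EncodeBox(Box{17, 5060, TypeSRV, []byte("srv-rdata")})},
		{Type: TypeBOX, Data: EncodeBox(Box{6, 443, TypeTLSA, []byte("tlsa-rdata")})},
	}}
}
```

Resolving `_sip._udp.example.gnu` for SRV yields the SRV box and filters out the TLSA box, a name without the underscore prefix is passed through unchanged, and a BOX whose data is shorter than its header is rejected instead of being parsed.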

Doesn't GNS increase the trusted-computing base compared to DNS(SEC)?

Resolving names with GADS (the earlier name of GNS) potentially involves the extended social network. While there is a trade-off between human trust between social contacts and trust in external institutions, this trade-off can be problematic when we are talking about friends-of-friends-of-friends-of-friends. Having a few (note: more than one) trusted institutions that serve name-value bindings might be better: all a user needs to do is learn which of the institutions offering alternative services is more trustworthy and point their name resolvers at them, e.g., Google DNS and OpenDNS (which offer name-translation services). Would this scheme (although less decentralized) not have a smaller TCB?

First of all, in GNS you can explicitly see the trust chain, so you know if a name you are resolving belongs to a friend, or a friend-of-a-friend, and can thus decide how much you trust the result. Naturally, the trusted-computing base (TCB) can become arbitrarily large this way --- however, given the name length restriction, for an individual name it is always less than about 128 entities.

How does GNS compare to the Unmanaged Internet Architecture (UIA)?

In UIA, "users can assign personal names to each of their devices, and can also name other users and access their friends' namespaces.", is that not the same model as GNS?

UIA and GNS share the same basic naming model, which actually originated with Rivest and Lampson's SDSI. However, UIA is not concerned with integration with legacy applications and instead focuses on universal connectivity between a user's many machines.

In contrast, GNS was designed to interoperate with DNS as much as possible, and to also work as much as possible with the existing Web infrastructure. UIA is not at all concerned about legacy systems (clean slate).

Does GNS work with search engines?

Users do not just discover resources by typing in names, but mostly by sharing and following links in social graphs and using search engines. Does GNS support this?

GNS creates no significant problems for search engines, as they can use GNS to perform name resolution just like any normal user. Naturally, while we typically expect normal users to install custom software for name resolution, this is unlikely to work for search engines today. The DNS2GNS gateway, however, allows search engines to use DNS to resolve GNS names, so they can still index GNS resources. Since going through a DNS2GNS gateway breaks the cryptographic chain of trust, legacy search engines will obviously not obtain censorship-resistant names this way.

How does GNS protect against layer-3 censorship?

Governments have enforced censorship at even lower levels, e.g., by blocking routes to certain IP addresses (recent incident: Pakistan's block of YouTube). How does this system help here?

GNS does not directly help with layer-3 censorship, but it does help indirectly in two ways:

1) Many websites today use virtual hosting, so blocking a particular IP address causes much more collateral damage than blocking a DNS name. It thus raises the cost of censorship.

2) Existing layer-3 circumvention solutions (such as Tor) would benefit from a censorship resistant naming system. Accessing Tor's ".onion" namespace currently requires users to use unmemorable cryptographic identifiers. With nicer names, Tor and tor2web-like services would be even easier to use.

How does GNS compare to TrickleDNS?

TrickleDNS pushes ("critical") DNS records between DNS resolvers of participating domains to provide "better availability, lower query resolution times, and faster update propagation". Thus TrickleDNS is focused on defeating attacks on the availability (and performance) of record propagation in DNS, for example via DDoS attacks on DNS root servers. TrickleDNS is thus concerned with how to ensure distribution of authoritative records, and authority remains derived from the DNS hierarchy.

Why do you say that DNS is 'centralized' and 'distributed'?

We say that DNS is 'centralized' because it has a central component / central point of failure --- the root zone and its management by IANA/ICANN. This centralization creates vulnerabilities. For example, the US government was able to reassign the management of the country-code TLDs of Afghanistan and Iraq during the wars at the beginning of the 21st century.

Why do you believe it is worth giving up unique names for censorship resistance?

The GNU Name system offers an alternative to DNS that is censorship resistant. As with any security mechanism, this comes at a cost (names are not globally unique). To draw a parallel, HTTPS connections use more bandwidth and have higher latency than HTTP connections. Depending on your application, HTTPS may not be worth the cost. However, for users that are experiencing censorship (or are concerned about it), giving up globally unique names may very well be worth the cost. After all, what is a "globally" unique name worth, if it does not resolve?

Does GNS require a zone's signing keys to be online?

Right now, the simple answer is yes. The reason is that if a record is given a relative expiration period (for example, one week from now), then each time a request for that name is received, a signature will be created whose expiration period is one week from that moment. The simplest implementation that does this uses a signing key directly accessible from the resolver.
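A worked model of the timing argument above, in Go, added here as illustration rather than GNUnet's code. It uses a plain Ed25519 signature over (absolute expiration, payload), whereas GNS derives per-label keys from the zone key and has its own block format, so only the expiration logic is being modelled. The seed, dates and record payload are constructed values:

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"time"
)

// DemoSeed is a constructed, fixed 32-byte seed so the example is
// deterministic; a real zone key is generated randomly and kept secret.
var DemoSeed = []byte("gns-faq-demo-zone-key-seed-00001")

// Expiration of a record set: either absolute, or relative to the moment
// the set is signed (e.g. "one week from now").
type Expiration struct {
	Relative time.Duration // > 0: relative expiration
	Absolute time.Time     // used when Relative == 0
}

// Block is the signed unit published to the DHT: the absolute expiration and
// the record payload, both covered by the zone signature.
type Block struct {
	Expires   time.Time
	Payload   []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// signedBytes is what the signature covers: expiration as big-endian
// microseconds since the epoch, then the payload. Because the expiration is
// signed, a cache cannot extend a block's lifetime after the fact.
func signedBytes(expires time.Time, payload []byte) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, uint64(expires.UnixMicro()))
	return append(buf, payload...)
}

// Sign produces the block published at time now. With a relative expiration
// the absolute deadline is computed from now, so each publication needs the
// private key; with an absolute one the identical block could be pre-signed.
func Sign(priv ed25519.PrivateKey, exp Expiration, payload []byte, now time.Time) Block {
	expires := exp.Absolute
	if exp.Relative > 0 {
		expires = now.Add(exp.Relative)
	}
	return Block{
		Expires:   expires,
		Payload:   payload,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, signedBytes(expires, payload)),
	}
}

// Verify is what a resolver does with a block from the DHT: check the
// signature over (expiration, payload) and reject expired blocks.
func Verify(b Block, now time.Time) error {
	if !ed25519.Verify(b.PublicKey, signedBytes(b.Expires, b.Payload), b.Signature) {
		return errors.New("bad zone signature")
	}
	if !now.Before(b.Expires) {
		return errors.New("block expired")
	}
	return nil
}

// Outcome collects the checks of Scenario.
type Outcome struct{ FreshOK, StaleOK, ExtendedOK, ResignedOK, AbsoluteOK bool }

// Scenario: sign a record set with a one-week relative expiration on day 0,
// then see what a cache and a resolver can do on day 3 and day 8.
func Scenario() Outcome {
	priv := ed25519.NewKeyFromSeed(DemoSeed)
	week := Expiration{Relative: 7 * 24 * time.Hour}
	payload := []byte("A 192.0.2.1") // constructed record data
	day0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	blk := Sign(priv, week, payload, day0)

	var o Outcome
	// Day 3: the cached block is still valid; no private key needed.
	o.FreshOK = Verify(blk, day0.Add(3*24*time.Hour)) == nil
	// Day 8: the same cached block is expired.
	o.StaleOK = Verify(blk, day0.Add(8*24*time.Hour)) == nil
	// A cache without the key tries to "refresh" by editing the expiration:
	// the signature no longer matches.
	extended := blk
	extended.Expires = day0.Add(14 * 24 * time.Hour)
	o.ExtendedOK = Verify(extended, day0.Add(8*24*time.Hour)) == nil
	// Only the holder of the private key can publish a fresh block on day 8.
	fresh := Sign(priv, week, payload, day0.Add(8*24*time.Hour))
	o.ResignedOK = Verify(fresh, day0.Add(10*24*time.Hour)) == nil
	// With an absolute expiration the block signed on day 0 needs no re-signing.
	abs := Sign(priv, Expiration{Absolute: day0.Add(10 * 24 * time.Hour)}, payload, day0)
	o.AbsoluteOK = Verify(abs, day0.Add(8*24*time.Hour)) == nil
	return o
}
```

The block signed on day 0 verifies on day 3 and fails on day 8; editing its expiration without the key breaks the signature; only a fresh signature on day 8 restores a valid block, which is why a relative expiration keeps the signing key on the publishing path, while an absolute expiration lets the block be signed once and re-published from a cache until its fixed deadline.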

How can a GNS zone maintain multiple name servers, for example for load balancing?

We do not believe this will be necessary, since GNS records are stored (and replicated) in the R5N DHT. The authority will therefore usually not be contacted when a client performs a lookup. Even if the authority goes (temporarily) offline, the DHT will cache the records for some time. However, if multiple servers for a zone were considered necessary, the zone owner could simply run multiple peers at the same time (which would share the zone key and the database among themselves).
