Hacker News
by nabla9 941 days ago
A distributed naming system intended to work with mesh networks like GNUnet.

GNS does not support names which are simultaneously global, secure and human-readable. Instead, names are either global and not human-readable or not globally unique and human-readable. In GNS, each user manages their own zones and can delegate subdomains to zones managed by other users.

For example, ICANN could just create a 'DNS zone' that would embed DNS as a zone into GNS.

4 comments

Zooko's triangle https://en.wikipedia.org/wiki/Zooko%27s_triangle You can't have it all.
Indeed that would work. In theory. Especially since we thought of that use case (delegation into DNS) with the GNS2DNS record type.

There is a BUT: You need an initial label for the ICANN zone to resolve the names. Unless you have a resolver implementation that "hides" the zkey of ICANN in the UI. But technically, under the hood, a name for this ICANN zone would look like:

www.example.com.THEICANNZKEY...

ICANN could also publish the TLDs individually as zones, however, and you could have an "ICANN Start Zone" (see Start Zone in the RFC) consisting of the TLD/zone key mappings.

Since the TLDs are multiplying with no end in sight, using a zone key seems smart.
Or, I guess, "someone" could apply for a custom gTLD and link it. Of course, that "someone" would need the $200K needed to review the application and all that stuff :P
Eh, you realize that this very work on the GNU Name System prompted IETF to create the ".alt" zone for this purpose already, minus the $200k fee? Registration is open at https://gana.gnunet.org/dot-alt/dot_alt.html
I'd settle for global and not human readable, if it means I get a domain I can use as a CNAME on a nicer domain.

Dynamic DNS services are nice and all, but needing to pre-register gets kind of annoying.

It can't possibly work, if you want your nicer domain to be globally unique.

If you don't, it depends on how local your domain needs to be; maybe all you need is a record in /etc/hosts on your home router.

If I understand, they want a (globally unique, secure) GNS name and a (globally unique, human-friendly) traditional DNS name which acts as an alias for the GNS name via CNAME.

This can work, and sounds like a good compromise in that it lets machines and people who care deeply about security use your secure name (which is more portable than an IP address), while providing a human friendly name for people who don't care and just want things to work.

These are all valid deployment questions, which we tried to address in Appendix A.

In a nutshell, we expect that resolvers would ship with a (large) set of default "suffix-to-zone" mappings, that can be overridden by the user to provide a usable and convenient out-of-the-box experience. Note that "we expect" means that this would be the ideal scenario, not something to expect when installing our reference implementation right now.
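The resolution model discussed in the two comments above (a zone key as the rightmost label, delegation from one zone to another, a GNS2DNS record handing the rest of the name to DNS, and resolver-shipped, user-overridable suffix-to-zone mappings) as an added Python sketch; this is not GNUnet's code. The zone keys, addresses, the "dnsname@server" value format for GNS2DNS and the PKEY record name are placeholders and assumptions for the example.

```python
# Simplified model of GNS-style resolution (added example, not GNUnet code).
# Zone keys here are constructed placeholder strings; real GNS zone keys are
# public keys and the records are signed and encrypted.
ICANN_ZKEY = "THEICANNZKEY"  # placeholder from the thread, not a real key

ZONES = {
    "ALICEZKEY": {
        "www": [("A", "192.0.2.10")],
        "bob": [("PKEY", "BOBZKEY")],  # delegate label 'bob' to Bob's zone
    },
    "BOBZKEY": {
        "shop": [("A", "192.0.2.20"), ("LEHO", "shop.bob.example")],
    },
    ICANN_ZKEY: {
        # GNS2DNS: resolve the remainder via DNS; 'dnsname@server' is assumed
        "com": [("GNS2DNS", "com@198.51.100.53")],
    },
}

# Resolver-shipped default suffix-to-zone mappings; the user may override them.
SUFFIX_TO_ZONE = {"alice": "ALICEZKEY", "icann": ICANN_ZKEY}


def resolve(name, suffix_map=SUFFIX_TO_ZONE):
    """Walk labels right to left. The rightmost label must be a zone key or a
    mapped suffix; PKEY records switch zones, GNS2DNS hands off to DNS."""
    labels = name.rstrip(".").split(".")
    tld = labels.pop()
    zone = tld if tld in ZONES else suffix_map.get(tld)
    if zone is None or not labels:
        raise LookupError(f"cannot resolve {name!r}: unknown suffix or no labels")
    while labels:
        label = labels.pop()
        records = ZONES.get(zone, {}).get(label, [])
        if not records:
            raise LookupError(f"{label!r} not found in zone {zone}")
        by_type = dict(records)
        if "GNS2DNS" in by_type:
            dns_name, server = by_type["GNS2DNS"].split("@")
            return ("DNS", ".".join(labels + [dns_name]), server)
        if not labels:
            return ("GNS", records)
        if "PKEY" not in by_type:
            raise LookupError(f"{label!r} is not a delegation (no PKEY)")
        zone = by_type["PKEY"]


def resolvable(name, suffix_map=SUFFIX_TO_ZONE):
    # Shows the 'initial label' problem: no zkey or mapping, no resolution.
    try:
        resolve(name, suffix_map)
        return True
    except LookupError:
        return False
```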

But what's the point? Federation, I suppose?

Because if globally unique, human-readable DNS still works, I see no point in migrating off it. If the point is smoother migration, then we should start forgetting about human-readability, because it's going to disappear anyway.

TLS certs without having to buy a domain? Create a GNS domain, set a LEHO record with the necessary Host name, and make your cert based on that? Obviously you'll need a CA that's willing to issue certs for GNS LEHO names, but that way you can use the current TLS CA system to a domain without having to actually spend money on one. Alternatively, have the CA issue wildcard certs for zTLDs and then you can manage your own zTLD without issue.
Let's Encrypt allows you to produce TLS certificates for free, under a reasonable, globally trusted CA.

If we wanted to go away from centralization here, that would require a serious breakthrough, the magnitude of Bitcoin.

Would <UUID>.example.com not work? With first to register getting priority. Or <pubkey>.example.com with the corresponding private key needed to do updates.

The "nicer" domain I am referring to would be a normal domain from a registrar.