Frequently Asked Questions

GNU Name System

Questions related to the GNU Name System (GNS), a fully decentralized PKI and censorship-resistant replacement for DNS.

  1. What is the ".gnu" top level domain?
  2. Who runs the ".gnu" top level domain?
  3. What is the ".zkey" top level domain?
  4. Who runs the ".zkey" TLD?
  5. What is a zone in GNS?
  6. What are the different zones in GNS for?
  7. What record types are supported by GNS?
  8. Is there a graphical user interface?
  9. Do you really expect normal users to use the GNS zone editor?
  10. Where is the per-user GNS database kept?
  11. What is the expected average size of a GNS namestore database?
  12. Is GNS resistant to the attacks on DNS used by the US?
  13. What is the difference between GNS and CoDoNS?
  14. What is the difference between GNS and SocialDNS?
  15. How does GNS compare to ODDNS?
  16. Does GNS require real-world introduction (secure PKEY exchange) in the style of the PGP web of trust?
  17. How can a legitimate domain owner tell other people to not use his name in GNS?
  18. Why do you only allow one pseudonym (PSEU record) per user in GNS?
  19. What can I do if name shortening is not desired for a particular zone (such as ai.mit.gnu)?
  20. Did you consider the privacy implications of making your personal GNS zone visible?
  21. In GNS, does shortening to pseudonyms picked by other users facilitate phishing attacks?
  22. Are "Legacy Host" (LEHO) records not going to be obsolete with IPv6?
  23. Why does GNS not use a trust metric or consensus to determine globally unique names?
  24. How do you handle compromised zone keys in GNS?
  25. Could the signing algorithm of GNS be upgraded in the future?
  26. Does GNS require a zone's signing keys to be online?
  27. How can a GNS zone maintain several name servers, e.g. for load balancing?
  28. Why are you intercepting DNS queries instead of running a DNS resolver?
  29. Does translating names in GNS break browser's same-origin policy?
  30. Will GNS work with cookies?
  31. How will existing network protocols cope with a transition from DNS to GNS?
  32. Why do you believe it is worth giving up unique names for censorship resistance?
  33. Why do you say that DNS is 'centralized' and 'distributed'?
  34. How does GNS compare to TrickleDNS?
  35. How does GNS protect against layer-3 censorship?
  36. Does GNS work with search engines?
  37. How does GNS compare to the Unmanaged Internet Architecture (UIA)?
  38. Doesn't GNS increase the trusted-computing base compared to DNS(SEC)?
  39. How does GNS handle SRV/TLSA records where service and protocol are part of the domain name?

GNUnet VPN/PT

Questions related to the GNUnet Virtual Public Network (IP over GNUnet) and the GNUnet Protocol Translation (IPv4/IPv6 migration via P2P) application.

There is currently no proxy (like fproxy in Freenet) for GNUnet that would make it accessible with a browser. It is possible to build such a proxy and all one needs to know is the protocol used between browser and proxy and a swift look at the GNUnet code for file-sharing.

As opposed to Napster, Gnutella, Kazaa, FastTrack, eDonkey and most other P2P networks, GNUnet was designed with security in mind as the highest priority. We intend to produce a network with comprehensive security features. Many other P2P networks are open to a wide variety of attacks, and users have little privacy. GNUnet is also free software and thus the source code is available, so you do not have to worry about being spied upon by the software. The following table summarises the main differences between GNUnet and other systems. The information is accurate to the best of our knowledge. The comparison is difficult since there are sometimes differences between various implementations of (almost) the same protocol. In general, we pick a free implementation as the reference implementation since it is possible to inspect the free code. Also, all of these systems are changing over time and thus the data below may not be up-to-date. If you find any flaws, please let us know. Finally, the table is not saying terribly much (it is hard to compare these systems this briefly), so if you want the real differences, read the research papers (and probably the code).

Generally, there is the possibility of a known plaintext attack on keywords, but since the user has control over the keywords that are associated with the content he inserts, the user can take advantage of the same techniques used to generate reasonable passwords to defend against such an attack. In any event, we are not trying to hide content; thus, unless the user is trying to insert information into the network that can only be shared with a small group of people, there is no real reason to try to obfuscate the content by choosing a difficult keyword anyway.

Yes, except for image previews pretty much all features can be accessed with various command line tools. Use gnunet-search to search for content:

There are actually a few graphical user interfaces for different functions.
gnunet-setup is to configure GNUnet, and gnunet-fs-gtk is for file-sharing. There are a few other gnunet-XXX-gtk GUIs of lesser importance. Note that in order to obtain the GUI, you need to install the gnunet-gtk package, which is a separate download.

gnunet-gtk is a meta GUI that integrates most of the other GUIs in one window. One exception is gnunet-setup, which must still be run separately at this time (as setup requires the peer to be stopped).

Anonymity is the lack of distinction of an individual from a (large) group. A central goal for anonymous file-sharing in GNUnet is to make all users (peers) form a group and to make communications in that group anonymous, that is, nobody (but the initiator) should be able to tell which of the peers in the group originated the message. In other words, it should be difficult to impossible for an adversary to distinguish between the originating peer and all other peers.

In GNUnet you set up a node (a peer). It is identified by an ID (hash of its public key) and has a number of addresses it is reachable by (may have no addresses, for instance when it's behind a NAT). You specify bandwidth limits (how much traffic GNUnet is allowed to consume) and datastore quota (how large your on-disk block storage is). Your node will then proceed to connect to other nodes, becoming part of the network.

There are many other sources of information. You can read additional documentation or ask the question on the help-gnunet@gnu.org mailing list or the #gnunet IRC on irc.freenode.net.

Consider being careful with personal information that you are
submitting to help-gnunet@gnu.org. The mailing list's content is
distributed widely -- including getting mirrored on the Web (see
http://lists.gnu.org/archive/html/help-gnunet/).

The general answer is, when it is ready. A better answer may be: earlier if you contribute (test, debug, code, document). Every release will be announced on the info-gnunet@gnu.org mailing list and on freshmeat. You can subscribe to the mailing list or to the GNUnet project on freshmeat to automatically receive a notification.

GNUnet is free software, available under the GNU Public License (GPL).

The list of currently known bugs is available in the Mantis system.

Some bugs are occasionally reported directly to developers or the developer mailing list. This is discouraged since developers often do not have the time to feed these bugs back into the Mantis database. Please report bugs directly to the bug tracking system. If you believe a bug is sensitive, you can set its view status to private (this should be the exception).

Sadly, we had to disable commenting even for authenticated users as we still got literally hundreds of spam-posts per day. However, we do still want real users to post comments! So if you want to post comments, please contact us on IRC or via e-mail and we will be happy to mark your account as "real user", which will enable you to interact more broadly with the site. We're sorry for the inconvenience, but without this, you would not be able to find real comments due to the high volume of automated spam. (And yes, we tried captchas and moderation, neither method worked.)

The gnunet-service-nse process will initially compute a so-called "proof-of-work" which is used to convince the network that your peer is real (or, rather, make it expensive for an adversary to mount a Sybil attack on the network size estimator). The calculation is expected to take a few days, depending on how fast your CPU is. If the CPU load is creating a problem for you, you can set the value "WORKDELAY" in the "nse" section of your configuration file to a higher value. The default is "5 ms".

Tor focuses on anonymous communication and censorship-resistance for TCP connections and, with the Tor Browser Bundle, for the Web in particular. GNUnet does not really have one focus; our theme is secure decentralized networking, but that is too broad to be called a focus.

Both GNUnet and I2P want to build a better, more secure, more decentralized Internet. However, on the technical side, there are almost no overlaps.

I2P is written in Java, and has (asymmetric) tunnels using onion (or garlic) routing as the basis for various (anonymized) applications. I2P is largely used via a Web frontend.

The ".gnu" top level domain (TLD) is the root of each user's personal namespace. All GNS names have this TLD. The use of ".gnu" as a TLD is really just a trick to combine the existing DNS hierarchy with the GNS graph as it is seen from an individual user's point of view.

Each individual GNS user will run his own personal ".gnu" top level domain (TLD).

To be more specific, for each user, his own zone is authoritative for the ".gnu" pseudo-TLD (".gnu" is a pseudo-TLD or pTLD, not a normal TLD).

The ".zkey" top level domain (TLD) provides a way to name a zone directly by using the corresponding public key for the name. A record in the ".zkey" TLD would look like HEK9TEBUQ5AT5V3FLL0HHNDA12HGH6BIM04TN7RDVOQ5B7TIEU80.zkey and a lookup for this name would return a delegation to the zone of the respective public key. As public keys are used for the names, the ".zkey" TLD is not memorable (but globally unique and secure).

Nobody runs the ".zkey" TLD: as names in the ".zkey" TLD are public keys, no authority is needed. The ".zkey" TLD is essentially a very simple mapping mechanism where there are only public key 'PKEY' records --- each name is mapped to the corresponding PKEY value (which is again the name). Given this, no actual authority is needed: ".zkey" lookups never involve any network operation but rather only consist of a trivial conversion from ASCII to binary. The ".zkey" TLD is really only a way for users to explicitly say that they want to access the zone of a given public key.
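
The local ASCII-to-binary conversion described above, as an added example (not GNUnet's own code). It assumes the label uses the alphabet 0-9 then A-V at 5 bits per character, most significant bit first, which fits the sample name on this page but is not stated here; the function names are hypothetical.

```python
# Assumption (not stated on the page): 32-symbol alphabet 0-9 then A-V,
# 5 bits per character, most significant bit first.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
KEY_BYTES = 32                          # 256-bit PKEY value
LABEL_LEN = (KEY_BYTES * 8 + 4) // 5    # 52 characters carry 260 bits
PAD_BITS = LABEL_LEN * 5 - KEY_BYTES * 8  # 4 trailing filler bits


def decode_zkey_label(label: str) -> bytes:
    """Convert the ASCII label of a .zkey name into its binary PKEY value."""
    label = label.upper()  # names are compared case-insensitively here
    if len(label) != LABEL_LEN:
        raise ValueError(f"expected {LABEL_LEN} characters, got {len(label)}")
    value = 0
    for ch in label:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the zkey alphabet")
        value = (value << 5) | idx
    if value & ((1 << PAD_BITS) - 1):
        # Rejecting non-zero filler keeps the mapping one-to-one: two
        # different spellings must never name the same zone.
        raise ValueError("non-zero padding bits")
    return (value >> PAD_BITS).to_bytes(KEY_BYTES, "big")


def encode_zkey_label(pkey: bytes) -> str:
    """Inverse of decode_zkey_label: binary PKEY value to ASCII label."""
    if len(pkey) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} bytes, got {len(pkey)}")
    value = int.from_bytes(pkey, "big") << PAD_BITS
    return "".join(
        ALPHABET[(value >> shift) & 31]
        for shift in range((LABEL_LEN - 1) * 5, -1, -5)
    )


def resolve_zkey(name: str) -> dict:
    """Return the delegation for a .zkey name without any network access."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].lower() != "zkey":
        raise ValueError("not a .zkey name")
    return {
        "type": "PKEY",
        "value": decode_zkey_label(labels[-2]),
        # Labels to the left of the key are resolved inside that zone.
        "remaining_labels": labels[:-2],
    }


if __name__ == "__main__":
    # Sample name quoted on this page.
    sample = "HEK9TEBUQ5AT5V3FLL0HHNDA12HGH6BIM04TN7RDVOQ5B7TIEU80.zkey"
    delegation = resolve_zkey(sample)
    print(delegation["type"], delegation["value"].hex())
```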

A zone in GNS (like DNS) is a portion of the namespace that a single entity (usually a user) is responsible for. For example, GNU is responsible for the "gnu.org" zone and thus all names ending with ".gnu.org".

In GNS, each user controls three zones:

  • Master zone
    This zone is your personal .gnu Top-Level-Domain zone. Any record mapped directly into this zone (such as www.gnu) is controlled directly by you.
  • Private zone
    This zone can be used by users to add private records they don't ever want to make public. Very useful if you don't want to 'accidentally' make some records public for privacy reasons (bank.private.gnu).

With GNS you have most of the record types you know from legacy DNS plus some GNS specific record types.

  • A, NS, CNAME, PTR, MX, TXT, AAAA, SRV
  • PKEY: the hash over a public key
  • NICK: the desired pseudonym the user picked for his zone
  • LEHO: a legacy hostname, used for SSL validation or virtual hosting. Usually found in combination with corresponding A/AAAA records under the same name
  • VPN: record used for VPN (Virtual Public Network) service information (peer, service name, port)

We expect that the GNS zone editor will be used by roughly the same user base as equivalent DNS zone editors: administrators that run servers and services as well as advanced (or curious) users. Normal users should have no real need for the GNS zone editor, as they also do not host services.

The short answer is that the database is kept at the user's GNUnet peer. Now, a user may run multiple GNUnet peers, in which case the database could be kept at each peer (however, we don't have code for convenient replication). Similarly, multiple GNUnet peers can share one instance of the database --- the "gnunet-service-namestore" can be accessed from remote (via TCP). The actual data can be stored in a Postgres database, for which various replication options are again applicable. Ultimately, there are many options for how users can store (and secure) their GNS database.

Pretty small. Based on our user study where we looked at browser histories and the number of domains visited, we expect that GNS databases will only grow to a few tens of thousands of entries, small enough to fit even on mobile devices.

We believe so, as there is no entity that any government could force to change the mapping for a name except for each individual user (and then the changes would only apply to the names that this user is the authority for). So if everyone used GNS, the only practical attack of a government would be to force the operator of a server to change the GNS records for his server to point elsewhere. However, if the owner of the private key for a zone is unavailable for enforcement, the respective zone cannot be changed and any other zone delegating to this zone will achieve proper resolution.

CoDoNS decentralizes the DNS database (using a DHT) but preserves the authority structure of DNS. With CoDoNS, IANA/ICANN are still in charge, and there are still registrars that determine who owns a name.

With GNS, we decentralize the database and also decentralize the responsibility for naming: each user runs his own personal root zone and is thus in complete control of the names he uses. GNS also has many additional features (to keep names short and enable migration) which don't even make sense in the context of CoDoNS.

Like GNS, SocialDNS allows each user to create DNS mappings. However, with SocialDNS the mappings are shared through the social network and subjected to ranking. As the social relationships evolve, names can thus change in surprising ways.

With GNS, names are primarily shared via delegation, and thus mappings will only change if the user responsible for the name (the authority) manually changes the record.

ODDNS is primarily designed to bypass the DNS root zone and the TLD registries (such as those for ".com" and ".org"). Instead of using those, each user is expected to maintain a database of (second-level) domains (like "gnu.org") and the IP addresses of the respective name servers. Resolution will fail if the target name servers change IPs.

For security, it is well known that an initial trust path between the two parties must exist. However, for applications where this is not required, weaker mechanisms can be used. For example, we have implemented a first-come-first-served (FCFS) authority which allows arbitrary users to register arbitrary names. The key of this authority is included with every GNUnet installation. Thus, any name registered with FCFS is in fact global and requires no further introduction. However, the security of these names depends entirely on the trustworthiness of the FCFS authority.

Names have no owners in GNS, so there cannot be a "legitimate" domain owner. Any user can claim any name (as his preferred name or 'pseudonym') in his NICK record. Similarly, all other users can choose to ignore this preference and use a name of their choice (or even assign no name) for this user.

The basic idea behind the question is that one should allow users to suggest multiple pseudonyms (possibly with a ranking), and if one of the names is already taken (for shortening) GNS should use one of the alternative names.

If the NICK record is left out, GNS will not apply shortening. This can be done in the GNS zone editor by leaving the pseudonym blank. If this is done for the 'ai' zone, then a delegation from the 'mit' zone to the 'ai' zone will never be shortened to 'ai.short.gnu'. However, other users can still manually give the 'ai' zone any name they wish (for example, 'ki-mit.gnu') --- it just won't happen automatically.

Each record in GNS has a flag "private". Records are shared with other users (via DHT or zone transfers) only if this flag is not set. Thus, users have full control over what information about their zones is made public.

In particular, records that GNS automatically adds (i.e. via name shortening) are always marked 'private' by default. Otherwise, other users might indeed be able to obtain sensitive private information about one's online behavior.

To a limited degree, yes. I can pick my pseudonym to be "bank", and if someone else's peer then learns about my identity, his client would refer to me as "bank", even though I'm unlikely to be the bank of the other user. However, GNS mitigates this problem by placing all shortened records into the shorten zone, so the name will occur as bank.shorten.gnu, not bank.gnu. This will hopefully give most users a strong visual hint. If you believe that this is insufficient, shortening can be disabled.

The question presumes that (a) virtual hosting is only necessary because of IPv4 address scarcity, and (b) that LEHOs are only useful in the context of virtual hosting. However, LEHOs are also useful to help with X.509 certificate validation (as they specify for which legacy hostname the certificate should be valid). Also, even with IPv6 fully deployed and "infinite" IP addresses being available, we're not sure that virtual hosting would disappear. Finally, we don't want to have to wait for IPv6 to become commonplace; GNS should work with today's networks.

Trust metrics have the fundamental problem that they have thresholds. As trust relationships evolve, mappings would change their meaning as they cross each other's thresholds. We decided that the resulting unpredictability of the resolution process was not acceptable. Furthermore, trust and consensus might be easy to manipulate by adversaries.

The owner of a private key can create a revocation message. This one can then be flooded throughout the overlay network, creating a copy at all peers. Before using a public key, peers check if that key has been revoked. All names that involve delegation (PKEY) via a revoked zone will then fail to resolve. Peers always automatically check for the existence of a revocation message when resolving names.
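
An added illustration of the revocation check during delegation, not taken from GNUnet. Zone keys, record contents and function names are constructed placeholders, and signature verification of records and of the revocation message is left out.

```python
class ResolutionError(Exception):
    """Name could not be resolved."""


class RevokedZone(ResolutionError):
    """A zone key on the delegation path has been revoked."""


# Constructed sample data: zone key -> {label: (record type, value)}.
# The "ZONE-..." strings stand in for public keys.
ZONES = {
    "ZONE-ME": {"bob": ("PKEY", "ZONE-BOB"), "www": ("A", "192.0.2.1")},
    "ZONE-BOB": {"alice": ("PKEY", "ZONE-ALICE")},
    "ZONE-ALICE": {"www": ("A", "192.0.2.80")},
}


def resolve(name, master_key, zones, revoked):
    """Resolve a .gnu name starting in the user's own master zone.

    Returns (record, chain) where chain lists every zone key that was
    used, in order. Raises RevokedZone as soon as a key that is about
    to be used appears in the locally stored set of revocations.
    """
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] != "gnu":
        raise ResolutionError("not a .gnu name")
    pending = labels[-2::-1]        # right to left, without the pTLD
    chain = []
    zone_key = master_key
    while True:
        # Check before using a key: every PKEY hop is covered, and so is
        # the starting zone.
        if zone_key in revoked:
            raise RevokedZone(zone_key)
        chain.append(zone_key)
        if not pending:
            return ("PKEY", zone_key), chain
        zone = zones.get(zone_key)
        if zone is None:
            raise ResolutionError(f"zone {zone_key} is unknown")
        label = pending.pop(0)
        record = zone.get(label)
        if record is None:
            raise ResolutionError(f"no record {label!r} in zone {zone_key}")
        rtype, value = record
        if rtype == "PKEY":
            zone_key = value        # follow the delegation
            continue
        if pending:
            raise ResolutionError("labels remain after a non-delegation record")
        return (rtype, value), chain


if __name__ == "__main__":
    print(resolve("www.alice.bob.gnu", "ZONE-ME", ZONES, revoked=set()))
    try:
        resolve("www.alice.bob.gnu", "ZONE-ME", ZONES, revoked={"ZONE-BOB"})
    except RevokedZone as exc:
        print("revoked zone on path:", exc)
```

Revoking an intermediate zone breaks every name that delegates through it, while names that do not pass through that zone keep resolving.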

Yes, we believe so. Naturally, deployed GNS implementations would have to be updated to support the new signature scheme. The new scheme could then be run in parallel with the existing system by using a new record type (PKEY2) to indicate the use of a different cipher system.

Right now, the simple answer is yes. The reason is that if a relative expiration time is given for a record (e.g. 1 week from now), each time a request for that name is received, a signature is created with an absolute expiration time of 1 week into the future. The simplest implementation for this uses a signing key that is directly available to the resolver.

We don't expect this to be necessary, as GNS records are stored (and replicated) in the R5N DHT. Thus the authority will typically not be contacted whenever clients perform a lookup. Even if the authority goes (temporarily) off-line, the DHT will cache the records for some time. However, should having multiple servers for a zone be considered truly necessary, the owner of the zone can simply run multiple peers (and share the zone's key and database among them).

Yes, it would be feasible to run a DNS server instead. However, in order to run a personal zone, we would need to run a DNS server for each user, not just for each host (which is at least a theoretical problem on multi-user systems, as most operating systems only allow one DNS server to be configured per host). Note that the firewall-based DNS interception suffers from the same problem.

The usual mapping of names in GNS is unproblematic as the browser either does not really see it (with the GNS proxy) or does it itself (in which case policy code would just have to be adjusted). However, there are issues in particular cases which the GNS proxy needs to handle.

GNS should work fine with cookies in most cases. The GNS proxy translates cookies set by the browser for "gnu.org" to the domain name the browser expects (i.e. gnu.gnu). Similarly, if the webserver believes it is 'alice.gnu' the GNS proxy can translate cookies to 'alice.bob.gnu'.

This depends of course largely on the protocol. Our documentation and implementation efforts have largely focused on HTTP/HTTPS as this is the dominant protocol in use and here the devil is sometimes in the details. Some other protocols --- such as most P2P protocols --- do not really use DNS and would thus not be affected by a DNS-GNS transition.

The GNU Name system offers an alternative to DNS that is censorship resistant. As with any security mechanism, this comes at a cost (names are not globally unique). To draw a parallel, HTTPS connections use more bandwidth and have higher latency than HTTP connections. Depending on your application, HTTPS may not be worth the cost. However, for users that are experiencing censorship (or are concerned about it), giving up globally unique names may very well be worth the cost. After all, what is a "globally" unique name worth, if it does not resolve?

We say that DNS is 'centralized' because it has a central component / central point of failure --- the root zone and its management by IANA/ICANN. This centralization creates vulnerabilities. For example, the US government was able to reassign the management of the country-TLDs of Afghanistan and Iraq during the wars at the beginning of the 21st century.

TrickleDNS pushes ("critical") DNS records between DNS resolvers of participating domains to provide "better availability, lower query resolution times, and faster update propagation". Thus TrickleDNS is focused on defeating attacks on the availability (and performance) of record propagation in DNS, for example via DDoS attacks on DNS root servers. TrickleDNS is thus concerned with how to ensure distribution of authoritative records, and authority remains derived from the DNS hierarchy.

GNS does not directly help with layer-3 censorship, but it does help indirectly in three ways:

1) Many websites today use virtual hosting, so blocking a particular IP address causes much more collateral damage than blocking a DNS name. It thus raises the cost of censorship.

2) Existing layer-3 circumvention solutions (such as Tor) would benefit from a censorship resistant naming system. Accessing Tor's ".onion" namespace currently requires users to use unmemorable cryptographic identifiers. With nicer names, Tor and tor2web-like services would be even easier to use.

GNS creates no significant problems for search engines, as they can use GNS to perform name resolution as well as any normal user. Naturally, while we typically expect normal users to install custom software for name resolution, this is unlikely to work for search engines today. However, the DNS2GNS gateway allows search engines to use DNS to resolve GNS names, so they can still index GNS resources. However, as using DNS2GNS gateways breaks the cryptographic chain of trust, legacy search engines will obviously not obtain censorship-resistant names.

UIA and GNS both share the same basic naming model, which actually originated with Rivest's SDSI. However, UIA is not concerned about integration with legacy applications and instead focuses on universal connectivity between a user's many machines.

In contrast, GNS was designed to interoperate with DNS as much as possible, and to also work as much as possible with the existing Web infrastructure. UIA is not at all concerned about legacy systems (clean slate).

First of all, in GNS you can explicitly see the trust chain, so you know if a name you are resolving belongs to a friend, or a friend-of-a-friend, and can thus decide how much you trust the result. Naturally, the trusted-computing base (TCB) can become arbitrarily large this way --- however, given the name length restriction, for an individual name it is always less than about 128 entities.

When GNS splits a domain name into labels for resolution, it detects the "_Service._Proto" syntax, converts "Service" to the corresponding port number and "Proto" to the corresponding protocol number. The rest of the name is resolved as usual. Then, when the result is presented, GNS looks for the GNS-specific "BOX" record type. A BOX record is a record that contains another record (such as SRV or TLSA records) and adds a service and protocol number (and the original boxed record type) to it.
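
The label handling and BOX filtering described above, as an added example that is not GNUnet's implementation. The service and protocol tables, the zone contents and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed lookup tables (assumption): a real resolver would consult
# the system's services and protocols databases instead.
SERVICE_PORTS = {"http": 80, "https": 443, "smtp": 25, "sip": 5060}
PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Box:
    """A record wrapped together with the service and protocol it is for."""
    protocol: int
    service: int
    record_type: str   # type of the boxed record, e.g. "SRV" or "TLSA"
    data: str


# Constructed zone contents: plain records are (type, data) tuples.
ZONE = {
    "www.gnu": [
        ("A", "192.0.2.10"),
        Box(6, 443, "TLSA", "3 1 1 <constructed-digest>"),
        Box(6, 25, "TLSA", "3 1 1 <other-constructed-digest>"),
        Box(6, 5060, "SRV", "0 5 5060 sip.gnu"),
    ],
}


def split_service_labels(name):
    """Detect a leading "_Service._Proto" pair.

    Returns (port, protocol_number, remaining_labels); port and protocol
    are None when the name carries no such prefix.
    """
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 3 or not (labels[0].startswith("_")
                               and labels[1].startswith("_")):
        return None, None, labels
    service, proto = labels[0][1:], labels[1][1:]
    if proto not in PROTOCOL_NUMBERS:
        raise ValueError(f"unknown protocol {proto!r}")
    if service.isascii() and service.isdigit():
        port = int(service)             # numeric form, e.g. _443._tcp
    else:
        port = SERVICE_PORTS.get(service)
    if port is None or not 0 < port <= 65535:
        raise ValueError(f"unknown or invalid service {service!r}")
    return port, PROTOCOL_NUMBERS[proto], labels[2:]


def lookup(name, wanted_type, zone=ZONE):
    """Resolve the rest of the name as usual, then filter the result."""
    port, proto, rest = split_service_labels(name)
    records = zone.get(".".join(rest), [])
    if port is None:
        # Plain query: boxed records are never handed out directly.
        return [r[1] for r in records
                if not isinstance(r, Box) and r[0] == wanted_type]
    # Service query: unbox only records made for exactly this protocol,
    # port and record type, so a TLSA pin for one service is never
    # applied to another service on the same host.
    return [r.data for r in records
            if isinstance(r, Box)
            and (r.protocol, r.service, r.record_type)
            == (proto, port, wanted_type)]


if __name__ == "__main__":
    for query in ("_443._tcp.www.gnu", "_https._tcp.www.gnu",
                  "_25._tcp.www.gnu", "_443._udp.www.gnu"):
        print(query, "->", lookup(query, "TLSA"))
```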

If you get this error message, the solution is simple. Issue the following commands (as root) to create the required device file:

mkdir /dev/net
mknod /dev/net/tun c 10 200

For GNUnet DNS, your iptables needs to have "owner" match support.

This is accomplished by having the correct kernel options. Check if your kernel has CONFIG_NETFILTER_XT_MATCH_OWNER set to either 'y' or 'm' (and the module is loaded).

If you get an error stating that the VPN timeout was reached, like the one below, check if your firewall is enabled and blocking the connections.


curl_multi_perform failed at test_gnunet_vpn.c:215: `Timeout was reached'
test-gnunet-vpn-12145 ERROR Assertion failed at test_gnunet_vpn.c:226.
test-gnunet-vpn-12145 ERROR Assertion failed at test_gnunet_vpn.c:231.
mesh-api-12170 WARNING Received NULL msg on 0x177c7a0

GNUnet is a peer-to-peer framework, by which we mostly mean that it can do more than just one thing. Naturally, the implementation and documentation of some of the features that exist are more advanced than others.

For users, GNUnet offers anonymous and non-anonymous file-sharing, a fully decentralized and censorship-resistant replacement for DNS and a mechanism for IPv4-IPv6 protocol translation and tunneling (NAT-PT with DNS-ALG). Additional applications are planned or available as extensions (see links).

It is not possible to use GNUnet for anonymous browsing at this point. We recommend that you use Tor for anonymous surfing.

GNUnet is being developed and tested primarily under Debian GNU/Linux. Furthermore, we regularly build and test GNUnet on Fedora, Ubuntu, Arch, FreeBSD, OS X and Windows 7.

We have reports of working versions on many other GNU/Linux distributions; in the past we had reports of working versions on NetBSD, OpenBSD and Solaris. However, not all of those reports are recent, so if you cannot get GNUnet to work on those systems please let us know.

In terms of processors GNUnet should work on big-endian and little-endian architectures. Our testsuites are run on ARM, Sparc, PowerPC, x86 and AMD64 architectures.

In terms of system memory, depending on the configuration about 16 MB of total system memory can be sufficient. The recommended amount is 128 MB or more.
With care, GNUnet alone can run in as little as 6-8 MB of RAM per peer.

The short answer is that we cannot really tell you. The reason is that this depends a lot on your distribution. For example, we use libgcrypt, which in turn requires libgpg-error. However, most distributions would put these two libraries into one package. Similarly, dependencies for GTK and MySQL are not always identical. Finally, where does the list end? Should we list libc6, zlib, xlib, glib? Also, many dependencies are optional. You can use GNUnet without a graphical user interface.

The root cause of the error is a change in your operating system, either due to a package update (e.g. apt-get update) or because you re-installed the entire system. An "older" installation of the respective library package included the '.la' file mentioned in the error message. The "newer" installation of the binary package does not include the ".la" file anymore. This is by itself NOT an issue. The issue is that *some* file (possibly multiple) on your system includes a reference to the ".la" file and tells libtool to inspect the ".la" file for linker information. So libtool tries to access it and fails.


The configure runs fine, libglade and libgtk are detected, but I get a compile error like the following one:

In file included from /usr/include/libgladeui-1.0/gladeui/glade-command.h:5:0,
from /usr/include/libgladeui-1.0/gladeui/glade-project.h:6,
from /usr/include/libgladeui-1.0/gladeui/glade.h:30,
from ../../src/include/gnunet_gtk.h:41,
from about.c:27:
/usr/include/libgladeui-1.0/gladeui/glade-placeholder.h:47:2: error: expected specifier-qualifier-list before ‘GdkPixmap’


If you have to compile libgnurl from source because the version included in your distribution is too old, you may get an error message while running the configure script:


$ configure
...
checking for 64-bit curl_off_t data type... unknown
checking for 32-bit curl_off_t data type... unknown
checking for 16-bit curl_off_t data type... unknown
configure: error: cannot find data type for curl_off_t.

Solution:

Before running the configure script, set:


This error usually occurs when your linker fails to locate one of GNUnet's libraries. This can have two causes. First, it is theoretically possible that the library is not installed on your system; however, if you compiled GNUnet the normal way and/or used a binary package, that is highly unlikely. The more common cause is that you installed GNUnet to a directory that your linker does not search. There are several ways to fix this that are described below.


If you are not experienced with databases or GNUnet, you should stick to the default which is sqlite.

Postgres has the advantage of being a "real" database which has some security, reliability and availability advantages, especially after system crashes. However, Postgres is currently slower than both sqlite and MySQL and requires some additional manual configuration.


In general, it is not strictly necessary to change configurations with most firewalls and NAT-boxes. However, GNUnet connectivity and performance can often be improved with proper configuration.


GNUnet accounting decides who to serve when the system is loaded. Packets are sent and dropped based on their priority and current load. External shapers (like token bucket filter) can’t make this distinction and treat all GNUnet traffic as equal. You should set GNUnet's internal bandwidth limits to reflect your true configuration and what you can afford, and not use any external shaping for GNUnet. It’s much better to have the limits enforced by gnunetd than by an external mechanism.


If you get DNS replies on your virtual gnunet-dns interface (you can check with tcpdump/wireshark), but your application never receives the reply, chances are that reverse path filtering is enabled on your system.
Recent versions of the gns service try to fix this on startup. If the problem still occurs, make sure that /proc/sys/net/ipv4/conf/gnunet-dns/rp_filter is set to 0.


# echo 0 > /proc/sys/net/ipv4/conf/gnunet-dns/rp_filter


We use a generic error message in GNUnet to indicate that something went wrong. The cause is usually a bug or some data corruption on the network. Note that the bug does not necessarily have to be in the current version -- the problem could be caused by another peer running a different version of GNUnet. Similarly, the problem might be anything from completely harmless to rendering your peer useless. In a stable, production release we would disable these messages, but for now we want to know about those problems.


Error messages flagged as "DEBUG" should be disabled in binaries built for end-users and can always be ignored.

Error messages flagged as "INFO" always refer to harmless events that require no action. For example, GNUnet may use an INFO message to indicate that it is currently performing an expensive operation that will take some time. GNUnet will also use INFO messages to display information about important configuration values.


Under certain circumstances, gnunetd will print warnings indicating checksum errors in messages that were received from other nodes. Most of the time this is neither a bug nor a problem; everything is working fine. What has usually happened is the following. Each node on GNUnet has a key pair consisting of a secret key and a public key. When hosts start, they look in the data/hosts/ directory for keys and addresses of other nodes on the network.


This warning is shown if GNUnet was configured without libglpk (or its header files) being installed or found. As a result, GNUnet will not use the LP-solver for determining which transport mechanism to use at what speed to communicate with other peers. Instead, GNUnet will use a cheaper, possibly less performant, heuristic. This is generally harmless. However, in the future we may make the use of GLPK mandatory.


If you get this error message, the solution is simple. Issue the following commands (as root) to create the required device file:

mkdir /dev/net
mknod /dev/net/tun c 10 200


For GNUnet DNS, your iptables needs to have "owner" match support.

This is accomplished by having the correct kernel options. Check if your kernel has CONFIG_NETFILTER_XT_MATCH_OWNER set to either 'y' or 'm' (and the module is loaded).


If you get an error stating that the VPN timeout was reached, like the one below, check if your firewall is enabled and blocking the connections.


curl_multi_perform failed at test_gnunet_vpn.c:215: `Timeout was reached'
test-gnunet-vpn-12145 ERROR Assertion failed at test_gnunet_vpn.c:226.
test-gnunet-vpn-12145 ERROR Assertion failed at test_gnunet_vpn.c:231.
mesh-api-12170 WARNING Received NULL msg on 0x177c7a0


Generally, there is the possibility of a known plaintext attack on keywords, but since the user has control over the keywords that are associated with the content he inserts, the user can take advantage of the same techniques used to generate reasonable passwords to defend against such an attack. In any event, we are not trying to hide content; thus, unless the user is trying to insert information into the network that can only be shared with a small group of people, there is no real reason to try to obfuscate the content by choosing a difficult keyword anyway.


Anonymity is the lack of distinction of an individual from a (large) group. A central goal for anonymous file-sharing in GNUnet is to make all users (peers) form a group and to make communications in that group anonymous, that is, nobody (but the initiator) should be able to tell which of the peers in the group originated the message. In other words, it should be difficult to impossible for an adversary to distinguish between the originating peer and all other peers.


The answer to this is that encryption is incredibly fast. GNUnet uses mostly AES-256, a fast and secure cipher. What often really makes anonymous file-sharing slow are artificial delays that were introduced to make timing analysis hard and to group messages into larger packets. The reason is that this makes it harder to correlate actions. GNUnet must wait for enough traffic from other peers to make it plausible that the traffic did not originate from the local peer. Larger delays also allow for more reordering of messages by the individual peer.


The list of currently known bugs is available in the Mantis system.

Some bugs are occasionally reported directly to developers or the developer mailing list. This is discouraged since developers often do not have the time to feed these bugs back into the Mantis database. Please report bugs directly to the bug tracking system. If you believe a bug is sensitive, you can set its view status to private (this should be the exception).


To a limited degree, yes. I can pick my pseudonym to be "bank", and if someone else's peer then learns about my identity, his client would refer to me as "bank", even though I'm unlikely to be the bank of the other user. However, GNS mitigates this problem by placing all shortened records into the shorten zone, so the name will occur as bank.shorten.gnu, not bank.gnu. This hopefully will give most users a strong visual hint. If you believe that this is insufficient, shortening can be disabled.


Each record in GNS has a flag "private". Records are shared with other users (via DHT or zone transfers) only if this flag is not set. Thus, users have full control over what information about their zones is made public.

In particular, records that GNS automatically adds (i.e. via name shortening) are always marked 'private' by default. Otherwise, other users might indeed be able to obtain sensitive private information about one's online behavior.


We believe so, as there is no entity that any government could force to change the mapping for a name except for each individual user (and then the changes would only apply to the names that this user is the authority for). So if everyone used GNS, the only practical attack of a government would be to force the operator of a server to change the GNS records for his server to point elsewhere. However, if the owner of the private key for a zone is unavailable for enforcement, the respective zone cannot be changed and any other zone delegating to this zone will achieve proper resolution.


The owner of a private key can create a revocation message, which can then be flooded throughout the overlay network, creating a copy at all peers. Before using a public key, peers check if that key has been revoked. All names that involve delegation (PKEY) via a revoked zone will then fail to resolve. Peers always automatically check for the existence of a revocation message when resolving names.
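The effect of a revocation on delegated names can be seen in a toy resolver. This is an added example, not GNUnet code: the record layout, the "ZK-..." placeholder zone keys, the sample data and the function names are all assumptions, and names are given relative to the start zone.

```c
#include <string.h>

enum rtype { R_A, R_PKEY };
struct rec { const char *zone, *label; enum rtype type; const char *value; };
/* Constructed sample records; "ZK-..." strings are placeholder zone keys. */
static const struct rec records[] = {
  { "ZK-LOCAL", "alice", R_PKEY, "ZK-ALICE" },
  { "ZK-LOCAL", "carol", R_PKEY, "ZK-CAROL" },
  { "ZK-ALICE", "bob",   R_PKEY, "ZK-BOB" },
  { "ZK-ALICE", "www",   R_A,    "192.0.2.10" },
  { "ZK-BOB",   "www",   R_A,    "192.0.2.20" },
  { "ZK-CAROL", "www",   R_A,    "192.0.2.30" },
};
/* Constructed revocation set, as if learned from flooded revocation messages. */
static const char *revoked[] = { "ZK-BOB" };

static int is_revoked (const char *zkey)
{
  for (size_t i = 0; i < sizeof (revoked) / sizeof (revoked[0]); i++)
    if (0 == strcmp (revoked[i], zkey)) return 1;
  return 0;
}

static const struct rec *lookup (const char *zone, const char *label, size_t len)
{
  for (size_t i = 0; i < sizeof (records) / sizeof (records[0]); i++)
    if (0 == strcmp (records[i].zone, zone) && strlen (records[i].label) == len
        && 0 == strncmp (records[i].label, label, len))
      return &records[i];
  return NULL;
}

/* Resolve a dotted name right to left, starting in `zone`. Returns the A value,
 * or NULL if a label is missing or any zone key on the path is revoked. */
static const char *resolve (const char *zone, const char *name)
{
  size_t end = strlen (name);
  for (;;)
  {
    if (is_revoked (zone)) return NULL;   /* check before using the key */
    size_t start = end;
    while (start > 0 && name[start - 1] != '.') start--;
    const struct rec *r = lookup (zone, name + start, end - start);
    if (NULL == r) return NULL;
    if (0 == start) return (R_A == r->type) ? r->value : NULL;
    if (R_PKEY != r->type) return NULL;   /* only PKEY records delegate */
    zone = r->value;                      /* continue in the delegated zone */
    end = start - 1;
  }
}
```

With "ZK-BOB" revoked, "www.bob.alice" no longer resolves, while "www.alice" and "www.carol" are unaffected because their delegation paths never pass through the revoked key.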


Yes, we believe so. Naturally, deployed GNS implementations would have to be updated to support the new signature scheme. The new scheme could then be run in parallel with the existing system by using a new record type (PKEY2) to indicate the use of a different cipher system.


First, you need to register an account with the content management system. Once you have done this, please send an e-mail with the desired target language to translators@gnunet.org or ask for help on the #gnunet chat on irc.freenode.net. Typically someone with sufficient permissions will then grant you access. Naturally, any abuse will result in the loss of permissions.


GNUnet uses buildbot to test portability on various platforms. You can find the current set of platforms by clicking on the link "check portability" in the secondary menu. If your platform is not listed, you can likely help.


Sadly, we have many more feature requests than we can possibly implement. The best way to actually get a new feature implemented is to do it yourself --- and to then send us a patch.


Good bug reports enable developers to find and hopefully fix problems faster. Nobody can or will fix a “GNUnet does not work for me.” bug. Please try to follow these guidelines as far as they are applicable to the bug at hand.


Sadly, we had to disable commenting even for authenticated users as we still got literally hundreds of spam-posts per day. However, we do still want real users to post comments! So if you want to post comments, please contact us on IRC or via e-mail and we will be happy to mark your account as "real user", which will enable you to interact more broadly with the site. We're sorry for the inconvenience, but without this, you would not be able to find real comments due to the high volume of automated spam. (And yes, we tried captchas and moderation, neither method worked.)


The build system puts the actual binaries into the hidden ".libs/" directory; the "test_XXX" is just a shell script wrapper that sets environment variables to ensure that the libraries are found. If you run "make install" first and install to a directory where your linker is looking, you don't need it, so you can run

$ gdb .libs/test_XXX

for debugging.


Actually, the code is not really stuck. You created a service, which is a daemon that listens on a network socket waiting for requests. So once it is at "select", it is waiting for requests to arrive via the network. If this is not what you want, you may want to try using "GNUNET_PROGRAM_run" instead of "GNUNET_SERVICE_run".

Note that you can still be stuck in the same place ("select") if your program is waiting for the network as a client (trying to read or write) or has scheduled a task with a particular delay.


The short answer is that the "void *cls" argument is used to enable users of the API to pass a single arbitrary (pointer) argument to a function. "void *cls" arguments are always paired with one or more function pointers. Whenever these pairs are used in an API, the underlying library will call the given function on some data at some point. In addition to the data which is generated by the library, the value given in "cls" will also be passed to that function. The API does not care what the function will do with "cls".
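The pairing of a function pointer with a "void *cls" argument looks like this in practice. This is an added example, not code from GNUnet: iterate_records, the record type and the sample data are hypothetical stand-ins for a library API.

```c
#include <stddef.h>

/* Callback type: the library hands back the caller's cls untouched,
 * followed by the data the library itself produced. */
typedef int (*record_iterator) (void *cls, const char *label, unsigned int port);
struct record { const char *label; unsigned int port; };

/* Constructed sample data standing in for what a library would generate. */
static const struct record sample_records[] = {
  { "www", 80 }, { "mail", 25 }, { "shell", 22 }, { "imap", 993 }
};

/* Hypothetical library function: calls `it` once per record and never
 * looks inside `it_cls`. Returns the number of records visited. */
static unsigned int
iterate_records (record_iterator it, void *it_cls)
{
  unsigned int n = 0;
  for (size_t i = 0; i < sizeof (sample_records) / sizeof (sample_records[0]); i++)
  {
    n++;
    if (0 == it (it_cls, sample_records[i].label, sample_records[i].port))
      break; /* callback asked to stop */
  }
  return n;
}

/* Caller-side state that travels through the library as "cls". */
struct port_filter { unsigned int max_port; unsigned int matches; };

static int
count_low_ports (void *cls, const char *label, unsigned int port)
{
  struct port_filter *pf = cls; /* recover the typed pointer */
  (void) label;
  if (port <= pf->max_port)
    pf->matches++;
  return 1; /* continue iteration */
}

/* Runs the iteration with a stack-allocated context; returns the match count. */
static unsigned int
count_ports_up_to (unsigned int max_port)
{
  struct port_filter pf = { max_port, 0 };
  iterate_records (&count_low_ports, &pf);
  return pf.matches;
}
```

A stack-allocated context is safe here only because iterate_records calls back synchronously; when a library invokes the callback later, the object behind cls must stay valid until the last call.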


They should be started using functions from the gnunet_arm_service.h header. Your binary will have to link against libgnunetarm. Generally, it should be safe to assume that ARM itself is already running. Some services should be started by default; still, it should not hurt to manually ask for them to be started (and stopped).


There are a few reasons. First, we want to be open to new developers and make the learning curve as simple as possible. Learning DVCS is a bit of a significant step for some developers. Second, as a maintainer I want developers to commit ('push' in Git terminology) often, so we have an integrated version and run automated regression tests, portability analysis, static analysis tools, etc. on the code all the time. Sure, git does not prevent this, but it makes it too easy to keep code "private".