DNSChain deprecates Certificate Authorities and fixes HTTPS 

Posts: 110
Post DNSChain deprecates Certificate Authorities and fixes HTTPS
Edit: DNSNMC has been renamed to DNSChain!
EDIT February 7, 2014: First public DNSChain server went live yesterday! Woohoo!!! :-D

Just announced on http://okturtles.com

To quote the paper:

Quote:
DNSNMC fixes the authentication problems previously described, and it addresses all of the problems with the previously mentioned proposals. It does this first by combining DNS with Namecoin (NMC), and then by encouraging a "trust only those you know" policy.[footnote 5]

"Namecoin is an open source decentralized key/value registration and transfer system based on Bitcoin technology".[16] Namecoin "squares Zooko’s Triangle", meaning, it makes it possible to have domain names (and other types of identifiers) that are:

  • Authenticated: users can be certain that they are not speaking to an impostor
  • Decentralized: there is no central authority controlling all the names
  • Human-readable: names look just like today’s domain names

However, by itself, Namecoin does not provide the means by which ordinary users can take advantage of the features it provides. Using Namecoin is far too cumbersome for the vast majority of internet users, even those with years of computer expertise. For one, it cannot be used on mobile devices (like iPhones) in its current state because of its network requirements.

DNSNMC provides the missing "glue" to the Namecoin blockchain that makes it immediately accessible to clients of all types with zero configuration. A network administrator need only enter the IP address of a DNSNMC-compliant DNS server to instantly make the information within the blockchain accessible to all of the users that she (or he) provides internet access to.


Please see this paper for details:

http://okturtles.com/other/dnsnmc_oktur ... erview.pdf

GitHub repo: https://github.com/okTurtles/dnsnmc


Last edited by sugarpuff on Sat Feb 08, 2014 1:56 am, edited 4 times in total.



Thu Dec 12, 2013 9:03 pm
Profile

Posts: 255
Post Re: Introducing DNSNMC, your connection Namecoin’s blockchai
Following.

Edit: previously, similar proposal systems to secure DNS using Namecoin have been referred to as NMCSEC ... just something to consider at your early stage of dev when it is easy to change to avoid future confusing mixing of terminologies. Also, great that you make a reference to Aaron, thanks for that. We NEED systems like this.

Edit2: ok just read the paper, good work, great start, good foundations and looks like you got the chops and concepts to make this thing work as it was meant, go for it.

Let me know how I can help.


Last edited by moa on Fri Dec 13, 2013 7:51 pm, edited 2 times in total.



Thu Dec 12, 2013 10:29 pm
Profile

Posts: 1833
os: linux
Post Re: Introducing DNSNMC, your connection Namecoin’s blockchai
Cool stuff.

Quote:
To be assured of the authenticity of answers provided by a DNSNMC server, clients must have its public key fingerprint. With these two pieces (the server’s IP address and the server’s fingerprint), users are given strong authentication for all of the information that resides within the blockchain. Of course, we do not claim that this system provides perfect authentication, but rather it provides authentication that is meaningful. Once this relationship has been established between the DNSNMC server and its clients, the clients are guaranteed to receive accurate values from the blockchain, so long as the software involved (both server & client) and their respective keys (public and private) are not compromised.


I'm a bit confused by this. The text seems to imply that if the server is malicious or compromised, then the client has no way to verify that the data actually came from the blockchain. Is this correct? If so, isn't this quite a bit weaker than checking the blockchain locally? If that's the case, I guess this project would benefit from the lite-client proposals which allow a single name to be verified as from the current blockchain without needing an entire copy of the blockchain.

_________________
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5


Thu Dec 12, 2013 10:55 pm
Profile

Posts: 110
Post Re: Introducing DNSNMC, your connection Namecoin’s blockchai
biolizard89 wrote:
Cool stuff.


Thanks. :)

Quote:
Quote:
To be assured of the authenticity of answers provided by a DNSNMC server, clients must have its public key fingerprint. With these two pieces (the server’s IP address and the server’s fingerprint), users are given strong authentication for all of the information that resides within the blockchain. Of course, we do not claim that this system provides perfect authentication, but rather it provides authentication that is meaningful. Once this relationship has been established between the DNSNMC server and its clients, the clients are guaranteed to receive accurate values from the blockchain, so long as the software involved (both server & client) and their respective keys (public and private) are not compromised.


I'm a bit confused by this. The text seems to imply that if the server is malicious or compromised, then the client has no way to verify that the data actually came from the blockchain. Is this correct? If so, isn't this quite a bit weaker than checking the blockchain locally?


If the server does not belong to you then it's certainly weaker than checking the blockchain locally. Checking the blockchain locally, however, just isn't practical in most circumstances for most people.

Quote:
If that's the case, I guess this project would benefit from the lite-client proposals which allow a single name to be verified as from the current blockchain without needing an entire copy of the blockchain.


You mean having a partial copy of the blockchain stored locally? DNSNMC is designed for mass adoption, so I don't know how useful a lite client would be for most people. It would depend on what device they were using it on, how big of a cache it stored, etc. Generally speaking, there is no need for lite-clients with a trustworthy DNSNMC.


Fri Dec 13, 2013 7:06 am
Profile

Posts: 1080
Post Re: Introducing DNSNMC, your connection Namecoin’s blockchai
sugarpuff wrote:
Quote:
If that's the case, I guess this project would benefit from the lite-client proposals which allow a single name to be verified as from the current blockchain without needing an entire copy of the blockchain.


You mean having a partial copy of the blockchain stored locally? DNSNMC is designed for mass adoption, so I don't know how useful a lite client would be for most people. It would depend on what device they were using it on, how big of a cache it stored, etc. Generally speaking, there is no need for lite-clients with a trustworthy DNSNMC.

Yes, that's the idea. For a light client, you basically only need the block headers plus some limited additional data. BitcoinJ in SPV-mode works very well on mobile devices, and needs only a couple MiB of data for the Bitcoin blockchain (and note that the size depends only on the number of blocks, so people storing lots of data with Namecoin isn't going to increase the size). I think that would be feasible. However, it would probably also be a useful compromise to have even lighter clients if the user trusts a DNSNMC server fully, if they decide to do that.

_________________
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/


Fri Dec 13, 2013 7:18 am
Profile WWW
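The light-client check described in the post above, as an added example that is not code from the thread or from any of the projects mentioned: a client holding only a block header confirms that one transaction (for example a name update) is committed to by that header's Merkle root. It assumes the Bitcoin-style double-SHA-256 transaction tree; the transaction IDs are constructed sample data, and all function names are hypothetical.

```python
import hashlib
import hmac

def dsha256(data: bytes) -> bytes:
    """Bitcoin-style double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def _next_level(level):
    # Odd-length levels duplicate their last hash before pairing.
    if len(level) % 2:
        level = level + [level[-1]]
    return level, [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(txids):
    """Full-node side: the root that ends up in the block header."""
    level = list(txids)
    if not level:
        raise ValueError("a block has at least one transaction")
    while len(level) > 1:
        _, level = _next_level(level)
    return level[0]

def merkle_branch(txids, index):
    """Server side: sibling hashes from leaf to root for txids[index]."""
    level, branch = list(txids), []
    while len(level) > 1:
        padded, level = _next_level(level)
        branch.append(padded[index ^ 1])  # sibling at this depth
        index //= 2
    return branch

def verify_branch(txid, index, branch, header_root):
    """Light-client side: needs only the header's Merkle root and the branch.

    header_root must come from a header the client has already validated
    as part of the proof-of-work chain; that step is outside this example.
    """
    h = txid
    for sibling in branch:
        h = dsha256(sibling + h) if index & 1 else dsha256(h + sibling)
        index >>= 1
    # index must be fully consumed, otherwise it was out of range for this depth
    return index == 0 and hmac.compare_digest(h, header_root)

# Constructed sample block with five transactions; index 3 stands in for
# the name update the client cares about.
TXIDS = [dsha256(b"constructed tx %d" % i) for i in range(5)]
ROOT = merkle_root(TXIDS)
BRANCH = merkle_branch(TXIDS, 3)

if __name__ == "__main__":
    print("proof size:", len(BRANCH) * 32, "bytes")
    print("valid:", verify_branch(TXIDS[3], 3, BRANCH, ROOT))
```

The proof grows with the logarithm of the number of transactions in the block, which is why the client's storage depends on the header count rather than on how much data is stored in names.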

Posts: 541
Post Re: Introducing DNSNMC, your connection to Namecoin’s blockc
Cool site.
Still didn't read all but it seems that it took a lot of work.

_________________
http://namecoinia.org/
Calendars for free to print: 2014 Calendar in JPG | 2014 Calendar in PDF Protect the Environment with Namecoin: 2014 Calendar in JPG | 2014 Calendar in PDF
BTC: 15KXVQv7UGtUoTe5VNWXT1bMz46MXuePba | NMC: NABFA31b3x7CvhKMxcipUqA3TnKsNfCC7S


Fri Dec 13, 2013 11:51 am
Profile WWW

Posts: 110
Post Re: Introducing DNSNMC, your connection Namecoin’s blockchai
moa wrote:
Following.

Edit: previously, similar proposal systems to secure DNS using Namecoin have been referred to as NMCSEC ... just something to consider at your early stage of dev when it is easy to change to avoid future confusing mixing of terminologies. Also, great that you make a reference to Aaron, thanks for that. We NEED systems like this.


Thanks so much for the kind words of encouragement moa! :D

Do you have some links to NMCSEC that you could share? I'd love to read more about it, but I'd love to see what you (specifically) are thinking of. Off the top of your head, what differences (if any) do you see between it and DNSNMC?

Quote:
Edit2: ok just read the paper, good work, great start, good foundations and looks like you got the chops and concepts to make this thing work as it was meant, go for it.

Let me know how I can help.


Sure thing!

Which project are you more interested in working on btw, okTurtles or DNSNMC? I'll be working on DNSNMC first (since okT needs it). Right now I'm preparing the full specification draft as well as a github repo so that others can join in.


Sun Dec 22, 2013 5:23 am
Profile

Posts: 27
Post Re: DNSNMC deprecates Certificate Authorities and fixes HTTP
I just want to point out, that right now if you use https://cloudns.com.au/ as your resolver, by using DNSCrypt you have authenticated the cloudns.com.au resolver and you are encrypting your DNS queries.

The cloudns.com.au resolver also resolves .bit addresses and returns TLS data for TLSA records. This ends up hitting all your DNSNMC security points (I think?), except for the fact it's using DNS as a transport.


Mon Dec 23, 2013 1:29 am
Profile

Posts: 110
Post Re: DNSNMC deprecates Certificate Authorities and fixes HTTP
Pagel1928 wrote:
I just want to point out, that right now if you use https://cloudns.com.au/ as your resolver, by using DNSCrypt you have authenticated the cloudns.com.au resolver and you are encrypting your DNS queries.

The cloudns.com.au resolver also resolves .bit addresses and returns TLS data for TLSA records. This ends up hitting all your DNSNMC security points (I think?), except for the fact it's using DNS as a transport.


What is this? Any more info on it? Where's the code?


Mon Dec 23, 2013 5:30 am
Profile

Posts: 27
Post Re: DNSNMC deprecates Certificate Authorities and fixes HTTP
sugarpuff wrote:
Pagel1928 wrote:
I just want to point out, that right now if you use https://cloudns.com.au/ as your resolver, by using DNSCrypt you have authenticated the cloudns.com.au resolver and you are encrypting your DNS queries.

The cloudns.com.au resolver also resolves .bit addresses and returns TLS data for TLSA records. This ends up hitting all your DNSNMC security points (I think?), except for the fact it's using DNS as a transport.


What is this? Any more info on it? Where's the code?


What do you mean? It's just using existing technology...

DNSCrypt for authentication/encryption of DNS queries:
http://dnscrypt.org/

The cloudns.com.au server is using nmcontrol for lookups into namecoin:
https://github.com/khalahan/nmcontrol

You can use the DNSSEC/TLSA browser extension to validate TLSA records:
https://www.dnssec-validator.cz/

I've been using the cloudns.com.au DNS server for a while without any problems. I set up my router to use it so now all my computers can query .bit domains, and after I installed the dnssec-validator plugin I can validate TLSA records.

The downside is cloudns.com.au could potentially be sniffing or tampering with my DNS queries, although they promise not to, and I haven't noticed anything weird.


Tue Dec 24, 2013 1:04 am
Profile