I've discussed this with some people on IRC, and they suggested I post my thoughts here.
I like being able to delegate my .bit domain to traditional DNS servers - this allows a lot of flexibility to change things without spamming the block chain. Sadly, this sacrifices integrity protection.
I think we should add the ability to add hashes of DNSSEC KSKs (key signing keys, which sign zone signing keys, which sign responses) to namecoin domains. DNSSEC handles this with DS records, but those seem to be a little more complicated than they strictly need to be.
DS records contain four fields (see http://www.ietf.org/rfc/rfc3658.txt for details):
* "key tag" - a 16 non-cryptographic hash of the key data
* "algorithm" - the algorithm number in the DNSKEY record
* "hash type" - 1 for sha1 or 2 for sha256
* "hash" - hash(domain | DNSKEY RRDATA)
For simplicity's sake, I'm proposing that we just translate this more-or-less directly into namecoin. I've set up dnssec.bit as an example with the following data:
Code: Select all
{
"ds": [
[31381,8,1,"pA1WbHXqk1VlZcdbIwzzXAeceTI="],
[31381,8,2,"toHBU1NKO9wx0NbcHLtWv9XWYGsSvOOUndexitQ6j8E="]
],
"ns":["prgmr.ryanc.org"]
}
Code: Select all
dnssec.bit. IN DS 31381 8 1 A40D566C75EA93556565C75B230CF35C079C7932
dnssec.bit. IN DS 31381 8 2 B681C153534A3BDC31D0D6DC1CBB56BFD5D6606B12BCE3949DD7B18A D43A8FC1