[SPEC] Domain name specification

sugarpuff
Posts: 110
Joined: Tue Oct 22, 2013 10:17 pm

Re: [SPEC] Domain name specification

Post by sugarpuff »

biolizard89 wrote: Are you aware of Convergence for Namecoin? It implements the .bit TLS specification and doesn't use CAs.
Nope, wasn't aware. Thanks much for mentioning. I'll be studying it in depth now. You can probably expect to get feedback in the next few days. ^_^

Great job btw (I hope)!

pmc
Posts: 73
Joined: Thu Oct 03, 2013 8:50 pm
Location: Germany

Re: [SPEC] Domain name specification

Post by pmc »

sugarpuff wrote:
itsnotlupus wrote: SSL certificate verification

Another aspect is support for SSL-enabled sites. There isn't much chance that the SSL root certificate issuers are going to be willing to hand out valid certificates for the *.bit TLD. Yet without SSL, your data is not just trivial to sniff, but also to modify in transit. That's not okay.
I think supporting the traditional PKI/Certificate Authority system is a terrible idea. The idea of root certificates and all that is outdated, especially in the face of Namecoin.
Are you aware of DANE ( http://tools.ietf.org/html/rfc6698 )? Basically, the idea is that domain owners can publish their server certificates as DNS RRs. So, if you have authenticated DNS as in DNSSEC (or Namecoin), you don't need certificate authorities anymore.

sugarpuff
Posts: 110
Joined: Tue Oct 22, 2013 10:17 pm

Re: [SPEC] Domain name specification

Post by sugarpuff »

pmc wrote: Are you aware of DANE ( http://tools.ietf.org/html/rfc6698 )? Basically, the idea is that domain owners can publish their server certificates as DNS RRs. So, if you have authenticated DNS as in DNSSEC (or Namecoin), you don't need certificate authorities anymore.
I had heard of DANE, but I only heard it mentioned in the context of DNSSEC and therefore ignored it (as I quite dislike DNSSEC).

The RFC is quite long, and the wiki is too short; perhaps you could help clarify something: what extra functionality does DANE offer that Namecoin by itself does not already provide?

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: [SPEC] Domain name specification

Post by biolizard89 »

sugarpuff wrote:
pmc wrote: Are you aware of DANE ( http://tools.ietf.org/html/rfc6698 )? Basically, the idea is that domain owners can publish their server certificates as DNS RRs. So, if you have authenticated DNS as in DNSSEC (or Namecoin), you don't need certificate authorities anymore.
I had heard of DANE, but I only heard it mentioned in the context of DNSSEC and therefore ignored it (as I quite dislike DNSSEC).

The RFC is quite long, and the wiki is too short; perhaps you could help clarify something: what extra functionality does DANE offer that Namecoin by itself does not already provide?
DANE basically allows software which was designed for DNSSEC to interoperate with Namecoin. I believe there's a Firefox/Chrome extension which attempts to verify certs via DANE; if a Namecoin DNS server supported DANE, you would be able to use that extension with Namecoin. That said, I looked at the source of the Firefox extension in question and while I'm not 100% sure, it looks like it doesn't have as good security as what Convergence provides.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

sugarpuff
Posts: 110
Joined: Tue Oct 22, 2013 10:17 pm

Re: [SPEC] Domain name specification

Post by sugarpuff »

biolizard89 wrote: DANE basically allows software which was designed for DNSSEC to interoperate with Namecoin.
That's not clear to me. DANE has nothing to do with Namecoin, it was not designed with Namecoin in mind, so saying that it "allows software [..] to interoperate with Namecoin" sounds misleading to me.

I'm still not clear as to what it does, i.e. how it works in practice.

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: [SPEC] Domain name specification

Post by biolizard89 »

sugarpuff wrote:
biolizard89 wrote: DANE basically allows software which was designed for DNSSEC to interoperate with Namecoin.
That's not clear to me. DANE has nothing to do with Namecoin, it was not designed with Namecoin in mind, so saying that it "allows software [..] to interoperate with Namecoin" sounds misleading to me.

I'm still not clear as to what it does, i.e. how it works in practice.
Let me rephrase that: A DNS server which supports Namecoin and DANE basically allows software which was designed for DNSSEC to interoperate with Namecoin.

My understanding is that there's a branch of nmcontrol which supports DANE, I haven't tried it out though.

sugarpuff
Posts: 110
Joined: Tue Oct 22, 2013 10:17 pm

Re: [SPEC] Domain name specification

Post by sugarpuff »

biolizard89 wrote: Let me rephrase that: A DNS server which supports Namecoin and DANE basically allows software which was designed for DNSSEC to interoperate with Namecoin.

My understanding is that there's a branch of nmcontrol which supports DANE, I haven't tried it out though.
OK thanks, that clears some of it up, but I still don't understand what DANE does. What would it do with a DNSNMC server?

Also, is anyone else not getting email notifications of replies? I have "notify me when a reply is posted" checked, but am getting no emails. Nm.

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: [SPEC] Domain name specification

Post by biolizard89 »

sugarpuff wrote:
biolizard89 wrote: Let me rephrase that: A DNS server which supports Namecoin and DANE basically allows software which was designed for DNSSEC to interoperate with Namecoin.

My understanding is that there's a branch of nmcontrol which supports DANE, I haven't tried it out though.
OK thanks, that clears some of it up, but I still don't understand what DANE does. What would it do with a DNSNMC server?

Also, is anyone else not getting email notifications of replies? I have "notify me when a reply is posted" checked, but am getting no emails. Nm.
DANE specifies a "TLSA" record for DNS, which contains a TLS fingerprint. Basically the same concept as the "fingerprint" or "tls" field in Namecoin's d/ namespace. It usually only is useful in the context of DNSSEC, but if you're running your own DNS server with namecoind as a data source, it should be fine.

sugarpuff
Posts: 110
Joined: Tue Oct 22, 2013 10:17 pm

Re: [SPEC] Domain name specification

Post by sugarpuff »

biolizard89 wrote: DANE specifies a "TLSA" record for DNS, which contains a TLS fingerprint. Basically the same concept as the "fingerprint" or "tls" field in Namecoin's d/ namespace. It usually only is useful in the context of DNSSEC, but if you're running your own DNS server with namecoind as a data source, it should be fine.
Kthx, so is the answer to my original question: "what extra functionality does DANE offer that Namecoin by itself does not already provide?": nothing?

Or perhaps it's merely a means through which the DNSNMC authentication can be achieved?

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: [SPEC] Domain name specification

Post by biolizard89 »

sugarpuff wrote:
biolizard89 wrote: DANE specifies a "TLSA" record for DNS, which contains a TLS fingerprint. Basically the same concept as the "fingerprint" or "tls" field in Namecoin's d/ namespace. It usually only is useful in the context of DNSSEC, but if you're running your own DNS server with namecoind as a data source, it should be fine.
Kthx, so is the answer to my original question: "what extra functionality does DANE offer that Namecoin by itself does not already provide?": nothing?

Or perhaps it's merely a means through which the DNSNMC authentication can be achieved?
It does not provide any functionality which Namecoin's d/ namespace does not provide. It just makes Namecoin's d/ namespace somewhat more interoperable with DNSSEC-supporting software.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5
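
Added example (not written by any poster in this thread, and not code from nmcontrol or Convergence): how a client checks a presented certificate against TLSA records as RFC 6698 defines them, limited to certificate usage 3, the case that needs no certificate authority. Function names are hypothetical, the byte strings are constructed stand-ins for DER data, and the caller is assumed to supply the certificate's SubjectPublicKeyInfo already extracted.

```python
import hashlib
import hmac

USAGE_DANE_EE = 3                      # RFC 6698 usage 3: domain-issued certificate
SELECTOR_CERT, SELECTOR_SPKI = 0, 1    # full certificate / SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

def parse_tlsa(rdata):
    """Parse presentation format: 'usage selector matching-type hexdata'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA record needs three fields plus data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))

def tlsa_matches(rdata, cert_der, spki_der):
    """True if one TLSA record pins the presented end-entity certificate."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage != USAGE_DANE_EE:
        return False   # usages 0-2 also need chain validation, not done here
    selected = {SELECTOR_CERT: cert_der, SELECTOR_SPKI: spki_der}.get(selector)
    if selected is None:
        return False
    if mtype == MATCH_SHA256:
        selected = hashlib.sha256(selected).digest()
    elif mtype == MATCH_SHA512:
        selected = hashlib.sha512(selected).digest()
    elif mtype != MATCH_FULL:
        return False
    return hmac.compare_digest(selected, data)

def verify(rrset, cert_der, spki_der):
    """Accept if any record in the RRset matches; malformed records never match."""
    for rdata in rrset:
        try:
            if tlsa_matches(rdata, cert_der, spki_der):
                return True
        except ValueError:
            continue
    return False

# Constructed stand-ins for DER bytes (not a real certificate or key).
SAMPLE_SPKI = b"constructed-spki-bytes"
SAMPLE_CERT = b"constructed-cert-prefix" + SAMPLE_SPKI
SAMPLE_RRSET = ["3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest(),
                "3 0 2 zz-not-hex"]
```

A match only means something when the TLSA records arrived over an authenticated path, which in this thread means DNSSEC or a local DNS server backed by namecoind.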
