Okay, as Khal kindly explained to me, there is no known way to reliably achieve full domain name transclusion purely in DNS without the use of a dedicated IP address. This means that you cannot just register foo.bit and have it transclude foo.com without either excluding the use of subdomains or using a dedicated IP address for both.
Map -> no DNS equivalent
Alias -> CNAME
Translate -> DNAME
This sounds like exactly what we want. However, if you read further down in the spec:

"The DNAME record provides redirection for a subtree of the domain name tree in the DNS. That is, all names that end with a particular suffix are redirected to another part of the DNS."

This means that while your CNAMEs/subdomains will work, foo.tld ≠ bar.tld. You need to use a nameserver and other server-side tricks for full domain name transclusion. If you have a dedicated IP address for bar.tld, you can set DNAME to handle all of the subdomains and point foo.tld to the same IP address, but you have to have a dedicated IP address.

"If a DNAME record is present at the zone apex, there is still a need to have the customary SOA and NS resource records there as well. Such a DNAME cannot be used to mirror a zone completely, as it does not mirror the zone apex."
I would like to axe translate altogether and propose a new entry for full domain transclusion: link. By default, a single link entry would transclude the domain of the record to the linked domain. If any other entries for CNAMEs are present, they are given priority:
    name: foo
    value: {
        link: bar.tld
    }

    name: foo
    value: {
        link: {
            sub.foo.tld: bar.tld
        }
    }
However, this needs to be extended beyond just domains to allow application-level routing. But before I get into that, let me explain why this is needed. One of the things that Speech.js tries to accomplish is being resistant to passive censorship, that is, censorship in countries where there are no consequences for bypassing the censorship.
To do that, I want to support per-domain overrides that allow for private endpoints for each user, which are transmitted out-of-band. The censor can't block IPs and URLs they don't know about, and as long as the user can contact the website owner (through a DHT, Twitter, email, or manually) they can connect.
Thus, wikileaks.bit can be transcluded through kittens.tld, but the browser would display wikileaks.bit. However, a government censor should suspect that poniesandkittens.com is a relay, so they could scan the website at regular intervals. Instead of just bare DNS entries, the transclusion must allow for application-level tricks:
    name: wikileaks
    value: {
        link: kittens.tld/nonce
    }

    name: wikileaks
    value: {
        link: username:pass@kittens.tld
    }

    name: wikileaks
    value: {
        link: kittens.tld/nonce#ponies:rainbows@wikileaks.tld
    }
Furthermore, such overrides must require a public key which can authenticate messages passed out-of-band. I think it would be wise to include a default ECC public key with each domain record so the user can generate out-of-band overrides. They can, of course, substitute this for the TLS fingerprints as well.
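As an added example (not code from the original post or from Speech.js), a small Python resolver that applies the proposed link entry with the precedence described in the post: an authenticated out-of-band override first, then an explicit alias (CNAME equivalent), then a per-name link map, then the bare link. The alias field name, the .bit TLD, the rule that subdomain labels carry over to the linked host, and the already-verified override argument are assumptions; signature checking against the record's public key is outside this snippet.

```python
from typing import Optional
from urllib.parse import urlsplit

def parse_link(target: str) -> dict:
    """Split an application-level link value into host, path, userinfo and fragment."""
    parts = urlsplit("//" + target)  # leading // makes urlsplit treat it as a netloc
    return {
        "host": parts.hostname,
        "path": parts.path or "/",
        "username": parts.username,
        "password": parts.password,
        "fragment": parts.fragment or None,
    }

def resolve(record_name: str, record: dict, fqdn: str,
            override: Optional[str] = None, tld: str = "bit") -> dict:
    """Return where FQDN (record_name.tld or a subdomain of it) should be fetched from.

    Precedence, following the post: an out-of-band override (already authenticated by
    the caller against the record's public key) beats the record; an explicit alias
    (the CNAME equivalent) beats link; a per-name link map beats a bare link.
    """
    apex = f"{record_name}.{tld}"
    if fqdn != apex and not fqdn.endswith("." + apex):
        raise ValueError(f"{fqdn} is not under {apex}")
    value = record.get("value", {})
    # Private endpoint delivered out-of-band: it never appears in the public record.
    if override is not None:
        return {"kind": "override", **parse_link(override)}
    # An explicit CNAME-style alias takes priority over any link entry.
    if "alias" in value:
        return {"kind": "alias", "target": value["alias"]}
    link = value.get("link")
    if link is None:
        return {"kind": "none"}
    # Per-name map: only the names listed are transcluded.
    if isinstance(link, dict):
        target = link.get(fqdn)
        return {"kind": "link", **parse_link(target)} if target else {"kind": "none"}
    # Bare link: apex and every subdomain are transcluded. Assumed rule: subdomain labels
    # carry over to the target host. Anything in the record, credentials included, is public.
    parsed = parse_link(link)
    if fqdn != apex:
        parsed["host"] = fqdn[: -len(apex) - 1] + "." + parsed["host"]
    return {"kind": "link", **parsed}
```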