DNS transclusion woes: a fix for domain name spec 3.0

indolering
Posts: 801
Joined: Sun Aug 18, 2013 8:26 pm
os: mac

DNS transclusion woes: a fix for domain name spec 3.0

Post by indolering »

First, let me start off by saying that I'm using transclusion because I'm running out of synonyms for .... sigh, synonyms.

Okay, as Khal kindly explained to me, there is no known way to reliably achieve full domain name transclusion purely in DNS without the use of a dedicated IP address. This means that you cannot just register foo.bit and have it transclude foo.com without either excluding the use of subdomains or using a dedicated IP address for both.

Map -> no DNS equivalent
Alias -> CNAME
Translate -> DNAME
The DNAME record provides redirection for a subtree of the domain name tree in the DNS. That is, all names that end with a particular suffix are redirected to another part of the DNS.
This sounds like exactly what we want; however, if you read further down in the spec:
If a DNAME record is present at the zone apex, there is still a need to have the customary SOA and NS resource records there as well. Such a DNAME cannot be used to mirror a zone completely, as it does not mirror the zone apex.
Which means that while your CNAMEs/subdomains will work, foo.tld ≠ bar.tld. You need to use a nameserver and other server-side tricks for full domain name transclusion. If you have a dedicated IP address for bar.tld, you can set DNAME to handle all of the subdomains and point foo.tld to the same IP address, but you have to have a dedicated IP address.

I would like to axe translate altogether and propose a new entry for full domain transclusion: link. By default, a single entry would transclude the domain of the record with that of the linked domain. If any other entries for CNAMEs are present, they are given priority:

name: foo
value: {
    link: bar.tld
}
More narrowly defined ranges could be handled by a more complex object:

name: foo
value: {
    link: {
        sub.foo.tld: bar.tld
    }
}
As I don't know how to even get BIND running, let alone how to go about debugging it, I asked ryan-c to try and find any sort of hack that he could feed BIND to get it working. If he can, then NamecoinToBIND should use it when possible.

However, this needs to be extended outside of just domains and allow application-level routing. But before I get into that, let me explain why this is needed. One of the things that Speech.js tries to accomplish is being resistant to passive censorship, that is, censorship in countries for which there are no consequences for bypassing the censorship.

To do that, I want to support per-domain overrides that allow for private endpoints for each user which are transmitted out-of-band. The censor can't block IPs and URLs they don't know about, and as long as the user can contact the website owner (through a DHT, Twitter, email, or manually) they can connect.

Thus, wikileaks.bit can be transcluded through kittens.tld but the browser would display wikileaks.bit. However, a government censor should suspect that poniesandkittens.com is a relay, so they could scan the website at regular intervals. Instead of just bare DNS entries, the transclusion must allow for application-level tricks:

name: wikileaks
value: {
    link: kittens.tld/nonce
}
While this would defeat trivial OpenDNS-style filtering, a government could scan in real-time. HTTP auth would defeat this:

name: wikileaks
value: {
    link: username:pass@kittens.tld
}
But they could just get wise to HTTP authentication, so we must throw it into the opaque part of the URL:

name: wikileaks
value: {
    link: kittens.tld/nonce#ponies:rainbows@wikileaks.tld
}
Obviously, this breaks DNS entirely, and there should be a warning issued when the software detects something that NamecoinToBind can't translate into a DNS compliant entry.

Furthermore, such overrides must require a public-key which can authenticate messages passed out-of-band. I think it would be wise to include a default ECC public key with each domain record so the user can generate out-of-band overrides. They can, of course, substitute this for the TLS fingerprints as well.
DNS is much more than a key->value datastore.
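The post above asks for two things a translator could check mechanically: that a plain-host link becomes a DNAME while the apex still needs its own address record (the RFC 6672 limitation quoted in the post), and that a link carrying credentials, a path, a query or a fragment triggers a warning because no DNS record can express it. The following is an added example written for this thread; it is not NamecoinToBind's code. It assumes the proposed record shape (a `value` object with a `link` that is either a host string or a `{subtree: target}` object), that `name: foo` maps to `foo.bit`, and a constructed zone-file-style output format.

```python
"""Check whether a proposed Namecoin 'link' value can be expressed in plain DNS.

Added example for the thread above, not NamecoinToBind's code. The record
shape follows the proposal in the post; the zone-file output is constructed.
"""
from urllib.parse import urlsplit

# Assumed: names live under the .bit TLD, so "name: foo" means foo.bit.
TLD = "bit"


def classify_link(link):
    """Return (host, reasons).

    reasons is empty when the link is a bare host name that DNAME/A records
    can carry; otherwise it lists the URL parts (userinfo, path, query,
    fragment) that DNS has no way to represent.
    """
    # A leading '//' makes urlsplit parse the string as an authority section,
    # so userinfo, host, path and fragment are separated for us.
    parts = urlsplit("//" + link)
    reasons = []
    if parts.username is not None or parts.password is not None:
        reasons.append("userinfo (HTTP credentials)")
    if parts.path not in ("", "/"):
        reasons.append("path")
    if parts.query:
        reasons.append("query")
    if parts.fragment:
        reasons.append("fragment")
    return parts.hostname, reasons


def translate_link(name, value, apex_ip=None):
    """Translate {name, value: {link: ...}} into zone-file lines.

    Returns (records, warnings). A link with application-level parts yields a
    warning instead of a record. A plain host link becomes a DNAME, but a
    DNAME never applies to its own owner name (RFC 6672), so the owner still
    needs an address record: apex_ip is the dedicated IP shared by both
    domains, or None when there is none, which is itself worth a warning.
    """
    records, warnings = [], []
    link = value.get("link")
    if link is None:
        return records, warnings
    # Either one link for the whole name, or a {subtree: target} object.
    targets = link if isinstance(link, dict) else {f"{name}.{TLD}": link}
    for owner, target in targets.items():
        host, reasons = classify_link(target)
        if reasons:
            warnings.append(
                f"{owner}: link '{target}' is not DNS-compliant, "
                f"it carries {', '.join(reasons)}"
            )
            continue
        # DNAME redirects every name below owner to the same name below host.
        records.append(f"{owner}. DNAME {host}.")
        if apex_ip:
            records.append(f"{owner}. A {apex_ip}")
        else:
            warnings.append(
                f"{owner}: DNAME only redirects names below {owner}; "
                f"{owner} itself needs a dedicated IP (none given)"
            )
    return records, warnings


if __name__ == "__main__":
    # Constructed samples mirroring the post's examples.
    samples = [
        ("foo", {"link": "bar.tld"}, "192.0.2.10"),
        ("foo", {"link": "bar.tld"}, None),
        ("foo", {"link": {"sub.foo.bit": "bar.tld"}}, "192.0.2.10"),
        ("wikileaks", {"link": "kittens.tld/nonce"}, None),
        ("wikileaks", {"link": "username:pass@kittens.tld"}, None),
        ("wikileaks", {"link": "kittens.tld/nonce#ponies:rainbows@wikileaks.tld"}, None),
    ]
    for name, value, ip in samples:
        records, warnings = translate_link(name, value, apex_ip=ip)
        print(name, value, "->", records, warnings)
```

The check is deliberately structural: it does not try to resolve anything, it only decides whether the proposed entry has a DNS-compliant rendering, which is the warning condition the post asks NamecoinToBind to raise.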

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: DNS transclusion woes: a fix for domain name spec 3.0

Post by biolizard89 »

So I'm low on sleep, but I don't fully understand what functionality you're trying to achieve. Have you seen the "http" field I proposed? How is that different from what you're describing? Can you give some examples on exactly what functionality would be achieved by your code samples?
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

indolering
Posts: 801
Joined: Sun Aug 18, 2013 8:26 pm
os: mac

Re: DNS transclusion woes: a fix for domain name spec 3.0

Post by indolering »

It would use the entry listed in the link field as a stand-in for the FQDN while still displaying the FQDN.

No, I have not read your HTTP proposal, link? :D
DNS is much more than a key->value datastore.

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: DNS transclusion woes: a fix for domain name spec 3.0

Post by biolizard89 »

indolering wrote:It would use the entry listed in the link field as a stand-in for the FQDN while still displaying the FQDN.

No, I have not read your HTTP proposal, link? :D
I think this is the best summary.

https://nf.bit/viewtopic.php?p=6861&sid ... 43d5#p6861
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

indolering
Posts: 801
Joined: Sun Aug 18, 2013 8:26 pm
os: mac

Re: DNS transclusion woes: a fix for domain name spec 3.0

Post by indolering »

I wrote an initial spec here.
DNS is much more than a key->value datastore.
