.bit Spec & NMControl: remove external NS lookups

phelix
Posts: 1625
Joined: Thu Aug 18, 2011 6:59 am

Re: .bit Spec & NMControl: remove external NS lookups

Post by phelix » Tue Sep 15, 2015 12:33 pm

biolizard89 wrote:
phelix wrote:
biolizard89 wrote:
phelix wrote:
biolizard89 wrote: Well, we need Unbound and madns anyway since we need interoperability with client software that supports DNSSEC, and there aren't any native Python libraries that support DNSSEC.
Could you elaborate on your plans with DNSSEC?
Client software that supports TLS fingerprints specified by DNS, only accepts them if they're secured by DNSSEC (AD=1). It's pretty easy to do this for Namecoin, by generating a user-specific DNSSEC key, signing all .bit records with it, and adding that key to the Unbound trust store. Python doesn't have any library for this.
If I understand correctly this is your plan for TLS support. Does it work with popular browser out of the box?
It will, once browsers support the TLSA DNS record. So far no major browsers support it (Chromium used to support it, but then removed support for reasons that I think are faulty). At the moment I'm using a Mozilla API that gives us what we need, but it requires installing a browser extension. I'm pretty sure it will work with any Mozilla-based software, including Firefox/Thunderbird/Seamonkey/TorBrowser, but I've only tested in Firefox.
I have doubts we really need DNSSEC. Particularly since it does not look like major browsers will support it anytime soon.

Also there is criticism: http://sockpuppet.org/blog/2015/01/15/against-dnssec/

E.g. tor browser and i2p support seem to benefit us way more.
nx.bit - some namecoin stats
nf.bit - shortcut to this forum

hla
Posts: 46
Joined: Mon Nov 10, 2014 12:01 am
os: linux
Contact:

Re: .bit Spec & NMControl: remove external NS lookups

Post by hla » Tue Sep 15, 2015 6:17 pm

That criticism of DNSSEC is badly constructed. A rebuttal is available somewhere. I think it's titled 'For DNSSEC'.

DNSSEC is necessary for secure delegation from Namecoin. This is necessary for large zones. Even if it were not, it would be the only sane way to manage large zones.

The problems getting browser deployment of DNSSEC are essentially the same as the problems getting browser deployment of Namecoin TLS certificate validation. To solve one is to more or less solve the other. To suppose that browser deployment of DNSSEC will never happen is essentially to suppose that in-browser Namecoin TLS certificate validation won't ever happen either.

Postfix has now implemented support for DANE, which allows it to use DNSSEC to secure inter-MTA SMTP TLS sessions and check that the certificate is valid. (Currently the domain names on TLS certificates used for SMTP tend not to be checked. This also prevents STARTTLS-stripping attacks.) This is a nice enhancement to the Internet e. mail system's security. DNSSEC is happening and it makes no sense not to interoperate with it and the considerable funding it's received, in the form of implementations, etc.

biolizard89
Posts: 1932
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: .bit Spec & NMControl: remove external NS lookups

Post by biolizard89 » Wed Sep 16, 2015 3:10 am

My general take is that with current technology, we cannot scale to ICANN levels and remain decentralized unless we allow delegation via DNSSEC. In 5 years it may be different, in which case we can always deprecate DNSSEC delegation then. For now, I support leaving it in. However, I am strongly against trusting the ICANN root key for any request that was initiated by a user who thought they were going to a .bit domain. (Meaning that I think CNAME/DNAME delegation to ICANN should be AD=0.) While I am concerned about replay attacks against DNSSEC, we simply do not have capacity to keep everything on the blockchain, and a well-placed warning for domain owners seems sufficient for the short term. A lot of domain owners can keep things on the blockchain, and it will work fine -- as long as they're not running a dynamic IP or something. (And a dynamic IP isn't subject to replay attacks anyway.)
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

phelix
Posts: 1625
Joined: Thu Aug 18, 2011 6:59 am

Re: .bit Spec & NMControl: remove external NS lookups

Post by phelix » Wed Sep 16, 2015 9:21 am

hla wrote: DNSSEC is necessary for secure delegation from Namecoin. This is necessary for large zones. Even if it were not, it would be the only sane way to manage large zones.
Large zones are not really of concern to us today.

The problems getting browser deployment of DNSSEC are essentially the same as the problems getting browser deployment of Namecoin TLS certificate validation. To solve one is to more or less solve the other. To suppose that browser deployment of DNSSEC will never happen is essentially to suppose that in-browser Namecoin TLS certificate validation won't ever happen either.
[/quote]
It does not have to happen in browser but can happen in a proxy.
biolizard89 wrote:My general take is that with current technology, we cannot scale to ICANN levels and remain decentralized unless we allow delegation via DNSSEC. In 5 years it may be different, in which case we can always deprecate DNSSEC delegation then. For now, I support leaving it in.
It's the other way round. In 5 years we can think about supporting it. We need to take one step after the other.
nx.bit - some namecoin stats
nf.bit - shortcut to this forum

Post Reply