[ANN] NamecoinControl - Manage namecoin services

[phelix]

I just want to point out my pull request here:

https://github.com/khalahan/nmcontrol/pull/3

This fixes up the nmcontrol DNS server so it handles subdomains properly.

Additionally it implements .tor lookups, which return the onion address as a CNAME:

dig lolicore.tor
lolicore.tor. 5 IN CNAME lolicore75rq3tm5.onion.

I'm wondering what is the right way this should actually be done? From here it would be relatively easy to do this lookup/resolution with a browser plugin.

Additionally I quite prefer the format .tor.bit and .ip4.bit, so perhaps I should implement it that way instead...

Nice. Check out Biolizard89's browser plugin: http://dot-bit.org/forum/viewtopic.php?f=2&t=552

[biolizard89]

I just want to point out my pull request here:

https://github.com/khalahan/nmcontrol/pull/3

This fixes up the nmcontrol DNS server so it handles subdomains properly.

Additionally it implements .tor lookups, which return the onion address as a CNAME:

dig lolicore.tor
lolicore.tor. 5 IN CNAME lolicore75rq3tm5.onion.

I'm wondering what is the right way this should actually be done? From here it would be relatively easy to do this lookup/resolution with a browser plugin.

Additionally I quite prefer the format .tor.bit and .ip4.bit, so perhaps I should implement it that way instead...

We had some discussion of Onion domains a month or two ago. The general conclusion was that Onion domains should be specified via the d/ namespace (same as IPv4/IPv6), not the tor/ namespace. There was some disagreement about the TLD that should be used, but I believe most people supported the use of a separate TLD (e.g. .bittor) to indicate that only Onion resolution is acceptable, while another TLD (e.g. .bitany) would automatically choose either IPv4/IPv6/Onion/I2P based on user settings, and .bit would restrict to IPv4/IPv6. Making 2nd-level domains (e.g. tor.bit) for a resolver is not safe, because there is a question of whether wikileaks.tor.bit should be looked up in the map field of d/tor, or the tor field of d/wikileaks.

I've been planning to implement Onion support in Convergence, just haven't had the time yet.

As for using a CNAME... I'm not at all sure that this will work securely or at all. For Onion domains to be resolved, the DNS has to go through the Tor SOCKS proxy. Presumably if you're using NMControl as your DNS, you've configured your browser to use local DNS lookup. I have no idea what a browser will do when it gets a CNAME from its local DNS... my guess is that it will probably try to resolve the Onion domain via NMControl, which will then leak the Onion domain you're visiting to whatever public DNS NMControl is configured to use for non-.bit queries (Google by default). When Google then fails, the browser might plausibly try routing the DNS through Tor, which would make the webpage load, but there would still be a leak. (I have no empirical evidence that this will occur; this is just an educated guess.)

[Pagel1928]

From my testing, the browser does a lookup, and when it gets the CNAME response it discards it and there is no resolution and it tries nothing else.

I decided to return it in CNAME as an assumption it will be easier to tie it in with a plugin (for those who might use a remote DNS server)

I don't think .tor.bit etc, would be a risk, there is very little confusion if .bit by itself would not be directly usable. For example, nobody is getting confused with .com.uk .co.uk etc

This obviously just means you would need a very strict change to what is currently in use...

[domob]

Maybe a dumb question, but does NMControl support delegate/import? It seems not from a quick glance at the code, although there are comments hinting that it is planned (and where it will be added). Is there work going on? If not, is the proposal already worked out and agreed upon enough so that it is a good idea to try to add support myself?

I ask because I'm right now in the process of setting up some .bit domains for my new server, and it would be great if I could reuse the configuration value for all but one name instead of duplicating it. But it seems that my only option right now is to copy the value, right?

[biolizard89]

Maybe a dumb question, but does NMControl support delegate/import? It seems not from a quick glance at the code, although there are comments hinting that it is planned (and where it will be added). Is there work going on? If not, is the proposal already worked out and agreed upon enough so that it is a good idea to try to add support myself?

I ask because I'm right now in the process of setting up some .bit domains for my new server, and it would be great if I could reuse the configuration value for all but one name instead of duplicating it. But it seems that my only option right now is to copy the value, right?

To my knowledge it does not, and the spec is not clear enough on how exactly it should work. I think we should have a discussion in a separate thread regarding exactly how these features should work.

[phelix]

http://nf.bit/viewtopic.php?p=6710&sid= ... 4974#p6710 "import" specification