DNSChain deprecates Certificate Authorities and fixes HTTPS

sugarpuff
Posts: 110
Joined: Tue Oct 22, 2013 10:17 pm

Post by sugarpuff »

Edit: DNSNMC has been renamed to DNSChain!
EDIT February 7, 2014: First public DNSChain server went live yesterday! Woohoo!!! :-D

Just announced on http://okturtles.com

To quote the paper:
> DNSNMC fixes the authentication problems previously described, and it addresses all of the problems with the previously mentioned proposals. It does this first by combining DNS with Namecoin (NMC), and then by encouraging a "trust only those you know" policy.[footnote 5]
>
> "Namecoin is an open source decentralized key/value registration and transfer system based on Bitcoin technology".[16] Namecoin "squares Zooko’s Triangle", meaning, it makes it possible to have domain names (and other types of identifiers) that are:
>   • Authenticated: users can be certain that they are not speaking to an impostor
>   • Decentralized: there is no central authority controlling all the names
>   • Human-readable: names look just like today’s domain names
> However, by itself, Namecoin does not provide the means by which ordinary users can take advantage of the features it provides. Using Namecoin is far too cumbersome for the vast majority of internet users, even those with years of computer expertise. For one, it cannot be used on mobile devices (like iPhones) in its current state because of its network requirements.
>
> DNSNMC provides the missing "glue" to the Namecoin blockchain that makes it immediately accessible to clients of all types with zero configuration. A network administrator need only enter the IP address of a DNSNMC-compliant DNS server to instantly make the information within the blockchain accessible to all of the users that she (or he) provides internet access to.
Please see this paper for details:

http://okturtles.com/other/dnsnmc_oktur ... erview.pdf

GitHub repo: https://github.com/okTurtles/dnsnmc
Last edited by sugarpuff on Sat Feb 08, 2014 1:56 am, edited 4 times in total.

moa
Posts: 255
Joined: Mon May 23, 2011 6:13 am

Re: Introducing DNSNMC, your connection Namecoin’s blockchai

Post by moa »

Following.

Edit: previously, similar proposed systems to secure DNS using Namecoin have been referred to as NMCSEC ... just something to consider at your early stage of dev, when it is easy to change, to avoid future confusing mixing of terminologies. Also, great that you make a reference to Aaron, thanks for that. We NEED systems like this.

Edit2: ok just read the paper, good work, great start, good foundations and looks like you got the chops and concepts to make this thing work as it was meant, go for it.

Let me know how I can help.
Last edited by moa on Fri Dec 13, 2013 7:51 pm, edited 2 times in total.

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Introducing DNSNMC, your connection Namecoin’s blockchai

Post by biolizard89 »

Cool stuff.
> To be assured of the authenticity of answers provided by a DNSNMC server, clients must have its public key fingerprint. With these two pieces (the server’s IP address and the server’s fingerprint), users are given strong authentication for all of the information that resides within the blockchain. Of course, we do not claim that this system provides perfect authentication, but rather it provides authentication that is meaningful. Once this relationship has been established between the DNSNMC server and its clients, the clients are guaranteed to receive accurate values from the blockchain, so long as the software involved (both server & client) and their respective keys (public and private) are not compromised.
I'm a bit confused by this. The text seems to imply that if the server is malicious or compromised, then the client has no way to verify that the data actually came from the blockchain. Is this correct? If so, isn't this quite a bit weaker than checking the blockchain locally? If that's the case, I guess this project would benefit from the lite-client proposals which allow a single name to be verified as from the current blockchain without needing an entire copy of the blockchain.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

sugarpuff
Posts: 110
Joined: Tue Oct 22, 2013 10:17 pm

Re: Introducing DNSNMC, your connection Namecoin’s blockchai

Post by sugarpuff »

biolizard89 wrote:
> Cool stuff.
Thanks. :)
> > To be assured of the authenticity of answers provided by a DNSNMC server, clients must have its public key fingerprint. With these two pieces (the server’s IP address and the server’s fingerprint), users are given strong authentication for all of the information that resides within the blockchain. Of course, we do not claim that this system provides perfect authentication, but rather it provides authentication that is meaningful. Once this relationship has been established between the DNSNMC server and its clients, the clients are guaranteed to receive accurate values from the blockchain, so long as the software involved (both server & client) and their respective keys (public and private) are not compromised.
> I'm a bit confused by this. The text seems to imply that if the server is malicious or compromised, then the client has no way to verify that the data actually came from the blockchain. Is this correct? If so, isn't this quite a bit weaker than checking the blockchain locally?
If the server does not belong to you then it's certainly weaker than checking the blockchain locally. Checking the blockchain locally, however, just isn't practical in most circumstances for most people.
> If that's the case, I guess this project would benefit from the lite-client proposals which allow a single name to be verified as from the current blockchain without needing an entire copy of the blockchain.
You mean having a partial copy of the blockchain stored locally? DNSNMC is designed for mass adoption, so I don't know how useful a lite client would be for most people. It would depend on what device they were using it on, how big of a cache it stored, etc. Generally speaking, there is no need for lite-clients with a trustworthy DNSNMC.

domob
Posts: 1129
Joined: Mon Jun 24, 2013 11:27 am

Re: Introducing DNSNMC, your connection Namecoin’s blockchai

Post by domob »

sugarpuff wrote:
> > If that's the case, I guess this project would benefit from the lite-client proposals which allow a single name to be verified as from the current blockchain without needing an entire copy of the blockchain.
> You mean having a partial copy of the blockchain stored locally? DNSNMC is designed for mass adoption, so I don't know how useful a lite client would be for most people. It would depend on what device they were using it on, how big of a cache it stored, etc. Generally speaking, there is no need for lite-clients with a trustworthy DNSNMC.
Yes, that's the idea. For a light client, you basically only need the block headers plus some limited additional data. BitcoinJ in SPV-mode works very well on mobile devices, and needs only a couple MiB of data for the Bitcoin blockchain (and note that the size depends only on the number of blocks, so people storing lots of data with Namecoin isn't going to increase the size). I think that would be feasible. However, it would probably also be a useful compromise to have even lighter clients if the user trusts a DNSNMC server fully, if they decide to do that.
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/
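
The light-client check discussed in the post above, as an added example that is not part of the original thread and is not DNSNMC or BitcoinJ code: a Bitcoin-style Merkle branch lets a client that holds only block headers confirm that one transaction is in a block. The transactions, the `d/example` name and all function names are constructed for illustration, and the header itself is assumed to have been validated already.

```python
import hashlib

def dsha256(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin-derived chains use for Merkle trees."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def _next_level(level):
    """Pair up nodes; an odd-length level duplicates its last node."""
    if len(level) % 2:
        level = level + [level[-1]]
    return level, [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        _, level = _next_level(level)
    return level[0]

def merkle_branch(leaves, index):
    """Sibling hashes from leaf `index` up to the root (supplied by a full node)."""
    branch, level = [], list(leaves)
    while len(level) > 1:
        padded, level = _next_level(level)
        branch.append(padded[index ^ 1])
        index >>= 1
    return branch

def verify_branch(leaf, index, branch, root):
    """Light-client side: rebuild the root from one leaf and its siblings."""
    node = leaf
    for sibling in branch:
        node = dsha256(sibling + node) if index & 1 else dsha256(node + sibling)
        index >>= 1
    return node == root

# Constructed sample data: five fake transactions, the last one a name update.
TXS = [f"constructed tx {i}".encode() for i in range(4)]
TXS.append(b'constructed name_update d/example {"ip": "192.0.2.1"}')
LEAVES = [dsha256(tx) for tx in TXS]
# Assumption: ROOT stands for the Merkle root field of a header the client
# has already validated (proof of work, link to the previous header).
ROOT = merkle_root(LEAVES)

if __name__ == "__main__":
    proof = merkle_branch(LEAVES, 4)
    print("branch length:", len(proof))
    print("genuine tx accepted:", verify_branch(LEAVES[4], 4, proof, ROOT))
    forged = dsha256(b'constructed name_update d/example {"ip": "203.0.113.9"}')
    print("forged tx accepted:", verify_branch(forged, 4, proof, ROOT))
```

A valid branch shows only that the transaction is in that block; it does not show that the name has not since been updated or expired, so a server can still answer with stale data unless the client also checks later blocks.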

virtual_master
Posts: 541
Joined: Mon May 20, 2013 12:03 pm

Re: Introducing DNSNMC, your connection to Namecoin’s blockc

Post by virtual_master »

Cool site.
Still didn't read all but it seems that it took a lot of work.
http://namecoinia.org/
Calendars for free to print: 2014 Calendar in JPG | 2014 Calendar in PDF Protect the Environment with Namecoin: 2014 Calendar in JPG | 2014 Calendar in PDF
BTC: 15KXVQv7UGtUoTe5VNWXT1bMz46MXuePba | NMC: NABFA31b3x7CvhKMxcipUqA3TnKsNfCC7S

sugarpuff
Posts: 110
Joined: Tue Oct 22, 2013 10:17 pm

Re: Introducing DNSNMC, your connection Namecoin’s blockchai

Post by sugarpuff »

moa wrote:
> Following.
>
> Edit: previously, similar proposed systems to secure DNS using Namecoin have been referred to as NMCSEC ... just something to consider at your early stage of dev, when it is easy to change, to avoid future confusing mixing of terminologies. Also, great that you make a reference to Aaron, thanks for that. We NEED systems like this.
Thanks so much for the kind words of encouragement moa! :D

Do you have some links to NMCSEC that you could share? I'd love to read more about it, but I'd love to see what you (specifically) are thinking of. Off the top of your head, what differences (if any) do you see between it and DNSNMC?
> Edit2: ok just read the paper, good work, great start, good foundations and looks like you got the chops and concepts to make this thing work as it was meant, go for it.
>
> Let me know how I can help.
Sure thing!

Which project are you more interested in working on btw, okTurtles or DNSNMC? I'll be working on DNSNMC first (since okT needs it). Right now I'm preparing the full specification draft as well as a github repo so that others can join in.

Pagel1928
Posts: 27
Joined: Fri Sep 13, 2013 6:15 am

Re: DNSNMC deprecates Certificate Authorities and fixes HTTP

Post by Pagel1928 »

I just want to point out, that right now if you use https://cloudns.com.au/ as your resolver, by using DNSCrypt you have authenticated the cloudns.com.au resolver and you are encrypting your DNS queries.

The cloudns.com.au resolver also resolves .bit addresses and returns TLS data for TLSA records. This ends up hitting all your DNSNMC security points (I think?), except for the fact it's using DNS as a transport.

sugarpuff
Posts: 110
Joined: Tue Oct 22, 2013 10:17 pm

Re: DNSNMC deprecates Certificate Authorities and fixes HTTP

Post by sugarpuff »

Pagel1928 wrote:
> I just want to point out, that right now if you use https://cloudns.com.au/ as your resolver, by using DNSCrypt you have authenticated the cloudns.com.au resolver and you are encrypting your DNS queries.
>
> The cloudns.com.au resolver also resolves .bit addresses and returns TLS data for TLSA records. This ends up hitting all your DNSNMC security points (I think?), except for the fact it's using DNS as a transport.
What is this? Any more info on it? Where's the code?

Pagel1928
Posts: 27
Joined: Fri Sep 13, 2013 6:15 am

Re: DNSNMC deprecates Certificate Authorities and fixes HTTP

Post by Pagel1928 »

sugarpuff wrote:
> Pagel1928 wrote:
> > I just want to point out, that right now if you use https://cloudns.com.au/ as your resolver, by using DNSCrypt you have authenticated the cloudns.com.au resolver and you are encrypting your DNS queries.
> >
> > The cloudns.com.au resolver also resolves .bit addresses and returns TLS data for TLSA records. This ends up hitting all your DNSNMC security points (I think?), except for the fact it's using DNS as a transport.
> What is this? Any more info on it? Where's the code?
What do you mean? It's just using existing technology...

DNSCrypt for authentication/encryption of DNS queries:
http://dnscrypt.org/

The cloudns.com.au server is using nmcontrol for lookups into namecoin:
https://github.com/khalahan/nmcontrol

You can use the DNSSEC/TLSA browser extension to validate TLSA records:
https://www.dnssec-validator.cz/

I've been using the cloudns.com.au DNS server for a while without any problems. I set up my router to use it, so now all my computers can query .bit domains, and after I installed the dnssec-validator plugin I can validate TLSA records.

The downside is cloudns.com.au could potentially be sniffing or tampering with my DNS queries, although they promise not to, and I haven't noticed anything weird.
