Bitcoin Forum>Bitcoin>Development & Technical Discussion
Author

Topic: Why no DNSSEC requirements for seed nodes? (and why none on bitcoin.org) (Read 120 times)

ABCbits
legendary
Activity: 2842
Merit: 7333
Crypto Swap Exchange
Why no DNSSEC requirements for seed nodes? (and why none on bitcoin.org)
June 07, 2021, 04:34:39 AM
#6
Quote from: DaveF on June 06, 2021, 08:19:52 PM
Quote from: ABCbits on June 06, 2021, 05:14:07 AM
Looks like some people think DNSSEC doesn't have big impact and prefer seed diversity.

 Huh So instead of being sure that the node your are connecting to is the actual node not one that was forged by a DNS attack nobody outside of 3 people want to put in the effort.

:sigh: sometimes some really smart people can make silly decisions.

But looking at first link, few DNS seeder operator/owner are interested to implement DNSSEC if the hosting service or software support it. Bitcoin community sometimes move very slow, but i expect there'll be more DNS seed which support DNSSEC in next few years.
DaveF
legendary
Activity: 3444
Merit: 6182
Crypto Swap Exchange
Re: Why no DNSSEC requirements for seed nodes? (and why none on bitcoin.org)
June 06, 2021, 08:19:52 PM
#5
Quote from: ABCbits on June 06, 2021, 05:14:07 AM
Looks like some people think DNSSEC doesn't have big impact and prefer seed diversity.

 Huh So instead of being sure that the node your are connecting to is the actual node not one that was forged by a DNS attack nobody outside of 3 people want to put in the effort.

:sigh: sometimes some really smart people can make silly decisions.

Will leave this thread open for a bit see if anyone else chimes in.

-Dave
ABCbits
legendary
Activity: 2842
Merit: 7333
Crypto Swap Exchange
Re: Why no DNSSEC requirements for seed nodes? (and why none on bitcoin.org)
June 06, 2021, 05:14:07 AM
#4
Quote from: DaveF on June 05, 2021, 10:04:36 AM
Was going to open an issue in github but figured I would post here in case it had been discussed before and I am having a Google / DuckDuckGo fail in search terms.

Here are some discussion about or mention DNSSEC,

ops: Enable DNSSEC on all Bitcoin DNS Seed domain names
p2p: monoculture of DNS seeder software
Is EFF's proposed Sovereign Key system similar to how Namecoin/Bitcoin works?

Looks like some people think DNSSEC doesn't have big impact and prefer seed diversity.
DaveF
legendary
Activity: 3444
Merit: 6182
Crypto Swap Exchange
Re: Why no DNSSEC requirements for seed nodes? (and why none on bitcoin.org)
June 05, 2021, 10:40:48 AM
#3
Quote from: NotATether on June 05, 2021, 10:25:53 AM
Because of complexity perhaps? Managing HTTPS certificates, and getting them to work in the first place, is hard enough. I can't imagine how much more difficult manually creating and adding certificates to their nodes or other arbitrary software would be, unless bitcoin-seeder gets the functionality to do those things automatically merged, which is unlikely.

It's not the nodes it's the DNS for the nodes.
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

Just about every major DNS provider supports it.
If you want to host a seed node it just seems like a good piece of extra security to be sure that when someone looks up your address it really is you on the other side.


-Dave
NotATether
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Re: Why no DNSSEC requirements for seed nodes? (and why none on bitcoin.org)
June 05, 2021, 10:25:53 AM
#2
Because of complexity perhaps? Managing HTTPS certificates, and getting them to work in the first place, is hard enough. I can't imagine how much more difficult manually creating and adding certificates to their nodes or other arbitrary software would be, unless bitcoin-seeder gets the functionality to do those things automatically merged, which is unlikely.
DaveF
legendary
Activity: 3444
Merit: 6182
Crypto Swap Exchange
Re: Why no DNSSEC requirements for seed nodes? (and why none on bitcoin.org)
June 05, 2021, 10:04:36 AM
#1
Was going to open an issue in github but figured I would post here in case it had been discussed before and I am having a Google / DuckDuckGo fail in search terms.
Was looking in chainparams.cpp for something and wondered how many seeds used dnssec, checked and the answer was 3 out of 9
Did a little more looking and bitcoin.org and bitcointalk.org don't use it either.

Yes I *know* it's a minor thing. But it does help in security.
I can see not having it here, but elsewhere come on. It's not that tough.

If you are going to run a seed node then I feel that should be requirement.
Any thoughts?

*full disclosure I don't have it on 99% of my own stuff so I am not one to really criticize but, I am not responsible for other peoples money either so there is that....

Either way, it's finally a nice weekend. If you need me I'll be outside....

-Dave

Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: