Bitcoin Forum
Topic: Why no DNSSEC requirements for seed nodes? (and why none on bitcoin.org)  (Read 121 times)
DaveF (OP)
June 05, 2021, 02:04:36 PM
Merited by ABCbits (1)
 #1

Was going to open an issue in GitHub but figured I would post here in case it had been discussed before and I am having a Google / DuckDuckGo fail in search terms.
Was looking in chainparams.cpp for something and wondered how many seeds used DNSSEC, checked and the answer was 3 out of 9.
Did a little more looking and bitcoin.org and bitcointalk.org don't use it either.

Yes I *know* it's a minor thing. But it does help in security.
I can see not having it here, but elsewhere come on. It's not that tough.

If you are going to run a seed node then I feel that should be a requirement.
Any thoughts?

*full disclosure I don't have it on 99% of my own stuff so I am not one to really criticize but, I am not responsible for other people's money either so there is that....

Either way, it's finally a nice weekend. If you need me I'll be outside....

-Dave


NotATether
June 05, 2021, 02:25:53 PM
 #2

Because of complexity perhaps? Managing HTTPS certificates, and getting them to work in the first place, is hard enough. I can't imagine how much more difficult manually creating and adding certificates to their nodes or other arbitrary software would be, unless bitcoin-seeder gets the functionality to do those things automatically merged, which is unlikely.

DaveF (OP)
June 05, 2021, 02:40:48 PM
 #3

Quote from: NotATether
> Because of complexity perhaps? Managing HTTPS certificates, and getting them to work in the first place, is hard enough. I can't imagine how much more difficult manually creating and adding certificates to their nodes or other arbitrary software would be, unless bitcoin-seeder gets the functionality to do those things automatically merged, which is unlikely.

It's not the nodes, it's the DNS for the nodes.
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

Just about every major DNS provider supports it.
If you want to host a seed node it just seems like a good piece of extra security to be sure that when someone looks up your address it really is you on the other side.


-Dave

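One way to run the per-seed check behind a tally like "3 out of 9", added here as an example and not code from any poster or from Bitcoin Core: build a query with the EDNS0 DO bit, then classify a resolver's reply by its AD flag, the presence of RRSIG records, and SERVFAIL (what a validating resolver returns when signatures fail). The seed names, header flags and replies are constructed so the code runs offline, and the status labels are this example's own.

```python
import struct

A, OPT, RRSIG, AD = 1, 41, 46, 0x0020  # record types; AD = "authentic data" header flag

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def build_query(name, qid=0x1234):
    """A query with RD set and an EDNS0 OPT record whose DO bit asks for RRSIGs."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0x8000, 0)
    return header + encode_name(name) + struct.pack("!HH", A, 1) + opt

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk labels until root or pointer
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def classify(msg):
    """Classify a recursive resolver's reply to a DO-bit query."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0x000F == 2:  # SERVFAIL: how a validating resolver reports bogus data
        return "bogus-or-error"
    off, types = 12, set()
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.add(rtype)
        off += 10 + rdlen
    if flags & AD:  # only meaningful over a trusted path to the resolver
        return "secure"
    return "signed-unvalidated" if RRSIG in types else "insecure"

def sample_response(name, flags, rrsig=False):  # constructed reply, placeholder RRSIG
    rrs = [struct.pack("!HHHIH", 0xC00C, A, 1, 60, 4) + bytes([192, 0, 2, 1])]
    if rrsig:
        rrs.append(struct.pack("!HHHIH", 0xC00C, RRSIG, 1, 60, 24) + bytes(24))
    head = struct.pack("!6H", 0x1234, flags, 1, len(rrs), 0, 0)
    return head + encode_name(name) + struct.pack("!HH", A, 1) + b"".join(rrs)

# Constructed names and header flags (AD set / plain / SERVFAIL), not real seed hosts.
CASES = {"seed-a.example": (0x81A0, True), "seed-b.example": (0x8180, False),
         "seed-c.example": (0x8182, False)}

def survey(cases=CASES):
    return {n: classify(sample_response(n, f, s)) for n, (f, s) in cases.items()}
```

Against a live setup, the bytes from `build_query()` go over UDP to a validating resolver you trust and the reply goes to `classify()`; an AD flag from a resolver reached over an untrusted network proves nothing.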
ABCbits
June 06, 2021, 09:14:07 AM
Merited by vapourminer (1)
 #4

Quote from: DaveF
> Was going to open an issue in github but figured I would post here in case it had been discussed before and I am having a Google / DuckDuckGo fail in search terms.

Here are some discussions that are about or mention DNSSEC:

ops: Enable DNSSEC on all Bitcoin DNS Seed domain names
p2p: monoculture of DNS seeder software
Is EFF's proposed Sovereign Key system similar to how Namecoin/Bitcoin works?

Looks like some people think DNSSEC doesn't have a big impact and prefer seed diversity.

DaveF (OP)
June 07, 2021, 12:19:52 AM
 #5

Quote from: ABCbits
> Looks like some people think DNSSEC doesn't have a big impact and prefer seed diversity.

Huh? So instead of being sure that the node you are connecting to is the actual node, not one that was forged by a DNS attack, nobody outside of 3 people wants to put in the effort.

:sigh: sometimes some really smart people can make silly decisions.

Will leave this thread open for a bit, see if anyone else chimes in.

-Dave
