
DNSChain 0.5 released, brings full HTTPS support, Openname Resolver API and more - DonPellegrino
https://blog.okturtles.com/2015/03/dnschain-0-5-released-https-openname-resolver-api-more/
======
e12e
Is there a clear readme on dnschain somewhere? I looked at the github repo,
but still don't quite get what actual benefits it brings over running one's
own dns server? Using the public server obviously still leaks metadata (who
looks up what when) - not that such metadata isn't rather obvious anyway by
observing traffic between ips. How is it any better than cacert? Because you
pin the trust to your own ca? What stops you from doing that now (how is the
trust different with dnschain?).

~~~
rakoo
DNSChain queries blockchains instead of querying DNS servers. The blockchain
would have entries inserted by domain owners detailing their information --
functionally, A, AAAA and TLSA records. All the trust is put inside the
blockchain. DNSChain allows you to query the blockchain with "traditional"
tools, i.e. using DNS or HTTP queries.

> How is it any better than cacert? Because you pin the trust to your own ca?

There is no third-party to trust between you and the domain you want to visit
(again, assuming the blockchain doesn't lie), so you really have the
information the domain owner wants you to have.

~~~
e12e
> (assuming the blockchain doesn't lie)

Well, the blockchain lying is one thing -- another thing is if it tells the
truth about lies ("it" has been lied to).

I suppose my confusion stemmed from the fact that dnschain is two things: a
way to secure data, and an infrastructure for registering data. Apparently
there's no trust at the point of registration, which means the whole thing is
entirely untrustworthy from a certain point of view (I don't necessarily think
this is a bad thing/feature -- it's just that without any form of vetting,
there can be only a certain _"kind"_ of trust), on the other hand if you
trust the registration, you can trust your queries to return data that has
been registered.

With the/a CA system, you can trace trust through keys back to
organizations/individuals (that either act in bad faith, or have been
compromised) -- but detecting such bad behaviour is out of scope of the CA
system.

~~~
itistoday2
> _and an infrastructure for registering data_

Currently DNSChain supports reading from blockchains. Writing is planned for a
future release.

> _Apparently there's no trust at the point of registration, which means the
> whole thing is entirely untrustworthy from a certain point of view_

Trust is not involved "at the point of registration", unless you are referring
to trusting a central authority for registering .gov's or something like that
(which can be done on a blockchain as well).

------
higherpurpose
> Automatically generates 4096-bit HTTPS key/certificate pair for you

Will this be a problem for low-end phones? Why not ECC certificates?

~~~
itistoday2
> Will this be a problem for low-end phones? Why not ECC certificates?

That's a great suggestion, thank you. I chose to use RSA because it has
excellent browser support and I don't know how good the browser support for
ECC is. If anyone has any useful links/info on this I'd appreciate it very
much. Note that you can of course generate and use whatever sort of key/cert
pair you'd like.

~~~
mnordhoff
I believe CloudFlare's free "Universal SSL" uses ECDSA. Support isn't, um,
universal, but it seems to be widespread enough among modern clients.

~~~
ryan-c
Clients supporting ECDSA certificates advertise it via a TLS extension - some
server software can actually serve up an RSA or ECDSA certificate depending on
what the client claims to support.
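As an added illustration of the mechanism described above (example code written for this thread, not from DNSChain or any of the posters): a server holding both an RSA and an ECDSA certificate can read the client's signature_algorithms extension (type 13) out of the ClientHello extensions block and serve the certificate type the client can verify. The wire layout follows RFC 5246 / RFC 8446; the extension walker, the selection policy, the fallback when the extension is absent, and the constructed sample extension bytes are all this example's own assumptions.

```python
"""Pick an RSA or ECDSA certificate from a client's signature_algorithms extension.

Added example, not DNSChain code. Wire formats follow RFC 5246 section 7.4.1.4.1
and RFC 8446 section 4.2.3; the selection policy is this example's own choice.
"""
import struct

# IANA SignatureScheme code points (RFC 8446, section 4.2.3).
SIGNATURE_SCHEMES = {
    0x0201: "rsa_pkcs1_sha1",
    0x0401: "rsa_pkcs1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
}
SIGNATURE_ALGORITHMS_EXT = 13  # extension type of signature_algorithms


def build_signature_algorithms(scheme_ids):
    """Encode an extension body: uint16 length, then uint16 scheme ids.
    Used only to construct sample input here; a real client builds this."""
    payload = b"".join(struct.pack("!H", i) for i in scheme_ids)
    return struct.pack("!H", len(payload)) + payload


def build_extensions_block(extensions):
    """Encode a ClientHello extensions block: uint16 total length, then
    (uint16 type, uint16 length, data) entries. Sample-input helper."""
    entries = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    return struct.pack("!H", len(entries)) + entries


def find_extension(block, wanted_type):
    """Walk the extensions block; return extension_data of the first
    extension of wanted_type, or None if the client did not send it.
    Every length is checked against the buffer before it is trusted."""
    if len(block) < 2:
        raise ValueError("extensions block too short")
    (total,) = struct.unpack("!H", block[:2])
    if len(block) != 2 + total:
        raise ValueError("extensions block length mismatch")
    pos = 2
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", block[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(block):
            raise ValueError("truncated extension data")
        if ext_type == wanted_type:
            return block[pos:pos + ext_len]
        pos += ext_len
    return None


def parse_signature_algorithms(body):
    """Decode extension_data into scheme names. Unknown code points are kept
    as 'unknown(0x....)' rather than dropped, since a server must tolerate
    schemes it does not implement."""
    if len(body) < 2:
        raise ValueError("extension body too short")
    (length,) = struct.unpack("!H", body[:2])
    if length == 0 or length % 2 or len(body) != 2 + length:
        raise ValueError("malformed signature_algorithms list")
    ids = struct.unpack("!%dH" % (length // 2), body[2:])
    return [SIGNATURE_SCHEMES.get(i, "unknown(0x%04x)" % i) for i in ids]


def choose_certificate(scheme_names, available):
    """Policy (this example's own): prefer ECDSA when the client lists any
    ecdsa_* scheme and we hold an ECDSA cert, else RSA, else None.
    `available` is the set of key types the server has certs for."""
    if "ecdsa" in available and any(n.startswith("ecdsa_") for n in scheme_names):
        return "ecdsa"
    if "rsa" in available and any(n.startswith("rsa_") for n in scheme_names):
        return "rsa"
    return None


def select_for_client_hello(extensions_block, available):
    """Locate the extension, parse it, and choose. When the client omits
    signature_algorithms (older clients), fall back to RSA if we have it;
    that fallback is an assumption of this example, not an RFC rule."""
    body = find_extension(extensions_block, SIGNATURE_ALGORITHMS_EXT)
    if body is None:
        return "rsa" if "rsa" in available else None
    return choose_certificate(parse_signature_algorithms(body), available)


# Constructed sample ClientHello extension blocks (not captured traffic).
SAMPLE_EXTENSIONS = build_extensions_block([
    (0, b"\x00\x0e\x00\x00\x0bexample.com"),  # server_name, skipped by walker
    (SIGNATURE_ALGORITHMS_EXT, build_signature_algorithms([0x0403, 0x0804, 0x0401])),
])
RSA_ONLY_EXTENSIONS = build_extensions_block([
    (SIGNATURE_ALGORITHMS_EXT, build_signature_algorithms([0x0401, 0x0201])),
])

if __name__ == "__main__":
    both = {"rsa", "ecdsa"}
    print("modern client ->", select_for_client_hello(SAMPLE_EXTENSIONS, both))
    print("RSA-only client ->", select_for_client_hello(RSA_ONLY_EXTENSIONS, both))
    print("no extension ->", select_for_client_hello(build_extensions_block([]), both))
```

The walker validates every length field before slicing so a truncated or oversized ClientHello raises instead of reading past the buffer, and unknown scheme ids are reported rather than silently dropped; both are the behaviours a server-side parser needs when the input comes from an untrusted peer.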

