DoB will have to deal with some problems, especially bad actors; people will squat on domains, register typos (fscebook.com) or even bitflips (fabebook.com, b is one bitflip from c). Malware owners will run their C&C servers on domains.
Malicious domains will require someone removing them or blocking them even, unless you want the DoB namespace to turn into a cesspool of malware, phishing and nazis. Not something the average person wants.
You either have the freedom of decentralization and all the benefits and drawbacks that comes with it, or you have our current system with the ability to centrally manage but then you depend on those large, centralized entities to do an impartial job. And we know that nobody is impartial.
Why is it always so black-and-white with blockchain people?
There is no reason we can't deploy something that takes the good parts of decentralized operation without having to commit to a full P2P blockchain IoT buzzword fiasko.
DNS was introduced when a centrally managed /etc/hosts file was no longer feasible, it was a simple solution to a problem that fairly few people (mostly computer researchers) had. It solved the problem and not much more.
Computers weren't mainstream when DNS was invented.
Then Facebook can buy the space of typos around their name? Just because Facebook (or Twitter, Instagram, et al) are popular sites, doesn't mean registrars should give them special treatment. What happens when they stop being popular?
Most larger registrars give you the same protection if you run any type of business. Though below certain threshold typo-squatting will simply not happen, but atleast in my jurisdiction I can actually sue the owner of the typosquat for the ownership of the domain.
Yeah, why even let the Nazis have IP addresses? In fact, if we took away their computers, pens, and papers, surely that would make them less likely to lash out violently.
Yes, DNS should be like the old phone book — published regularly, pick one up anywhere & everywhere, look things up anonymously (granted, authenticity guarantees were somewhat lacking).
My question - Sure blockchain can do this, but couldn’t a simpler DHT-based p2p system would work just as well or better? I like the distributed/anonymity/authenticity, but why is blockchain required?
There are capabilities to use the existing DNS system (or an EthDNS system in the works) for human readable names with IPFS, but you can also use other channels like pubsub to resolve mutable content like IPNS names quickly - so IPFS doesn't actually require DNS at all.
Multiwriter IPNS records are also a work in progress, though I disagree with your characterization that somehow only allowing one key to edit a particular signed record somehow makes the network itself centralized...
This isn'T about the IPFS Application Layer but the Link layer.
Bootstrapping a P2P system efficiently requires known P2P nodes and those will require DNS unless you want to shell out for a static IP permanently (and hope nobody poisons ARP!)
You don't need to,even if you get a malicious thumbprint,the associated cert still needs to be signed by a trusted CA. CA list for TLDs will be distributed with the resolver software just like browsers ship with such a list (or rely on your browser/client preferred list)
The implementation could easily change to not require DNS. You only need to find a single live node to bootstrap, so hardcoding a bunch of high-quality nodes works perfectly fine.
Also you don't need the "Where is IPFS?" DNS query to be anonymous in the first place.
Then you still need to trust the initial node to not provide you with a poisoned peer list (ie, a list of peers that are wholely isolated from the proper IPFS network and provide bogus DNS answers).
And you need to bootstrap without DNS if you plan to actually replace DNS, not live beside it.
Anything in the world could theoretically be poisoned. There's no point in worrying about attacks above a certain level of difficulty. If you can check in with a certain number of builtin peers, that's about as solid as we can make things.
> And you need to bootstrap without DNS if you plan to actually replace DNS, not live beside it.
Whatever. DNS itself is never going to shut down, so 100% replacement even for bootstrapping isn't a real concern. And if starting with 13 fixed IP addresses is good enough for DNS, then it should be good enough for IPFS.
Bootstrapping without DNS or bootstrap nodes is possible, if hard, but still leaves some open questions.
Not everything in the world can be poisoned if you design carefully enough, but IPFS isn't a design I'd pick for building the foundation of an internet.
Handshake is another DNS on blockchain project that's taking a different approach — it's aiming to decentralize the root zone (TLDs) instead of domains, because the root zone is where the centralization happens.
Every time I see an article claiming that someone is building some “decentralized” system to make censorship harder I wonder if anyone of those people even understands how the internet is censored at scale in places like China.
For the censorship we have in the west e.g. blacklisting torrent sites a non-ISP DNS and or CDN already solve that problem, for anything beyond that nothing would help.
The real innovation of Handshake is that is allows you to verify the public key associated with a name. This opens the door to enabling SSL/TLS without relying on Certificate Authorities, which is a vulnerability point in the security of the Internet today. The additional benefit is that the names are difficult to censor. Governments can still censor by IP of course, but the point is that it forces bad actors to censor at a deeper level (and there are other projects tackling solving that).
Indeed, this was my first thought when I read the title, and IMO, it still remains the other obious killer app. for blockchain (besides store of value / currency, obviously).
Namecoin is an idea (that failed because IMO it was too early) so old by now that I am truly surprised there hasn't been a full blown distributed DNS solution that works in parallel to the existing one based on blockchain.
I'll go ahead and note that this doesn't require a blockchain. Each TLD is controlled by a single entity. Anything a site would store on a blockchain, they could easily submit to that single entity to be published.
No, public key cryptography means that the key doesn't need to be shared.
A blockchain is only needed if parties need to write to the database in a decentralized manner, and the order of the writes is important & can't be tampered with.
Of course. The OP didn't mention which key, so assumed they are talking about the private key, especially when they mentioned out-of-bound sharing, usually terminology used for asymmetric cryptography. Public keys don't need to be shared out-of-band, in fact they are always published along with the transaction on the blockchain. (well technically, only the curve points and the hash are, but using these, we can re-create the public key)
The article explains the censorship resistance aspect but not the security. How does Handshake deal with the things Cloudflare does for me? DDoS and WAF protection, at least?
Firewalls and DDOS protection have nothing at all to do with name resolution. These are routing concerns that require taking a deep look into the packets (DPI), while name resolution and key exchange are prior steps.
Also, what does CloudFlare bring to you? 99% of websites don't need DDOS protection or a complex firewall. Using CloudFlare for these websites means:
- CloudFlare gets to inspect and snoop 100% of your "HTTPS" trafic (because the TLS termination happens on their side)
- Users without Javascript (command-line browsers or GUI browsers disabling JS for performance/security concerns) cannot access your website
- Tor users most times cannot access your services at all because CloudFlare and Google work hand-in-hand to prevent them from using the web by serving infinite CAPTCHA loops (see #FuckCloudFlare)
- CloudFlare becomes a SPOF for much of the web, like other "cloud" providers ; accessing your website depends on the availability and good will of a huge multinational
So if you want to help people access the Internet without censorship and surveillance, please never use CloudFlare or equivalent services. They make everything so much worse through centralization. If we wait too much, it will become a HUGE problem.
> Namecoin and the Ethereum Name System were the first attempts at bringing name resolution to the Blockchain. At Diode we’re going the next step and are moving PKI & DNS into the Blockchain
The article specifically calls out Namecoin, but doesn’t say anything about how Namecoin falls short or why it can’t be augmented/improved instead of building a whole new thing.
I know I’ll sound like a grump here, but why does the bar for HN front page feel so low these days?
There's some interesting work on this going on in W3C, in the Verifiable Claims Working Group [1] and in the newly minted Decentralized Identifier Working Group [2]. I'm a member of the W3C Credentials Community Group (CCG) [3], which is where those two WGs started.
There are also a number of other valuable efforts. Both in other Standards Development Organizations (SDOs), such as Decentralized Identity Foundation (DIF) [4], Apache HyperLedger projects like Aries [5], etc. And in working conferences/unconferences like Rebooting Web of Trust (RWOT) [6], and Internet Identity Workshop (IIW) [7]. On a tangential note, Unconferences are an interesting concept [8].
So every DNS change is stored into the blockchain, forever? Will you have to download terabytes and terabytes of the blockchain in order to serve as a node? Why is that kind of audit history necessary?
Why is the solution to every problem "blockchain" these days?
From my PoV blockchain can be the solution for a lot of things, but is not suited for most of these problems. It is "just" a technology like any other, but with a focus on trust in decentralized systems. If you need this then blockchain could be a good solution, but this does not mean that it fit your needs in transaction speed etc.
You don’t necessarily need to store DNS changes into the blockchain. The blockchain will only keep the current state and would prune the changes. According to Diode’s blog posts, 20kb of storage is all it needs with BlockQuick, the newly developed light-client protocol.
The point is less about storing the audit history, but more about preventing Man-in-the-Middle attacks and solving the timestamp-certificate chicken-egg problem.
question—can’t a government actor like china just watch the record for where it points to and just filter that address? doesn’t that defeat the whole purpose of this uncensorability?
while it may be harder in the US i could legitimately see a mechanism developing to make that a requirement for isps
They can, and do, already do this for regular DNS. This would prevent US-style domain name seizures but would do nothing against actual competent censorship.
Correct me if I'm wrong, but wouldn't DNS-on-blockchain make lookups orders of magnitude slower than they are now, especially with many DNS services advertising based on speed?
Yes, DNS-on-blockchain would likely make lookups orders of magnitude slower than they are now -- it's making a trade-off between security and performance.
A lot of blockchain projects coordinate "seed nodes" by storing collections of IP addresses within the DNS records of websites that community members run, because it is an already decentralized enough record
Malicious domains will require someone removing them or blocking them even, unless you want the DoB namespace to turn into a cesspool of malware, phishing and nazis. Not something the average person wants.