Delegation happens via public key and records are resolved through a DHT. The idea is you could add your friend/org's key to your root, and from there you could resolve recursively using your friend/org's zone.
Pretty neat stuff, at least on paper.
Also, the hyper hyper local root and public-key delegation balance the powers of the centralized root. Hypothetically, adding a new "TLD" (for your client) would be very easy so we would probably see more old-style "indexes" sharing zones you could subscribe to, also in a peer-to-peer manner so that if I add my friend anita's zone to my root, I could then recursively resolve through her published index (in her zone), like blog.anita or barbara.anita (a hypothetical friend of anita's).
It's also worth mentioning that this would significantly change the Certificate Authority problem by having a secure network to distribute the keys via DANE entries. It would still be a problem though that anita could suddenly point barbara in her zone to her own machine and serve her own content/certificate. But I guess that's what Web of Trust (or rather Fog of Trust with zero-knowledge proofs) is for? :)
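Added example, not code from the thread or from any of the projects mentioned: a small Python model of the scheme the comment above describes. A zone is named by a public zone key, the record for a label lives in a DHT at a location derived from (zone key, label), and a PKEY record hands resolution to another zone, so `barbara.anita` walks from my local root through anita's zone into barbara's. Real designs sign records with the zone's private key; here the right to publish is modelled by knowledge of a zone secret whose hash is the zone key, which is a stand-in, not a signature. The names, secrets and 192.0.2.x addresses are constructed. The demo also shows the problem raised above (anita repointing `barbara` in her own zone) and the obvious mitigation, pinning barbara's key in my own root once I have verified it.

```python
from __future__ import annotations

import hashlib
from typing import Dict, Optional, Tuple

# Constructed model (not GNS/Handshake code): a zone is named by a public zone
# key, and the record for <label> in that zone lives in a DHT at a location
# anyone can derive from (zone key, label). Publication rights are modelled by
# knowledge of a zone secret whose hash is the zone key; real systems use
# public-key signatures instead. Stand-in only.


def zone_key(secret: bytes) -> str:
    """Public identifier of a zone, derived from its secret (stand-in for a pubkey)."""
    return hashlib.sha256(b"zone-key:" + secret).hexdigest()


def dht_location(zone: str, label: str) -> str:
    """Where the DHT stores <label> of <zone>; needs only public information."""
    return hashlib.sha256(f"{zone}/{label}".encode()).hexdigest()


class DHT:
    def __init__(self) -> None:
        self.store: Dict[str, dict] = {}

    def put(self, secret: bytes, label: str, record: dict) -> None:
        # Only the holder of the zone secret may (re)write records of that zone.
        self.store[dht_location(zone_key(secret), label)] = record

    def get(self, zone: str, label: str) -> Optional[dict]:
        return self.store.get(dht_location(zone, label))


class Resolver:
    """Hyper-local root: the user decides which zone key each top label maps to."""

    def __init__(self, dht: DHT, local_root: Dict[str, str]) -> None:
        self.dht = dht
        self.root = local_root  # top label -> zone key the user chose to trust

    def resolve(self, name: str, max_hops: int = 8) -> str:
        labels = name.split(".")
        top = labels.pop()
        if top not in self.root:
            raise LookupError(f"{top!r} is not in the local root")
        zone = self.root[top]
        for _ in range(max_hops):
            # Walk right to left; "@" is the apex of the zone we ended up in.
            label = labels.pop() if labels else "@"
            rec = self.dht.get(zone, label)
            if rec is None:
                raise LookupError(f"no record {label!r} in zone {zone[:8]}")
            if rec["type"] == "PKEY":
                zone = rec["data"]  # delegation: continue in the other zone
                continue
            if labels:
                raise LookupError(f"{label!r} is not a delegation but labels remain")
            return rec["data"]
        raise LookupError("too many delegation hops")


def demo() -> Tuple[str, str, str]:
    dht = DHT()
    anita, barbara = b"anita-secret", b"barbara-secret"  # constructed secrets
    dht.put(anita, "blog", {"type": "A", "data": "192.0.2.10"})
    dht.put(anita, "barbara", {"type": "PKEY", "data": zone_key(barbara)})
    dht.put(barbara, "@", {"type": "A", "data": "192.0.2.20"})

    me = Resolver(dht, {"anita": zone_key(anita)})
    via_anita = me.resolve("barbara.anita")  # barbara's own record

    # anita controls the "barbara" label in *her* zone and can repoint it.
    dht.put(anita, "barbara", {"type": "A", "data": "192.0.2.10"})
    hijacked = me.resolve("barbara.anita")   # now anita's machine

    # Mitigation: pin barbara's zone key in my own root once I have verified it.
    me.root["barbara"] = zone_key(barbara)
    pinned = me.resolve("barbara")           # barbara's record regardless of anita
    return via_anita, hijacked, pinned
```

The point of the three results is that a delegation is only as trustworthy as the zone that publishes it: whoever holds the key for `anita` owns every name under `anita`, and the only way out is to hold the key for `barbara` yourself.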
Which leaves me the question of how blockchain DNS could ever come to pass. What's in it for the project that pulls it off? The answer to that question is likely the reason it won't come to pass.
The ideal system, IMO, would be one where anyone can get a name, no one can "hoard" names, and all names are of equal value. As such, the profit motive, and thereby the impetus for corruption, is removed. I have created such DNS at home, I run an "alternate root" on the loopback. It's ideal for me.
The "vanity names" are the primary value of DNS to the majority of its users, and the desirable ones will always inherently be scarce.
Obviously something similar to a .onion address would fit your criteria, but no one is ever going to seriously consider anything like that as a realistic alternative to ICANN DNS.
I’m immediately reminded of Tor .onion names, though those aren’t exactly user-friendly…
At some point, browsers will finally manage to get rid of the address bar and have everything working fully operated via suggestions/search. Then, DNS will become sort of irrelevant for the web.
What would something like AlterNIC have looked like if it was backed by a blockchain? Would it have had easier acceptance, or more reliability?
It's worth comparing 1997 to 2022 to see why attempts to seize the Internet roots are unlikely to go anywhere. It's similar in a bunch of ways to the WebPKI. For all its faults, AlterNIC had a better case against Network Solutions than anyone has against ICANN: Internet governance at the time prohibited new TLDs, and registrars were rapacious. But over the next 10 years, that mostly changed, just like the WebPKI has been drastically cleaned up after abuses in the 2000s.
People continually propose replacements for the WebPKI today that seem premised on a CA system that works like it did in 2005. But we don't have the 2005 WebPKI; we have 2022's.
(I was doing DNS security work at the time Kashpureff cache poisoned internic.net, and it was a pretty formative experience for me, if people wonder why I'm so shocked that anyone would take Handshake seriously).
What you're saying is like, "imagine if a security researcher decided he was tired of getting paid much less than he deserves and decides to hack a bank," and then using this imagined experience as a "logical" reason to hold disdain for something.
You're welcome to your opinion, but please stop trying to paint a false picture about Handshake specifically unless you're using actual facts that are real life and not imagined.
More's the pity! If the Handshake DNS root heist works, it'd open up new business models for all of us. I had been looking forward to minting ARPCoin and charging everyone to join their WiFi networks.
Handshake domains are only accessible by a tiny percent of people, make stuff like HTTPS very difficult, and no matter how devices eventually use Handshake, you'll always need to have a domain on a normal TLD because there will always be devices (like TVs and old phones) that will not support it.
And what benefit do you get anyways? A custom TLD? There's already so many new TLDs but most domains are on gTLDs or ccTLDs because that's what people recognize. Even Google and Apple barely use theirs. Ownership? Not really. Handshake only manages TLDs. Buying a subdomain (like you can on Namecheap) doesn't happen on the blockchain, the owner of the TLD can take it away anytime. Say what you want to say about ICANN, but they do have rules (such as contingency plans) that new TLD owners have to follow. In what world is buying a handshake subdomain from an unknown person beholden to nobody better in any way?
380m+ users seems significant to me.
> Handshake domains are only accessible by a tiny percent of people
Actually, NextDNS which is a Firefox resolver also supports Handshake, so I imagine it's not a tiny percent of people.
> make stuff like HTTPS very difficult
Additionally, HTTPS is completed by Handshake since it removes the need for a "trusted certificate authority" which, as many articles have mentioned as of late, is not so trusted.
> you'll always need to have a domain on a normal TLD because there will always be devices (like TVs and old phones) that will not support it.
TVs and old phones can support handshake since it's just regular DNS protocol.
> And what benefit do you get anyways?
You will cryptographically own your own name.
> A custom TLD?
A name all-inclusive. Hard stop.
> There's already so many new TLDs but most domains are on gTLDs or ccTLDs because thats what people recognize.
I've been around for a long time -- the internet has evolved and continues to evolve. People change quickly.
> Ownership? Not really. Handshake only manages TLDs.
Cryptographically owning things is likely a more constant ownership than a 'binding ownership' by a legal contract in some jurisdiction.
Some of the statements you made about subdomains may or may not be true, but it's not any worse than today and likely better since there will be more options of TLD owners to choose from should one choose to purchase a TLD.
Adoption by default is a huge deal and you can't ignore it by saying that something "can" use it if you configure your router properly or this and that. The vast majority of people will never change it. Re. Firefox, I just tried switching it to NextDNS, but it seems like the default NextDNS resolver does not resolve Handshake domains.
Putting aside all the issues with DANE as a replacement to HTTPS, no browser supports it. This is why I don't use my handshake TLD for my personal/internal sites either.
Look, actual Handshake adoption would benefit me quite a bit, since I own a great TLD. I will keep an eye on adoption, but it's very clearly a long road, and the project itself has a number of issues besides just adoption. It's cool, but you have to be realistic.
> Putting aside all the issues with DANE as a replacement to HTTPS
The issues with DANE no longer exist when the blockchain serves as the root of trust, thus completing a chain of trust in a way that a third party certificate authority is unneeded. It's DANE without the potential for backdoor.
> Look, actual Handshake adoption would benefit me quite a bit, since I own a great TLD. I will keep an eye on adoption, but it's very clearly a long road, and the project itself has a number of issues besides just adoption. It's cool, but you have to be realistic.
I agree there is a lot to do still, but the adoption Handshake has is more than significant in the context of alternate roots given it's adopted by so many DNS registrars and natively integrated into large userbase services and software. But no, it's not in Chrome... yet.
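Added example, not code from the thread or from Handshake: what the DANE check the two comments above argue about actually looks like on the client side. A TLSA record says which part of the certificate to look at (full cert or SubjectPublicKeyInfo) and how (exact bytes, SHA-256 or SHA-512), and for usage 3 (DANE-EE) a match is the whole trust decision, with no CA in the picture. The caveat a practitioner cares about is in `dane_ee_accept`: the TLSA RRset is only as good as the DNS answer that carried it, so an unvalidated answer is treated as no record at all. The "certificate" and SPKI bytes are constructed stand-ins, not real DER.

```python
import hashlib
import hmac
from typing import List, NamedTuple, Tuple


class TLSA(NamedTuple):
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the presentation format, e.g. '3 1 1 <hex>'. Hex may contain spaces."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching),
                bytes.fromhex(hexdata.replace(" ", "")))


def association_data(selector: int, matching: int,
                     cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute the bytes a TLSA record with this selector/matching would carry."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching}")


def dane_ee_accept(records: List[TLSA], cert_der: bytes, spki_der: bytes,
                   dnssec_validated: bool) -> bool:
    """Accept the presented end-entity cert if a DANE-EE (usage 3) record matches.

    Usage 0/1 additionally require a normal WebPKI chain and usage 2 needs the
    issuer certificate; neither is handled here, which keeps the example to the
    CA-free case the thread is about.
    """
    if not dnssec_validated:
        return False  # an unvalidated TLSA answer proves nothing
    for rec in records:
        if rec.usage != 3:
            continue
        try:
            expected = association_data(rec.selector, rec.matching, cert_der, spki_der)
        except (KeyError, ValueError):
            continue  # unusable record: skip it rather than fail open
        if hmac.compare_digest(expected, rec.data):
            return True
    return False


# Constructed stand-ins for DER-encoded certificate and SPKI bytes (not real X.509).
CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SPKI_DER = b"\x30\x59\x30\x13" + bytes(range(64))


def demo() -> Tuple[bool, bool, bool]:
    # The record an operator would publish for this key: "3 1 1 sha256(SPKI)".
    good = parse_tlsa("3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest())
    # A record for some other key, e.g. left over after an unpublished rotation.
    stale = parse_tlsa("3 1 1 " + hashlib.sha256(b"other-key").hexdigest())
    accepted = dane_ee_accept([stale, good], CERT_DER, SPKI_DER, dnssec_validated=True)
    mismatch = dane_ee_accept([stale], CERT_DER, SPKI_DER, dnssec_validated=True)
    unvalidated = dane_ee_accept([good], CERT_DER, SPKI_DER, dnssec_validated=False)
    return accepted, mismatch, unvalidated
```

Whatever serves as the root of trust for the TLSA lookup (DNSSEC from the ICANN root, or a blockchain root in the Handshake case), the client logic is the same, and `dnssec_validated=False` is exactly the case a browser without a validating resolver is in, which is one reason the "no browser supports it" comment above matters.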
How is radically improved transparency in the WebPKI --- what you linked to --- evidence that Handshake is more trustworthy than the WebPKI?
DNS at the moment over 53/UDP is manageable and malleable. DNS over http is not and is up to your browser and hence a vendor.
Life on the helpdesk will become rather more nasty and worse than it is now and we probably won't get tools to diagnose what is going on inside the browser, and so life for IT will be increasingly crap.
I suggest we don't let the FAANGS run the world or the browser.
curl --http2 -H 'accept: application/dns-json' "https://126.96.36.199/dns-query?name=cloudflare.com" --next --http2 -H 'accept: application/dns-json' "https://188.8.131.52/dns-query?name=example.com"
not to say it is bad to have secure alternatives, but I think the internet will lose a lot of resiliency and efficiency in the switch.
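Added example, not code from the thread: a parser for the `application/dns-json` responses the curl command above asks for, with the checks a stub resolver would do on a wire-format answer (the Question section matches what was asked, the RCODE is decoded, the AD bit is surfaced so the caller knows whether the resolver claims DNSSEC validation). The two response bodies are constructed samples in the shape that API returns, with documentation addresses, not captured output.

```python
import json
from typing import List, NamedTuple

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RRTYPES = {1: "A", 2: "NS", 5: "CNAME", 16: "TXT", 28: "AAAA", 52: "TLSA"}


class Answer(NamedTuple):
    name: str
    rtype: str
    ttl: int
    data: str


class DohResult(NamedTuple):
    rcode: str
    validated: bool       # AD bit: the resolver claims DNSSEC validation
    truncated: bool       # TC bit: should not happen over HTTPS, but check it
    answers: List[Answer]


def canon(name: str) -> str:
    """Lower-case, single trailing dot, so comparisons are not fooled by case or FQDN form."""
    return name.rstrip(".").lower() + "."


def parse_dns_json(body: str, qname: str, qtype: int) -> DohResult:
    doc = json.loads(body)
    questions = doc.get("Question", [])
    # Refuse an answer to a different question, as a stub resolver refuses a
    # mismatched ID/question in wire-format DNS.
    if not any(canon(q["name"]) == canon(qname) and q["type"] == qtype for q in questions):
        raise ValueError("response question does not match the query")
    answers = [
        Answer(canon(rr["name"]), RRTYPES.get(rr["type"], str(rr["type"])),
               int(rr["TTL"]), rr["data"])
        for rr in doc.get("Answer", [])
    ]
    status = doc["Status"]
    return DohResult(RCODES.get(status, str(status)),
                     bool(doc.get("AD", False)), bool(doc.get("TC", False)), answers)


# Constructed sample bodies (same field layout as the dns-json API, made-up values).
SAMPLE_OK = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": True, "CD": False,
    "Question": [{"name": "example.com.", "type": 1}],
    "Answer": [
        {"name": "example.com.", "type": 1, "TTL": 300, "data": "192.0.2.1"},
        {"name": "example.com.", "type": 1, "TTL": 300, "data": "192.0.2.2"},
    ],
})
SAMPLE_NX = json.dumps({
    "Status": 3, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "nope.example.", "type": 28}],
})


def demo() -> tuple:
    ok = parse_dns_json(SAMPLE_OK, "EXAMPLE.COM", 1)
    nx = parse_dns_json(SAMPLE_NX, "nope.example.", 28)
    return ok, nx
```

Usage: `ok, nx = demo()` gives two A records with `validated=True` for the first body and `rcode="NXDOMAIN"` with no answers for the second; passing the wrong name or type to `parse_dns_json` raises. The JSON form is easy to read with a browser or curl, which is the manageability point made above; what changes with DoH is not the data but that the transport is HTTPS to a resolver the browser picked, so the packet capture that used to show this on port 53 now shows nothing.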
As for that malleable part... You always trust the networks you're on? Because my ISP, in the US, will inject JS into an insecure page load when I'm at 80% of my monthly data cap - I can only assume they're sniffing anything and everything in the clear. It's 2022, we shouldn't consider insecure transports viable. Zero trust, cliche or otherwise.
I remember some years back at Chaos Congress in Hamburg, a friend of mine who was very enthusiastic about CAcert physically met with a few CAcert people to show them his passport and get his certificate signed.
You'd use a new class, like "RANDOM" or something, except that no deployed DNS software knows about that class.
CHAOS probably gets used most because that's what BIND happened to do.