Recent DNS Issues Freezing Two Fedimint Federations

6 replies 333 views
whale777Full Member
Posts: 125 · Reputation: 470
#1Oct 13, 2020, 04:19 AM
So, we've got two federations in fedimint, one being the Bitcoin principal federation, both dealing with this annoying DNS issue. Users in those federations can’t access their funds, even though we were told everything’s safe. Word is, a guardian with a .xyz domain had their site put on an automated hold because a blacklist flagged them. And it seems this happens a lot with .xyz domains. The devs have discussed ways to change the DNS setup, but it looks like that’s not gonna happen easily. They’d need a hotfix upgrade for transactions to keep going. So until that hotfix is in place, things are basically on pause until the guardian comes back online. With fedimint relying on DNS like this, it feels super risky since the community can’t control it. If you’ve got funds in those federations, you should probably move your money as soon as a quorum of guardians is back online. For context, fedimint guardians are those trusted tech members who manage the federation’s Chaumian eCash system. Check out the details on their site. What do you all think about Fedimint and its dependence on DNS? Is it really complicated to create a federation mint that can work without DNS to process payments quickly? Some developers are chatting about switching from DNS to IP, but there are objections to that too, saying it doesn't really solve the underlying DNS issue.
4 Reply Quote Share
colddiamondHero Member
Posts: 623 · Reputation: 2467
#2Oct 13, 2020, 09:52 AM
Unless you have your own AS number https://www.arin.net/resources/guide/asn/ and your own IP space relying on IPs instead of DNS just moves the problem. Your static IPs are only as static as your ISP is good. What they should be doing is having multiple domains all pointing back to the same place. davef.com davef.net davef.me davef.org davef.xyz davef.win davef.biz and so on. They should mandate that the names are at least at 3 separate accredited registrars AND the DNS are at at least 3 separate hosts. Done & solved. -Dave
0 Reply Quote Share
hash_bossLegendary
Posts: 1166 · Reputation: 5261
#3Oct 13, 2020, 11:20 AM
One weird thing is they can afford server to run the guardian, but they decide to save money by buying xyz domain. I don't see how the root of the problem can be solved without letting guardian have ability notify the network that their address (whether it's IP, domain or onion address) has been changed.
5 Reply Quote Share
colddiamondHero Member
Posts: 623 · Reputation: 2467
#4Oct 14, 2020, 09:34 AM
I can see why they would not want to do it that way. Same reason the seed nodes in core are hard coded. You need some trusted things. But, as I said they need more then a single point of failure. Having multiple TLDs all with the same name point to something allows for better control. Actually makes it more secure if they want. You must query all names, and x of y must match. This way if someone gets control of davef.com but all the others I listed are different then it really does not matter. If instead of being blocked imagine the extra chaos if someone got the domain and was hosting their own malicious guardian on the xyz domain that was blacklisted. -Dave
0 Reply Quote Share
whale777Full Member
Posts: 125 · Reputation: 470
#5Oct 14, 2020, 07:32 PM
Out of the multiple suggestion by developers, fedimint have decided to remove the DNS dependency and approve guardians to rotate their endpoints, as part of the version 0.4 about to be released, also, a means to the end of issues like having a single guardian requiring to change it's DNS endpoint. Other ways includes TOR and in subsequent versions DID may come in. Observing all methods, systems like PKARR (Public key addressable resource records) came very close to solving the centralized DNS issue. Shifting to a decentralized DNS where censorship resistant naming protocol can be used, will be very helpful against domain suspensions. The name can be a public key like this https://o4dksfbqk85ogzdb5osziw6befigbuxmuxkuxq8434q89uj56uyy (not accepted by browsers, yet) For the moment, guardians are also advised not to use xyz domain names.
5 Reply Quote Share
colddiamondHero Member
Posts: 623 · Reputation: 2467
#6Oct 14, 2020, 08:41 PM
Dave's view / opinion: I would stay away from any domain ltd that is run by a for profit company. They don't really care who registers what and what they do with it. And Team Internet (the company that controls the .xyz domain) https://en.wikipedia.org/wiki/Team_Internet seems to be at least to me not doing anything when their domain holders spam. Which leads to blocks. Just my view, from running some front end mail servers but I would say about 1/3 of the TLDs they have I block at the edge. And that it probably about 3/4 of my block list. With that being said I do personally have some domains with their TLDs but I am aware of the fact that with all my blocks I am still one of the smaller ones and some places lock them and a few other registrars out at the 90%+ level. -Dave
0 Reply Quote Share
paul.stakeHero Member
Posts: 651 · Reputation: 3798
#7Oct 14, 2020, 08:58 PM
This "Public-Key Addressable Resource Records" solution reminds me of Tor hidden service. You can already have censorship resistant naming protocol, if you don't have a problem with using public keys as domain names. The yet unsolved problem is to have decentralized naming protocol, but ICANN-like (human readable). Namecoin tried, but judging by the result, I can't say it succeeded.
3 Reply Quote Share

Related topics