akash-network / support

Akash Support and Issue Tracking
Apache License 2.0

Handshake Domains #56

Open dmikey opened 3 years ago

dmikey commented 3 years ago

Qualified handshake domains like gregosuri are valid, but do not appear to pass our hostname tests, and give an error of invalid hostname.

Why?

hydrogen18 commented 3 years ago

What is a 'handshake domain'?

dmikey commented 3 years ago

Decentralized DNS (https://handshake.org). http://gregosuri is an example.

hydrogen18 commented 3 years ago

ok, I think we do some validation assuming a TLD can't have a record associated with it. I'm assuming greg.osuri in your example would probably work.

We can relax this if we need to support handshake

dmikey commented 3 years ago

I think we should, Greg has one, so it appears we should support them.

hydrogen18 commented 3 years ago

@boz Does this make sense to you? For domain validation we'll basically just wind up doing `if len(hostname) != 0` I think

boz commented 3 years ago

hopefully k8s ingress will accept it (a TLD) as a hostname.

boz commented 3 years ago

> @boz Does this make sense to you? For domain validation we'll basically just wind up doing `if len(hostname) != 0` I think

Sure, although, I don't quite get it - shouldn't there be some kind of demarcation that it's a handshake domain?

```
$ dig gregosuri
; <<>> DiG 9.16.18 <<>> gregosuri
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: *SERVFAIL*, id: 5204
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;gregosuri.         IN  A

;; Query time: 3640 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Jul 02 13:25:52 PDT 2021
;; MSG SIZE  rcvd: 38
```

boz commented 3 years ago

> hopefully k8s ingress will accept it (a TLD) as a hostname.

Also, I think that there are more restrictions on a hostname - I don't want to allow emojis and newlines or whatever.

hydrogen18 commented 3 years ago

I think this is what you're referring to?

https://en.wikipedia.org/wiki/IDN_homograph_attack

We want to block this?

boz commented 3 years ago

> I think this is what you're referring to?
>
> https://en.wikipedia.org/wiki/IDN_homograph_attack
>
> We want to block this?

That variety of thing, yeah. I think that there's a validation function that k8s uses; if so, let's use that as we're kind of bound by it anyways. If not, let me think about it a bit.

dmikey commented 3 years ago

> > I think this is what you're referring to? https://en.wikipedia.org/wiki/IDN_homograph_attack We want to block this?
>
> That variety of thing, yeah. I think that there's a validation function that k8s uses; if so, let's use that as we're kind of bound by it anyways. If not, let me think about it a bit.

I think this is in use today, handshake does pass this, but this error still gets thrown.

https://github.com/ovrclk/akash/blob/master/validation/manifest.go#L146
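
The check discussed in this thread, as an added example that is not Akash's code and not part of any comment above: a strict hostname validator whose pattern follows the RFC 1123 subdomain rule used by Kubernetes' `IsDNS1123Subdomain` (k8s.io/apimachinery/pkg/util/validation). It accepts a single-label name such as `gregosuri` while rejecting newlines, emojis, uppercase and homograph look-alikes. The function name `ValidateHostname` is hypothetical and the sample hostnames are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern and length limit follow the RFC 1123 subdomain rule as applied by
// Kubernetes' IsDNS1123Subdomain: lowercase ASCII letters, digits and '-',
// labels separated by '.', each label starting and ending alphanumeric.
const (
	labelFmt     = "[a-z0-9]([-a-z0-9]*[a-z0-9])?"
	subdomainFmt = labelFmt + "(\\." + labelFmt + ")*"
	maxSubdomain = 253
)

// In Go (RE2) "$" without the m flag matches only at end of text, so a
// trailing newline cannot slip past the anchor.
var subdomainRe = regexp.MustCompile("^" + subdomainFmt + "$")

// ValidateHostname (hypothetical name) returns nil for a lowercase RFC 1123
// subdomain. No dot is required, so a bare TLD-style name is accepted.
func ValidateHostname(host string) error {
	if len(host) == 0 {
		return fmt.Errorf("hostname is empty")
	}
	if len(host) > maxSubdomain {
		return fmt.Errorf("hostname is longer than %d bytes", maxSubdomain)
	}
	if !subdomainRe.MatchString(host) {
		return fmt.Errorf("hostname %q is not a lowercase RFC 1123 subdomain", host)
	}
	return nil
}

func main() {
	// Constructed sample inputs: a single-label name, a dotted name, a
	// Cyrillic 'е' homograph, an embedded newline, an emoji, uppercase, empty.
	samples := []string{"gregosuri", "greg.osuri", "gr\u0435gosuri",
		"greg\nosuri", "greg😀", "Greg.Osuri", ""}
	for _, h := range samples {
		fmt.Printf("%q -> %v\n", h, ValidateHostname(h))
	}
}
```

Internationalized names would have to be submitted in their punycode (`xn--`) form to pass this check, which keeps raw Unicode look-alikes out of the hostname field.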