Open pinheadmz opened 3 years ago
Example:
com
but not amazon
--> dig com ns +short
i.gtld-servers.net.
c.gtld-servers.net.
e.gtld-servers.net.
d.gtld-servers.net.
h.gtld-servers.net.
b.gtld-servers.net.
k.gtld-servers.net.
j.gtld-servers.net.
f.gtld-servers.net.
a.gtld-servers.net.
m.gtld-servers.net.
g.gtld-servers.net.
l.gtld-servers.net.
--> dig amazon ns +short
(no answer)
amazon
--> dig @1.1.1.1 amazon ns +short
dns1.nic.amazon.
dns2.nic.amazon.
dns3.nic.amazon.
dns4.nic.amazon.
dnsa.nic.amazon.
dnsb.nic.amazon.
dnsc.nic.amazon.
dnsd.nic.amazon.
From the whitepaper:
Root Zone Fallback
Due to the fact that not all reserved root names will be claimed by nameholders immediately, we propose two solutions for eventual transparent rollover to the new system: Hardcoded Fallback, and Dynamic Fallback.
Hardcoded fallback involves hard-coding the existing ICANN zonefile into the SPV software. When an absence proof is received by the authoritative server for a pre-existing TLD, the hardcoded fallback is checked for records and returned as a DNS response.
Dynamic fallback is similar, but involves querying ICANN's root servers and validating the response against their trust anchors. This provides better liveness, but bestows more power upon a centralized authority.
In both constructions, once a pre-reserved name is claimed by the proper owner, the software will transparently begin to follow the blockchain instead of either hardcoded records or ICANN's records.
So I guess its a question of trusting the root anchors. Although hsd would still need to be updated if we wanted to resolve "new" ICANN TLDs.
Another perspective on this, after discussing with @buffrr is that the design might have intended to ignore all new ICANN domains after mainnet launched - simply because those strings would NOT be reserved on HNS and so a collision could be introduced after ICANN adds a new TLD. Imagine the .music
story but reverse order: ICANN adds a new TLD .exciting
and websites start popping up and getting user credentials etc. Then the TLD is acquired on HNS and assigned different NS records, and the HNS domain can phish user credentials. This order of events is a bit more troublesome than the .music
story, and it explains why we only check the ICANN root if a TLD is on the reserved name list.
I notice something today about the HNS "dynamic fallback". We don't lookup via ICANN just because a name isn't in the HNS root zone. We check our own reserved list (filtered by
root
- so TLDs only not Alexa names) and only check names via ICANN if they are on that internal list. This means that TLDs likeesurance.
which are NO LONGER in the ICANN root zone, and TLDs likeamazon.
which were ADDED to the ICANN root zone after HNS mainnet launch will be resolved incorrectly.I'm not sure the purpose of this, I'm sure the HNS designers were aware that ICANN could/would add more TLDs to its root zone over time.
Seems "obvious" (?) to remove this and fall back to ICANN how we've been thinking it works, but I'll try to see if theres a reason to use an (outdated) root zone for this instead...
https://github.com/handshake-org/hsd/blob/a94ce87a886e943a68d4a3e67068f6e473c21156/lib/dns/server.js#L328-L348