public inbox for bitcoindev@googlegroups.com
From: Matt Corallo <bitcoin-list@bluematt•me>
To: Rick Wesson <rick@support-intelligence•com>
Subject: Re: [Bitcoin-development] bitcoin DNS addresses
Date: Tue, 26 Jul 2011 19:18:27 +0200
Message-ID: <1311700678.23041.13.camel@Desktop666>
In-Reply-To: <CAJ1JLtskNnCB1cbUBht3oAVWuYPSF82GoNacMbqcN0YGd5Pvxw@mail.gmail.com>

On Tue, 2011-07-26 at 09:50 -0700, Rick Wesson wrote:
> [snip]
> 
> > I totally agree, however I don't think DNS-based resolving is a good
> > idea here.  HTTPS does have several advantages over a DNSSEC-based
> > solution without any significant drawbacks that I can see.
> 
> To restate your (con dnssec) points:
>    o DNS resolution of bitcoin addresses is bad because of potential
> MITM attacks
>    o DNSSEC is not a security measure for mitigating DNS resolution of
> bitcoin addresses
>       because the application would require its own dnssec enabled stub resolver
That is one point, but yes.
> 
> Please restate
>    o HTTPS is your preferred method for resolution because?
Because it allows for the giving of different addresses to each client
based on IP much easier.  It's possible with DNS by setting TTL to 0 and
hoping that Bitcoin clients will be using their own resolver, but that
is far from guaranteed.  Additionally, HTTPS stuff has already been
coded and implemented, so there's that...

Frankly, HTTPS' advantages are very small here, but since they exist,
and DNS has no advantages that I can see, I don't see any reason to go
with DNS here.  I much prefer using a HTTPS library (of which there are
many which have had much more thorough security audits) than a
DNSSEC-implementing DNS recursion library with the root trust anchors
and root servers built-in (are there any?).

Maybe I'm missing something here?

Matt
