Deprecation plan for DNS?

From @mcast on Fri Sep 09 2016 22:40:35 GMT+0000 (UTC)

In https://github.com/ipfs/faq/issues/16#issuecomment-232497229

> so as an alternate, IPNS can use the DNS system to create human readable names. Though this is a centralized system. So it sucks to rely on it to make human readable names, maybe one day IPNS will support something like https://namecoin.info/ ? or maybe another decentralized naming system.

From the point of view of a development engineer, this is

  1. get something working
  2. show people a working system
  3. acquire more developers
  4. fix the problems later

but from the point of view of a production engineer, the same events look like

  1. create a userbase on a legacy system (DNS)
  2. invent & refine something better
  3. encourage users to migrate off the old system
    • possibly having no way to search down old references to names, or audit ongoing use
  4. create a process for resolving conflicts of expected name resolution between old & new
    • presumably there will be name-grabbers on the new system, and expiry-squatters on the old
  5. carry on supporting the old system much longer than you wanted to

Is it worth designing in a fixed life or deliberately ugly contrivance?
Or are we all so used to linkrot that it’s not an issue?


Copied from original issue: https://github.com/ipfs/faq/issues/179

From @lgierth on Thu Sep 15 2016 23:13:05 GMT+0000 (UTC)

> Or are we all so used to linkrot that it’s not an issue?

Not at all! :slight_smile: Conserving links is a core goal of IPFS, it’s the “permanent” in “the permanent web”.

> create a userbase on a legacy system (DNS)

The role of DNS in IPFS is two-fold, on the one hand it’s just one of multiple pluggable naming systems, on the other hand it’s part of the upgrade path from the “old web” to the “interplanetary web”.

The userbase is already there (all of the existing web), and dnslink taps into that similar to the http-to-ipfs gateway. We don’t have a better human-readable naming system implemented in IPFS so far, but we most likely will in the future as there’s plenty of interesting stuff, e.g. blockstack, namecoin, and GNS from GNUnet.

> carry on supporting the old system much longer than you wanted to

The different stages of adoption will all run in parallel for a very very long time, think similar to the IPv6 adoption curve, ideally a bit steeper of course :slight_smile:


I’d have a few more things to say but I’m still not sure I got to the core of your question, so do please ask away!

From @ec1oud on Mon Nov 21 2016 15:43:53 GMT+0000 (UTC)

What is the obstacle to just choosing one of the alternatives (like namecoin or another one) and getting that working?

I keep waiting for the other shoe to drop. The plan is to use ipns to map a long-term hash to dynamic content, and then use DNS to store the long-term hash right? I read that it’s only a one-to-one mapping though. And how does the authentication work? How is collaboration possible?

If the author(s) instead uses a blockchain to publish the latest name-content mapping, that would make it hard to forge and yet mutable, but it would also be terribly slow and bloated, if we can use existing blockchains to guide expectations. So I suppose even if we use namecoin now, we could expect a further evolution later, when someone figures out how to make blockchains more efficient.

From @lgierth on Mon Nov 21 2016 22:27:48 GMT+0000 (UTC)

> The plan is to use ipns to map a long-term hash to dynamic content, and then use DNS to store the long-term hash right? I read that it’s only a one-to-one mapping though.

Yes that’s what IPNS and dnslink are capable of right now. We definitely wanna integrate other name systems, but other things have taken priority. We’re very happy about people contributing thoughts and ideas in ipfs/notes!

> And how does the authentication work?

Not sure which authentication you mean but I’m happy to elaborate.

> How is collaboration possible?

You can use ipfs-key and ipfs-key to publish IPNS records without a go-ipfs node.

> If the author(s) instead uses a blockchain to publish the latest name-content mapping, that would make it hard to forge and yet mutable, but it would also be terribly slow and bloated, if we can use existing blockchains to guide expectations. So I suppose even if we use namecoin now, we could expect a further evolution later, when someone figures out how to make blockchains more efficient.

There’s a few blockchain projects working on naming and integration with ipfs, check out https://blockstack.org especially <3

From @raptortech-js on Tue Dec 06 2016 22:27:17 GMT+0000 (UTC)

I think @lgierth might have meant https://github.com/whyrusleeping/ipns-pub instead of the second link to ipfs-key.

It’s not… it’s not a peer-to-peer system, but it’s not “centralized” the way a website is.

The biggest issue with DNS is lack of authentication – there’s no way to be sure that the records you get back for a given name are the ones the owner of that name intended. DNSSEC proposes to fix this, but in a somewhat dubious way. TLS is the way we “fix” it in HTTP-land, but there’s no good key distribution system in common use.

For IPFS/dnslink, maybe we could publish the TXT record signed by an IPNS key, and have it contain both the IPNS name and the domain name. That way there’s a clear intent from the IPNS key to be bound to that name.


@singpolyma would you mind creating a new issue at ipfs/notes named “DNSLINK Authentication” ?
Just copy&paste your idea there. I feel it is solid enough to have a separate discussion around it there :+1:

On more thought, my proposal is backwards and solves nothing :stuck_out_tongue: Any attacker could poison a properly-signed record pointing at the attacker’s IPNS name.

I’m not sure we can actually do any better than DNSSEC… might want to make sure that IPFS gateways properly verify DNSSEC when available.

Hm… I wonder if it is feasible to make DNSSEC mandatory for dnslink.

This would break some things, for example entire *.it (Italian tld) could not use dnslink due to the lack of DNSSEC support, but at the same time lack of authentication in dnslink makes me really uncomfortable.
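
The two policies floated at the end of the thread (verify DNSSEC when available versus making it mandatory for dnslink), sketched as an added example that is not code from go-ipfs or from any participant. It assumes the `dnslink=<path>` TXT format; the `Answer` type, `ResolveDNSLink` and the sample values are hypothetical, and the `Authenticated` field stands in for the AD bit reported by a validating resolver.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Answer is a constructed stand-in for a resolver's TXT response. Authenticated
// mirrors the AD bit; trust it only from a validating resolver on a trusted path.
type Answer struct {
	TXT           []string
	Authenticated bool
}

var (
	ErrUnauthenticated = errors.New("dnslink answer is not DNSSEC-validated")
	ErrAmbiguous       = errors.New("conflicting dnslink records")
	ErrNoLink          = errors.New("no usable dnslink record")
)

// ResolveDNSLink returns the /ipfs/ or /ipns/ path and whether it was
// authenticated. requireDNSSEC=true is the "mandatory" policy; false is
// "verify when available", leaving the caller to act on the flag.
func ResolveDNSLink(a Answer, requireDNSSEC bool) (string, bool, error) {
	if requireDNSSEC && !a.Authenticated {
		return "", false, ErrUnauthenticated
	}
	found := ""
	for _, txt := range a.TXT {
		path := strings.TrimPrefix(txt, "dnslink=")
		if path == txt || !(strings.HasPrefix(path, "/ipfs/") || strings.HasPrefix(path, "/ipns/")) {
			continue // unrelated TXT data (e.g. SPF) or not a content path
		}
		if found != "" && found != path {
			return "", false, ErrAmbiguous // this example's choice: fail closed
		}
		found = path
	}
	if found == "" {
		return "", false, ErrNoLink
	}
	return found, a.Authenticated, nil
}

func main() {
	a := Answer{TXT: []string{"dnslink=/ipns/constructed-key"}} // constructed sample, unsigned zone
	fmt.Println(ResolveDNSLink(a, true))
}
```

Under the mandatory policy a name in an unsigned zone fails closed, which is the breakage for TLDs without DNSSEC that the last post describes; under the lenient policy the same name resolves with the authenticated flag set to false.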