Author: Riccardo Spagni 2015-07-16 16:18:37
Published on: 2015-07-16T16:18:37+00:00
The discussion in this context revolves around the use of OpenAlias and DNSSEC for securing domain name aliases on Bitcoin. One argument made is that having a limited number of proxies could force users to trust a small number of actors, which goes against the goals of the Bitcoin ecosystem. However, aliasing provides convenience for non-technical users who need to be protected from nosy neighbors, workmates, or ISPs. The need to protect users from man-in-the-middle attacks is emphasized, particularly for financial transactions.There are concerns about the security of DNSSEC, especially since private KSK must be secured and not kept on servers. ENOM/Namecheap does not have DNSSEC support yet. It is suggested that ICANN has required registrars and registries support DNSSEC on the domains they register, but this is disputed. The relevance of using DNSSEC in OpenAlias is also debated, with some arguing that it is necessary while others disagree.The issue of amplification attacks is discussed, but it is pointed out that DNS-over-TCP uses TFO (TCP Fast Open) to mitigate such attacks. While some people might choose to do their DNS lookups over a non-logging VPN connection without forcing others through centralized servers, research by the IETF DNS working group seems to suggest otherwise, with only 14% of all DNS queries requesting DNSSEC validation. ICANN's page listing DNSSEC-capable registrars also lists only a handful.It is suggested that if a user is setting up DNS themselves, adding DNSSEC does not take a lot of additional time depending on the registrar. Finally, it is argued that although a soft fail doesn't magically let the money go, it warns users of the risk and asks them to verify the address by site. However, this could be built out so that higher value transactions hard fails in the absence of DNSSEC, and anything particularly high value refuses to use an alias altogether and requires an actual cryptocurrency address. It is worth the trade-off that some existing names won't work until their TLDs come into compliance with current Internet standards.
Updated on: 2023-06-10T02:36:47.800040+00:00