Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Gateway: DNS resolution export with DNSSEC records #8799

Closed
3 tasks done
thibmeu opened this issue Mar 17, 2022 · 5 comments
Closed
3 tasks done

Gateway: DNS resolution export with DNSSEC records #8799

thibmeu opened this issue Mar 17, 2022 · 5 comments
Labels
kind/feature A new feature P3 Low: Not priority right now topic/gateway Topic gateway

Comments

@thibmeu
Copy link
Contributor

thibmeu commented Mar 17, 2022

Checklist

  • My issue is specific & actionable.
  • I am not suggesting a protocol enhancement.
  • I have searched on the issue tracker for my issue.

Description

#128 focuses on serving verifiable IPFS content. However, an important part of this content is requested via a naming system, such as DNS with DNSLink.
Ideally, users should be able to verify the way a gateway maps example.com to dnslink=/ipfs/bafy.... Honest gateway operators would also benefit from this work, as they can provably tell they are honest.

In #6129, @Bren2010 proposed a way to serialise DNS resolution along with its DNSSEC proof, in addition to DAG content. DAG is now taken care of by CAR (#8769), so the focus should be on the serving the serialised resolution and its proof. The proof should at least be served along with CAR response.

The only requirement on the user side is to trust DNSSEC Root keys.

Proposed design

DNS and DNSSEC records should be serialised, and passed along with the answer.

Serialisation

The serialisation could be done as follow

  1. Cloudlare verifiable gateway implementation, an ad-hoc serialisation model - GitHub
  2. IETF defunct serialisation standard, not updated for the last 11 years - IETF archive
  3. Leveraging an IPLD format to map DNS information, I don't know enough about IPLD to architecture this proposition with it - IPLD docs

Response

Passing the serialised DNS resolution to the answer could be done via

  1. an HTTP Response header, but that might be too small for certain DNS setup
  2. a header to the returned binary file. This is the approach Cloudflare took. This could work well along with CAR, as an extension, providing Named Resolution aRchive
  3. A follow up call, but this would require state to be maintained on the gateway side

Retrieval of DNSSEC root Key-Signing Key

DNSSEC root keys could be included along with the IPFS node, or fetched at start. I would rather use the first option, as this would avoid issues with root resolution.
At the time of writing, this is the root I can resolve.

dig @1.1.1.1 . dnskey +nosplit | grep  -e '^\.' | grep 257
.			171885	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=

Non-goals

DNS is not the only name root used by IPFS nodes. Users can also leverage ENS or unstoppable for instance. These proofs cannot be serialised in such a way a user without an Ethereum nodes can validate them. Serving their proofs is not a goal of this issue.

@thibmeu thibmeu added the kind/feature A new feature label Mar 17, 2022
@lidel
Copy link
Member

lidel commented Mar 17, 2022

Thank you for filling this @thibmeu. I'm happy to discuss design, and if you have bandwidth to implement it, also review PR.

My initial thoughts / questions:

  • If we add support for returning DNSLink resolution along with its DNSSEC proof, then it should not be limited to CARs, we would return this for every /ipns/{example.com} response.
    • Bit skeptical how useful this is for clients who fetch CAR. In my mind, those clients will most likely don't trust gateway anyway, and do all resolution and validation on their own.
    • However, there is a huge value for mobile clients etc. If we provide DNSSEC proofs for regular responses, HTML websites like https://cf-ipfs.com/ipns/en.wikipedia-on-ipfs.org/wiki/ then these hints will enable vendors like Brave to display some integrity indicator in the user interface (instead of green padlock), which is a big deal.
  • DNSSEC roots
    • we would ship implicit ICANN defaults with go-ipfs + allow users to override them via config, per tld or globally, just like we do already with DoH resolvers
      • this should allow people to experiment with non-ICANN roots without the need to fork go-ipfs
  • Do we know the average size of serialized resolution?
    • Websites have many subresources, and we don't want to return the same serialized DNS resolution with every response over and over again.
    • I'm thinking Gateway will cache this DNSSEC proof/resolution for some time, just like it caches IPNS record and DNSLink record resolutions, so we could add it as a binary blob to IPFS (format tbd) and return a CID in the header. This way, clients who care will be able to fetch it on-demand.
      Dnslink-Dnssec-Proof: {CID}
      
    • In regard to serialization format: I did not dig too deep into the prior art in https://github.com/cloudflare/go-ipfs/tree/master/namesys/dnssec yet, but it sounds like original DNS records are serialized as protobuf. I think we would change that and use IPLD Data Model using dag-cbor. It will enable use to link to reusable DNSKEY/RR/RRSIGs minimizing the amount of data that needs to be fetched each time clients wants to calculate the DNSSEC proof.

@lidel lidel moved this to Todo in @lidel's IPFS wishlist Mar 17, 2022
@BigLep BigLep added the need/author-input Needs input from the original author label Mar 18, 2022
@BigLep
Copy link
Contributor

BigLep commented Apr 22, 2022

@thibmeu : is this something you have bandwidth to drive forward?

@thibmeu
Copy link
Contributor Author

thibmeu commented May 18, 2022

I am still considering to drive it forward. Has this been made part of a roadmap or does it have strong dependencies @BigLep ?

I like the proposition to implement an IPLD based DNS schema. I don't think only returning the CID would suffice, because there would be an expectation for gateways to store the content, which I don't think is a good approach. Gateway should be stateless as much as possible. This was the reasoning behind Cloudflare using a request header to understand if the client is willing to consume the DNS proof, and return it along with the content.

I agree with the mobile client verification, this would be a great improvement. It's light, and makes implementation faster and easier on the browser side.

The size of the resolution varies, especially in the case of a complex DNS setup. For our current implementation, we limit the number of links to 30, which can lead to an overhead in the order of 10kB maximum. This is still reasonable, especially considering this could be cached. Using dag-cbor would help indeed.

@lidel lidel removed the need/author-input Needs input from the original author label May 27, 2022
@lidel
Copy link
Member

lidel commented May 27, 2022

@thibmeu this is not on our immediate roadmap, but would accept it as a contribution.
I am available for reviewing things if you are willing to drive it and spec out details around this new header.

@lidel
Copy link
Member

lidel commented Jun 13, 2023

ipfs/specs#296 (review)

@lidel lidel closed this as not planned Won't fix, can't repro, duplicate, stale Jun 13, 2023
@github-project-automation github-project-automation bot moved this from Todo to Done in @lidel's IPFS wishlist Jun 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature A new feature P3 Low: Not priority right now topic/gateway Topic gateway
Projects
None yet
Development

No branches or pull requests

3 participants