This sounds to me like everybody has to use the same DNS resolver or plug into the same DNS resolution services somehow. And those have to plug into blockchain. And then you've got DANE and TLS fingerprinting, and how much other stuff? I find it far simpler to just use self-signed certificates, set the certificate verifier to ignore the issuer-trust relationship and just verify the self-signature matches the pubkey, and then check if the key in the certificate is the nostr key of the relay you were trying to connect to. Zero external services, no DNS, no blockchain, nada. Just client-server. Of course, where my idea falls down (which I think I already explained) is that in nostr, relays don't have keys, they have URLs. But other than that, far simpler.
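The client-side check described in the note above, as an added example that is not code from the thread or from any nostr project: ignore issuer trust, confirm the certificate is validly self-signed, then pin the public key. It assumes the relay's expected key is distributed as the hex SubjectPublicKeyInfo of an ordinary P-256 TLS key (Go's TLS stack does not support secp256k1, so a nostr key itself is not pinned here); the self-signed certificate is constructed in the block for demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// verifyPinnedSelfSigned: ignore issuer trust, check the leaf is validly self-signed, then require
// its public key (hex SubjectPublicKeyInfo, an assumed pin format) to match the relay's expected key.
// It has the shape of tls.Config.VerifyPeerCertificate; pair it with InsecureSkipVerify: true, which
// only drops the CA and hostname checks that this callback replaces.
func verifyPinnedSelfSigned(pinHex string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("relay presented no certificate")
		}
		cert, err := x509.ParseCertificate(rawCerts[0]) // only the leaf; no chain is expected
		if err != nil {
			return err
		}
		// Self-signature: the to-be-signed bytes must verify under the cert's own key.
		if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
			return errors.New("self-signature invalid: " + err.Error())
		}
		if hex.EncodeToString(cert.RawSubjectPublicKeyInfo) != pinHex {
			return errors.New("certificate key does not match the relay's pinned key")
		}
		return nil
	}
}

// newSelfSignedRelayCert constructs a throwaway P-256 self-signed leaf (demo only, not a real relay's) and returns its DER and pin.
func newSelfSignedRelayCert() ([]byte, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for a valid P-256 key
	return der, hex.EncodeToString(spki), err
}
```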

Replies (4)

DNS resolvers would be like relays: the user chooses which to add (1 or more). Some resolvers might be free, some might be paid, some might handle different chains, etc. DVMs, essentially. For DANE and TLS fingerprinting, it's one or the other. If you're doing TLS fingerprinting then there's no need for DANE. In both cases they are self-signed certificates (DANE-EE if DANE). Also, it's the TLS pub key that gets fingerprinted, not the whole cert, to allow for updates. The key (I think, anyway) is that, ICANN or not, you will always need a source of uniqueness for human-readable labels that can link to records, and there are only two ways to get that in a decentralised way: blockchain or some DHT-based Frankenstein. So blockchain it is. But yeah, it adds another layer and I don't know if it's worth it; I think perhaps not. I actually think ICANN is pretty okay as far as systems go; they get an unfairly bad rap here sometimes.
Mike is one of the few who understand the issues of building a network for humans in depth.
So to solve the centralization of DNS we add another layer of complicated infrastructure that people need to run besides already unprofitable relays? I don't think that solves anything besides another year or two of development efforts wasted on making using nostr even more complicated for people.
Move beyond DNS, please.