i9nvrppj@tutanota.com:
Hi,
Why run a separate process instead of using unix socket or TCP socket?
Since a Namecoin domain can point to IP addresses and ICANN-based DNS names in addition to onion service names, and a Namecoin domain owner might wish to switch between these configurations without causing downtime or forcing their users to change behavior, I recommend against this. However, see the open question below:
Open question: If a Namecoin domain points to an onion service, end users might expect encryption to be built in, and this assumption will be violated if the Namecoin domain switches to using an IP address. However, Namecoin domains can include TLS fingerprints, which would be enforced for both the IP address and the onion service address. Is it sufficient to tell users that TLS is required if they want encryption for Namecoin-addressed services, or is some additional mechanism needed here to avoid bad things?
How about specifying whether the Namecoin domain should point to .onion or clearnet in the domain itself? We can require that the TLD for such services ends in one of:
- o: The name points to a .onion name.
- i: The name points to an IP address.
- a: The name points to a clearnet domain name.
So example.zkeyo points to 66tluooeeyni5x6y.onion. example.zkeyi points to 192.0.2.1 or (and?) 2001:db8::1. example.zkeya points to example.com.
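As an added illustration of the suffix scheme proposed above (this is not code from the post or from Namecoin; the function names and the rule that a .onion target must be 16 or 56 base32 characters are my assumptions about how a client would enforce the proposal), a Python checker that refuses a resolution whose targets do not match the kind the TLD promises. It treats a zkeyi name as allowed to carry IPv4 and IPv6 targets together, one reading of the "or (and?)" question.

```python
import ipaddress
import re

# Hypothetical suffix scheme from the post: the last letter of the TLD
# selects which kind of target the name is permitted to resolve to.
SUFFIX_KINDS = {"o": "onion", "i": "ip", "a": "dns"}

# Assumed onion-address shape: 16 (v2) or 56 (v3) base32 characters plus ".onion".
_ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")
# A conservative DNS hostname label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def expected_kind(name):
    """Return 'onion', 'ip' or 'dns' from the final letter of the name's TLD."""
    labels = name.lower().rstrip(".").split(".")
    tld = labels[-1]
    kind = SUFFIX_KINDS.get(tld[-1:])
    if kind is None:
        raise ValueError("TLD %r does not end in o/i/a" % tld)
    return kind


def classify_target(target):
    """Classify one resolution target as 'onion', 'ip' or 'dns'."""
    t = target.lower().rstrip(".")
    if _ONION_RE.match(t):          # checked first: an onion name is also a valid hostname
        return "onion"
    try:
        ipaddress.ip_address(t)     # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if t and all(_LABEL_RE.match(label) for label in t.split(".")):
        return "dns"
    raise ValueError("unrecognised target %r" % target)


def check_resolution(name, targets):
    """Accept the targets only if every one matches the kind the TLD promises.

    Returns (ok, expected_kind, mismatching_targets). A client following the
    proposal would refuse to connect when ok is False, so an operator who
    re-points example.zkeyo at an IP address causes a hard failure rather
    than a silent loss of the onion-service guarantees.
    """
    kind = expected_kind(name)
    mismatches = [t for t in targets if classify_target(t) != kind]
    return (not mismatches, kind, mismatches)


if __name__ == "__main__":
    # Constructed sample resolutions mirroring the examples in the post.
    samples = [
        ("example.zkeyo", ["66tluooeeyni5x6y.onion"]),
        ("example.zkeyi", ["192.0.2.1", "2001:db8::1"]),
        ("example.zkeya", ["example.com"]),
        ("example.zkeyo", ["192.0.2.1"]),   # operator switched to an IP: must be refused
    ]
    for name, targets in samples:
        print(name, targets, "->", check_resolution(name, targets))
```

Note what the check cannot see: a zkeya name whose clearnet target itself resolves to an IP address, which is exactly the A/AAAA versus CNAME distinction raised in the reply below.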
Vina Gaff:
Well, first off, using a different TLD to access A/AAAA records versus CNAME records would violate the various DNS specs that say how CNAME works. Relatedly, by your logic, why not require a different TLD for A versus AAAA records?
DNS, by design, allows more than one record type to exist for a given domain name. There needs to be a really good reason if we want to change that.
A concern over whether end-to-end encryption/authentication is in use would possibly be a really good reason. But that definitely doesn't have anything to do with whether an A/AAAA record or a CNAME record was used to find the IP address, so it's not a reason to treat A/AAAA records and CNAME records differently.
It's also unclear to me that changing the TLD is the right way to specify what record types are being looked up. That's not the way DNS works anywhere else.
It's also worth noting that it's been hard enough to get IETF to accept .bit (that effort stalled) -- adding a bunch of other TLDs would probably annoy IETF significantly (and destroy whatever goodwill exists at IETF right now), and I fully understand why this would annoy them.
I'm not really sure what the right mechanism is for a user to specify "I want this request to either use TLS or be resolved to a .onion record" (which seems to be the primary use case here). Does anyone have suggestions?
Cheers, -Jeremy