
Handshake Domains

Open dmikey opened this issue 4 years ago • 11 comments

Qualified handshake domains like gregosuri are valid, but do not appear to pass our hostname tests, and give an error of invalid hostname.

Why?

dmikey avatar Jun 27 '21 14:06 dmikey

What is a 'handshake domain'?

hydrogen18 avatar Jul 02 '21 19:07 hydrogen18

Decentralized DNS. https://handshake.org http://gregosuri is an example

dmikey avatar Jul 02 '21 19:07 dmikey

ok, I think we do some validation assuming a TLD can't have a record associated with it. I'm assuming greg.osuri in your example would probably work.

We can relax this if we need to support handshake

hydrogen18 avatar Jul 02 '21 20:07 hydrogen18

I think we should, Greg has one, so it appears we should support them.

dmikey avatar Jul 02 '21 20:07 dmikey

@boz Does this make sense to you? For domain validation we'll basically just wind up doing if len(hostname) != 0 I think

hydrogen18 avatar Jul 02 '21 20:07 hydrogen18

hopefully k8s ingress will accept it (a TLD) as a hostname.

boz avatar Jul 02 '21 20:07 boz

> @boz Does this make sense to you? For domain validation we'll basically just wind up doing if len(hostname) != 0 I think

Sure, although, I don't quite get it - shouldn't there be some kind of demarcation that it's a handshake domain?

$ dig gregosuri
; <<>> DiG 9.16.18 <<>> gregosuri
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: *SERVFAIL*, id: 5204
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;gregosuri.			IN	A

;; Query time: 3640 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Jul 02 13:25:52 PDT 2021
;; MSG SIZE  rcvd: 38

boz avatar Jul 02 '21 20:07 boz

> hopefully k8s ingress will accept it (a TLD) as a hostname.

Also, I think that there are more restrictions on a hostname - I don't want to allow emojis and newlines or whatever.

boz avatar Jul 02 '21 20:07 boz

I think this is what you're referring to?

https://en.wikipedia.org/wiki/IDN_homograph_attack

We want to block this?

hydrogen18 avatar Jul 02 '21 20:07 hydrogen18

> I think this is what you're referring to?
>
> https://en.wikipedia.org/wiki/IDN_homograph_attack
>
> We want to block this?

That variety of thing, yeah. I think that there's a validation function that k8s uses; if so, let's use that as we're kind of bound by it anyways. If not, let me think about it a bit.

boz avatar Jul 02 '21 20:07 boz

> > I think this is what you're referring to? https://en.wikipedia.org/wiki/IDN_homograph_attack We want to block this?
>
> That variety of thing, yeah. I think that there's a validation function that k8s uses; if so, let's use that as we're kind of bound by it anyways. If not, let me think about it a bit.

I think this is in use today, handshake does pass this, but this error still gets thrown.

https://github.com/ovrclk/akash/blob/master/validation/manifest.go#L146

dmikey avatar Jul 02 '21 20:07 dmikey
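
The hostname rules discussed in this thread, as an added example in Go (not the Akash project's code and not the Kubernetes validation function): it accepts single-label names such as `gregosuri` while still rejecting newlines, emojis and non-ASCII look-alike characters. `ValidateHostname` and `errInvalidHostname` are hypothetical names, and the length limits are the RFC 1035 ones.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Limits from RFC 1035: 253 bytes per name, 63 bytes per label.
const (
	maxHostnameLen = 253
	maxLabelLen    = 63
)

var errInvalidHostname = errors.New("invalid hostname")

func isAlnum(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
}

// ValidateHostname (hypothetical helper) accepts one or more dot-separated
// labels, so a bare Handshake name such as "gregosuri" passes, while anything
// outside lowercase ASCII letters, digits and '-' is rejected.
func ValidateHostname(h string) error {
	if len(h) == 0 || len(h) > maxHostnameLen {
		return fmt.Errorf("%w: length %d", errInvalidHostname, len(h))
	}
	for _, label := range strings.Split(h, ".") {
		if len(label) == 0 || len(label) > maxLabelLen {
			return fmt.Errorf("%w: bad label length in %q", errInvalidHostname, h)
		}
		if !isAlnum(label[0]) || !isAlnum(label[len(label)-1]) {
			return fmt.Errorf("%w: label %q must start and end alphanumeric", errInvalidHostname, label)
		}
		for i := 0; i < len(label); i++ {
			if c := label[i]; !isAlnum(c) && c != '-' {
				return fmt.Errorf("%w: byte 0x%02x in label %q", errInvalidHostname, c, label)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs: two valid names, then inputs that must fail.
	for _, h := range []string{"gregosuri", "greg.osuri", "", "a..b", "-bad", "host\nname", "gr\u0435gosuri", "\U0001F600.example"} {
		fmt.Printf("%q -> %v\n", h, ValidateHostname(h))
	}
}
```

Internationalized names still pass in their ASCII (punycode, `xn--`) form, so this check limits the character set but does not by itself detect homographs encoded that way.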