00:22:59 8 reorg
11:52:40 @ofrnxmr:xmr.mx: Is that you that caused re-orgs on testnet? Checkpointing node got stuck because no hashpower was pointed at it https://testnetnode4.moneroconsensus.info/
11:55:20 I was slow spamming testnet and some of my txs were invalidated by the 10+ re-org: https://testnet.xmrchain.net/txpool
11:55:51 tested the dns-checkpoints server and added NOTIFY, now secondary public DNS servers get new records within 5s or so https://git.gammaspectra.live/P2Pool/monero-highway
11:57:20 DataHoarder: Thanks! How can this be deployed on testnet?
11:57:38 The usage guidelines should allow you to deploy one
11:57:48 though you can forgo the external DNS secondaries
11:58:11 you need a VPS or some server with an external IP that can bind port 53 for dns
11:58:22 (or port forward to port dns)
11:59:34 replace checkpoints.example.com with for example testpoints-highway.moneroconsensus.info and that should be good to go
12:00:01 I run a test instance of this on checkpoints.gammaspectra.live (which should have the current mainnet checkpoints)
12:00:24 $ dig +dnssec +multi checkpoints.gammaspectra.live TXT @ns1.he.net
12:00:28 $ dig +dnssec +multi checkpoints.gammaspectra.live TXT @1.1.1.1
12:00:29 etc.
12:01:53 I can make a specific guide to get something running on DigitalOcean (Ubuntu 24.04) as it's, let's say, "fun" when you need to run things on port 53 :)
12:02:41 Is it: 1) Point monero-highway to the authoritative name server (e.g. njalla), 2) Point checkpointed nodes to monero-highway?
12:03:27 1) set up delegation of testpoints-highway.example.com on your DNS provider (this lets it be authoritative for that subdomain only)
12:03:32 2) yes
12:04:21 Thanks. I will test it.
12:04:45 just setting up another one to test with the commands I used, I think you can bind to the external IP to have port 53 work well :)
12:11:00 @rucknium:monero.social: here's a quick guide https://paste.debian.net/hidden/8bca7c39/
12:11:13 took me from the time I said to make the guide to now to have it live
12:11:17 10m job :)
12:11:35 ofc, you want to run the dns-checkpoints.bin on a service or something that restarts it
12:12:23 but it's ready now to take new checkpoints via port 19080 on localhost
12:12:36 and serve these on testpoints.gammaspectra.live directly
12:15:41 so yeah, all you need to add in your DNS provider is an A record for the nameserver, the NS nameserver record, the DS signer delegation record for DNSSEC
12:18:52 you can check if all is ok via for example https://dnsviz.net/d/testpoints.gammaspectra.live/dnssec/
12:19:04 or https://dnssec-analyzer.verisignlabs.com/testpoints.gammaspectra.live
12:20:00 the graph will look something like this with no error/warnings markers https://irc.gammaspectra.live/e170cb043667802c/testpoints.gammaspectra.live-2025-09-05-12_18_22-UTC.png
12:21:32 read DNSSEC Notes on https://git.gammaspectra.live/P2Pool/monero-highway#dnssec-notes to see if selecting ed25519 vs secp256r1 is worth it for you
12:22:47 secp256r1 is the highest deployment % at 69.8%, but ed25519 has improved massively at 63%
12:23:30 69% is max you can get effectively
12:25:02 I have a secp256r1 key on checkpoints.gammaspectra.live, ed25519 on testpoints :)
12:40:18 No
> <@rucknium> @ofrnxmr:xmr.mx: Is that you that caused re-orgs on testnet?
> Checkpointing node got stuck because no hashpower was pointed at it https://testnetnode4.moneroconsensus.info/
13:07:57 if you want to test if your local setup DNS resolver supports DNSSEC + Ed25519, you can use $ dig +dnssec +multi testpoints.gammaspectra.live TXT
13:08:21 or use https://rootcanary.org/test.html on a browser that fetches system DNS server directly (instead of DNS over TLS/HTTPS)
13:25:24 When do I add this, on what, pointing to where?
> so yeah, all you need to add in your DNS provider is an A record for the nameserver, the NS nameserver record, the DS signer delegation record for DNSSEC
13:25:41 on your DNS provider, say njalla or cloudflare
13:25:57 on here https://paste.debian.net/hidden/8bca7c39/ it'd be the entries on lines 29, 30, 32
13:26:02 for my specific example
13:26:13 Do I add A, NS, and DS records to the domain that is supposed to be the checkpointing domain, or to a domain that points to my "new" DNS server?
13:26:38 https://irc.gammaspectra.live/84fda98dde73cc8f/image.png
13:27:01 we are talking subdomains here, say, you want testpoints.gammaspectra.live to be the "checkpointing" subdomain
13:27:16 you go to where you manage records for gammaspectra.live itself
13:27:34 then add DS/NS records on testpoints.gammaspectra.live (this causes the delegation)
13:27:57 the A record is so it can be found by name to IP, but if you have one already you can reuse
13:29:28 ^ does that make more sense?
13:33:02 I am trying. Getting "You can not mix NS with other records."
13:33:31 when I try to add a NS
13:33:44 record to townforger.net
13:34:03 you want to setup a subdomain, not change the whole domain, as you are delegating
13:34:20 say, testpoints2.townforger.net
13:34:35 so set a NS record on testpoints2.townforger.net (in the interface)
13:34:58 use a subdomain that's not in use by anything else, ofc
13:35:03 a different subdomain than the one that the nodes are querying for the checkpoint TXT records...?
13:35:08 ok
13:35:18 if you want to replace the current setup you can use the same
13:35:30 but then you need to remove all other records on that subdomain :)
13:35:38 TXT for example
13:36:06 so checkpoints.townforger.net right?
13:36:25 that still has a TXT entry, which needs to be removed if you want to delegate
13:36:51 delegate = you are telling the world that "records on checkpoints.townforger.net are handled by , here's some records that prove that, find the rest there"
13:37:21 for that you need NS records, and for adding dnssec, the DS one as well
13:39:08 For your setup something like this I guess?
13:39:08 https://mrelay.p2pool.observer/p/wP_lnLIKbmIwUnhZ/1.txt (code snippet, 18 lines)
13:39:34 If you are replacing the setup, of course
13:45:04 I think I have the records added. On my VPS, the running go process says
13:45:04 time=2025-09-05T13:35:58.273Z level=ERROR msg="Failed to start DNS server on UDP" bind=185.193.127.188:53 error="listen udp 185.193.127.188:53: bind: permission denied"
13:45:04 time=2025-09-05T13:35:58.275Z level=ERROR msg="Failed to start DNS server on TCP" bind=185.193.127.188:53 error="listen tcp 185.193.127.188:53: bind: permission denied"
13:45:20 I guess I need to allow permission to bind on port 53
13:45:24 correct
13:45:37 or bind to a different port and set firewall rules to bring TCP/UDP to that port
13:55:20 I think I just needed to use sudo dns-checkpoints.bin, which may have security implications, but we'll ignore that now.
13:55:43 DataHoarder: I input dig +tcp +dnssec +multi checkpoints.townforger.net SOA @1.1.1.1 and get some info. Is it working?
13:55:45 I think you can set bind permissions to the binary.
I have a TODO to drop permissions if it's given more after binding
13:55:49 lemme try
13:56:16 that's still using njalla
13:56:45 $ dig +dnssec +multi checkpoints.townforger.net NS @1-you.njalla.no
13:56:55 that still shows it's using njalla and there is no delegation
13:57:24 Njalla gives me an option to "use custom domain servers" in its GUI. Should I do something there?
13:57:33 no, that overwrites the entire domain
13:57:47 you only want to delegate a single subdomain (so the rest is unaffected)
13:58:45 you should get under SOA your new NS details if that works
13:58:57 or at least under the NS command, you should see the new nameserver
13:59:35 so, what records did you set on njalla?
13:59:58 I'm starting to doubt the value of me testing this and understanding how it works. Or, at least, whether the value exceeds the cost
14:00:48 I think it's the DNS part we are failing at, the value for having a quick DNS server (for low TTL records) and not exposing main API keys is good, maybe not for this testing stage
14:00:49 DS checkpoints2.townforger.net 36693 15 2 B1218AB95D21849AA2FDBC89FE74708F326149FFCB45724D92F60C8772887BAB
14:00:49 NS checkpoints2.townforger.net ns1-checkpoints2.townforger.net
14:00:49 A ns1-checkpoints2.townforger.net 185.193.127.188
14:00:52 aha
14:00:54 lemme see on that
14:01:21 looks good on checkpoints2, lemme see if server replies
14:01:59 185.193.127.188 is not replying to DNS queries on port 53 TCP/UDP
14:02:08 records otherwise look ok!
14:02:28 Need to open port maybe on the VPS?
14:02:51 this should be able to verify it directly $ dig +dnssec +multi checkpoints2.townforger.net SOA @ns1-checkpoints2.townforger.net
14:03:04 yeah, port 53 TCP/UDP or on firewall
14:03:22 I'll look into the specific bind permissions so no root is desired :)
14:05:04 DataHoarder: Try checking again
14:05:12 works!
14:05:20 🎉
14:05:29 yep and all valid
14:06:09 sudo ufw allow out 53
14:06:09 sudo ufw allow in 53
14:06:21 https://dnsviz.net/d/checkpoints2.townforger.net/dnssec/
14:06:23 looks ok!
14:06:27 did it. Not sure I need out
14:06:38 you need out due to UDP
14:06:51 looks ok on https://dnssec-analyzer.verisignlabs.com/checkpoints2.townforger.net as well
14:07:09 Thanks for all the hand-holding.
14:07:13 no TXT records yet, you can feed those via the HTTP API
14:07:44 DataHoarder: How do I do that and what do you mean?
14:07:46 effectively POST to the http port you set, with &txt arguments for each txt entry
14:07:51 I mean to publish checkpoints
14:08:05 https://git.gammaspectra.live/P2Pool/monero-highway#http-api
14:08:08 By the way, the TXT record is frozen because the checkpointing node is stuck. I will un-stick it
14:08:29 I have another script pushing the TXT records. I should use something else?
14:08:41 you can probably modify it slightly to also push them here
14:09:09 this does it but any other library you have would work as well $ curl -XPOST "http://127.0.0.1:19080/?txt=abc123&txt=def567&txt=ghi890"
14:10:19 I checked server again, and it's publishing updated signed records fine btw :)
14:10:23 So, I can push TXT records directly to my VPS instead of using the Njalla API. That's what you're saying?
14:10:28 yep
14:11:02 (and that's the point, it stays local/owned by the checkpointer owner, and limited on impact)
14:11:12 no need to have full njalla API keys on server
14:11:24 or cloudflare or whatever is in use
14:12:39 Thanks. I will try that
14:30:11 addressed the privilege part https://git.gammaspectra.live/P2Pool/monero-highway#binding-to-low-numbered-ports
14:30:34 also added the regular binary hardening flags on the compilation step
14:31:32 That produces a static binary with no external dependencies, with PIE / Full RELRO / NX setup and full FORTIFY :)
14:36:28 DataHoarder: Thanks.
How would you overwrite records with the interface curl -XPOST "http://127.0.0.1:19080/?txt=abc123&txt=def567&txt=ghi890"?
14:36:39 any new change overwrites the current set
14:36:59 you are passing a list of TXT records to update
14:37:01 Ok. How is TTL set?
14:37:16 TTL is set on cmdline, defaults to 300
14:37:38 -ttl 5m
14:37:43 for example, when starting the program
14:37:56 you can use -ttl 1h or any other duration string
14:37:59 So I just pass the raw checkpoint height:hash?
14:38:03 yep
14:38:16 I think it's height=hash so you can escape that = sign
14:38:26 or use a request library, it will do it for you
14:38:58 I can make any interface / API there that is ergonomic, just had that simple one for testing
14:39:19 you can run the binary + -help to see a list of arguments it can take
14:39:41 It's colon. I hope colon doesn't need to be escaped (about to find out)
14:39:43 I'd recommend not changing -authority-ttl below the default value, if anything, you could raise it to 7 days
14:39:49 colon is fine!
15:40:54 I see you posted some checkpoints on there already!
16:07:00 I think it's working. I will make a diagram
16:07:30 I think there was deep re-org on testnet. 184 blocks?
16:17:14 Wasn't me
17:43:20 has anyone noticed someone is injecting unreachable nodes into testnet
17:43:48 it seems to be the same addresses as the ones that were injected onto mainnet a while ago
17:47:50 I don't know which are which, but i did notice there are a fuck ton of the same ip w a different port
17:48:31 38.6.15*.*
17:48:55 pretty sure that is the same address that was injected into mainnet that @jhendrix:imagisphe.re found
17:49:50 Yeah
17:50:35 Also 154.199.21*.*
17:55:22 DataHoarder: Here is my first draft of diagram slides. Click arrows on the bottom to go through the slides: https://cryptpad.disroot.org/diagram/#/2/diagram/view/glZWi196m1pxGKKdZZKC66exXJAm9WiJsQvN8kJutOM/embed/
17:55:46 I'll check in a few hours!
18:02:07 this seed: 176.9.0.187 is injecting the peers
18:05:42 wait multiple seeds are
18:07:21 every seed I connected to is sending me those peers
18:13:11 I think that means these addresses were reachable to the seed nodes 🤔
18:54:00 Means those nodes just connected to seeds at some point
18:54:45 Probably possible to just spin up bunch of nodes using different --p2p-bind-port
18:59:26 @ofrnxmr:xmr.mx: It would have to be somewhat recent otherwise they would be ejected but yeah
18:59:41 @ofrnxmr:xmr.mx: they cover multiple IP addresses
19:19:48 @boog900: i noticed these maybe 2 weeks ago
19:20:04 Idk how recent "recent" has to be though, or when they first appeared
19:50:59 I mean they have been on mainnet for quite a while
19:51:44 Makes me wonder if they are really reachable to certain nodes but not mine for whatever reason
19:55:00 I think they are only online for long enough to get out on seed node peerlists
19:55:06 Put*
19:55:47 Afaict, they have all "never" been connected to from my nodes on my list
19:55:52 @plowsof:matrix.org
19:56:11 Can check his seeds to see if/when last connected
20:31:52 Will have a look
20:32:23 38.6.15*.* nodes
22:23:55 @rucknium:monero.social, initial feedback, split Secure Server into a "Group" of "Distributed DNSSEC Checkpointer Servers"