08:48:56 that sounds problematic :D
> it just looks at the AD flag
11:38:17 You are trusting the DNS server you set
11:38:27 That is why you should run local recursive DNS servers
11:38:36 They check the chain of trust of delegation
11:45:17 I think monerod checks
11:45:28 It prints logs about getting the chain of trust etc.
11:49:25 Does it have an embedded recursive DNS client?
11:51:35 🤷‍♂️
11:52:34 no
11:52:47 but cuprate can
11:52:57 did I talk to you about our lord and savior hickory-dns
11:53:23 secure, correct, Rust-written DNS resolver library, now in discount for the whole family
11:59:01 https://github.com/hickory-dns/hickory-dns
11:59:07 https://github.com/hickory-dns/hickory-dns/tree/main/crates/client
12:07:54 <321bob321> Hates self-signed certs
15:47:21 Hello, I've read so far:
15:47:21 https://www.eddieoz.com/monero-under-attack-how-the-community-responds-to-selfish-mining-attacks/
15:47:21 https://github.com/monero-project/monero/issues/10064
15:47:21 [... more lines follow, see https://mrelay.p2pool.observer/e/-MfSs7cKTWRieWN1 ]
15:49:15 I just hope the Monero project's future won't depend on a few domains registered at Gandi and "protected" behind a single Cloudflare account...
15:49:47 that's a lot of text
15:50:08 @syntheticbird: stop watching tiktok
15:50:18 @syntheticbird: And it's not LLM! 😀
15:50:27 @basses:matrix.org: no, i love reducing my brain size
15:50:31 @alfieedwards: odd thing to say
15:51:17 @alfieedwards: CHAT DON'T LOOK AT ME, LOOK AT THIS MESSAGE.
15:55:41 2) DNSSEC is and was always required. The code for this is already in Monero
15:56:12 1) the code is already in Monero and it's an opt-in temporary bandaid before proper means are developed
15:56:57 also for 2) if using dns-checkpoint or a custom server that is possible. However, exposing the hardcoded IPs of each one opens you to DDoS
15:57:33 note the system is fail-safe and stopping checkpoints = no harm. node operators can also disable the opted-in flag and restart, and nothing else happens
15:58:31 DNS deployment for the last comment also allows you to have a hidden server signing the records, then deploying to DNS secondaries. There is no need to have the active IP(s) in NS records be the alive ones.
15:59:05 I have shown this in the checkpoints.gammaspectra.live example https://dnsviz.net/d/checkpoints.gammaspectra.live/dnssec/
15:59:31 (one issuing server and several secondaries across different ISPs, but these ISPs cannot sign new records, only publish pre-signed zones)
16:02:46 keep in mind this is not intended to be permanent, nor the bandaid over the entire temporary deployment
16:03:33 as better options/decentralization are possible that can be deployed then, but waiting while bleeding and specifically having end-user transactions invalidated and reverted, that's harmful
16:08:13 > also for 2) if using dns-checkpoint or a custom server that is possible. However, exposing the hardcoded IPs of each one opens you to DDoS
16:08:13 How can I host my own checkpoint server? There are different approaches to DDoS protection; reverse proxies are just one of them. You may host on infrastructure where there are hardware firewalls (Palo Alto, etc.) and an exposed IP won't be the issue.
16:08:37 you cannot use reverse proxies for DNS servers in the way you see them
16:09:00 a checkpoint server is a normal DNS server with DNSSEC enabled
16:09:04 that serves a TXT record
16:09:20 you can use bind https://gitlab.isc.org/isc-projects/bind9
16:09:42 or any other DNS server that can support that
16:09:56 DNS servers can stay offline and only send pre-signed zones to the actual serving nameservers
16:10:09 As a proof of concept (that has been tested) I also made https://git.gammaspectra.live/P2Pool/monero-highway#cmd-dns-checkpoints
16:10:20 How does this fail-safe mechanism work? Won't unavailability of checkpoint nodes allow reorg attacks to continue?
> note the system is fail-safe and stopping checkpoints = no harm. node operators can also disable the opted-in flag and restart, and nothing else happens
16:10:37 this is a bare-bones DNS server with DNSSEC that serves a single zone, for serving the TXT record
16:10:57 yes alfieedwards. fail-safe means if anything would go wrong, it stops at a "safe" point
16:11:03 meaning no more checkpoints are issued
16:11:24 same as if domains are seized, they cannot pass 2/3rd entries
16:11:56 again. this is not a PERMANENT setup, but temporary, and once improved, it would spread further. The code already exists in Monero and is in use
16:12:07 https://docs.getmonero.org/infrastructure/monero-pulse/
16:13:26 here are the details about MoneroPulse (the set of domains that would have the TXT records. They are already in use today, by default only as a warning; node operators have to opt in to enforce these, and it would still be opt-in)
16:13:36 Checkpoints can be manually added, without DNS, by placing a checkpoints.json file in the .bitmonero directory of each node.
16:13:41 more than the 4 listed are added https://github.com/monero-project/monero/pull/10075
16:19:37 Thank you for the explanation. I just hope there will be more MoneroPulse domains with different registrars than Gandi, even if it is a temporary solution.
16:20:29 Transferring the domains takes time, too
16:20:40 NS from DNSPod, etc., besides Cloudflare could also be used
16:21:10 The current test ongoing on testnet at this moment deploys checkpoints to Cloudflare DNS via batch API request
16:21:31 this is the script running these for the test https://git.gammaspectra.live/P2Pool/monero-highway/src/branch/checkpointer/cmd/checkpointer/main.go
16:21:40 rucknium also has an alternative script
16:22:03 sorry, wrong branch. it's master https://git.gammaspectra.live/P2Pool/monero-highway/src/branch/master/cmd/checkpointer
16:22:46 logic is -> each -checkpoint-interval (recommended 5 minutes), issue checkpoints at depth -checkpoint-depth (default 2)
16:23:05 depth of 2 means tip = 100, checkpoint would be placed at height = 98
16:24:03 if -checkpoint-interval is 0, checkpoints are issued as soon as a block is received, but the same -depth rule is followed. Blocks are received via ZMQ or RPC as fallback, and inclusion in the previously checkpointed chain is enforced
16:24:27 you will see a lot of //sanity check / panic() calls to bail out
16:31:07 My alternative prototype checkpointing script is here: https://gist.github.com/Rucknium/daf4d52976fc4d32e378771f2e45f8f1
> Rucknium also has an alternative script
16:39:37 But how temporary are we talking?
> 1) the code is already in monero and it's an opt-in temporary bandaid before proper means are developed
16:39:51 A year? More?
16:40:26 this was discussed in MRL. I think a year and a half was thrown around as a number to have bandaids, but this doesn't mean "THIS" DNS checkpoints bandaid
16:40:52 there are more distributed ways of handling this. bandaid means anything before a hard fork effectively
16:40:59 (or soft fork)
16:41:34 if a better distribution than DNS checkpoints is available and deployed in N weeks, it'd be N weeks for this
16:41:58 if they need to stay longer, decentralizing these more would become a priority
16:42:20 note for these to make sense people need to be making progress on the long-term solution.
16:42:55 DataHoarder: Yes, because of how easily some registrars can get socially engineered to hand over accounts
16:51:07 These domains have been in use for many years
16:51:37 They are used for DNS checkpoints, DNS blocklist, and DNS monerod version updates
17:13:31 DataHoarder: Are masternodes considered?
17:13:47 Not really
17:13:55 what do you mean, for bandaid? or long term
17:14:33 (afaik for neither)
17:22:33 Well, for the Tor network a similar concept (of consensus in terms of various parameters among selected "authority" nodes hosted by Tor Project members) has worked for a long time without issues: https://consensus-health.torproject.org/
17:23:01 I hope it will be effective also for Monero
17:26:03 @alfieedwards: masternodes = PoS?
17:29:23 If one were to think about it, it would indeed have to rely on PoS. Which is an absolutely bad idea, and I hope Monero never goes for it, as it would get literally bought by big funds.
17:30:39 #monero
17:30:50 For the
17:31:10 #monero:monero.social
18:04:34 The 7th domain (.co) is now updating as well
18:06:24 🥳
18:06:52 all good from the checkpointer side?
18:07:38 yep, no unexpected behavior and very stable
18:11:15 Njalla is the first to kick your domain + they legally own it. It's weird that you mention them, while you previously correctly say "register domain directly"
> <@alfieedwards> Hello, I've read so far:
18:15:40 i am not sure if that attack vector was taken seriously or has relevance, but a DDoS attack, especially timed in a short burst (knowing for example I will cause a chain reorganisation by publishing blocks) is very very very easy to accomplish and if outsourced cheaply executed. Cloudflare won't help enough especially when talking [... too long, see https://mrelay.p2pool.observer/e/z9fxt7cKeFBhMm91 ]
18:15:40 attack scenario could be qubic having 18 blocks, alt chain whatever blocks, then DDoS on the checkpoints for 1 hour. That's easily done. Mind, that you don't have to worry about cfb necessarily, but about kids talking and backing crypto on discord :-)
18:16:42 note the checkpoints are DNS servers themselves
18:17:13 that'd mean taking down all DNS servers across the world offline or specifically for current testing that's Cloudflare DNS itself
18:17:36 > attack scenario could be qubic having 18 blocks, alt chain whatever blocks, then ddos on the checkpoints for 1 hour.
18:17:47 once a checkpoint is issued and received it sticks on nodes
18:31:23 Even if a reorg is successful, nodes will have the original chain. They will later receive a checkpoint that conflicts with the attacking chain, and drop the attacking chain
18:32:28 If the checkpoint_ing_ node(s) blocks conflict with current checkpoints, no new checkpoints will be issued