Nuh 🔻
npub1jvx…7yqz
2024-12-04 18:30:57

It maps an ed25519 key to a DNS packet, so a list of records, but that is beside the point.

Let's first consider a simple case where:
1. you look up `my-app.<A>` (where A is a zbase32-encoded public key) only to find a CNAME record pointing to `hosting-provider.<B>`
2. you look up `hosting-provider.<B>` to find an A record pointing to the socket address.

What you have here is a chain of delegation, from the owner of key A to the hosting provider who owns key B.

Well, then we know for a fact that key B should be trusted as an RPK to establish a TLS connection, because Pkarr is already signed, so why not consider it as valid as an X.509 certificate chain? Only better, because the CA in this case is the owner of the TLD (A).

Let's make things a bit more interesting by using HTTPS records instead of CNAME records, because they are more recent and work on apex domains, and have optional parameters for stuff like ALPN, ECH, port number, etc., making establishing HTTP connections more efficient.

HTTPS records are widely supported already, so not too exotic. And I consider them the perfect resource record.
Author Public Key
npub1jvxvaufrwtwj79s90n79fuxmm9pntk94rd8zwderdvqv4dcclnvs9s7yqz
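
The two-step lookup described in the post, as an added example that is not part of the original post and does not use Pkarr's API: a resolver over constructed packets that follows CNAME or HTTPS records and returns the address together with the key a client would pin as the raw public key. The names `resolve`, `key_of` and `MAX_HOPS`, the default port 443, the record layout, the placeholder keys, and the premise that each packet was already signature-checked against its key are assumptions.

```python
# Added illustration with constructed data; hypothetical names, not Pkarr's API.
ZBASE32 = set("ybndrfg8ejkmcpqxot1uwisza345h769")
MAX_HOPS = 8  # assumed cap on delegation depth

def key_of(name):
    """Return the last label if it has the shape of a zbase32 ed25519 key."""
    tld = name.rstrip(".").rsplit(".", 1)[-1]
    return tld if len(tld) == 52 and set(tld) <= ZBASE32 else None

def resolve(name, packets):
    """Follow CNAME/HTTPS records; return (ip, port, alpn, key to pin as RPK).

    Assumption: every entry in `packets` was signature-checked against the
    key it is stored under before being added.
    """
    port, alpn, seen = 443, None, set()
    for _ in range(MAX_HOPS):
        key = key_of(name)
        if key is None:
            raise ValueError(f"{name}: target has no key, nothing to pin")
        if name in seen:
            raise ValueError(f"{name}: delegation loop")
        seen.add(name)
        records = packets.get(key, {}).get(name, [])
        for rtype, data in records:
            if rtype == "A":
                return data, port, alpn, key
        for rtype, data in records:
            if rtype == "CNAME":
                name = data
                break
            if rtype == "HTTPS":
                name = data["target"]
                port = data.get("port", port)
                alpn = data.get("alpn", alpn)
                break
        else:
            raise ValueError(f"{name}: no A, CNAME or HTTPS record")
    raise ValueError("too many delegation hops")

# Constructed sample: 52-character placeholders standing in for keys A and B.
KEY_A, KEY_B = "a" * 52, "b" * 52
PACKETS = {
    KEY_A: {f"my-app.{KEY_A}": [("HTTPS", {"target": f"hosting-provider.{KEY_B}",
                                           "port": 8443, "alpn": ["h2"]})]},
    KEY_B: {f"hosting-provider.{KEY_B}": [("A", "203.0.113.7")]},
}
```

The key returned is the one at the end of the chain (B), so a delegation that points outside the key namespace or loops back on itself is rejected rather than resolved without a key to pin.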