feat: initial implementation

[aschmahmann]

This is an initial implementation of the DNS server using CoreDNS.

The main missing feature for getting this to work is integration with a distributed database to be shared between the primary and secondary nameservers. It might be possible to do this using zone files as well, but using something like dynamodb for now seems fine.

• Note: we might want to bump the dependencies in https://github.com/ipfs/go-ds-dynamodb

[aschmahmann]

Note on why JWT did not feel great because

• It takes the entire payload and puts it in the authorization header
  • No standards around body hash, including public keys, etc.
• IIUC most implementations don't seem to support secp256k1 and IMO we'd want to enable each of the 4 currently supported key types (RSA, Ed25519, ECDSA, Secp256k1)

[MarcoPolo]

Is this meant to follow RFC 6750? The "Bearer" Auth scheme is registered to that RFC https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml.

I haven't looked closer here, because I'm assuming we'll opt to use the HTTP Peer ID authentication flow instead.

[aschmahmann]

Note: We could've avoided doing anything special with the auth if we'd relied on libp2p doing the auth for us.

About the protocol format:

• custom wire protocol over libp2p seemed like overkill
• HTTP over libp2p would be nice and use the exact same semantics but without the auth header

About using libp2p for the transport:

• The initial connection establishment and loadbalancing stories don't seem as easy as we'd want at the moment
  • I don't want to have to embed a peerID into deployed applications (e.g. what if we have to rotate keys) and while we can get the other approaches working they feel not out of the box yet
    • Could use CA certs instead of peerIDs for the outbound connection, but that requires more new code in the libp2p implementations
    • We could use DNSAddr (e.g. /dnsaddr/registration.libp2p.direct without a peerID suffix) which seems fine (even more so with DNSSEC), although a bit of extra wrapper code likely needed in each implementation since IIRC it's not supported out of the box in most implementations

It'd be nice to evolve this into being able to do HTTP over libp2p and drop the auth header by doing one or both of:

• Enable DNSAddr or CA based connection establishment
• Land the HTTP PeerID Auth spec (yes it means two round-trips instead of one but that doesn't seem like a big deal)

The result means there'd be very little custom code here at all given the user is already leveraging a libp2p implementation.

[SgtPooki]

custom wire protocol over libp2p seemed like overkill

Land the HTTP PeerID Auth spec (yes it means two round-trips instead of one but that doesn't seem like a big deal)

Both of these seem like desire-able things that we may want at some point in the future. Is it worth investigating now before we implement some other solution that quickly goes out of date?

[aschmahmann]

custom wire protocol over libp2p seemed like overkill

This doesn't seem particularly desirable to bother with.

Land the HTTP PeerID Auth spec

WDYT @MarcoPolo, does it make more sense to land the spec then do this business with the signed envelopes?

[MarcoPolo]

Yes. The spec is very close to being ready. And if we have a use case, then I'd be very motivated to get it landed.

[MarcoPolo]

I see that we're essentially reusing the acme challenge as the authentication challenge. This is probably (?) okay for this use case, but I think it would better practice to not reuse challenges in this way. The HTTP Peer ID Auth flow would use a challenge just for the authentication (and that's where the extra round trip comes from).

[aschmahmann]

It seemed like grabbing this spec meant less overhead for implementers given that those using signed peer records (i.e. for gossipsub which is in most implementations) already do most of this. However, as can be seen from the Go code here go-libp2p hid most of the internals away such that actually getting at them was painful and/or required copy-pasting.

Alternatives welcome (including if it's just tossing all this and landing the HTTP PeerID Auth spec

[aschmahmann]

I wasn't planning on using a payload type and registering it in the codec table, however:

• If using / is valid as an escape for a user defined string without relying on the table that works for me
• While the spec says using / is fine and that it's also ok to leave it empty https://github.com/libp2p/specs/blob/master/RFC/0002-signed-envelopes.md#payload-type-information the Go implementation disagrees and has tests to enforce this https://github.com/libp2p/go-libp2p/blob/a0349afb888abafcf7991c183197859759134dfc/core/record/envelope_test.go#L145

[aschmahmann]

@MarcoPolo @sukunrt might have thoughts on ^

[aschmahmann]

No idea what the TTL should be here for these records given they shouldn't really be needed for very long. Thoughts?

[aschmahmann]

Calling these out

[MarcoPolo]

yes, and probably at least a log for now?

[aschmahmann]

This seems like it could be set to infinity. Any thoughts on the number, a day, 7 days, longer?

[aschmahmann]

Looks like some details need to get hammered out here between this and the tests. We could also choose to use the stock Caddy binary and use everything we have as plugins. Whatever makes deployment and testing easier

[SgtPooki]

just read the README.md and left some comments

[SgtPooki]

custom wire protocol over libp2p seemed like overkill

Land the HTTP PeerID Auth spec (yes it means two round-trips instead of one but that doesn't seem like a big deal)

Both of these seem like desire-able things that we may want at some point in the future. Is it worth investigating now before we implement some other solution that quickly goes out of date?

[aschmahmann]

Note: This function certainly, but most of this file is pretty WIP.

Will help to flesh this out with an end-to-end test that does:

1. Sets up the DNS server
2. Uses https://github.com/letsencrypt/pebble/ as a test ACME server that uses the DNS server
3. Have a libp2p client (e.g. using this function or something similar) that gets a certificate for itself using the test ACME server + DNS server
4. Have another libp2p client that can dial the first one using WSS with a custom client TLS config that allows the test CA cert

[aschmahmann]

This constructor definitely is not great. Wanted to get something out before spending more time here, suggestions welcome.

Seems like this could go a whole lot easier if we didn't have a bunch of couplings going on:

• Need TLS Config to instantiate the host (unless we cast to Swarm and add a transport later?), but need the host (and its addresses) to setup the certmagic TLS config
• Trying to add a transport or an address would mess with the users' expectations of options passing, but we can't say "maybe add this address or transport if not already present"
• We need to setup a listener (which requires knowing the DNS name), but the DNS name is determined by the address
  • We need to dynamically change the names as the IP addresses change

Could potentially change this to setting up a host, erroring if the websocket transport already exists, and then adding it + it's addresses + another address factory wrapper.

[MarcoPolo]

Just a first pass at the server side. I'll take a look at the client side next.

[MarcoPolo]

I think we should just define the interface we actually need in this package and not require a full Datastore implementation.

[MarcoPolo]

check err?

[MarcoPolo]

nit: I think this should be Start() error. I know it's passed into an OnStartup function to register as a callback, but the function itself is about starting the acmeWriter. There's also precedent in Go stdlib for Start(...) error.

[aschmahmann]

No strong feelings, I copied this from one of the CoreDNS examples https://github.com/coredns/coredns/blob/ee4d26b7807856efbf61ebebb2687df21561a787/plugin/health/setup.go#L22. If you want to change it feel free

[MarcoPolo]

This will be so much better when we can use libp2p/go-libp2p#2854.

This could be something like:

authPeer := auth.ServerPeerIDAuth{
    // ...
    Next: func(id peer.ID, w http.ResponseWriter, r *http.Request) {
        err := c.updateDB(id, r.Body())
        // err handling
        w.WriteHeader(http.StatusOK)
    },
}
//...
c.mux.HandleFunc("/v1/_acme-challenge", authPeer)

Also is there a reason to have the peerID in the url?

[aschmahmann]

For sure, that's why I flagged it earlier in #1 (comment).

Do you think we're close enough to landing things that I should just drop and rewrite to use the server peerID auth now? Alternatively can just wait a bit and we'll delete some code before we launch.

Also is there a reason to have the peerID in the url?
We can remove it. It was mostly there to mimic some existing APIs for DNS puts that take domain names as arguments.

[MarcoPolo]

It’s close. I just need a review from sukun and we’ll merge it. Very likely by next week.

[MarcoPolo]

You should quote the relevant sentence verbatim "It MUST NOT contain any characters outside the base64url alphabet, including padding characters ("=")." As is, it's unclear if padding is allowed or not.

[MarcoPolo]

Is this meant to follow RFC 6750? The "Bearer" Auth scheme is registered to that RFC https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml.

I haven't looked closer here, because I'm assuming we'll opt to use the HTTP Peer ID authentication flow instead.

[MarcoPolo]

yes, and probably at least a log for now?

[achingbrain]

This should be w.WriteHeader(http.StatusNoContent) to cause a 204 since we send no content.

[lidel]

Let's merge this, as the client shipped with Kubo 0.32.0-rc1, and we want to start producing docker images from main / staging.

Please fill separate issues / PRs for unaddressed issues.

assiming outdated comments are addressed, if not, please fill them as separate issues