Is DNSSec needed / Possible with namecoin?

1

I'm interested in the most secure and reliable Namecoin DNS resolution possible, although I admit I don't fully understand how these concepts relate to each other (Namecoin and DNS).

Is DNSSec needed or possible with Namecoin based DNS services? Would that come at a higher "cost" (more namecoins are needed?)

goodguys_activate

Posted 2012-11-13T08:44:53.017

Reputation: 11 898

Do you mean TLS/SSL?

kermit 2013-03-24T14:18:36.777

@phelix No. A hacked DNS makes TLS/SSL insecure. DNSSec prevents a hacked DNS and makes TLS/SSL (HTTPS) more secure.

goodguys_activate 2013-03-24T15:47:47.833

I meant TLS/SSL via Namecoin. How could Namecoin DNS NOT be secure? It is blockchain-secured.

kermit 2013-03-24T22:09:10.220

@phelix The link between the host and the recursive resolver is the weak link and can be hacked. Not the resolver and the namecoin lookup proxy (not Bind <--> namecoind).

goodguys_activate 2013-03-24T22:46:02.833

@phelix So when is Namecoin going to get a reboot? I think you're one of the devs there, no? Reboot = different design.

goodguys_activate 2013-03-24T22:46:49.463

I'm not a real dev, I'm more of a fanboy. Maybe that's why I don't understand your question / don't see the weak link. :)

kermit 2013-03-25T13:14:09.967

There are some comments about DNSSEC on https://dot-bit.org/Namespace:Domain_names_v2.0#TLS_support (but they are not very productive).

Habbie 2013-10-07T09:39:21.573

(Also comments about TLS/SSL there, you should read them if this is what you actually worry about.)

Habbie 2013-10-07T09:57:31.407

Answers

1

No, DNSSec is not needed with Namecoin. The mapping from name to IP cannot be forged.

However, DNSSec requires changes to resolver libraries so the domains are actually cryptographically verified.

Namecoin, to be secure, requires similar changes to resolver libraries because nothing in the current resolver libraries actually checks the integrity of the results.

Anyone can run software to verify that a traditional (insecure, no cryptography) nameserver that resolves .bit addresses actually returns addresses corresponding to the blockchain.

Thus namecoin name servers can be ensured to not "fool all the people all the time" by having some servers that continuously check the integrity of the results produced by the insecure but backwards compatible nameserver.

user239558

Posted 2012-11-13T08:44:53.017

Reputation: 115

1 This answer is incomplete. Yes, Name/IP mappings in Namecoin are protected, but if you use the 'ns' type instead of 'ip', this is like an insecure delegation in DNSSEC - making the original question valid.

Habbie 2013-10-07T09:24:36.573
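The integrity check described in the answer above, together with the 'ns' caveat from the comment on it, as an added example that is not part of the original posts or of any Namecoin project code. It assumes the blockchain value for a name is a JSON object carrying the `ip` and `ns` items named in the comment, and that the caller has already fetched that value and the nameserver's answer; the names and addresses are constructed.

```python
import ipaddress
import json

def audit_bit_answer(chain_value, resolver_ips):
    """Check A records from an untrusted .bit nameserver against the blockchain.

    chain_value  -- JSON value string stored for the d/ name in the blockchain
    resolver_ips -- IPv4 strings the nameserver under test returned
    Returns "match", "mismatch", "delegated" or "no-data".
    """
    try:
        value = json.loads(chain_value)
        if not isinstance(value, dict):
            return "no-data"
        # Assumption: an 'ns' item hands resolution to an external nameserver,
        # so the blockchain no longer pins the address (insecure delegation).
        if value.get("ns"):
            return "delegated"
        raw = value.get("ip")
        if not raw:
            return "no-data"
        items = [raw] if isinstance(raw, str) else raw
        pinned = {ipaddress.ip_address(ip) for ip in items}
    except (ValueError, TypeError):
        return "no-data"
    returned = {ipaddress.ip_address(ip) for ip in resolver_ips}
    # Every returned address must be pinned; an empty answer also fails.
    return "match" if returned and returned <= pinned else "mismatch"

# Constructed sample data (documentation address ranges, hypothetical names).
SAMPLES = [
    ("d/honest", '{"ip": "192.0.2.10"}', ["192.0.2.10"]),
    ("d/multi", '{"ip": ["192.0.2.10", "192.0.2.11"]}', ["192.0.2.11"]),
    ("d/forged", '{"ip": "192.0.2.10"}', ["198.51.100.66"]),
    ("d/delegated", '{"ns": ["ns1.example.net"]}', ["203.0.113.5"]),
    ("d/garbage", "not json", ["192.0.2.10"]),
]

def run_audit(samples=SAMPLES):
    """Return {name: verdict} for each (name, chain value, answer) sample."""
    return {name: audit_bit_answer(value, ips) for name, value, ips in samples}

if __name__ == "__main__":
    for name, verdict in run_audit().items():
        print(f"{name:14} {verdict}")
```

A "delegated" verdict means the checker cannot vouch for the answer from the blockchain alone, which is the case where the question about DNSSEC still applies.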

0

If you wish to use DANE to secure TLS then yes, you will need DNSSEC. In the absence of certificate authorities, that probably is a good idea.

https://github.com/hlandau/ncdns has some hints, but I suspect it is a little more complex than that; they deal with the DNSSEC-enforcing recursive resolver.

Software that DNSSEC validates itself (such as the Firefox add-on) will need to be told how to trust the DS records as they will not descend from the ICANN root.

Alice Wonder

Posted 2012-11-13T08:44:53.017

Reputation: 1