ops: Enable DNSSEC on all Bitcoin DNS Seed domain names #19714

wiz opened this issue on August 13, 2020
  1. wiz commented at 7:09 PM on August 13, 2020: contributor

    Quoting from the Bitcoin DNS Seed Policy,

    A DNS seed operating organization or person is expected to follow good host security practices

    Therefore, since DNSSEC is now considered best practice for DNS servers, please enable DNSSEC if not done already.

    There should not be any errors, warnings, or "insecure" messages on your dnsviz analysis:

  2. wiz added the label Bug on Aug 13, 2020
  3. TheBlueMatt commented at 7:30 PM on August 13, 2020: contributor

    Not exactly a likely attack that someone BGP-hijacks DNSSEED-hosting prefixes to insert records and sybil fresh nodes, but if possible it's still nice to have.

  4. fanquake added the label P2P on Aug 14, 2020
  5. petertodd commented at 3:33 AM on August 16, 2020: contributor

    On Thu, Aug 13, 2020 at 12:10:00PM -0700, wiz wrote:

    Please enable DNSSEC if not done already. There should not be any errors, warnings, or "insecure" messages on your dnsviz analysis:

    FWIW I use Amazon Route 53, which has no DNSSEC support, so unless that changes I won't be enabling it.

  6. Emzy commented at 4:00 PM on September 6, 2020: contributor

    emzy.de. is now DNSSEC. But the bitcoin-seeder software on dnsseed.emzy.de. has no DNSSEC option. I may look into putting a bind9 in front of it, for signing the zone.

  7. practicalswift commented at 8:44 AM on September 7, 2020: contributor

    I may look into putting a bind9 in front of it, for signing the zone.

    As long as we don't end up in a monoculture of BIND-only DNS servers due to a DNSSEC requirement :)

    I'd rather have partial DNSSEC support due to some non-BIND servers in the mix than full DNSSEC support with BIND servers only :)

  8. wiz commented at 9:31 AM on September 13, 2020: contributor

    @emzy okay you get partial credit for emzy.de working now :+1: @practicalswift there are many other authoritative DNS server software available other than BIND, but the relevant issue is that the community expects DNS Seed Operators to follow "good host security practices", so we should all support DNSSEC.

  9. practicalswift commented at 1:47 PM on September 13, 2020: contributor

    As long as we don't end up in a monoculture of BIND-only DNS servers due to a DNSSEC requirement :)

    @practicalswift there are many other authoritative DNS server software available other than BIND, but the relevant issue is that the community expects DNS Seed Operators to follow "good host security practices", so we should all support DNSSEC.

    Yes, ideally we can both support DNSSEC and avoid a BIND monoculture :)

    The only point I was trying to make was that the number of BIND alternatives supporting DNSSEC is quite small, and that avoiding a BIND monoculture is important too :)

    Do we know if any Bitcoin DNS seed domain which is currently supporting DNSSEC is running under something other than BIND?

    Do you have any recommendations for DNS Seed Operators who want to support DNSSEC without using BIND? :)

  10. Sjors commented at 4:21 PM on September 14, 2020: member

    @practicalswift I'm using @sipa's thing, which I don't think (?) uses BIND: https://github.com/sipa/bitcoin-seeder

  11. sipa commented at 4:33 PM on September 14, 2020: member

    I have no intention of implementing DNSSEC myself in bitcoin-seeder. @Emzy If you figure out how to setup BIND in front of it to add DNSSEC, let me know (or write it up and add it as documentation to bitcoin-seeder).

  12. Emzy commented at 10:01 AM on September 15, 2020: contributor

    @Emzy If you figure out how to setup BIND in front of it to add DNSSEC, let me know (or write it up and add it as documentation to bitcoin-seeder).

    I have a proof of concept bind9 dnsseed running on: dnsseed-test.emzy.de

    It is a simple bash script that queries the bitcoin-seeder via dns and puts the result in the dns zone. I'm still testing. I will do a write up if all works well.
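
The comment above describes the approach in one sentence. What follows is an added example of such a script, written for this page; it is not Emzy's script, not the later PR on the seeder repo, and not part of bitcoin-seeder. It assumes the seeder listens locally on a non-53 port (bitcoin-seeder's -p option), that BIND is authoritative for the seed name with the records at the zone apex and is configured for inline signing (dnssec-policy, BIND 9.16 or later) so the script only has to publish the unsigned zone and reload it, and that a DS for the zone is already published at the parent. The names, paths, port and hourly cadence are placeholders.

```shell
#!/bin/sh
# Added example for this page: publish a bitcoin-seeder's answers through BIND
# so that BIND signs them. This is not Emzy's script, not the bitcoin-seeder
# PR and not part of bitcoin-seeder. Assumptions: the seeder listens locally
# on a non-53 port (bitcoin-seeder's -p option), BIND is authoritative for
# $ZONE with the seed records at the apex and is configured for inline signing
# (dnssec-policy, BIND 9.16+), and a DS for the zone is already at the parent.
set -eu

SEEDER="${SEEDER:-127.0.0.1}"           # assumed seeder address
SEEDER_PORT="${SEEDER_PORT:-5353}"      # assumed seeder port
ZONE="${ZONE:-dnsseed.example.net}"     # assumed seed zone name
ZONEDIR="${ZONEDIR:-/etc/bind/zones}"   # assumed BIND zone directory
TTL=60                                  # short TTL, as several seeds in this thread use

# Shape checks only (no octet range check); named-checkzone below is the
# real gate before anything is published.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
        *.*.*.*)              return 0 ;;
        *)                    return 1 ;;
    esac
}
is_ipv6() {
    case "$1" in
        *[!0-9a-fA-F:]*) return 1 ;;
        *:*)             return 0 ;;
        *)               return 1 ;;
    esac
}

# zone_from_addrs SERIAL: read one address per line on stdin and print a
# complete zone file for $ZONE with one apex A or AAAA record per address.
# Anything that is not an IP literal (a CNAME target, dig's error text) is
# reported on stderr and skipped rather than written into the zone.
zone_from_addrs() {
    serial="$1"
    printf '$TTL %s\n' "$TTL"
    printf '@ IN SOA ns1.%s. hostmaster.%s. ( %s 3600 900 1209600 %s )\n' \
        "$ZONE" "$ZONE" "$serial" "$TTL"
    printf '@ IN NS ns1.%s.\n' "$ZONE"
    while IFS= read -r addr; do
        if is_ipv4 "$addr"; then
            printf '@ IN A %s\n' "$addr"
        elif is_ipv6 "$addr"; then
            printf '@ IN AAAA %s\n' "$addr"
        elif [ -n "$addr" ]; then
            printf 'skipping unparsable answer: %s\n' "$addr" >&2
        fi
    done
}

# count_addr_records FILE: number of apex A/AAAA records in a zone file.
count_addr_records() {
    grep -c -E '^@ IN (A|AAAA) ' "$1" || true
}

# rebuild_and_reload: ask the seeder for A and AAAA answers, write the zone
# atomically, refuse to publish an empty or malformed zone, then reload it.
# With inline signing BIND re-signs the new contents on reload.
rebuild_and_reload() {
    serial=$(date -u +%Y%m%d%H)                 # assumed hourly rebuild cadence
    new="$ZONEDIR/db.$ZONE.new"
    {
        dig +short @"$SEEDER" -p "$SEEDER_PORT" "$ZONE" A
        dig +short @"$SEEDER" -p "$SEEDER_PORT" "$ZONE" AAAA
    } | zone_from_addrs "$serial" > "$new"
    if [ "$(count_addr_records "$new")" -eq 0 ]; then
        echo "seeder returned no addresses; keeping the previous zone" >&2
        rm -f "$new"
        return 1
    fi
    if ! named-checkzone "$ZONE" "$new" > /dev/null; then
        rm -f "$new"
        return 1
    fi
    mv "$new" "$ZONEDIR/db.$ZONE"
    rndc reload "$ZONE"
}

# Only touch the seeder and BIND when invoked with an argument (e.g. from cron
# as `sh seed-zone.sh run`), so the functions can be sourced without either.
if [ "$#" -gt 0 ]; then
    rebuild_and_reload
fi
```

Two points worth keeping in mind with this shape: the seeder rotates its answers on every query, so BIND ends up serving a signed snapshot that only changes each time the script runs, and the empty-zone and named-checkzone gates are what stop a seeder outage or a stray non-IP answer from turning into a signed zone with no usable records.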

  13. Emzy commented at 11:05 AM on September 18, 2020: contributor

    I have a proof of concept bind9 dnsseed running on: dnsseed-test.emzy.de

    I moved it over to the production dnsseed: dnsseed.emzy.de Looks good.

  14. cdecker commented at 12:18 PM on September 27, 2020: contributor

    Would love a write-up on how to use bind as a DNSSEC proxy as well. I have no intention of implementing it in my custom server.

  15. Emzy commented at 12:46 PM on September 27, 2020: contributor

    Would love a write-up on how to use bind as a DNSSEC proxy as well. I have no intention of implementing it in my custom server.

    It's on top of my to-do list.

  16. Emzy commented at 5:21 PM on September 29, 2020: contributor
  17. Emzy commented at 2:44 PM on October 7, 2020: contributor
  18. miningdave commented at 11:55 AM on June 6, 2021: none

    FWIW I use Amazon Route 53, which has no DNSSEC support, so unless that changes I won't be enabling it. @petertodd

    They started supporting it the end of last year (2020): https://aws.amazon.com/about-aws/whats-new/2020/12/announcing-amazon-route-53-support-dnssec/

  19. petertodd commented at 1:56 AM on July 17, 2021: contributor

    FWIW I use Amazon Route 53, which has no DNSSEC support, so unless that changes I won't be enabling it.

    @petertodd

    They started supporting it the end of last year (2020): https://aws.amazon.com/about-aws/whats-new/2020/12/announcing-amazon-route-53-support-dnssec/

    Thanks! I have it partly set up. Scaleway is discontinuing the type of server I'm running the seeder on in a few months; I'll set up the rest later.

  20. petertodd commented at 5:49 AM on July 17, 2021: contributor

    ...went ahead and set up a new seed, seed.ns.petertodd.net (note the .net rather than .org!) with CNAME redirections for the main domain and all the x* bit combinations it supports.

    Separate issue from dnssec, but it'd be nice to eventually migrate away from running it under petertodd.org to a domain I don't need for email so anti-spam dns block lists don't cause issues again. :)

  21. miningdave commented at 5:21 PM on July 18, 2021: none

    Drifting from the OT, but perhaps a master domain for all the seeders, xxx.yyy.org. Yes, it becomes a single point of failure / control, but it also becomes one place to manage all the seeds. So if you go evil, you are gone.

  22. adamjonas commented at 8:16 PM on March 9, 2023: member

    Closing since the rest of the seeders have said they are not going to implement it or have not addressed it for multiple years.

  23. adamjonas closed this on Mar 9, 2023

  24. Sjors commented at 12:58 PM on March 10, 2023: member

    I just noticed @Emzy's script and PR on the seeder repo. Will look into it soon(tm).

  25. bitcoin locked this on Mar 9, 2024
  26. bitcoin unlocked this on May 2, 2024
  27. laanwj commented at 5:54 AM on May 3, 2024: member

    I checked the current (+30007) list of DNS seeds for having valid DNSSEC and it's still close to the list in the OP (S column):

    Flags: x9
    Status DNS name                                 S Totals     IPv4                  IPv6
                                                      nconn/n    nconn/n           TTL nconn/n           TTL
    * mainnet
    OK     seed.bitcoin.sipa.be.                      36/39      25/25            3600 11/14            3600
    OK     dnsseed.bluematt.me.                     ✓ 26/31      19/21              60 7/10               60
    OK     dnsseed.bitcoin.dashjr-list-of-p2p-nodes   32/34      21/22            3600 11/12            3600
    ERR    seed.bitcoinstats.com.                     0/0        SERVFAIL              SERVFAIL
    ERR    seed.bitcoin.jonasschnelli.ch.             11/23      11/23            3600 SERVFAIL
    OK     seed.btc.petertodd.net.                  ✓ 15/36      9/23             3600 6/13             3600
    OK     seed.bitcoin.sprovoost.nl.               ✓ 29/36      18/23            3600 11/13            3600
    OK     dnsseed.emzy.de.                         ✓ 38/39      24/25            3600 14/14            3600
    OK     seed.bitcoin.wiz.biz.                    ✓ 27/31      19/21              60 8/10               60
    ERR    dnsseed.mainnet.bitcoin.achow101.com.      20/20      SERVFAIL              20/20              60
    
    * testnet
    OK     testnet-seed.bitcoin.jonasschnelli.ch.     19/22      19/22            3600 0/0
    OK     seed.tbtc.petertodd.net.                 ✓ 21/36      12/23            3600 9/13             3600
    NONE   testnet-seed.bluematt.me.                ✓ 0/0        0/0                   0/0
    OK     seed.testnet.bitcoin.sprovoost.nl.         19/22      19/22            3600 0/0
    OK     dnsseed.testnet.bitcoin.achow101.com.      37/40      19/20              60 18/20              60
    
    * signet
    OK     seed.signet.bitcoin.sprovoost.nl.          21/22      21/22            3600 0/0
    OK     dnsseed.signet.bitcoin.achow101.com.       40/40      20/20              60 20/20              60
    

    Looks like @Sjors' mainnet seed gained support for it since.
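
The S column above does not say how it was produced. The script below is an added example written for this page, not laanwj's check, that approximates it: query each seed name through a DNSSEC-validating resolver with the DO bit set and read the header of the answer. It assumes RESOLVER (default 127.0.0.1) is a validating resolver such as a local unbound or BIND with validation on; pointed at a non-validating resolver it reports every name as "insecure". The sample dig outputs embedded at the end are constructed, not captures, and the name, address and RRSIG payload in them are placeholders.

```shell
#!/bin/sh
# Added example for this page (not laanwj's script): approximate the S column
# of the table above by asking a validating resolver for each seed name with
# the DO bit set and reading the response header. Assumption: RESOLVER is a
# DNSSEC-validating resolver (e.g. a local unbound or BIND with validation
# on); a non-validating resolver reports every name as "insecure".
set -eu

RESOLVER="${RESOLVER:-127.0.0.1}"   # assumed local validating resolver

# classify_dig_output: read the full text output of `dig +dnssec NAME A
# @RESOLVER` on stdin and print one word:
#   secure       NOERROR with the AD flag: the resolver validated the chain
#   insecure     NOERROR without AD: unsigned zone, or no DS at the parent
#   servfail     the resolver would not answer (a broken chain looks like this,
#                as in the SERVFAIL rows above, but so does a plain outage)
#   unreachable  no header at all (timeout / no servers could be reached)
#   <rcode>      any other status, lowercased
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' \
        | head -n 1)
    flags=$(printf '%s\n' "$out" \
        | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case "$status" in
        "")       echo unreachable ;;
        NOERROR)  case " $flags " in
                      *" ad "*) echo secure ;;
                      *)        echo insecure ;;
                  esac ;;
        SERVFAIL) echo servfail ;;
        *)        printf '%s\n' "$status" | tr 'A-Z' 'a-z' ;;
    esac
}

# check_seed NAME [RESOLVER]: query once normally; on SERVFAIL query again with
# checking disabled (+cd). If the +cd query succeeds, the resolver had the data
# but refused to validate it, so the chain is bogus rather than the servers
# being down.
check_seed() {
    name="$1"
    resolver="${2:-$RESOLVER}"
    result=$(dig +dnssec +time=3 +tries=1 "$name" A @"$resolver" | classify_dig_output)
    if [ "$result" = servfail ]; then
        cd_result=$(dig +dnssec +cd +time=3 +tries=1 "$name" A @"$resolver" | classify_dig_output)
        if [ "$cd_result" = insecure ]; then
            result=bogus
        fi
    fi
    printf '%-12s %s\n' "$result" "$name"
}

# Constructed sample responses (not real captures; dnsseed.example.net,
# 198.51.100.0/24 and the RRSIG payload are placeholders) so the classifier
# can be exercised without a resolver.
SAMPLE_SECURE=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
dnsseed.example.net.  60  IN  A      198.51.100.7
dnsseed.example.net.  60  IN  RRSIG  A 13 3 60 20240601000000 20240501000000 12345 example.net. cGxhY2Vob2xkZXI='
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# usage: sh dnssec-check.sh seed.bitcoin.sipa.be dnsseed.emzy.de ...
if [ "$#" -gt 0 ]; then
    for seed in "$@"; do
        check_seed "$seed"
    done
fi
```

This only reports what the chosen resolver validated, which is the question a node's own resolver answers when it looks up a seed; it is not a substitute for the per-zone dnsviz analysis the opening comment asks for, which also shows why a chain is broken. Running it against two independent validating resolvers is a cheap way to tell a bogus zone from a resolver-local problem.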

  28. Sjors commented at 6:57 AM on May 3, 2024: member

    Yes, I added DNSSEC support, as per @Emzy's instructions here: https://github.com/sipa/bitcoin-seeder/pull/85

    Only for mainnet (I might do the other networks too once the instruction PR is merged)

  29. bitcoin locked this on May 3, 2025

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-02 12:14 UTC
