net: switch to signet DNS seed #23021

pull Sjors wants to merge 1 commits into bitcoin:master from Sjors:2021/09/signet_dns_seed changing 1 files +3 −1
  1. Sjors commented at 7:27 PM on September 17, 2021: member

    I spun up a DNS seed for Signet, source: https://github.com/sipa/bitcoin-seeder/pull/94

    If anyone else spins up a DNS seed, let me know in the comment and I'll add it.

    Because one DNS seed is not very diverse, this PR leaves two hardcoded nodes just in case (). The one dropped node no longer exists.

    Replaces #23000.

  2. net: switch to signet DNS seed
    This commit also drops a seed node that no longer exists.
    dc10ca346b
  3. in src/chainparams.cpp:287 in dc10ca346b
     279 | @@ -280,8 +280,10 @@ class SigNetParams : public CChainParams {
     280 |  
     281 |          if (!args.IsArgSet("-signetchallenge")) {
     282 |              bin = ParseHex("512103ad5e0edad18cb1f0fc0d28a3d4f1f3e445640337489abb10404f2d1e086be430210359ef5021964fe22d6f8e05b2463c9540ce96883fe3b278760f048f5189f2e6c452ae");
     283 | +            vSeeds.emplace_back("seed.signet.bitcoin.sprovoost.nl");
     284 | +
     285 | +            // TODO: remove hardcoded nodes once there are more DNS seeds
     286 |              vSeeds.emplace_back("178.128.221.177");
     287 | -            vSeeds.emplace_back("2a01:7c8:d005:390::5");
     288 |              vSeeds.emplace_back("v7ajjeirttkbnt32wpy3c6w3emwnfr3fkla7hpxcfokr3ysd3kqtzmqd.onion:38333");
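
    Review bot: removing the IPv6 literal at line 287 leaves an IPv4 address and an onion address as the only hardcoded entries, so a node with IPv6-only connectivity now depends entirely on the single DNS seed added at line 283. Suggest confirming that the seed answers AAAA queries and is reachable over IPv6 before merge and saying so in the commit message, or replacing the dead IPv6 entry with a live one instead of dropping it.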
    


    Sjors commented at 7:28 PM on September 17, 2021:

    Fwiw this onion node runs on a different machine than the DNS seed.

  4. DrahtBot added the label P2P on Sep 17, 2021
  5. DrahtBot added the label Validation on Sep 17, 2021
  6. DrahtBot commented at 1:35 AM on September 18, 2021: member

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Conflicts

    No conflicts as of last run.

  7. kallewoof commented at 9:59 AM on September 19, 2021: member

    utACK dc10ca346b138d8de88c7bf53b1d7e69cc63e989

  8. laanwj commented at 12:52 PM on September 20, 2021: member

    Concept and code review ACK dc10ca346b138d8de88c7bf53b1d7e69cc63e989 Reasoning here: #23000 (comment)

    Did not test though, someone should test this before merge.

  9. laanwj commented at 11:24 AM on September 24, 2021: member

    Added checking for the signet DNS seed in bitcoin-core/bitcoin-maintainer-tools#116

  10. Sjors commented at 12:01 PM on September 24, 2021: member

    Testing procedure is more or less: delete .bitcoin/signet/peers.dat, start bitcoind -signet, notice in the log it's using the DNS seed and successfully finds peers that way.

    Update 2021-09-27: adding missing A below

    The seed itself you can check with dig +trace -t AAAA seed.signet.bitcoin.sprovoost.nl and dig -6 +trace -t AAAA seed.signet.bitcoin.sprovoost.nl. The latter doesn't work for me, which imo isn't blocking, but could indicate an IPv6 configuration issue. dig -6 -t AAAA @seed1.signet.bitcoin.sprovoost.nl seed.signet.bitcoin.sprovoost.nl does work. Maybe @TheBlueMatt knows...

  11. michaelfolkson commented at 1:04 PM on September 24, 2021: contributor

    I'll test this. Thanks for the instructions.

    Before this PR there was an IPv4 hardcoded node, an IPv6 hardcoded node and a Tor hardcoded node for Signet. This PR replaces the IPv6 hardcoded node (which apparently no longer exists) with the DNS seed. I'm assuming the DNS seed (and the IPv4 hardcoded node) provide both IPv4 and IPv6 addresses? Have I understood that correctly? And that IP addresses will be requested from both the DNS seed and the IPv4 hardcoded node every time a node needs IP addresses of Signet peers?

  12. Sjors commented at 3:06 PM on September 24, 2021: member

    I'm assuming the DNS seed (and the IPv4 hardcoded node) provide both IPv4 and IPv6 addresses?

    Yes, use dig -t A to get IPv4 addresses and dig -t AAAA to get IPv6 addresses. The -6 option in dig uses IPv6 exclusively in order to reach the DNS seed, but that has no bearing on which address type is returned.

    And that IP addresses will be requested from both the DNS seed and the IPv4 hardcoded node every time a node needs IP addresses of Signet peers?

    I think so yes, but later on those hardcoded seeds should be removed (they're not as nice for privacy as DNS). We have another mechanism to include hardcoded peers, as a fall back, which are tried after a timeout.

  13. jarolrod commented at 3:36 AM on September 27, 2021: member

    ACK dc10ca346b138d8de88c7bf53b1d7e69cc63e989

    I was able to connect to the DNS seed and connect to other peers. Also tested by blocking the other DNS seeds, and your DNS seed was able to connect me to other peers.

    2021-09-27T03:20:41Z Loading addresses from DNS seed seed.signet.bitcoin.sprovoost.nl
    

    dig -6 -t AAAA @seed1.signet.bitcoin.sprovoost.nl seed.signet.bitcoin.sprovoost.nl does in fact NOT work, so if this is replacing an IPv6 node (even if the one being replaced does not work) we need to make sure this is working very soon. But I agree that it is not a blocking issue.

  14. Sjors commented at 9:48 AM on September 27, 2021: member

    If it doesn't work for you even with @seed1.signet.bitcoin.sprovoost.nl then there may be a problem with the IPv6 configuration on your end.

    Fortunately most people with an IPv6 connection can also connect to IPv4 DNS, from where they'll get a list of IPv6 peers. But indeed I would like it to work. I have the same problem with my testnet and mainnet seeds.

  15. shaavan approved
  16. shaavan commented at 12:26 PM on September 27, 2021: contributor

    ACK dc10ca346b138d8de88c7bf53b1d7e69cc63e989 Tested on Ubuntu 20.04

    The new DNS seed is working perfectly. I followed the instructions by @Sjors and was able to connect to peers through the DNS seed successfully.

    2021-09-27T12:05:45Z Loading addresses from DNS seed seed.signet.bitcoin.sprovoost.nl
    

    The command dig +trace -t AAA seed.signet.bitcoin.sprovoost.nl is working perfectly too. I was just curious though over why I was receiving the following warning when I ran this command.

    Warning, ignoring invalid type AAA
    

    For me, both dig -6 +trace -t AAA seed.signet.bitcoin.sprovoost.nl and dig -6 -t AAAA @seed1.signet.bitcoin.sprovoost.nl seed.signet.bitcoin.sprovoost.nl were not working. I shall check if there is some IPv6 configuration issue on my part and test the second command again.

  17. laanwj commented at 12:48 PM on September 27, 2021: member

    Thanks for testing everyone.

  18. laanwj merged this on Sep 27, 2021
  19. laanwj closed this on Sep 27, 2021

  20. Sjors commented at 1:24 PM on September 27, 2021: member

    @shaavan there should be 4 A's: -t AAAA
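
Added example, not part of the PR thread or of Bitcoin Core: a shell check for the two points made above, that the transport used to reach the name server (-4/-6) is independent of the record type returned (A/AAAA), and that a mistyped type such as AAA is only a warning to dig. The function names and the SEED_HOST / SEED_NS environment variables are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the PR. SEED_HOST / SEED_NS are hypothetical
# environment variable names used only to trigger a live run.

# Accept only A or AAAA. dig merely warns on an unknown type such as "AAA"
# and still runs a query, which hides the typo.
valid_type() {
    case "$1" in
        A|AAAA) return 0 ;;
        *) echo "invalid record type: $1" >&2; return 1 ;;
    esac
}

# Count stdin lines that are addresses of the given record type. Other
# `dig +short` output (CNAME targets, ";; ..." error lines) is not counted.
count_addrs() {
    valid_type "$1" || return 2
    if [ "$1" = A ]; then
        grep -Ec '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
    else
        grep -Eic '^[0-9a-f]*(:[0-9a-f]*){2,}$' || true
    fi
}

# Query a seed for both record types over both transports. -4/-6 select how
# the name server is reached; -t selects which address family is returned.
# Prints "<transport> <type> <count>" per combination; 0 means no answer.
check_seed() {
    seed=$1
    ns=${2:-}    # optional name server to query directly, e.g. the seed's NS
    for transport in -4 -6; do
        for rtype in A AAAA; do
            n=$(dig "$transport" ${ns:+"@$ns"} +short +time=3 +tries=1 \
                    -t "$rtype" "$seed" 2>/dev/null | count_addrs "$rtype")
            echo "$transport $rtype $n"
        done
    done
}

if [ -n "${SEED_HOST:-}" ]; then
    check_seed "$SEED_HOST" "${SEED_NS:-}"
fi
```

A row of zeros for -6 with non-zero counts for -4 points at the transport path to the name server, not at missing AAAA records.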

  21. Sjors deleted the branch on Sep 27, 2021
  22. sidhujag referenced this in commit 46aed02232 on Sep 27, 2021
  23. stratospher commented at 4:38 PM on September 27, 2021: contributor

    Post-merge tested ACK. Could connect to other peers via the DNS seed.

    2021-09-27T14:03:42Z Loading addresses from DNS seed seed.signet.bitcoin.sprovoost.nl

    Could reach the DNS seed using only IPv6 connectivity with dig -6 -t AAAA @seed1.signet.bitcoin.sprovoost.nl seed.signet.bitcoin.sprovoost.nl but not using dig -6 +trace -t AAAA seed.signet.bitcoin.sprovoost.nl

  24. in src/chainparams.cpp:285 in dc10ca346b
     279 | @@ -280,8 +280,10 @@ class SigNetParams : public CChainParams {
     280 |  
     281 |          if (!args.IsArgSet("-signetchallenge")) {
     282 |              bin = ParseHex("512103ad5e0edad18cb1f0fc0d28a3d4f1f3e445640337489abb10404f2d1e086be430210359ef5021964fe22d6f8e05b2463c9540ce96883fe3b278760f048f5189f2e6c452ae");
     283 | +            vSeeds.emplace_back("seed.signet.bitcoin.sprovoost.nl");
     284 | +
     285 | +            // TODO: remove hardcoded nodes once there are more DNS seeds
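
    Review bot: the TODO at line 285 gives no threshold ("more DNS seeds" is open-ended) and no reason why the hardcoded nodes should go, so nobody reading the file can tell when it is done. Either state the condition and the rationale in a plain comment without the TODO marker, or track the removal in an issue and leave the source uncommented.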
    


    MarcoFalke commented at 10:09 AM on September 28, 2021:

    I am generally not a fan of TODO in the source code, especially ones that are impossible to solve by writing code. This one requires someone to run a signet DNS seed node. There is no risk in keeping the hardcoded addresses, so the TODO can simply be removed. If you think it should be kept, a simple // Hardcoded addresses can be removed once there are more DNS seeds would achieve the same without any downside. Currently this is just another TODO that wastes the time of (new) developers that are looking for stuff that needs to be fixed.

    Even if this was something that can be fixed by writing code, I think we had a discussion to prefer GitHub (good first) issues over that.


    Sjors commented at 3:18 PM on September 28, 2021:

    There is no risk in keeping the hardcoded addresses, so the TODO can simply be removed.

    Actually there is a risk: the hardcoded nodes are worse in terms of privacy. Although this is not a big deal with Signet. Removing the word "TODO" is fine with me though.


    unknown commented at 6:26 PM on September 28, 2021:

    DNS seeds are bad in terms of security: https://bitcoin.stackexchange.com/questions/109852/dns-seeds-and-security

    EDIT: and privacy if not using DNS server or config options accordingly


    MarcoFalke commented at 6:30 PM on September 28, 2021:

    The hardcoded fallbacks aren't used when your peers.dat already contains peers' addresses.

    If the fallbacks are compromised, it will be bad for privacy/security regardless of whether they are retrieved from a hardcoded DNS or directly a hardcoded address.


    michaelfolkson commented at 6:47 PM on September 28, 2021:

    @prayank23: Blanket statements like "X is bad for security" and "Y is bad for privacy" aren't particularly helpful when you don't provide a comparison or discuss the trade-offs. Would you rather use hardcoded IP addresses than DNS seeds? Or would you rather a new node fails to find any peers rather than using hardcoded IP addresses or DNS seeds? The eclipse attack only works if the attacker controls all your peers. As long as you have one honest peer then you will receive valid blocks with sufficient proof of work that your attacker is unable to replicate. Hence using multiple DNS seeds in mainnet's case means the attacker would have to hack multiple domains. Not impossible but nothing is 100 percent secure. You just provide the best solution that is available. In signet's case we need more DNS seeds.


    unknown commented at 6:57 PM on September 28, 2021:

    @michaelfolkson

    Blanket statements like "X is bad for security" and "Y is bad for privacy" aren't particularly helpful when you don't provide a comparison or discuss the trade-offs. Would you rather use hardcoded IP addresses than DNS seeds?

    It's not a blanket statement. Has some background and I was assuming people involved in this discussion know what I am talking about.

    Would you rather use hardcoded IP addresses than DNS seeds?

    I will prefer using IP for 9 DNS seeds used by Bitcoin Core and reasons were discussed or obvious in IRC a few days back when we discussed with Sipa and Dhruv. Also change how things work and redirection remains for all.

    FYI: Indian government loves to ban things based on domains so web telegram didn't work here for a lot of ISPs but client worked because it used IPs and not domains. Other reasons for my comment are mentioned. If you need details on privacy thing: #22317


    michaelfolkson commented at 7:04 PM on September 28, 2021:

    I will prefer using IP for 9 DNS seeds used by Bitcoin Core

    So you are arguing to ditch DNS seeds entirely for mainnet in favor of hardcoded IP addresses? Or using a mixture of both DNS seeds and hardcoded IP addresses? The Signet approach is just copying the mainnet approach just with fewer DNS seeds.


    unknown commented at 7:10 PM on September 28, 2021:

    First let me clarify:

    My comment here was a response to Sjors and nothing else. I don't care what signet uses. Also I agree with the comment by MarcoFalke. It makes sense.

    So you are arguing to ditch DNS seeds entirely for mainnet in favor of hardcoded IP addresses? Or using a mixture of both DNS seeds and hardcoded IP addresses?

    I am saying let's use the same process as we do for Tor and 9 seeds have IP address that responds with p2p message and a lot of addresses in it. I have to trust 9 people, why not use IP for them?

  25. Sjors commented at 7:56 AM on September 29, 2021: member

    I see the TODO was already removed in https://github.com/bitcoin/bitcoin/pull/23122

  26. DrahtBot locked this on Oct 30, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-14 09:14 UTC
