chainparams: Add achow101 DNS seeder #30007

achow101 wants to merge 1 commit into bitcoin:master from achow101:my-dns-seed, changing 1 file (+3 −0)
  1. achow101 commented at 6:55 pm on April 30, 2024: member
    I wrote a DNS seeder and have been running it for the past 2 months now. I believe it is ready/good enough to be used as an additional DNS seeder for all of our supported public networks.
  2. DrahtBot commented at 6:55 pm on April 30, 2024: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage

    For detailed information about the code coverage, see the test coverage report.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK mzumsande, willcl-ark, laanwj
    Concept ACK ariard, Sjors, virtu, kristapsk
    Stale ACK 1440000bytes

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  3. in src/kernel/chainparams.cpp:250 in 6cb459aaea outdated
    246@@ -246,6 +247,8 @@ class CTestNetParams : public CChainParams {
    247         vSeeds.emplace_back("seed.tbtc.petertodd.net.");
    248         vSeeds.emplace_back("seed.testnet.bitcoin.sprovoost.nl.");
    249         vSeeds.emplace_back("testnet-seed.bluematt.me."); // Just a static list of stable node(s), only supports x9
    250+        vSeeds.emplace_back("dnsseed.testnet.bitcoin.achow101.com"); // Ava Chow, only supports x1, x5, x9, x49, x809, x849, xd, x400, x404, x408, x448, xc08, xc48, x40c
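    Review bot: the new entry is the only one in this hunk without a trailing dot (compare `seed.tbtc.petertodd.net.` and `testnet-seed.bluematt.me.` just above); without it the name is not fully qualified and a resolver may append search-domain suffixes before querying, so it should read `vSeeds.emplace_back("dnsseed.testnet.bitcoin.achow101.com.");`. The long list of supported x-flags in the trailing comment is also easy to leave stale when the seeder's filters change; the shorter form the neighbouring entries use is safer.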
    


    laanwj commented at 7:21 pm on April 30, 2024:
    Looks like it’s missing “.” at the end (all the other seeder DNS names have this) – same for the testnet one

    achow101 commented at 7:59 pm on April 30, 2024:
    Done
  4. achow101 force-pushed on Apr 30, 2024
  5. laanwj added the label P2P on Apr 30, 2024
  6. laanwj commented at 10:01 am on May 1, 2024: member

    Concept ACK

    Flags: x9
    Status DNS name                                 Totals     IPv4                  IPv6
                                                    nconn/n    nconn/n           TTL nconn/n           TTL
    * mainnet
    OK     seed.bitcoin.sipa.be.                    25/25      25/25            2640 0/0
    OK     dnsseed.bluematt.me.                     29/31      20/21              60 9/10               60
    OK     dnsseed.bitcoin.dashjr-list-of-p2p-nodes 22/22      22/22            2644 0/0
    ERR    seed.bitcoinstats.com.                   0/0        SERVFAIL              SERVFAIL
    ERR    seed.bitcoin.jonasschnelli.ch.           0/0        SERVFAIL              SERVFAIL
    OK     seed.btc.petertodd.net.                  11/36      7/23             2705 4/13             3600
    OK     seed.bitcoin.sprovoost.nl.               22/36      15/23            2705 7/13             3600
    OK     dnsseed.emzy.de.                         35/39      21/25            2764 14/14            3600
    OK     seed.bitcoin.wiz.biz.                    23/31      16/21              60 7/10               60
    OK     dnsseed.mainnet.bitcoin.achow101.com.    38/40      20/20              30 18/20              30

    * testnet
    NONE   testnet-seed.bitcoin.jonasschnelli.ch.   0/0        0/0                   0/0
    OK     seed.tbtc.petertodd.net.                 15/36      9/23             2841 6/13             3600
    NONE   testnet-seed.bluematt.me.                0/0        0/0                   0/0
    NONE   seed.testnet.bitcoin.sprovoost.nl.       0/0        0/0                   0/0
    OK     dnsseed.testnet.bitcoin.achow101.com.    31/40      15/20              30 16/20              29

    * signet
    NONE   seed.signet.bitcoin.sprovoost.nl.        0/0        0/0                   0/0
    OK     dnsseed.signet.bitcoin.achow101.com.     30/40      15/20              30 15/20              30
    
    • Returns a good number of results (20 per query), of which a large fraction tends to be connectable within one second.
    • A TTL of 30 seconds is low compared to the others. FWIW, in dnsseed-policy.md a minimum of 60 seconds is mentioned. (this was fixed and changed to 60)
  7. willcl-ark commented at 10:15 am on May 1, 2024: member

    Concept ACK

    Some of our DNS seeds are currently not performing well, so adding a new/more reliable one seems logical to me.

    I have also been running this seeder myself for some time (at seed.bitcoin.fish.foo) and the program seems to work well from the operator side too, not requiring any intervention in the few weeks i’ve been running it.

    I ran a different test to @laanwj on mainnet IPV4 only, and did find seeds generally returning results:

    Results:

    seed.bitcoin.sipa.be.
      x1         responses: 25
      x5         responses: 25
      x9         responses: 25
      xd         responses: 25

    dnsseed.bluematt.me.
      x9         responses: 21

    dnsseed.bitcoin.dashjr-list-of-p2p-nodes.us.
      (no flag)  responses: 22
      x9         responses: 22

    seed.bitcoinstats.com.
      x1         responses: 17
      x2         responses: 17
      x3         responses: 17
      x4         responses: 17
      x5         responses: 17
      x6         responses: 17
      x7         responses: 17
      x8         responses: 17
      x9         responses: 17
      xa         responses: 17
      xb         responses: 17
      xc         responses: 17
      xd         responses: 17
      xe         responses: 17
      xf         responses: 17

    seed.bitcoin.jonasschnelli.ch.
      x1         responses: 23
      x5         responses: 23
      x9         responses: 23
      xd         responses: 23

    seed.btc.petertodd.net.
      x1         responses: 23
      x5         responses: 23
      x9         responses: 23
      xd         responses: 23

    seed.bitcoin.sprovoost.nl.
      (no flag)  responses: 23
      x9         responses: 23

    dnsseed.emzy.de.
      (no flag)  responses: 26
      x9         responses: 25

    seed.bitcoin.wiz.biz.
      (no flag)  responses: 21
      x9         responses: 21

    dnsseed.mainnet.bitcoin.achow101.com.
      x1         responses: 20
      x5         responses: 20
      x9         responses: 20
      x49        responses: 20
      x809       responses: 20
      x849       responses: 20
      xd         responses: 20
      x400       responses: 20
      x404       responses: 20
      x408       responses: 20
      x448       responses: 20
      xc08       responses: 20
      xc48       responses: 20
      x40c       responses: 20
    

    I will try to expand my test script soon to include testnet and also to query whether the flags are accurate for returned results so I can verify both this new seed, and existing seeds.

  8. achow101 commented at 3:56 pm on May 1, 2024: member

    A TTL of 30 seconds is low compared to the others. FWIW, in dnsseed-policy.md a minimum of 60 seconds is mentioned.

    I’ve changed it to 60 seconds.

  9. mzumsande commented at 4:28 pm on May 1, 2024: contributor
    @virtu FYI, would it be easily possible to run some of the metrics of https://21.ninja/dns-seeds/ for this new seeder?
  10. ariard commented at 2:47 am on May 2, 2024: member

    Concept ACK.

    By the way, it would be great if mainnet DNS seeders are considering to sign by default the peers records. This could be amply checked in ThreadDNSAddressSeed() or in semi-automatic fashion in the logs. ECDSA secp256k1 isn’t supported by default in DNS, though you have ed25519 or ECDSA P256 which are widely supported by key management software.

  11. laanwj commented at 6:46 am on May 2, 2024: member

    By the way, it would be great if mainnet DNS seeders are considering to sign by default the peers records. This could be amply checked in ThreadDNSAddressSeed()

    There are some that do (#19714), but as far as i know, there is no cross-platform API for checking DNSSEC status from user code. i’ve unlocked that issue for discussion.

  12. virtu commented at 10:25 am on May 2, 2024: contributor

    @virtu FYI, would it be easily possible to run some of the metrics of https://21.ninja/dns-seeds/ for this new seeder?

    Concept ACK @mzumsande, the seed is now being monitored on dev.21.ninja.

    There may be some graph artifacts until a second data point becomes available. But so far data looks good: 40 advertised addresses (half of them ipv4, the other ipv6), and 35 of them reachable.

  13. 1440000bytes commented at 4:02 am on May 3, 2024: none
    Why does the seeder consider ‘default port’ for good nodes?
  14. achow101 commented at 4:13 am on May 3, 2024: member

    Why does the seeder consider ‘default port’ for good nodes?

    DNS cannot provide port numbers, but a port must be known when connecting to a node. So we assume the default port, and because of that assumption, DNS seeders need to return nodes that are listening on the default port.
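    The three checks this thread applies to a seeder, the `x<hex>` service-bit filter labels in the test output above, the 60-second TTL floor from dnsseed-policy.md, and the default-port rule explained here, modelled in one place as an added Python example (not code from Bitcoin Core or the seeder). It assumes the `x<hex>` label convention of sipa's bitcoin-seeder (hex service mask as a subdomain prefix), takes the service-bit values from Bitcoin Core's protocol.h, and runs on constructed node data; the function names are illustrative.

```python
import ipaddress

# Service bits as defined in Bitcoin Core's protocol.h; a seeder label
# "x<hex>" asks for nodes whose advertised services include every bit in <hex>.
SERVICE_BITS = {
    1 << 0: "NODE_NETWORK",
    1 << 2: "NODE_BLOOM",
    1 << 3: "NODE_WITNESS",
    1 << 6: "NODE_COMPACT_FILTERS",
    1 << 10: "NODE_NETWORK_LIMITED",
    1 << 11: "NODE_P2P_V2",
}
MIN_TTL = 60  # seconds; the dnsseed-policy.md minimum cited in the thread

def query_name(seed: str, required: int) -> str:
    """Client side: prefix the seed with the hex service mask, e.g. 0x9 -> 'x9.<seed>'."""
    return f"x{required:x}.{seed}" if required else seed

def decode_flag_label(label: str) -> list[str]:
    """Map an 'x<hex>' label back to the service-bit names it requires."""
    if not label.startswith("x"):
        raise ValueError("not a service-bit filter label")
    mask = int(label[1:], 16)
    if mask & ~sum(SERVICE_BITS):  # sum of the dict keys = every known bit
        raise ValueError(f"unknown service bits in {label}")
    return [name for bit, name in SERVICE_BITS.items() if mask & bit]

def select_servable(label, crawled, default_port=8333):
    """Seeder side: answer only nodes that carry every requested bit AND listen on
    the default port, since A/AAAA records carry no port and clients assume it."""
    mask = int(label[1:], 16)
    v4, v6 = [], []
    for addr, port, services in crawled:
        if port != default_port or services & mask != mask:
            continue
        (v6 if ipaddress.ip_address(addr).version == 6 else v4).append(addr)
    return v4, v6

def ttl_ok(ttl: int) -> bool:
    """Policy check from the thread: a 30 s TTL is too low, 60 s is the floor."""
    return ttl >= MIN_TTL

# Constructed sample of a seeder's crawl results (address, port, services); not real nodes.
CRAWLED = [
    ("203.0.113.10", 8333, 0x409),  # NETWORK | WITNESS | NETWORK_LIMITED
    ("203.0.113.11", 8334, 0x409),  # same services, non-default port: never served
    ("203.0.113.12", 8333, 0x401),  # no NODE_WITNESS: fails x9 but passes x1
    ("2001:db8::1", 8333, 0xc49),   # x9 plus COMPACT_FILTERS, LIMITED and P2P_V2
    ("2001:db8::2", 8333, 0x1),     # NODE_NETWORK only
]
```

    Run `select_servable("x9", CRAWLED)` to see that only the two default-port nodes with both NODE_NETWORK and NODE_WITNESS survive, one per address family.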

  15. Sjors commented at 7:15 am on May 3, 2024: member

    Concept ACK

    There’s discussion in #29911 about whether we should mention the specific feature bits here.

    I tested that the mainnet seed result returns both IPv4 and IPv6 records and tried to connect to a random result. I didn’t do any fancier analysis.

  16. 1440000bytes commented at 2:54 pm on May 3, 2024: none

    Concept ACK on adding another DNS seeder

    Why does the seeder consider ‘default port’ for good nodes?

    DNS cannot provide port numbers, but a port must be known when connecting to a node. So we assume the default port, and because of that assumption, DNS seeders need to return nodes that are listening on the default port.

    TXT records could work but that will require a lot of other changes (out of scope)

  17. laanwj commented at 4:28 pm on May 4, 2024: member

    TXT records could work but that will require a lot of other changes (out of scope)

    Right – DNS can serve arbitrary information, but it would complicate things in the client: the cross-platform libc resolver, getaddrinfo, can only resolve addresses. So for that we’d need to add some dependency library for DNS resolving. The question is whether it’s worth it.

    Also, IIRC caching DNS servers don’t always cache TXT records (because they can store arbitrary data); the caching and the privacy that comes with it, is the advantage of using DNS in the first place, over simply using bitcoin protocol for seeding.

    Mind that the DNS seeds are only an entry point to the network. The gossip network itself can handle alternative ports fine, so from that point on, nodes with other ports can be discovered by a node. In the main threat scenario that would make this entry point useless, a hypothetical future where port 8333 would be blocked by ISPs, it’s extremely likely that the DNS seeds would also be blocked entirely as they’re easy to enumerate.

  18. achow101 commented at 2:24 am on May 5, 2024: member
    I’ve implemented DNSSEC
  19. laanwj commented at 8:18 am on May 5, 2024: member

    I’ve implemented DNSSEC

    That’s neat!

    i think it’s still missing some part, resolving through Google’s DNS (which has more verbose error messages than my ISP) gives:

    $ dig x9.dnsseed.signet.bitcoin.achow101.com. @1.1.1.1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; EDE: 10 (RRSIGs Missing): (failed to verify signatures for x9.dnsseed.signet.bitcoin.achow101.com. opt-out proof)

  20. achow101 commented at 5:39 pm on May 5, 2024: member

    i think it’s still missing some part, resolving through Google’s DNS (which has more verbose error messages than my ISP) gives:

    Should be fixed now

  21. laanwj approved
  22. laanwj commented at 9:38 pm on May 5, 2024: member

    All good now!

    ACK ee218aa9a9eaac53030c31b099b4afe354197ba7

  23. DrahtBot requested review from willcl-ark on May 5, 2024
  24. DrahtBot requested review from ariard on May 5, 2024
  25. DrahtBot requested review from Sjors on May 5, 2024
  26. 1440000bytes approved
  27. luke-jr commented at 6:17 pm on May 7, 2024: member
    @achow101 Are you sure you want to put this on a common domain with other things?
  28. kristapsk commented at 6:36 pm on May 7, 2024: contributor
    Concept ACK on using different software for various DNS seeders. Need to do more review / testing on this one.
  29. willcl-ark approved
  30. willcl-ark commented at 2:12 pm on May 20, 2024: member

    ACK ee218aa9a9eaac53030c31b099b4afe354197ba7

    I checked that these seeds return diverse and (mainly) active node addresses (although not in a scripted way, but by addnode-ing a random selection of each).

    I also checked DNSSEC setup using Verisign’s DNSSEC debugger tool for each of them, which they all passed.

  31. achow101 commented at 10:20 pm on June 4, 2024: member

    Anything left to do here?


    Are you sure you want to put this on a common domain with other things?

    I don’t think this will be an issue.

  32. achow101 commented at 2:41 am on June 5, 2024: member

    Are you sure you want to put this on a common domain with other things?

    I don’t think this will be an issue.

    Actually on second thought I will switch this to a different domain.

  33. chainparams: Add achow101 DNS seeder 2721d64989
  34. achow101 force-pushed on Jun 5, 2024
  35. achow101 commented at 3:25 am on June 5, 2024: member
    Updated root domain to achownodes.xyz
  36. 1440000bytes approved
  37. DrahtBot added the label CI failed on Jun 18, 2024
  38. mzumsande commented at 4:42 pm on June 18, 2024: contributor
    ACK 2721d64989c2b2114890586b7efd01ab4b062ca6
  39. DrahtBot requested review from willcl-ark on Jun 18, 2024
  40. DrahtBot requested review from laanwj on Jun 18, 2024
  41. DrahtBot removed the label CI failed on Jun 18, 2024
  42. willcl-ark approved
  43. willcl-ark commented at 10:54 am on June 19, 2024: member

    reACK 2721d64989c2b2114890586b7efd01ab4b062ca6

    Retested that the seed on the new domain for each chain is returning good addresses.

  44. 1440000bytes commented at 9:20 pm on June 25, 2024: none

    I was not sure about .xyz domain for a bitcoin DNS seed based on things that I have read. Still ACKed it because I have been using .xyz domain for joinstr and had no issues. After recent fedimint incident I think achownodes.xyz will also get suspended sooner or later. So retracted my ACK.

    DNS seed domains resolve to a lot of IP addresses which may host some website. It’s possible that someone will report it or it will get red-flagged by automated systems.

  45. DrahtBot requested review from 1440000bytes on Jun 25, 2024
  46. achow101 commented at 10:37 pm on June 25, 2024: member

    After recent fedimint incident I think achownodes.xyz will also get suspended sooner or later.

    That is a risk of using anything DNS as the registry operator can seize them. But I think it’s preferable to have more DNS seeders so that we are not overly reliant on a few of them. Furthermore, DNS seeders are not critical infrastructure - one being shut down does not really impact the network that much. They’re also easily portable and changing domains is not difficult.

    DNS seed domains resolve to a lot of IP addresses which may host some website. It’s possible that someone will report it or it will get red-flagged by automated systems.

    The actual sites on this domain have HSTS enabled with subdomain inclusion, although you have to visit those sites for the browser to know about that. I’ve also submitted it to the HSTS preload list. Once a browser knows it has HSTS enabled (whether by visiting the actual sites or through the preload list), the random sites people have on their node IPs should stop loading as they will not have a valid certificate for the domain.

  47. laanwj commented at 8:38 am on June 26, 2024: member
    ACK 2721d64989c2b2114890586b7efd01ab4b062ca6 Adding a DNS seed adds redundancy, so does spreading them over as many top-level domains as possible, so i don’t think “this domain might get blocked” is ever an argument against this.
  48. fanquake merged this on Jun 26, 2024
  49. fanquake closed this on Jun 26, 2024

  50. Sjors commented at 11:56 am on June 26, 2024: member

    The actual sites on this domain have HSTS enabled with subdomain inclusion, although you have to visit those sites for the browser to know about that. I’ve also submitted it to the HSTS preload list.

    Oh that’s a good idea…


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-21 15:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me