chainparams: Add achow101 DNS seeder #30007
pull achow101 wants to merge 1 commits into bitcoin:master from achow101:my-dns-seed changing 1 files +3 −0-
achow101 commented at 6:55 pm on April 30, 2024: memberI wrote a DNS seeder and have been running it for the past 2 months now. I believe it is ready/good enough to be used as an additional DNS seeder for all of our supported public networks.
-
DrahtBot commented at 6:55 pm on April 30, 2024: contributor
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
Code Coverage
For detailed information about the code coverage, see the test coverage report.
Reviews
See the guideline for information on the review process.
Type Reviewers ACK mzumsande, willcl-ark, laanwj Concept ACK ariard, Sjors, virtu, kristapsk Stale ACK 1440000bytes If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.
-
in src/kernel/chainparams.cpp:250 in 6cb459aaea outdated
246@@ -246,6 +247,8 @@ class CTestNetParams : public CChainParams { 247 vSeeds.emplace_back("seed.tbtc.petertodd.net."); 248 vSeeds.emplace_back("seed.testnet.bitcoin.sprovoost.nl."); 249 vSeeds.emplace_back("testnet-seed.bluematt.me."); // Just a static list of stable node(s), only supports x9 250+ vSeeds.emplace_back("dnsseed.testnet.bitcoin.achow101.com"); // Ava Chow, only supports x1, x5, x9, x49, x809, x849, xd, x400, x404, x408, x448, xc08, xc48, x40c
laanwj commented at 7:21 pm on April 30, 2024:Looks like it’s missing “.” at the end (all the other seeder DNS names have this)–same for the testnet one
achow101 commented at 7:59 pm on April 30, 2024:Doneachow101 force-pushed on Apr 30, 2024laanwj added the label P2P on Apr 30, 2024laanwj commented at 10:01 am on May 1, 2024: memberConcept ACK
0Flags: x9 1Status DNS name Totals IPv4 IPv6 2 nconn/n nconn/n TTL nconn/n TTL 3* mainnet 4OK seed.bitcoin.sipa.be. 25/25 25/25 2640 0/0 5OK dnsseed.bluematt.me. 29/31 20/21 60 9/10 60 6OK dnsseed.bitcoin.dashjr-list-of-p2p-nodes 22/22 22/22 2644 0/0 7ERR seed.bitcoinstats.com. 0/0 SERVFAIL SERVFAIL 8ERR seed.bitcoin.jonasschnelli.ch. 0/0 SERVFAIL SERVFAIL 9OK seed.btc.petertodd.net. 11/36 7/23 2705 4/13 3600 10OK seed.bitcoin.sprovoost.nl. 22/36 15/23 2705 7/13 3600 11OK dnsseed.emzy.de. 35/39 21/25 2764 14/14 3600 12OK seed.bitcoin.wiz.biz. 23/31 16/21 60 7/10 60 13OK dnsseed.mainnet.bitcoin.achow101.com. 38/40 20/20 30 18/20 30 14 15* testnet 16NONE testnet-seed.bitcoin.jonasschnelli.ch. 0/0 0/0 0/0 17OK seed.tbtc.petertodd.net. 15/36 9/23 2841 6/13 3600 18NONE testnet-seed.bluematt.me. 0/0 0/0 0/0 19NONE seed.testnet.bitcoin.sprovoost.nl. 0/0 0/0 0/0 20OK dnsseed.testnet.bitcoin.achow101.com. 31/40 15/20 30 16/20 29 21 22* signet 23NONE seed.signet.bitcoin.sprovoost.nl. 0/0 0/0 0/0 24OK dnsseed.signet.bitcoin.achow101.com. 30/40 15/20 30 15/20 30
- Returns a good number of results (20 per query), of which a large fraction tends to be connectable within one second.
A TTL of 30 seconds is low compared to the others. FWIW, in dnsseed-policy.md a minimum of 60 seconds is mentioned.(this was fixed and changed to 60)
willcl-ark commented at 10:15 am on May 1, 2024: memberConcept ACK
Some of our DNS seeds are currently not performing well, so adding a new/more reliable one seems logical to me.
I have also been running this seeder myself for some time (at seed.bitcoin.fish.foo) and the program seems to work well from the operator side too, not requiring any intervention in the few weeks i’ve been running it.
I ran a different test to @laanwj on mainnet IPV4 only, and did find seeds generally returning results:
0Results: 1 2seed.bitcoin.sipa.be. 3 x1 responses: 25 4 x5 responses: 25 5 x9 responses: 25 6 xd responses: 25 7 8dnsseed.bluematt.me. 9 x9 responses: 21 10 11dnsseed.bitcoin.dashjr-list-of-p2p-nodes.us. 12 (no flag) responses: 22 13 x9 responses: 22 14 15seed.bitcoinstats.com. 16 x1 responses: 17 17 x2 responses: 17 18 x3 responses: 17 19 x4 responses: 17 20 x5 responses: 17 21 x6 responses: 17 22 x7 responses: 17 23 x8 responses: 17 24 x9 responses: 17 25 xa responses: 17 26 xb responses: 17 27 xc responses: 17 28 xd responses: 17 29 xe responses: 17 30 xf responses: 17 31 32seed.bitcoin.jonasschnelli.ch. 33 x1 responses: 23 34 x5 responses: 23 35 x9 responses: 23 36 xd responses: 23 37 38seed.btc.petertodd.net. 39 x1 responses: 23 40 x5 responses: 23 41 x9 responses: 23 42 xd responses: 23 43 44seed.bitcoin.sprovoost.nl. 45 (no flag) responses: 23 46 x9 responses: 23 47 48dnsseed.emzy.de. 49 (no flag) responses: 26 50 x9 responses: 25 51 52seed.bitcoin.wiz.biz. 53 (no flag) responses: 21 54 x9 responses: 21 55 56dnsseed.mainnet.bitcoin.achow101.com. 57 x1 responses: 20 58 x5 responses: 20 59 x9 responses: 20 60 x49 responses: 20 61 x809 responses: 20 62 x849 responses: 20 63 xd responses: 20 64 x400 responses: 20 65 x404 responses: 20 66 x408 responses: 20 67 x448 responses: 20 68 xc08 responses: 20 69 xc48 responses: 20 70 x40c responses: 20
I will try to expand my test script soon to include testnet and also to query whether the flags are accurate for returned results so I can verify both this new seed, and existing seeds.
achow101 commented at 3:56 pm on May 1, 2024: memberA TTL of 30 seconds is low compared to the others. FWIW, in dnsseed-policy.md a minimum of 60 seconds is mentioned.
I’ve changed it to 60 seconds.
mzumsande commented at 4:28 pm on May 1, 2024: contributor@virtu FYI, would it be easily possible to run some of the metrics of https://21.ninja/dns-seeds/ for this new seeder?ariard commented at 2:47 am on May 2, 2024: memberConcept ACK.
By the way, it would be great if mainnet DNS seeders are considering to sign by default the peers records. This could be amply checked in
ThreadDNSAddressSeed()
or in semi-automatic fashion in the logs. ECDSA secp256k1 isn’t supported by default in DNS, though you have ed25519 or ECDSA P256 which are widely supported by key management softwares.laanwj commented at 6:46 am on May 2, 2024: memberBy the way, it would be great if mainnet DNS seeders are considering to sign by default the peers records. This could be amply checked in ThreadDNSAddressSeed()
There are some that do (#19714), but as far as i know, there is no cross-platform API for checking DNSSEC status from user code. i’ve unlocked that issue for discussion.
virtu commented at 10:25 am on May 2, 2024: contributor@virtu FYI, would it be easily possible to run some of the metrics of https://21.ninja/dns-seeds/ for this new seeder?
Concept ACK @mzumsande, the seed is now being monitored on dev.21.ninja.
There may be some graph artifacts until a second data point becomes available. But so far data looks good: 40 advertised addresses (half of them ipv4, the other ipv6), and 35 of them reachable.
1440000bytes commented at 4:02 am on May 3, 2024: noneWhy does the seeder consider ‘default port’ for good nodes?achow101 commented at 4:13 am on May 3, 2024: memberWhy does the seeder consider ‘default port’ for good nodes?
DNS cannot provide port numbers, but a port must be known when connecting to a node. So we assume the default port, and because of that assumption, DNS seeders need to return nodes that are listening on the default port.
Sjors commented at 7:15 am on May 3, 2024: memberConcept ACK
There’s discussion in #29911 about whether we should mention the specific feature bits here.
I tested that the mainnet seed result returns both IPv4 and IPv6 records and tried to connect to a random result. I didn’t do any fancier analysis.
1440000bytes commented at 2:54 pm on May 3, 2024: noneConcept ACK on adding another DNS seeder
Why does the seeder consider ‘default port’ for good nodes?
DNS cannot provide port numbers, but a port must be known when connecting to a node. So we assume the default port, and because of that assumption, DNS seeders need to return nodes that are listening on the default port.
TXT records could work but that will require lot of other changes (out of scope)
laanwj commented at 4:28 pm on May 4, 2024: memberTXT records could work but that will require lot of other changes (out of scope)
Right-DNS can serve arbitrary information, but it would complicate things in the client: the cross-platform libc resolver,
getaddrinfo
, can only resolve addresses. So for that’d we’d need to add some dependency library for DNS resolving. The question is whether it’s worth it.Also, IIRC caching DNS servers don’t always cache TXT records (because they can store arbitrary data); the caching and the privacy that comes with it, is the advantage of using DNS in the first place, over simply using bitcoin protocol for seeding.
Mind that the DNS seeds are only an entry point to the network. The gossip network itself can handle alternative ports fine, so from that point on, nodes with other ports can be discovered by a node. In the main threat scenario that would make this entry point useless, a hypothetical future where port 8333 would be blocked by ISPs, it’s extremely likely that the DNS seeds would also be blocked entirely as they’re easy to enumerate.
achow101 commented at 2:24 am on May 5, 2024: memberI’ve implemented DNSSEClaanwj commented at 8:18 am on May 5, 2024: memberI’ve implemented DNSSEC
That’s neat!
i think it’s still missing some part, resolving through Google’s DNS (which has more verbose error messages than my ISP) gives:
0$ dig x9.dnsseed.signet.bitcoin.achow101.com. [@1](/bitcoin-bitcoin/contributor/1/).1.1.1 1⋮ 2;; OPT PSEUDOSECTION: 3; EDNS: version: 0, flags:; udp: 1232 4; EDE: 10 (RRSIGs Missing): (failed to verify signatures for x9.dnsseed.signet.bitcoin.achow101.com. opt-out proof) 5⋮
achow101 commented at 5:39 pm on May 5, 2024: memberi think it’s still missing some part, resolving through Google’s DNS (which has more verbose error messages than my ISP) gives:
Should be fixed now
laanwj approvedlaanwj commented at 9:38 pm on May 5, 2024: memberAll good now!
ACK ee218aa9a9eaac53030c31b099b4afe354197ba7
DrahtBot requested review from willcl-ark on May 5, 2024DrahtBot requested review from ariard on May 5, 2024DrahtBot requested review from Sjors on May 5, 20241440000bytes approved1440000bytes commented at 11:51 am on May 6, 2024: nonekristapsk commented at 6:36 pm on May 7, 2024: contributorConcept ACK on using different software for various DNS seeders. Need to do more review / testing on this one.willcl-ark approvedwillcl-ark commented at 2:12 pm on May 20, 2024: memberACK ee218aa9a9eaac53030c31b099b4afe354197ba7
I checked that these seeds return diverse and (mainly) active node addresses (although not in a scripted way, but by
addnode
-ing a random selection of each).I also checked DNSSEC setup using Verisign’s DNSSEC debugger tool for each of them, which they all passed.
achow101 commented at 10:20 pm on June 4, 2024: memberAnything left to do here?
Are you sure you want to put this on a common domain with other things?
I don’t think this will be an issue.
achow101 commented at 2:41 am on June 5, 2024: memberAre you sure you want to put this on a common domain with other things?
I don’t think this will be an issue.
Actually on second thought I will switch this to a different domain.
chainparams: Add achow101 DNS seeder 2721d64989achow101 force-pushed on Jun 5, 2024achow101 commented at 3:25 am on June 5, 2024: memberUpdated root domain toachownodes.xyz
1440000bytes approved1440000bytes commented at 10:34 am on June 15, 2024: noneDrahtBot added the label CI failed on Jun 18, 2024mzumsande commented at 4:42 pm on June 18, 2024: contributorACK 2721d64989c2b2114890586b7efd01ab4b062ca6DrahtBot requested review from willcl-ark on Jun 18, 2024DrahtBot requested review from laanwj on Jun 18, 2024DrahtBot removed the label CI failed on Jun 18, 2024willcl-ark approvedwillcl-ark commented at 10:54 am on June 19, 2024: memberreACK 2721d64989c2b2114890586b7efd01ab4b062ca6
Retested that the seed on the new domain for each chain is returning good addresses.
1440000bytes commented at 9:20 pm on June 25, 2024: noneI was not sure about .xyz domain for a bitcoin DNS seed based on things that I have read. Still ACKed it because I have been using .xyz domain for joinstr and had no issues. After recent fedimint incident I think
achownodes.xyz
will also get suspended sooner or later. So retracted my ACK.DNS seed domains resolve to lot of IP addresses which may host some website. Its possible that someone will report it or it will get red flagged by automated systems.
DrahtBot requested review from 1440000bytes on Jun 25, 2024achow101 commented at 10:37 pm on June 25, 2024: memberAfter recent fedimint incident I think
achownodes.xyz
will also get suspended sooner or later.That is a risk of using anything DNS as the registry operator can seize them. But I think it’s preferable to have more DNS seeders so that we are not overly reliant on a few of them. Furthermore, DNS seeders are not critical infrastructure - one being shut down does not really impact the network that much. They’re also easily portable and changing domains is not difficult.
DNS seed domains resolve to lot of IP addresses which may host some website. Its possible that someone will report it or it will get red flagged by automated systems.
The actual sites on this domain have HSTS enabled with subdomain inclusion, although you have to visit those sites for the browser to know about that. I’ve also submitted it to the HSTS preload list. Once a browser knows it has HSTS enabled (whether by visiting the actual sites or through the preload list), the random sites people have on their node IPs should stop loading as they will not have a valid certificate for the domain.
laanwj commented at 8:38 am on June 26, 2024: memberACK 2721d64989c2b2114890586b7efd01ab4b062ca6 Adding a DNS seed adds redundancy, so does spreading them over as many top-level domains as possible, so i don’t think “this domain might get blocked” is ever an argument against this.fanquake merged this on Jun 26, 2024fanquake closed this on Jun 26, 2024
Sjors commented at 11:56 am on June 26, 2024: memberThe actual sites on this domain have HSTS enabled with subdomain inclusion, although you have to visit those sites for the browser to know about that. I’ve also submitted it to the HSTS preload list.
Oh that’s a good idea…
This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-21 15:12 UTC
More mirrored repositories can be found on mirror.b10c.me