chainparams: Add achow101 DNS seeder

achow101 commented at 6:55 pm on April 30, 2024: member

I wrote a DNS seeder and have been running it for the past 2 months now. I believe it is ready/good enough to be used as an additional DNS seeder for all of our supported public networks.

DrahtBot commented at 6:55 pm on April 30, 2024: contributor

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	mzumsande, willcl-ark, laanwj
Concept ACK	ariard, Sjors, virtu, kristapsk
Stale ACK	1440000bytes

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

in src/kernel/chainparams.cpp:250 in 6cb459aaea outdated

246@@ -246,6 +247,8 @@ class CTestNetParams : public CChainParams {
247         vSeeds.emplace_back("seed.tbtc.petertodd.net.");
248         vSeeds.emplace_back("seed.testnet.bitcoin.sprovoost.nl.");
249         vSeeds.emplace_back("testnet-seed.bluematt.me."); // Just a static list of stable node(s), only supports x9
250+        vSeeds.emplace_back("dnsseed.testnet.bitcoin.achow101.com"); // Ava Chow, only supports x1, x5, x9, x49, x809, x849, xd, x400, x404, x408, x448, xc08, xc48, x40c

laanwj commented at 7:21 pm on April 30, 2024:

Looks like it’s missing “.” at the end (all the other seeder DNS names have this)–same for the testnet one

achow101 commented at 7:59 pm on April 30, 2024:

Done

achow101 force-pushed on Apr 30, 2024

laanwj added the label P2P on Apr 30, 2024

laanwj commented at 10:01 am on May 1, 2024: member

Concept ACK

 0Flags: x9
 1Status DNS name                                 Totals     IPv4                  IPv6
 2                                                nconn/n    nconn/n           TTL nconn/n           TTL
 3* mainnet
 4OK     seed.bitcoin.sipa.be.                    25/25      25/25            2640 0/0
 5OK     dnsseed.bluematt.me.                     29/31      20/21              60 9/10               60
 6OK     dnsseed.bitcoin.dashjr-list-of-p2p-nodes 22/22      22/22            2644 0/0
 7ERR    seed.bitcoinstats.com.                   0/0        SERVFAIL              SERVFAIL
 8ERR    seed.bitcoin.jonasschnelli.ch.           0/0        SERVFAIL              SERVFAIL
 9OK     seed.btc.petertodd.net.                  11/36      7/23             2705 4/13             3600
10OK     seed.bitcoin.sprovoost.nl.               22/36      15/23            2705 7/13             3600
11OK     dnsseed.emzy.de.                         35/39      21/25            2764 14/14            3600
12OK     seed.bitcoin.wiz.biz.                    23/31      16/21              60 7/10               60
13OK     dnsseed.mainnet.bitcoin.achow101.com.    38/40      20/20              30 18/20              30
14
15* testnet
16NONE   testnet-seed.bitcoin.jonasschnelli.ch.   0/0        0/0                   0/0
17OK     seed.tbtc.petertodd.net.                 15/36      9/23             2841 6/13             3600
18NONE   testnet-seed.bluematt.me.                0/0        0/0                   0/0
19NONE   seed.testnet.bitcoin.sprovoost.nl.       0/0        0/0                   0/0
20OK     dnsseed.testnet.bitcoin.achow101.com.    31/40      15/20              30 16/20              29
21
22* signet
23NONE   seed.signet.bitcoin.sprovoost.nl.        0/0        0/0                   0/0
24OK     dnsseed.signet.bitcoin.achow101.com.     30/40      15/20              30 15/20              30

Returns a good number of results (20 per query), of which a large fraction tends to be connectable within one second.
~~A TTL of 30 seconds is low compared to the others. FWIW, in dnsseed-policy.md a minimum of 60 seconds is mentioned.~~ (this was fixed and changed to 60)

willcl-ark commented at 10:15 am on May 1, 2024: member

Concept ACK

Some of our DNS seeds are currently not performing well, so adding a new/more reliable one seems logical to me.

I have also been running this seeder myself for some time (at seed.bitcoin.fish.foo) and the program seems to work well from the operator side too, not requiring any intervention in the few weeks i’ve been running it.

I ran a different test to @laanwj on mainnet IPV4 only, and did find seeds generally returning results:

 0Results:
 1
 2seed.bitcoin.sipa.be.
 3  x1         responses: 25
 4  x5         responses: 25
 5  x9         responses: 25
 6  xd         responses: 25
 7
 8dnsseed.bluematt.me.
 9  x9         responses: 21
10
11dnsseed.bitcoin.dashjr-list-of-p2p-nodes.us.
12  (no flag)  responses: 22
13  x9         responses: 22
14
15seed.bitcoinstats.com.
16  x1         responses: 17
17  x2         responses: 17
18  x3         responses: 17
19  x4         responses: 17
20  x5         responses: 17
21  x6         responses: 17
22  x7         responses: 17
23  x8         responses: 17
24  x9         responses: 17
25  xa         responses: 17
26  xb         responses: 17
27  xc         responses: 17
28  xd         responses: 17
29  xe         responses: 17
30  xf         responses: 17
31
32seed.bitcoin.jonasschnelli.ch.
33  x1         responses: 23
34  x5         responses: 23
35  x9         responses: 23
36  xd         responses: 23
37
38seed.btc.petertodd.net.
39  x1         responses: 23
40  x5         responses: 23
41  x9         responses: 23
42  xd         responses: 23
43
44seed.bitcoin.sprovoost.nl.
45  (no flag)  responses: 23
46  x9         responses: 23
47
48dnsseed.emzy.de.
49  (no flag)  responses: 26
50  x9         responses: 25
51
52seed.bitcoin.wiz.biz.
53  (no flag)  responses: 21
54  x9         responses: 21
55
56dnsseed.mainnet.bitcoin.achow101.com.
57  x1         responses: 20
58  x5         responses: 20
59  x9         responses: 20
60  x49        responses: 20
61  x809       responses: 20
62  x849       responses: 20
63  xd         responses: 20
64  x400       responses: 20
65  x404       responses: 20
66  x408       responses: 20
67  x448       responses: 20
68  xc08       responses: 20
69  xc48       responses: 20
70  x40c       responses: 20

I will try to expand my test script soon to include testnet and also to query whether the flags are accurate for returned results so I can verify both this new seed, and existing seeds.

achow101 commented at 3:56 pm on May 1, 2024: member

A TTL of 30 seconds is low compared to the others. FWIW, in dnsseed-policy.md a minimum of 60 seconds is mentioned.

I’ve changed it to 60 seconds.

mzumsande commented at 4:28 pm on May 1, 2024: contributor

@virtu FYI, would it be easily possible to run some of the metrics of https://21.ninja/dns-seeds/ for this new seeder?

ariard commented at 2:47 am on May 2, 2024: member

Concept ACK.

By the way, it would be great if mainnet DNS seeders are considering to sign by default the peers records. This could be amply checked in ThreadDNSAddressSeed() or in semi-automatic fashion in the logs. ECDSA secp256k1 isn’t supported by default in DNS, though you have ed25519 or ECDSA P256 which are widely supported by key management softwares.

laanwj commented at 6:46 am on May 2, 2024: member

By the way, it would be great if mainnet DNS seeders are considering to sign by default the peers records. This could be amply checked in ThreadDNSAddressSeed()

There are some that do (#19714), but as far as i know, there is no cross-platform API for checking DNSSEC status from user code. i’ve unlocked that issue for discussion.

virtu commented at 10:25 am on May 2, 2024: contributor

@virtu FYI, would it be easily possible to run some of the metrics of https://21.ninja/dns-seeds/ for this new seeder?

Concept ACK @mzumsande, the seed is now being monitored on dev.21.ninja.

There may be some graph artifacts until a second data point becomes available. But so far data looks good: 40 advertised addresses (half of them ipv4, the other ipv6), and 35 of them reachable.

1440000bytes commented at 4:02 am on May 3, 2024: none

Why does the seeder consider ‘default port’ for good nodes?

achow101 commented at 4:13 am on May 3, 2024: member

Why does the seeder consider ‘default port’ for good nodes?

DNS cannot provide port numbers, but a port must be known when connecting to a node. So we assume the default port, and because of that assumption, DNS seeders need to return nodes that are listening on the default port.

Sjors commented at 7:15 am on May 3, 2024: member

Concept ACK

There’s discussion in #29911 about whether we should mention the specific feature bits here.

I tested that the mainnet seed result returns both IPv4 and IPv6 records and tried to connect to a random result. I didn’t do any fancier analysis.

1440000bytes commented at 2:54 pm on May 3, 2024: none

Concept ACK on adding another DNS seeder

Why does the seeder consider ‘default port’ for good nodes?

DNS cannot provide port numbers, but a port must be known when connecting to a node. So we assume the default port, and because of that assumption, DNS seeders need to return nodes that are listening on the default port.

TXT records could work but that will require lot of other changes (out of scope)

laanwj commented at 4:28 pm on May 4, 2024: member

TXT records could work but that will require lot of other changes (out of scope)

Right-DNS can serve arbitrary information, but it would complicate things in the client: the cross-platform libc resolver, getaddrinfo, can only resolve addresses. So for that’d we’d need to add some dependency library for DNS resolving. The question is whether it’s worth it.

Also, IIRC caching DNS servers don’t always cache TXT records (because they can store arbitrary data); the caching and the privacy that comes with it, is the advantage of using DNS in the first place, over simply using bitcoin protocol for seeding.

Mind that the DNS seeds are only an entry point to the network. The gossip network itself can handle alternative ports fine, so from that point on, nodes with other ports can be discovered by a node. In the main threat scenario that would make this entry point useless, a hypothetical future where port 8333 would be blocked by ISPs, it’s extremely likely that the DNS seeds would also be blocked entirely as they’re easy to enumerate.

achow101 commented at 2:24 am on May 5, 2024: member

I’ve implemented DNSSEC

laanwj commented at 8:18 am on May 5, 2024: member

I’ve implemented DNSSEC

That’s neat!

i think it’s still missing some part, resolving through Google’s DNS (which has more verbose error messages than my ISP) gives:

0$ dig x9.dnsseed.signet.bitcoin.achow101.com. [@1](/bitcoin-bitcoin/contributor/1/).1.1.1
1⋮
2;; OPT PSEUDOSECTION:
3; EDNS: version: 0, flags:; udp: 1232
4; EDE: 10 (RRSIGs Missing): (failed to verify signatures for x9.dnsseed.signet.bitcoin.achow101.com. opt-out proof)
5⋮

achow101 commented at 5:39 pm on May 5, 2024: member

i think it’s still missing some part, resolving through Google’s DNS (which has more verbose error messages than my ISP) gives:

Should be fixed now

laanwj approved

laanwj commented at 9:38 pm on May 5, 2024: member

All good now!

ACK ee218aa9a9eaac53030c31b099b4afe354197ba7

DrahtBot requested review from willcl-ark on May 5, 2024

DrahtBot requested review from ariard on May 5, 2024

DrahtBot requested review from Sjors on May 5, 2024

1440000bytes approved

1440000bytes commented at 11:51 am on May 6, 2024: none

ACK https://github.com/bitcoin/bitcoin/pull/30007/commits/ee218aa9a9eaac53030c31b099b4afe354197ba7

luke-jr commented at 6:17 pm on May 7, 2024: member

@achow101 Are you sure you want to put this on a common domain with other things?

kristapsk commented at 6:36 pm on May 7, 2024: contributor

Concept ACK on using different software for various DNS seeders. Need to do more review / testing on this one.

willcl-ark approved

willcl-ark commented at 2:12 pm on May 20, 2024: member

ACK ee218aa9a9eaac53030c31b099b4afe354197ba7

I checked that these seeds return diverse and (mainly) active node addresses (although not in a scripted way, but by addnode-ing a random selection of each).

I also checked DNSSEC setup using Verisign’s DNSSEC debugger tool for each of them, which they all passed.

achow101 commented at 10:20 pm on June 4, 2024: member

Anything left to do here?

Are you sure you want to put this on a common domain with other things?

I don’t think this will be an issue.

achow101 commented at 2:41 am on June 5, 2024: member

Are you sure you want to put this on a common domain with other things?

I don’t think this will be an issue.

Actually on second thought I will switch this to a different domain.

chainparams: Add achow101 DNS seeder 2721d64989

achow101 force-pushed on Jun 5, 2024

achow101 commented at 3:25 am on June 5, 2024: member

Updated root domain to achownodes.xyz

1440000bytes approved

1440000bytes commented at 10:34 am on June 15, 2024: none

reACK https://github.com/bitcoin/bitcoin/pull/30007/commits/2721d64989c2b2114890586b7efd01ab4b062ca6

DrahtBot added the label CI failed on Jun 18, 2024

mzumsande commented at 4:42 pm on June 18, 2024: contributor

ACK 2721d64989c2b2114890586b7efd01ab4b062ca6

DrahtBot requested review from willcl-ark on Jun 18, 2024

DrahtBot requested review from laanwj on Jun 18, 2024

DrahtBot removed the label CI failed on Jun 18, 2024

willcl-ark approved

willcl-ark commented at 10:54 am on June 19, 2024: member

reACK 2721d64989c2b2114890586b7efd01ab4b062ca6

Retested that the seed on the new domain for each chain is returning good addresses.

1440000bytes commented at 9:20 pm on June 25, 2024: none

I was not sure about .xyz domain for a bitcoin DNS seed based on things that I have read. Still ACKed it because I have been using .xyz domain for joinstr and had no issues. After recent fedimint incident I think achownodes.xyz will also get suspended sooner or later. So retracted my ACK.

DNS seed domains resolve to lot of IP addresses which may host some website. Its possible that someone will report it or it will get red flagged by automated systems.

DrahtBot requested review from 1440000bytes on Jun 25, 2024

achow101 commented at 10:37 pm on June 25, 2024: member

After recent fedimint incident I think achownodes.xyz will also get suspended sooner or later.

That is a risk of using anything DNS as the registry operator can seize them. But I think it’s preferable to have more DNS seeders so that we are not overly reliant on a few of them. Furthermore, DNS seeders are not critical infrastructure - one being shut down does not really impact the network that much. They’re also easily portable and changing domains is not difficult.

DNS seed domains resolve to lot of IP addresses which may host some website. Its possible that someone will report it or it will get red flagged by automated systems.

The actual sites on this domain have HSTS enabled with subdomain inclusion, although you have to visit those sites for the browser to know about that. I’ve also submitted it to the HSTS preload list. Once a browser knows it has HSTS enabled (whether by visiting the actual sites or through the preload list), the random sites people have on their node IPs should stop loading as they will not have a valid certificate for the domain.

laanwj commented at 8:38 am on June 26, 2024: member

ACK 2721d64989c2b2114890586b7efd01ab4b062ca6 Adding a DNS seed adds redundancy, so does spreading them over as many top-level domains as possible, so i don’t think “this domain might get blocked” is ever an argument against this.

fanquake merged this on Jun 26, 2024

fanquake closed this on Jun 26, 2024

Sjors commented at 11:56 am on June 26, 2024: member

The actual sites on this domain have HSTS enabled with subdomain inclusion, although you have to visit those sites for the browser to know about that. I’ve also submitted it to the HSTS preload list.

Oh that’s a good idea…

chainparams: Add achow101 DNS seeder #30007

Code Coverage

Reviews