allow adding public_peers with DNS name
#1164
Conversation
eugene-babichenko
force-pushed
the
trusted-peers-dns
branch
from
4d51710 to
caac50d
Compare
eugene-babichenko
force-pushed
the
trusted-peers-dns
branch
from
a05c616 to
f914eef
Compare
NicolasDP
added
enhancement
|
We cannot use that changes yet as we need to remove the need to use the trusted peers node id first. |
| impl std::str::FromStr for TrustedPeer { | ||
| type Err = String; | ||
| fn from_str(s: &str) -> Result<Self, Self::Err> { | ||
| let mut split = s.split('@'); |
There was a problem hiding this comment.
I'm not sure we need to make an official microformat for this.
| .filter_map(|tp| { | ||
| tp.address.to_addresses().ok().map(|addrs| { | ||
| addrs.into_iter().map(move |addr| TrustedPeer { | ||
| id: tp.id.clone(), |
There was a problem hiding this comment.
Umm, do we have provisions elsewhere for the duplicated peer entries?
These are going to overwrite each other in PeerMap. To do it properly, there should be a "happy eyeballs" style async connection routine for a single peer, racing up to two connection trains – one going through a shuffled list of IPv4 addresses, the other through IPv6 – but only to the point where one connects on TCP, then the other needs to be discarded and the protocol handshake with subscriptions should proceed on the winning connection.
Provisions may need to be made in network-grpc to enable two-stage connections.
There was a problem hiding this comment.
OK, maybe happy eyeballs is a little overkill as there is not much interactive difference in how many milliseconds it takes to establish a connection. So shuffle the list of all addresses for a single peer and go through them with TCP connection attempts until one succeeds, that would do it.
There was a problem hiding this comment.
Even better perhaps, we could let hyper deal with DNS addresses because we give it an URL to connect to.
There was a problem hiding this comment.
How much headache would it be to implement DNSSEC signature validation within Jormungandr and WARN if provided FQDN is not signed? Seems (I checked just three) Rust libraries do not support DNSSEC validation, does hyper rely on OS DNS resolver or a Rust library outside of the OS?
There was a problem hiding this comment.
hyper supports custom resolvers, and previous commits on this branch used trust-dns-resolver which supports DNSSec. @eugene-babichenko @NicolasDP what do you think of re-integrating it back, either in this form or hooking into hyper?
There was a problem hiding this comment.
Umm, do we have provisions elsewhere for the duplicated peer entries?
No, and actually this is my main concern about this pull request which I discussed with @NicolasDP. The correct approach is testing IPs until we find a reachable one and then just go for that address. But we must do it right after we got the whole list of addresses, because we also need to feed the node data to poldercast. We can rework poldercast crate a bit though to make it able to accept DNS instead of bare IPs.
Even better perhaps, we could let
hyperdeal with DNS addresses because we give it an URL to connect to.
If the whole network stuff including gossiping is done via hyper (that's what I can see from the code), I think it's totally fine.
what do you think of re-integrating it back, either in this form or hooking into
hyper?
The whole point of the last commit was to remove an additional dependency, but I feel like we will return if want to support DNSSEC. I'm more into hooking that stuff into hyper, just because it sounds way more elegant.
To sum everything up, my approach would be to allow using DNS just everywhere in the code. Let's say, make it a first-class citizen along with the IPs. But this may require some modification of external dependencies, specifically poldercast.
| _ => None, | ||
| }) | ||
| .collect(), | ||
| Some(AddrComponent::DNS6(fqdn)) => format!("{}:{}", fqdn, port) |
There was a problem hiding this comment.
It's... weird that multiaddr does not support just dns/ which would resolve both A and AAAA records. Which seems to be what's going to happen under the hood anyway, except that you discard the addresses of the wrong type.
There was a problem hiding this comment.
Converting from multiaddr to an FQDN URL for hyper, as per #1164 (comment), would erase the IP address preference, so I'm not sure what would be more proper here.
There was a problem hiding this comment.
Theoretically, HttpConnector::set_local_address in hyper can be used to restrict connections to IPv4 or IPv6, but I'm not sure it works with hyper's internal resolver.
There was a problem hiding this comment.
Either approach requires us to make the whole system treat FQDNs the same way as IPs and probably bring everything to network-grpc (see #1164 (comment)).
| } | ||
|
|
||
| impl TrustedAddress { | ||
| pub fn to_addresses(&self) -> Result<Vec<Address>, AddressError> { |
There was a problem hiding this comment.
Please add a prominent (doc) comment notice that a blocking network resolver roundtrip happens here, so that we remember to avoid calling this in async code.
We still need some way to identify a node with multiple IP addresses, including the corner cases when we receive its information from gossip with a different, maybe partially overlapping, set of addresses. Any of the old IP addresses may be taken over by other, logically different nodes, so I'm not sure intersecting on any IP address would give you a moral right to put it under the same node entry and reuse the connection. |
That's what was good on the initial private key, public key design, now when node_id is just a random string, anybody can replicate someone else's node_id. |
There was a problem hiding this comment.
@mark-stopka We are still debating the correct approach with node IDs and their authentication and whether they are worth having at all.
|
closing this in favor of #2193 |
Resolves #785