Yes, the problem is media, nip05, and pfps, not relays. I only use 4 relays, no outbox.


Discussion

hmm. so a nostr native proxy of some sort? archive.is as a dvm

For media possibly, but nip05 is going to have to require clients hitting endpoints, or simply trusting whatever service is proxying it. We rely on clients being able to resolve domain names as they were advertised. :/

We kind of rely on the ability to share hyperlinks directly. If we switched to something like blossom, then media has a unique id and can be polled from known/trusted servers that federate. Clients could simply take the media hash and try it against a list of trusted blossom servers.

Otherwise generic media proxy services, which some clients support, but they don't really work all that well, and aren't cheap because they take so much risk.
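The content-addressed fallback described above (take the media hash, try it against a list of trusted Blossom servers, keep only bytes whose sha256 matches), as an added example that is not part of this thread; the server names, blob bytes and `fake_fetch` stand-in for HTTP GET are constructed for offline use:

```python
import hashlib
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample blob and its sha256; Blossom addresses media by the
# sha256 of the bytes, so the id is derived from the content itself.
BLOB = b"example image bytes"
BLOB_ID = hashlib.sha256(BLOB).hexdigest()

# Constructed fake servers (hypothetical hosts): one serves altered bytes,
# one lacks the blob, one serves it intact. A real client does GET <server>/<sha256>.
FAKE_SERVERS = {
    "https://tampered.example": {BLOB_ID: b"not the same bytes"},
    "https://missing.example": {},
    "https://honest.example": {BLOB_ID: BLOB},
}

def fake_fetch(url: str) -> Optional[bytes]:
    """Stand-in for an HTTP GET; returns None when the server has no such blob."""
    server, _, blob_id = url.rpartition("/")
    return FAKE_SERVERS.get(server, {}).get(blob_id)

def fetch_verified(blob_id: str, servers: Iterable[str],
                   fetch: Callable[[str], Optional[bytes]] = fake_fetch
                   ) -> Optional[Tuple[str, bytes]]:
    """Try trusted servers in order and accept bytes only if their sha256
    equals blob_id. Returns (server, data) for the first verifying server,
    or None if no server produced matching content."""
    blob_id = blob_id.lower()
    if len(blob_id) != 64 or any(c not in "0123456789abcdef" for c in blob_id):
        raise ValueError("blob id must be a sha256 hex digest")
    for server in servers:
        data = fetch(f"{server}/{blob_id}")
        if data is None:
            continue  # server does not have it; try the next one
        if hashlib.sha256(data).hexdigest() == blob_id:
            return server, data
        # Hash mismatch: the server or a proxy in front of it altered the
        # content, so it is discarded rather than shown to the user.
    return None
```

Because the id is the hash, the client never has to trust the server that answered, only the hash it already had from the note.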

you're trusting the proxy for any type of media, not just nip05. but how much do i care most of the time? and what if there are many proxies to compare against? and of course there's always actual fallback.

or ... always run a vpn of some form. 1.1.1.1 at least hides the signal from your isp, and the price is right

So you went from telling your ISP what you were doing to telling Cloudflare. And to be fair most of us are already telling Cloudflare what we're up to. And chances are the consumer router is using plain UDP. Android doesn't let you specify a DoH bootstrap resolver, and requires a domain name last I checked. Otherwise UDP.

Recursive resolver _is_ the only private option, or your buddy who runs one and offers you a VPN.

I'm suggesting that media proxy is far less of an issue compared to what we _wanted_ nip05 to be, and that's proof of domain ownership. Media is just something that appears when I scroll.

Also my experience with Google Android is that DoH will ALWAYS fall back to Google UDP dns if DoH fails to resolve, or returns 0.0.0.0 etc. So the only "safe" option for Android users is UDP, hopefully over VPN.

yeah 😕 it's not that i trust apple, it's that i don't trust google

Yup, I know... The ad company that makes its money from targeting ads to you...

🤷🏻‍♂️ i don't disagree with any of these points.

fundamentally nip05 relies on dns. are most people enforcing dnssec? i don't actually care what it returns, so trusting a random proxy is fine. opsec requires a threat model, and it's more likely that my isp / dns stack gets poisoned than some paid proxy has decided to burn their trust

Yeah, and we probably agree that nip05 is... nip05. It's a thing, trust it or don't. Up to client and users I suppose right? It's never stopped me from following frauds, if we had the option to disable it I'd turn it off probably (I know some clients already do). I find it useful for bootstrapping because I have my preferred relays set there.

I think the average user doesn't care, they could click a button that verifies it and then hits DNS, as the user requests it, not automatically connected to their timeline.

> are most people enforcing dnssec?

I'm not up-to-date on modern trends, but I know consumer ISPs I'm familiar with will use plaintext from DHCP. I think there is a DHCP option for DNSSEC though, right? I'd have to confirm. I'd be shocked if home routers + ISPs used DNSSEC.

I'd argue - I'm not sure it really matters though. Unless you trust your resolver. Otherwise, it's Google, or Cloudflare or Quad9 etc. who see your traffic, is it really that much better? If we're going through the process of setting up DNSSEC, or TLS or DoH, can't we just start putting recursive resolvers in our routers?