obviously these could be cached, and what can you do about external media, but wouldn't it be nice if we resolved relay ip addresses using nostr events?
obviously you would need a few relays to bootstrap, and maybe dns for backup, but we shouldn't lean so heavily on the one thing that causes the worst outages
Yes, the problem is media, nip05, and pfps, not relays. I only use 4 relays, no outbox.
hmm. so a nostr native proxy of some sort? archive.is as a dvm
For media possibly, but nip05 is going to have to require client's hitting endpoints, or simply trusting whatever service is proxying it. We rely on client's being able to resolve domain names as they were advertised. :/
We kind of rely on the ability to share hyperlinks directly. If we switched to something like blossom, then media has a unique id and can be polled from known/trusted servers that federate. Clients could simply take the media hash and try it against a list of trusted blossom servers.
Otherwise generic media proxy services, which some clients support, but they don't really work all that well, and aren't cheap because they take so much risk.
you're trusting the proxy for any type of media, not just nip05. but how much do i care most of the time? and what if there are many proxies to compare against? and of course there's always actual fallback.
or ... always run a vpn of some form. 1.1.1.1 at least hides the signal from your isp, and the price is right
So you went from telling your ISP what you were doing to telling Cloudflare. And to be fair most of us are already telling cloudflare what were up to. And chances are the consumer router is using plain UDP. Android doesn't let you specify a DOH bootstrap resolver, and requires a domain name last I checked. Otherwise UDP.
Recursive resolver _is_ the only private option, or your buddy who runs a one and offers you a vpn.
Im suggesting that media proxy is far less of an issue to what we _wanted_ nip05 to be, and that's proof of domain ownership. Media is just something that appears when I scroll.
Also my experience with Google Android is that DoH will ALWAYS fall back to Google UDP dns if DoH fails to resolve, or returns 0.0.0.0 etc. So the only "safe" option for Android users is UDP, hopefully over VPN.
🤷🏻♂️ i don't disagree with any of these points.
fundamentally nip05 relies on dns. are most people enforcing dnssec? i don't actually care what it returns, so trusting a random proxy is fine. opsec requires a threat model, and it's more likely that my isp / dns stack gets poisoned than some paid proxy has decided to burn their trust
Yeah, and we probably agree that nip05 is... nip05. It's a thing, trust it or don't. Up to client and users I suppose right? It's never stopped me from following frauds, if we had the option to disable it I'd turn it off probably (I know some clients already do). I find it useful for bootstrapping because I have my preferred relays set there.
I think the average user doesn't care, they could click a button that verifies it and then hits DNS, as the user requests it, not automatically connected to their timeline.
> are most people enforcing dnssec?
I'm not up-to-date on modern trends, but I know consumer ISPs i'm familiar with will use plaintext from DHCP. I think their is a DHCP option for dnssec though right? Id have to confirm. Id be shocked if home routes + ISPs used dnssec.
I'd argue - I'm not sure it really matters though. Unless you trust your resolver. Otherwise, it's Google, or Cloudflare or Quad 9 etc who see your traffic, is it really that much better? If were going through the process of setting up dnssec, or tls or DoH, can't we just start putting recursive resolver in our routers?
Im more focused on the privacy aspect. Most users will have no cache in morning when the load up their client for the first time. Then hit their default ISP dns server 300 times telling their isp, governments, and everyone else watching, almost exactly what's on their nostr timeline. It's got to be so easy to track nostr users whenever someone decides to watch.
I could probably do this to myself, now if I turned on detailed query logging.
