Go: proposal: Vanity URLs via DNS

We can easily differentiate whether the record is an org or a repo and give the user to flexibility to use either of their URLs.

The major downside to using DNS for this is that there is no authenticity guarantee, whereas the current requirement to serve a meta tag over HTTPS ensures that an attacker cannot maliciously redirect a package download just by spoofing a DNS response. For this reason, I'd strongly suggest sticking to serving vanity import URLs over HTTPS.

There is a small project on my list to make it easy to do redirects with a minimal go server (or use a hosted one) and a standardized DNS TXT record to store the actual redirect. We might just provide one of the redirect servers for convenience.

I have a minimal server at https://github.com/googlecloudplatform/govanityurls, and I can move it to x/tools -- a more suitable place now without any dependencies to App Engine -- and we can collaborate. In my personal experience, downtime of this server has never been an issue (at least not as much as downtime of GitHub), but I host the server on a very stable provider with very stable networking.

As far as I understand from the linked Twitter thread, the remote idea of owning/maintaining servers scare people and hence we were considering options that doesn't require a server. Though we should never sacrifice security.

/cc @zombiezen

@titanous That's a good point. It's certainly not worth giving up security. Is that something that could be fixed using DNSSEC?

@benbjohnson No, DNSSEC is not widely deployed and there's no evidence that it will ever be deployed to the ubiquitous level that would be necessary for this. See these articles for details:

• https://sockpuppet.org/blog/2015/01/15/against-dnssec/
• https://sockpuppet.org/stuff/dnssec-qa.html
• https://sockpuppet.org/blog/2016/10/27/14-dns-nerds-dont-control-the-internet/

Yeah, looks like sockpuppet.org _really_ doesn't like DNSSEC. :)

I'll close this proposal for now. If anyone has improvements around it then I can reopen.

Why not allow for both? If your domain does support DNSSEC, and a lot of g/cTLDs do, it's a question of deploying it yourself or having a DNS provider that does. Just b/c the owner of sockpuppet.org doesn't like DNSSEC and happens to have a few blog posts about it doesn't make this shouldn't be pursued. About 89% of TLDs are signed and cTLDs current sit at about 47%, adoption wise. Aside from that, the major deployed DNS servers and client libraries support DNSSEC and so do most recursive resolvers.

.com, .net, .org and .io are all signed (so is .us and aside from Albania and Belarus so are all the European ccTLDs, quite a few in Asia, South America, Australia and New Zealand) which are rather prevalent TLDs when it comes to where packages are hosted on. DNSSEC has become significantly easier to deploy since it was conceived and more and more registrars offer support for it in their control panel, it's just a box you need to tick. Though it does require some testing before enabling it, it's technically not complicated to do so. If you also host your own authoritative servers for your domain then yes, it'll be a bit more work.

If the response does pass DNSSEC validation it should be entirely feasible to follow along with this proposal. If it doesn't, fall back to the current way of doing it. That would allow to gradually upgrade to this proposal without breaking anything current.

@daenney The problem is that DNSSEC as currently deployed doesn't do anything for clients. The vast majority of machines use stub resolvers that don't do DNSSEC validation, so this whole thing is moot.

Oh right, the validation part. Most seem to fallback when it fails 😞. Afaik though you can see if the request did pass DNSSEC validation, and systemd, macOS and Windows 7+ do support it in their client code, which covers a lot of people.

@daenney The Authenticated Data flag that you are talking about is just a bit in a cleartext DNS packet from the resolver, it can be tampered with/spoofed by any attacker, so it doesn't help security at all.

But how does that create a problem? If AD is set your system's stub resolver will validate the response and afaik it's not feasible for an attacker to tamper with the signature. If an attacker removes AD then you simply go for the fallback behaviour. I'm not aware of any (stub) resolver that just blindly trusts the AD flag and doesn't verify the signatures.

@daenney There are no signatures for the stub resolver to verify, so it does just blindly trust the AD flag in responses from the resolver. This Microsoft documentation has a good explanation.

@titanous Damn. I've always understood it the other way around :|. That sucks. Never mind indeed then.