Domain authorization #118

Closed
stokito opened this issue Aug 2, 2022 · 4 comments

Comments

@stokito
Contributor

stokito commented Aug 2, 2022

As far as I understood, KadNode publishes a domain announcement descriptor in the DHT with these fields:

```c
#include <stdint.h>
#include <time.h>

/* Sizes assumed here so the struct compiles stand-alone: a SHA-1 digest is
 * 20 bytes; QUERY_MAX_SIZE is taken from the 256-char query limit asked
 * about below. The real values live in the KadNode headers. */
#define SHA1_BIN_LENGTH 20
#define QUERY_MAX_SIZE 256

/*
 * Announce a value id / port pair in regular
 * intervals until the lifetime expires.
 */
struct value_t {
	struct value_t *next;          /* singly linked list of announcements */
	uint8_t id[SHA1_BIN_LENGTH];   /* SHA-1 sized id used as the DHT key */
	char query[QUERY_MAX_SIZE];    /* the announced domain / key string */
	int port;
	time_t lifetime; // Keep entry refreshed until the lifetime expires
	time_t refresh; // Next time the entry needs to be refreshed
};
```

They are described on the wiki https://github.com/mwarning/KadNode/wiki/Data-Structures
But I still didn't get it, so please clarify.

  • The query is a domain of up to 256 chars. Why that limit? Just curious.
  • The port is the port of the KadNode AUTH service that challenges and approves the domain. For a TLS challenge for an existing site we can just put port 443, right?
  • The lifetime is a TTL but stored as an 8-byte integer.
  • The refresh is an expiry time? But why then do we need the lifetime?

Also the AUTH challenge method needs a connection. What if, on announcing, a node encrypts an IP + timestamp pair with a secret key so that everyone can decrypt it with the public key, i.e. the domain name. Then KadNode may receive a list of records from the DHT, verify them all and pick the one with the latest timestamp.

This is less secure because a domain may already have changed its IP again and some other computer may get the old IP. I guess this is a very rare case.

But as an advantage we can make resolving faster.
The real validation anyway must be done by some kind of TLS, but still an attacker may issue a cert for the domain.
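The scheme proposed above, worked through as an added example (this is not KadNode code and not its wire format): the domain is the node's public key, each DHT record carries the address, a timestamp and an Ed25519 signature over both, and the resolver verifies every record it fetched and keeps the newest valid one. The `.p2p` suffix, the unpadded base32 key encoding, the 24-byte signed message layout and the sample records are all assumptions made for this example. The scenario also shows the caveat raised in the post: the signature proves who published a record, not that its address is still current.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// Announcement is a hypothetical signed DHT record: address + timestamp,
// signed with the domain's secret key so any resolver can verify it offline.
type Announcement struct {
	Addr      netip.Addr
	Timestamp uint64 // seconds since the Unix epoch, chosen by the announcer
	Sig       []byte // ed25519 signature over Addr || Timestamp
}

// b32 is unpadded base32, assumed here as the domain encoding of the key.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// DomainFromKey renders the public key as the name a user would type.
func DomainFromKey(pub ed25519.PublicKey) string {
	return strings.ToLower(b32.EncodeToString(pub)) + ".p2p"
}

// KeyFromDomain reverses DomainFromKey and rejects anything that does not
// decode to exactly one ed25519 public key (Verify would panic otherwise).
func KeyFromDomain(domain string) (ed25519.PublicKey, error) {
	raw, err := b32.DecodeString(strings.ToUpper(strings.TrimSuffix(domain, ".p2p")))
	if err != nil {
		return nil, err
	}
	if len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("domain does not encode a 32-byte key")
	}
	return ed25519.PublicKey(raw), nil
}

// signedBytes is the fixed-width message that gets signed: the address in
// its 16-byte (IPv4-mapped) form followed by the big-endian timestamp.
func signedBytes(addr netip.Addr, ts uint64) []byte {
	var msg [24]byte
	a := addr.As16()
	copy(msg[:16], a[:])
	binary.BigEndian.PutUint64(msg[16:], ts)
	return msg[:]
}

// Announce builds the record the announcing node would publish.
func Announce(priv ed25519.PrivateKey, addr netip.Addr, ts uint64) Announcement {
	return Announcement{Addr: addr, Timestamp: ts, Sig: ed25519.Sign(priv, signedBytes(addr, ts))}
}

// Resolve verifies every fetched record against the domain's key and returns
// the newest valid one together with the number of records it rejected.
func Resolve(domain string, records []Announcement) (Announcement, int, error) {
	pub, err := KeyFromDomain(domain)
	if err != nil {
		return Announcement{}, 0, err
	}
	var best Announcement
	found, rejected := false, 0
	for _, r := range records {
		if !ed25519.Verify(pub, signedBytes(r.Addr, r.Timestamp), r.Sig) {
			rejected++ // forged or tampered: ignore, do not trust its timestamp
			continue
		}
		if !found || r.Timestamp > best.Timestamp {
			best, found = r, true
		}
	}
	if !found {
		return Announcement{}, rejected, errors.New("no valid announcement")
	}
	return best, rejected, nil
}

// Scenario is a constructed sample: the honest key publishes twice, an
// attacker publishes a record under its own key with a far-future timestamp,
// and one honest record has its timestamp bumped after signing.
func Scenario() (uint64, int, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, err
	}
	domain := DomainFromKey(pub)
	old := Announce(priv, netip.MustParseAddr("192.0.2.10"), 1000)
	current := Announce(priv, netip.MustParseAddr("2001:db8::1"), 2000)
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	forged := Announce(attacker, netip.MustParseAddr("198.51.100.7"), 9999)
	tampered := current
	tampered.Timestamp = 3000 // signature no longer matches
	best, rejected, err := Resolve(domain, []Announcement{forged, old, tampered, current})
	return best.Timestamp, rejected, err
}

func main() {
	ts, rejected, err := Scenario()
	fmt.Println("picked timestamp:", ts, "rejected:", rejected, "err:", err)
}
```

The resolver ends up with the honest record stamped 2000 and rejects two records. Note what it cannot do: if the node later moves and the record with timestamp 2000 is the newest one a resolver sees, it will still hand out the old address, which is exactly the stale-IP case the post accepts as rare; any record whose timestamp is older than an already-seen valid one is also harmless here, since only the newest valid one is used.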

@mwarning
Owner

mwarning commented Aug 4, 2022

  • the length of query is kind of arbitrary. I just hope that any domain it will be used for is a maximum of 255 bytes long. The query might be a 32-byte public key in base16 or base32, or any domain you see in the browser (meet.mydomain.com).
  • the port is the DHT port, but it is also shared for the authentication via BOB (see function dht_handler(); since we have no channel to store the extra port and we would only need a single port forwarding. To distinguish the traffic we check whether the first three bytes of each packet start with BOB; if not, then it is a DHT packet). Authentication via TLS/HTTPS is done via port 443, but I forgot how that is working right now and need to read the code.
  • the lifetime of an announcement is the time until the announcement is removed (> time(NULL), can be LONG_MAX for infinity)
  • the refresh time of an announcement is the next time, to refresh the entries in the DHT network.
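The lifetime/refresh distinction and the shared-port demultiplexing described in the reply, as an added example (not KadNode's code): both fields are absolute times, `Lifetime` decides when the entry is forgotten and `Refresh` decides when it is pushed into the DHT again. The 20-minute refresh interval, the `Maintain`/`Demux` names and the sample entries are assumptions of this example; `InfiniteLifetime` stands in for the LONG_MAX mentioned above.

```go
package main

import (
	"bytes"
	"fmt"
	"math"
)

// InfiniteLifetime mirrors "LONG_MAX for infinity" from the reply.
const InfiniteLifetime int64 = math.MaxInt64

// RefreshInterval is an assumed re-announce period, not KadNode's constant.
const RefreshInterval int64 = 20 * 60

// Value carries the value_t fields that matter here. Both times are absolute
// Unix seconds, like time_t, not durations.
type Value struct {
	Query    string
	Port     int
	Lifetime int64 // forget the entry once now >= Lifetime
	Refresh  int64 // push the entry into the DHT again once now >= Refresh
}

// Maintain is what a periodic timer would run: expired entries are dropped,
// due entries are re-announced and get their next Refresh time scheduled.
func Maintain(values []*Value, now int64) (kept, announced []*Value) {
	for _, v := range values {
		if v.Lifetime != InfiniteLifetime && now >= v.Lifetime {
			continue // lifetime passed: the announcement is removed
		}
		kept = append(kept, v)
		if now >= v.Refresh {
			announced = append(announced, v)
			v.Refresh = now + RefreshInterval
		}
	}
	return kept, announced
}

// Demux tells which handler a datagram on the shared UDP port belongs to:
// the three-byte "BOB" magic selects the authentication protocol and
// everything else is handed to the DHT.
func Demux(pkt []byte) string {
	if bytes.HasPrefix(pkt, []byte("BOB")) {
		return "bob"
	}
	return "dht"
}

func main() {
	now := int64(1_000_000) // constructed clock value
	values := []*Value{
		{Query: "meet.mydomain.com", Port: 6881, Lifetime: now + 3600, Refresh: now},
		{Query: "expired.p2p", Port: 6881, Lifetime: now - 1, Refresh: now},
		{Query: "forever.p2p", Port: 6881, Lifetime: InfiniteLifetime, Refresh: now + 60},
	}
	kept, announced := Maintain(values, now)
	fmt.Println(len(kept), "kept,", len(announced), "re-announced")
	fmt.Println(Demux([]byte("BOB\x01hello")), Demux([]byte("d1:ad2:id20:")))
}
```

With the sample above, the first entry is re-announced and rescheduled, the second is dropped because its lifetime has passed, and the infinite one is kept but not yet due. A real node would also run this over entries whose lifetime is in the far future, so the expiry check must be an explicit comparison and not an overflow of now + interval.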

@mwarning
Owner

mwarning commented Aug 4, 2022

I think an announcement payload may be encrypted, but I think that would require changes of the DHT implementation. I have not really tried yet.

@stokito
Contributor Author

stokito commented Aug 4, 2022

Thank you for the answers. Hope I'll find time this week to play and learn more.
Meanwhile I watched the video where it is explained how Tor onion services use the DHT https://youtu.be/Di7qAVidy1Y?t=1683

So an attacker can create a DHT node with a hash similar to the domain and can see how many requests there are for the site. Not a big deal for unanimous KadNode, but still maybe it's possible to grab some privacy improvements from Tor.

@stokito stokito closed this as completed Aug 5, 2022