Admittedly, the centralised nature of domain names leaves much to be desired. However, building on existing infrastructure gives users access to a system that is already familiar to them.
By leveraging DNSSEC, a client can detect tampering with an alias's records in transit and so prevent MITM-style attacks on an alias. As with HTTPS, users may choose to operate in a less secure mode (an unvalidated lookup) if they are willing to accept the risks.
Decentralised DNS Ready
With Namecoin, DIANNA, P2P-DNS, and other systems bringing decentralised DNS to the fore, the OpenAlias standard has been designed to be simple enough to drop in and work.
Keeps Lookups Private
It is strongly recommended that developers bake support for DNSCrypt in and use our listed servers for lookups, thus retaining user privacy and not leaking lookup information.
What is OpenAlias?
OpenAlias seeks to provide a way to simplify aliasing amid a rapidly shifting technology climate. Users are attempting to cross the bridge to private and cryptographically secure infrastructure and systems, but many of them have only just begun remembering the email addresses of their friends and family.
As part of the ongoing development of the Monero cryptocurrency project, we asked ourselves: how can we simplify payments for users unacquainted with cryptocurrency? Monero stealth addresses are at least 95 characters long; memorising them is not an option, and asking someone to send a payment to <95-character-string> is only going to lead to confusion.
At its most basic, OpenAlias is a TXT DNS record on an FQDN (fully qualified domain name). By combining this with DNS-related technologies we have created an aliasing standard that is extensible for developers, intuitive and familiar for users, and can interoperate with both centralised and decentralised domain systems.
How is it superior to other aliasing systems?
Typical aliasing systems are simple key-value stores. A cryptocurrency may, for example, have an aliasing system that lets you (through the process of mining) announce that the alias Bob is equal to <95-character-string>. This has two major pitfalls for end-users. Firstly, it makes it the responsibility of that cryptocurrency to resolve issues or alias disputes. For example, if a user loses their private keys and wants to continue using that alias, there needs to be a mechanism in place for that; otherwise you end up with dead aliases, and users have the hassle of telling everyone that they have a new alias. The second problem is that it doesn't actually solve anything. Once the first few Bob-derived aliases are taken, users end up resorting to things like Bob1979-awesomesauce324, which means that the end-user still has to have that written down in an address book somewhere.
Who created OpenAlias?
The idea of a DNS-based alias system is not new, and has been suggested on more than one occasion. The groundwork for OpenAlias was primarily done by Riccardo "fluffypony" Spagni and Naphex, formerly of btcXchange.ro. Many months after this initial gem of an idea was born, Riccardo, along with the rest of the Monero core team, fleshed it out into a practical and extensible standard. A special thanks goes to Tom Winget, who created the first OpenAlias client implementation in Monero Core.
What OpenAlias implementations exist?
What is the end-user-side process?
OpenAlias can be used for anything, but our primary use-case is to simplify cryptocurrency payments. Users are already familiar with systems like PayPal that let you send a payment to an email address, so to the end user this should be no less intuitive. In order to make the paradigm truly familiar for the end user, OpenAlias allows the user to enter either just the FQDN (eg. example.openalias.org) or an email-style address that is translated to an FQDN (eg. [email protected]).
1. The user wants to send a payment to donate.getmonero.org and enters that alias as the recipient.
2. The user visually confirms that the resulting address (and the recipient name, if one is present) is as expected.
3. The payment is made to the address.
What is the application-side process?
Applications should, at a minimum, implement the following workflow.
1. If the value entered contains an @ character, substitute it with a . (period) to allow email-style addressing.
2. Check that the value entered contains a . (period); if it does not, treat it as an address rather than an FQDN.
3. Fetch all of the TXT records for the FQDN, retrying at least 3 times on failure; if every attempt fails, treat the lookup as failed.
4. Step through each of the TXT records and check that it has the oa1 (OpenAlias version 1) prefix followed by the prefix for our application (oa1:xmr in our example); stop at the first match (ignoring later matches unless your application specifically supports handling multiple records).
5. Extract the recipient_address from the parsed data.
6. Check that we have a valid DNSSEC trust chain (RRSIG, DNSKEY and DS records chaining up to a trust anchor, with NSEC/NSEC3 for proofs of non-existence); if not, alert the user that the result is potentially untrusted and proceed only if the user agrees. Note that a "validated" flag (the AD bit) reported by a remote resolver is only meaningful if you reach that resolver over an authenticated channel such as DNSCrypt, or validate locally.
7. Confirm the validity of the address with the user.
How do we prevent the user's lookups from leaking?
In order to ensure that lookups do not betray the user's privacy, it is best to implement DNSCrypt from OpenDNS and force resolution via a DNSCrypt-compatible resolver. Depending on your use-case, you may choose to bake DNSCrypt into your software, or bundle dnscrypt-proxy along with your application.
There are only a handful of DNSCrypt-compatible resolvers worldwide, and fewer still that additionally support DNSSEC validation, support Namecoin resolution, and don't log DNS requests. Additional DNS resolvers that meet these criteria will be launched and operated by OpenAlias and by contributors in the coming months. In order to make your life easier, you can get a list of available resolvers that meet all these criteria by fetching the TXT records from any of the following domains:
The TXT records consist of host:port=providername=pubkey, allowing you to connect to the DNSCrypt resolver using these details. These resolver records will be maintained, and if a malicious resolver is found it will be removed. It is, therefore, prudent to poll this list regularly within the application, either on request or at least once every 24 hours. Bear in mind that fetching the list is itself a DNS lookup: perform it through a resolver you already trust (for example one bundled with the application) and require a valid DNSSEC chain on the list's own records, otherwise the list can be substituted by the very party you are trying to avoid.
How are the TXT records constructed?
TXT records contain, at a minimum, only two pieces of information: the prefix and the recipient_address. Let's take a look at a typical OpenAlias TXT record:
oa1:xmr recipient_address=46BeWrHpwXmHDpDEUmZBWZfoQpdc6HaERCNmx1pEYL2rAcuwufPN9rXHHtyUA4QVy66qeFQkn6sfK8aHYjA3jk3o1Bv16em; recipient_name=Monero Development;
The record always starts with "oa1:", which indicates it is an OpenAlias Version 1 record. If we don't have that prefix we ignore the record, as it may be an SPF record or something else that we don't care about. For other applications, Bitcoin for example, the prefix would be oa1:btc or whatever the developers choose. OpenAlias does not maintain a repository of prefixes at this stage, but may do so in future.
At a minimum, the recipient_address key-value pair must exist. OpenAlias exists to alias FQDNs to an "address" of any type, and this is expressed in this value. Future versions of the OpenAlias standard may define alternative bare minimums if use-cases are found beyond FQDN->Address use.
Key-value pairs are separated by a semicolon and, optionally, a space for legibility. The value may or may not be wrapped in double quotes, which should be stripped from the value if found at both the beginning and the end of the value. The value should also always be trimmed of spaces, unless the space is escaped with a backslash. Depending on the DNS library or implementation you use, you may find that the semicolon at the end of the pair is escaped with a backslash.
In order not to overcomplicate this, a semicolon is a prohibited character unless it is in a value that is entirely wrapped in double quotes. Similarly, a double quote can appear anywhere inside a value without needing to be escaped; the one restriction is that a value may not both begin and end with a double quote unless those quotes are the wrapping pair, since they will be stripped. Keys and values are not limited in size, although it is counter-productive to have excessively large key-values, as DNS is not designed as a data transfer mechanism. Note also that TXT RDATA is made up of character-strings of at most 255 bytes each, so a long record is split across several strings and most DNS libraries hand you the pieces separately; concatenate them before parsing.
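The application-side workflow and the record syntax described above, implemented together as an added example; this is not the OpenAlias project's own client code. The DNS query is passed in as a function so the example runs offline: the constructed SAMPLE_ZONE reuses the two records quoted on this page, and the host unsigned.example.invalid is made up to exercise the unvalidated path, a library-escaped `\;` terminator and a quoted value containing a semicolon. In a real client the lookup would be backed by a validating resolver and would report whether the answer carried a valid DNSSEC chain.

```python
"""OpenAlias v1 client workflow: alias normalisation, TXT record selection by
prefix, key/value parsing, DNSSEC status. Added example, not project code.
The DNS query is injected so this runs offline; SAMPLE_ZONE reuses the two
records quoted on the page plus one made-up host (unsigned.example.invalid)
that exercises the unvalidated path and the escaping rules."""
from typing import Callable, Dict, List, Optional, Tuple

LookupFn = Callable[[str], Tuple[List[str], bool]]  # -> (txt strings, dnssec ok)
XMR_ADDR = "46BeWrHpwXmHDpDEUmZBWZfoQpdc6HaERCNmx1pEYL2rAcuwufPN9rXHHtyUA4QVy66qeFQkn6sfK8aHYjA3jk3o1Bv16em"
BTC_ADDR = "1FhnVJi2V1k4MqXm2nHoEbY5LV7FPai7bb"
# Constructed zone data, not a live query. 'v=spf1' is an unrelated TXT record
# that must be skipped; the .invalid host returns a library-escaped '\;'
# terminator and a quoted value containing ';', and has no DNSSEC chain.
SAMPLE_ZONE: Dict[str, Tuple[List[str], bool]] = {
    "donate.getmonero.org": ([
        "v=spf1 -all",
        "oa1:btc recipient_address=%s; recipient_name=Monero Development;" % BTC_ADDR,
        "oa1:xmr recipient_address=%s; recipient_name=Monero Development;" % XMR_ADDR,
    ], True),
    "unsigned.example.invalid": (
        ['oa1:xmr recipient_address=4ABCD\\; recipient_name="Bob; Inc"\\;'], False),
}
_ESC_SPACE = "\x00"  # placeholder so a backslash-escaped space survives trimming


def constructed_lookup(fqdn: str) -> Tuple[List[str], bool]:
    if fqdn not in SAMPLE_ZONE:
        raise OSError("NXDOMAIN or timeout for %s" % fqdn)  # mimics a resolver error
    return SAMPLE_ZONE[fqdn]


def alias_to_fqdn(value: str) -> Optional[str]:
    """Steps 1-2: '@' becomes '.'; a value with no '.' is a raw address (None)."""
    fqdn = value.strip().replace("@", ".")
    return fqdn.rstrip(".").lower() if "." in fqdn else None


def parse_record(txt: str) -> Tuple[str, Dict[str, str]]:
    """Parse 'oa1:<prefix> key=value; ...' into (prefix, pairs). Page rules:
    pairs end in ';' (or '\\;' from an escaping library); bare values are
    trimmed except for '\\ ' spaces; a double-quoted value is unwrapped and
    may contain ';'. Raises ValueError for anything that is not an oa1 record."""
    prefix, _, body = txt[4:].partition(" ") if txt.startswith("oa1:") else ("", "", "")
    if not prefix:
        raise ValueError("not an OpenAlias v1 record")
    pairs: Dict[str, str] = {}
    i, n = 0, len(body)
    while i < n:
        eq = body.find("=", i)
        if eq < 0:
            break
        key, i = body[i:eq].strip(), eq + 1
        while i < n and body[i] == " ":
            i += 1
        if i < n and body[i] == '"':  # quoted value, ';' allowed inside
            close = body.find('"', i + 1)
            if close < 0:
                raise ValueError("unterminated quote in %r" % key)
            value, i = body[i + 1:close].strip(), close + 1
        else:  # bare value runs up to ';' or '\;'
            buf: List[str] = []
            while i < n and body[i] != ";" and not body.startswith("\\;", i):
                esc = body.startswith("\\ ", i)
                buf.append(_ESC_SPACE if esc else body[i])
                i += 2 if esc else 1
            value = "".join(buf).strip().replace(_ESC_SPACE, " ")
        pairs[key] = value
        while i < n and body[i] == " ":
            i += 1
        i += 2 if body.startswith("\\;", i) else int(i < n and body[i] == ";")
    return prefix, pairs


def resolve(value: str, lookup: LookupFn, prefix: str = "xmr", retries: int = 3) -> Dict[str, object]:
    """Steps 1-6 for one entered value. 'dnssec' False means the resolver saw
    no valid chain and the caller must warn the user before paying."""
    fqdn = alias_to_fqdn(value)
    if fqdn is None:  # raw address, nothing to resolve
        return {"address": value.strip(), "fqdn": None, "name": None, "dnssec": None}
    for attempt in range(1 + retries):  # first try plus `retries` retries
        try:
            records, validated = lookup(fqdn)
            break
        except OSError as err:
            if attempt == retries:
                raise LookupError("TXT lookup for %s failed: %s" % (fqdn, err))
    for txt in records:
        try:
            app, pairs = parse_record(txt)
        except ValueError:
            continue  # SPF or other unrelated TXT data
        if app == prefix and pairs.get("recipient_address"):  # first match wins
            return {"address": pairs["recipient_address"], "fqdn": fqdn,
                    "name": pairs.get("recipient_name"), "dnssec": validated}
    raise LookupError("no oa1:%s record with recipient_address at %s" % (prefix, fqdn))


if __name__ == "__main__":
    for entered in ("donate@getmonero.org", "unsigned.example.invalid", XMR_ADDR):
        r = resolve(entered, constructed_lookup)
        print(entered, "->", r["address"], r["name"], "" if r["dnssec"] is not False else "[UNVALIDATED]")
```

The DNSSEC decision is deliberately left to the caller: resolve only reports the status, and the warning plus the final confirmation belong in the wallet UI. Treat the flag as trustworthy only when it comes from a local validator or from a resolver reached over an authenticated channel such as DNSCrypt; a plain UDP answer from an arbitrary resolver can carry any AD bit an attacker likes.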
The other key-value pair in our example is recipient_name. This is not required, but it is useful for confirming the correct recipient with the user, or for offering the user the option of adding an entry to an address book.
For a discussion of the additional standard (optional) key-value pairs, please see the section on standard key-value pairs below.
This is what the same FQDN has, but for Bitcoin:
oa1:btc recipient_address=1FhnVJi2V1k4MqXm2nHoEbY5LV7FPai7bb; recipient_name=Monero Development;
What other key-value pairs are standard?
- tx_description – in addition to the name of the recipient, if you are using OpenAlias for transactions you may choose to define a transaction description. Bear in mind that DNS is typically long-lived data and not always updated at request time, so this should only be used if it does not need to change frequently.
- tx_amount – as above, this should only be used where it is semi-permanent and unlikely to change often. The amount is a numeric value, and the exact numeric type and size you choose to enforce is up to you and your application's use-case.
- tx_payment_id – this is specific to Monero, but is standardised as other cryptocurrencies (CryptoNote-based cryptocurrencies in particular) may find it useful. It is typically a hex string of 32 characters, but that is not enforced by the standard.
- address_signature – if you have a standardised way of signing messages with the address's private key, then this can be used to validate the FQDN. The message that is signed should be the entire FQDN (eg. donate.getmonero.org) and nothing else. Validation consists of verifying that the signature is valid for the FQDN as the message. Note the scope of this check: a valid signature proves that the holder of the address's private key endorsed this FQDN; it does not prove that the FQDN's owner endorsed the address, and an attacker who can alter the DNS answer can substitute their own address together with their own valid signature. DNSSEC remains the control against that.
- checksum – checksum is an optional CRC-32. It has to appear as the last item in the TXT record, otherwise the record is open to manipulation. Depending on your use-case it may serve little or no purpose, although some may choose to include it for extra validation. In order to calculate or verify the checksum, take the entire record up to the checksum key-value pair (ie. excluding the checksum key-value pair), strip any spaces from either side, and calculate the CRC-32 on that final record. A CRC-32 only detects accidental corruption: anyone who can alter the record can recompute it, so it is no substitute for DNSSEC or address_signature.
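Computing and verifying the checksum pair, as an added example rather than project code. Two details the page leaves open are assumed here: the CRC-32 uses the common IEEE polynomial (Python's zlib.crc32) and the value is written as eight hexadecimal digits. The sample record is the Monero record quoted above.

```python
"""Optional OpenAlias 'checksum' pair: compute it on publish, verify it on
read. Added example, not project code. Per the page the CRC-32 covers the
record text before the checksum pair, trimmed of surrounding spaces, and
the pair must be last. Assumptions: IEEE CRC-32 (zlib) and an 8-hex-digit
value; the page does not fix either."""
import re
import zlib
from typing import Optional

# Matches a checksum pair only when it is the final pair; the terminator may
# arrive as ';' or, from an escaping DNS library, as '\;'.
_TRAILING_CHECKSUM = re.compile(r"checksum\s*=\s*([0-9A-Fa-f]{1,8})\s*(?:\\;|;)?\s*$")


def crc32_of(record_body: str) -> int:
    """CRC-32 of the record with surrounding spaces stripped, as the page specifies."""
    return zlib.crc32(record_body.strip().encode("utf-8")) & 0xFFFFFFFF


def append_checksum(record: str) -> str:
    """Publisher side: the checksum pair is appended last, over everything before it."""
    body = record.strip()
    return "%s checksum=%08X;" % (body, crc32_of(body))


def verify_checksum(record: str) -> Optional[bool]:
    """Client side. True if the trailing checksum matches; False if it does not
    match or a checksum pair exists but is not in last position (forbidden by
    the page); None if the record carries no checksum at all."""
    m = _TRAILING_CHECKSUM.search(record)
    if m is None:
        # Crude presence test; a value that itself contains 'checksum=' would
        # be reported as misplaced, which is the safe direction to fail.
        return False if re.search(r"\bchecksum\s*=", record) else None
    return crc32_of(record[:m.start()]) == int(m.group(1), 16)


if __name__ == "__main__":
    rec = ("oa1:xmr recipient_address=46BeWrHpwXmHDpDEUmZBWZfoQpdc6HaERCNmx1pEYL2r"
           "AcuwufPN9rXHHtyUA4QVy66qeFQkn6sfK8aHYjA3jk3o1Bv16em; recipient_name=Monero Development;")
    published = append_checksum(rec)
    print(published)
    print("intact:", verify_checksum(published))
    print("tampered:", verify_checksum(published.replace("Monero Development", "Mallory")))
```

The verifier treats "checksum present but not last" as a failure rather than ignoring the pair, because a checksum followed by further pairs covers none of them. Keep in mind that this catches corruption, not attackers: a hostile resolver simply recomputes the CRC after editing the record.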
How do I define my own key-value pairs?
As this is an open standard that is meant to be extensible, defining additional pairs is up to you. Your client-side application may require certain key-value pairs as a minimum, and you should make that information easily available. If you have a use-case where you feel certain key-value pairs may provide widespread use and benefit, please reach out to us and we can include them in the standard if appropriate.
OpenAlias is a very new standard, and is open to improvement and additions. Please reach out to us via the details at the bottom of this page, and we can continue to expand and improve the OpenAlias standard!
How can I support the OpenAlias project?
In order to simplify implementation for developers, the Monero Project is writing sample implementations and libraries for various languages. Additionally, OpenAlias will run open and free DNS servers that support Namecoin, DNSSEC, and DNSCrypt. If you are a developer and wish to submit or contribute code, please feel free to do so.
If you would like to support this ongoing effort and help us cover the costs, please consider donating to the Monero Project either via Monero: 46BeWrHpwXmHDpDEUmZBWZfoQpdc6HaERCNmx1pEYL2rAcuwufPN9rXHHtyUA4QVy66qeFQkn6sfK8aHYjA3jk3o1Bv16em or via Bitcoin: 1FhnVJi2V1k4MqXm2nHoEbY5LV7FPai7bb. If you use an OpenAlias-compatible client, both of these donation addresses are available on openalias.org and/or donate.getmonero.org.
What about contacting you or the community?
OpenAlias is a part of the Monero project, and can thus be discussed in either #monero-dev or #openalias on Freenode. There is also a dedicated OpenAlias section on the Monero forums. If you would like to get hold of us personally, then you can do so via email: [email protected]
Media enquiries can be directed to Riccardo Spagni directly at [email protected]