Traditional Domain Names, New Environments: Integrating into Blockchains and Beyond
Responsible integration will require promoting alignment with the DNS while addressing the concerns with existing and future blockchain naming connections.
Domain names have long been used as identifiers in applications. In the early days of the Domain Name System (DNS), domain names were associated with Teletype Network (TELNET) hosts, File Transfer Protocol (FTP) servers, and email services. Later, domain names were adopted for web browsing. Domain names have served for more than 35 years as unique, stable identifiers across multiple use cases.
Over the last several years, blockchain applications have emerged as a new use case for user-friendly identifiers. In these applications, an identifier can be associated with a resource such as a wallet or a smart contract – or more precisely, with the resource’s blockchain address in one of the various blockchain application environments. Associating a user-friendly identifier with a blockchain address can make it easier for users to perform transactions in a blockchain application, for the same reasons a domain name makes it easier for users to navigate to a website. First, a user-friendly identifier is more descriptive and mnemonic than a blockchain address, which is typically a long, random bit string. Second, the associated blockchain address can be updated, if necessary, without changing the identifier.
The demand for such use cases is evident: the Ethereum Name Service (ENS) reported more than 2.6 million identifiers registered as of early October 2022, with most identifiers supporting blockchain application use cases. The evolution of user-friendly identifiers in blockchain applications has so far centered on blockchain-based alternative name systems instead of DNS-based solutions.
This raises the question: Can the DNS be used for blockchain naming? Indeed, as the ICANN Office of the CTO document on the topic, OCTO-034, notes in Section 5.3, the DNS could be used as a naming system in blockchain applications “to associate DNS names to wallets, NFTs, and other blockchain objects.” But this approach has not yet been significantly adopted. One possible reason is that the DNS lacks clear support for blockchain use cases – there are no standards or agreed-upon norms about how to store and use blockchain data in the DNS for blockchain use cases. However, several blockchain-based integrations do exist that link a DNS domain name into a blockchain namespace, despite the absence of standards or norms to store blockchain data in DNS.
One such integration from ENS relies on DNSSEC and was first introduced for the .xyz top-level domain (TLD) in 2018 and then for most DNSSEC-enabled TLDs in 2021. With this integration, a registrant configures DNSSEC on a second-level domain (SLD) in DNS and then links the DNS domain name into the ENS namespace by submitting a DNSSEC trust chain, which is then validated in the blockchain environment, or “on-chain.”
Another integration, from Tezos Domains, also relies on DNSSEC. However, instead of evaluating the DNSSEC data on-chain, a registrant provides a DNSSEC chain of trust to Tezos Domains off-chain, which then provides a signed confirmation that the registrant can use to link its DNS domain name into the Tezos Domains namespace. As with the ENS integration option, the DNSSEC chain of trust is leveraged to validate the intention of the registrant to link its DNS domain name into a blockchain namespace.
Although these integration options show that blockchain platforms are already being configured to use DNS domain names as identifiers, there are concerns to consider regarding the potential impact on the security and stability of the DNS:
- Synchronization – Differences in the status of a domain name between the DNS and the blockchain namespace are not directly handled in these integrations. In particular, the existing DNS integrations do not necessarily account for DNS domain name lifecycle events, such as expiration, when the DNS domain name and the corresponding blockchain identifier should be unlinked from a blockchain namespace.
- Completeness – Depending on the integration method, it may only be possible to integrate a subset of DNS domain names into a blockchain namespace, making the integration incomplete from a user experience perspective.
These concerns can lead to incorrect assumptions and expectations from both DNS registrants, regarding the impact of DNS lifecycle events on the corresponding blockchain identifier, and other users, regarding common control of the DNS domain and the corresponding blockchain identifier. For example, using currently available integrations, if a domain name expires in DNS, the corresponding blockchain identifier will persist in the blockchain namespace, presumably under the prior DNS registrant’s control. A new registrant of the domain name in DNS may be unaware or unable to update the blockchain information. Other users might then incorrectly assume the DNS domain name and the corresponding blockchain identifier are under common control, leading to unexpected outcomes, such as a blockchain transaction intended for the “new” registrant of the DNS domain name being mistakenly directed to the prior registrant.
Reliance on DNSSEC brings its own considerations if an integration does not account for the full suite of algorithms and digests used by DNSSEC. For example, as of September 2022, ENS does not support RSA-SHA512, which is used by the .it ccTLD at the TLD level. Accordingly, no .it SLD can be linked into ENS, preventing 3.5 million .it DNS domain names from being used in ENS-supported blockchain applications. Such concerns will continue to exist with current integration options as there is no agreement between DNS and blockchain namespaces or platforms to support all current or future DNSSEC algorithms.
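The completeness gap described above can be checked mechanically. The following Python sketch is an added example, not code from ENS or any other project named here: it walks a DNSSEC chain of trust and reports the first zone a validator with a limited algorithm set cannot get past. The supported sets, the key tags and the `example.` zones are assumptions constructed for illustration; only the absence of RSA-SHA512 (IANA algorithm 10) and its use at the .it TLD level come from the text.

```python
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers: 8 RSASHA256, 10 RSASHA512, 13 ECDSAP256SHA256.
# IANA DS digest types: 1 SHA-1, 2 SHA-256.
# Hypothetical validator profile; the only property taken from the article
# is that algorithm 10 (RSA-SHA512) is missing from it.
SUPPORTED_ALGS = frozenset({8, 13})
SUPPORTED_DIGESTS = frozenset({2})

@dataclass(frozen=True)
class Link:
    zone: str
    ds: tuple           # (key_tag, algorithm, digest_type) in the parent; trust anchor for the root
    dnskey_sigs: tuple  # (key_tag, algorithm) of RRSIGs over the zone's DNSKEY RRset

def usable_paths(link, algs=SUPPORTED_ALGS, digests=SUPPORTED_DIGESTS):
    """DS records the validator can hash AND whose key signs the DNSKEY RRset
    with an algorithm the validator can verify."""
    return [ds for ds in link.ds
            if ds[1] in algs and ds[2] in digests and (ds[0], ds[1]) in link.dnskey_sigs]

def first_blocking_zone(chain, algs=SUPPORTED_ALGS, digests=SUPPORTED_DIGESTS):
    """Return the first zone with no usable path, or None if the name is linkable.
    Simplification: each zone is assumed to sign its data with the same
    algorithms as its DNSKEY RRset."""
    for link in chain:
        if not usable_paths(link, algs, digests):
            return link.zone
    return None

# Constructed sample chains; key tags are placeholders, not real keys.
ROOT = Link(".", ((1, 8, 2),), ((1, 8),))
CHAIN_IT = [ROOT,
            Link("it.", ((2, 10, 2),), ((2, 10),)),
            Link("example.it.", ((3, 13, 2),), ((3, 13),))]
CHAIN_DUAL = [ROOT,  # hypothetical TLD signed with both 10 and 13
              Link("example.", ((4, 10, 2), (5, 13, 2)), ((4, 10), (5, 13))),
              Link("name.example.", ((6, 13, 2),), ((6, 13),))]

if __name__ == "__main__":
    for chain in (CHAIN_IT, CHAIN_DUAL):
        blocker = first_blocking_zone(chain)
        print(chain[-1].zone, "linkable" if blocker is None else f"blocked at {blocker}")
```

The SLD under .it is blocked at the TLD even though its own zone uses a supported algorithm, while the dual-signed TLD remains usable because one supported DS-to-DNSKEY path is enough.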
A separate type of DNS integration is when a blockchain namespace wants to allow a DNS TLD operator to link its TLD directly, providing its own custom DNS integration for SLDs under the TLD the operator manages. In such cases, a mechanism must be provided to ensure only the current DNS operator of a TLD is allowed to make such a linkage; otherwise, there is a risk that the TLD could be co-opted in the blockchain namespace by someone other than the TLD’s DNS operator.
How to make a TLD linking process scalable for all 1,300+ DNS TLDs without manual intervention is an open problem. In 2019, ENS proposed allowing the registrant of the domain name nic.<TLD> to link the corresponding TLD into ENS under the assumption that nic.<TLD> was controlled by the DNS operator of the TLD. ENS abandoned this proposal after a technical note from Verisign observed this assumption does not hold true for four legacy gTLDs or potentially for ccTLDs. As such, integrations at the TLD level also require careful design.
Given the interest in using DNS domain names as identifiers in blockchain applications, the DNS community should work towards a responsible integration, promoting alignment with the DNS while addressing the concerns with existing integrations. In promoting and moving toward this responsible integration objective, all parties involved should keep in mind that:
- The DNS community should work with the blockchain community to develop criteria for responsible integration of DNS domain names into blockchain applications and support efforts to update and/or develop blockchain namespaces and mechanisms that meet these criteria.
- Blockchain namespaces should implement validation checks to ensure only the DNS registrant or DNS operator of a domain name or an authorized party can link the corresponding blockchain identifier in the blockchain namespace.
- Blockchain namespace assessments of the relationship between a DNS domain name and a blockchain identifier should account for the DNS domain name lifecycle, including the possibility that a domain name registration may expire or be subject to trademark or DNS abuse actions.
- The DNS community should support efforts to integrate DNS domain names into blockchain namespaces that implement developed best practices.
By establishing responsible integration for DNS domain names into blockchain applications, the DNS community can work towards increasing DNS domain name utility and supporting new use cases. Responsible integration practices and implementation can provide registrants with additional uses for their DNS names, as they will be able to use their existing DNS domain names to support websites, email and blockchain functionality while addressing synchronization and completeness safely and securely.