A proposal for cryptocurrency addresses in DNS

Mattias Geniar, Monday, September 18, 2017 - last modified: Saturday, September 23, 2017

By now it's pretty clear that the idea of a cryptocurrency probably isn't going away. It might not be Bitcoin or Litecoin, it might not have the same value as it does today, but the concept of cryptocurrency is here to stay: digital money.

Just like the beginning of IP addresses, using them raw was fine at first. But with crypto, you get long hexadecimal strings that truly no one can remember by heart. It's far from user friendly.

It's like trying to remember that 2a03:a800:a1:1952::ff is the address for this site. Doesn't work very well, does it? It's far easier to say ma.ttias.be than the cryptic representation of IPv6.

I think we need something similar for cryptocurrencies. Something independent and -- relatively -- secure. So here's the proposal I came up with in the car on the way home.

Example: cryptocurrency in DNS

Here's the simplest example I can give.

$ dig ma.ttias.be TXT | sort
ma.ttias.be.	3600	IN    TXT   "ico:10 btc:1AeCyEczAFPVKkvausLSQWP1jcqkccga9m"
ma.ttias.be.	3600	IN    TXT   "ico:10 ltc:Lh1TUmh2WP4LkCeDTm3kMX1E7NQYSKyMhW"
ma.ttias.be.	3600	IN    TXT   "ico:20 eth:0xE526E2Aecb8B7C77293D0aDf3156262e361BfF0e"
ma.ttias.be.	3600	IN    TXT   "ico:30 xrp:rDsbeomae4FXwgQTJp9Rs64Qg9vDiTCdBv"

Cryptocurrency addresses get published as TXT records on a domain of your choosing. Want to receive a payment? Simply say "send it to ma.ttias.be": the client resolves the TXT records of that name, extracts the accompanying addresses and uses the priority field as a guideline for choosing which address to pick first.

Think MX records, but implemented as TXT. The lower the priority, the more preferred it is.

The TXT format explained

A TXT format can contain pretty much anything, so it needs some standardization in order for this to work. Here's my proposal.

ico:[priority] space [currency]:[address]

Let's pick the first result as an example and tear it down.

$ dig ma.ttias.be TXT | sort | head -n 1
ma.ttias.be.	3600	IN    TXT   "ico:10 btc:1AeCyEczAFPVKkvausLSQWP1jcqkccga9m"

Translates to:

  • ico:: a prefix in the TXT record to denote that this is a currency record, much like SPF uses the "v=spf1" prefix. This is a fixed value.
  • 10: the priority. The lower the value, the higher its preference.
  • btc: preferred currency is btc, or Bitcoin.
  • 1AeCyEczAFPVKkvausLSQWP1jcqkccga9m: the btc address to accept payments.

Simple, versatile format.

The priority allows for round-robin implementations, if you wish to diversify your portfolio. Publishing multiple cryptocurrencies gives the sender the freedom to choose which currency he/she prefers, while still honoring your priority.

Technically, I published 2 records with a priority of 10. It's up to the sender to determine which currency he/she prefers, if it's available to them. If it isn't, they can move down the chain and try the other published addresses.

It means only addresses on which you want to receive currency should ever be posted as DNS records.
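As an added example (not code from the post), here is a small client-side routine in Python that parses the TXT strings of a name into (priority, currency, address) records and picks an address the way the text describes: priorities are walked from lowest to highest, MX-style, and within one priority the sender's own currency preference decides. The record strings are the ones published in the post; the SPF record mixed in is constructed to show that unrelated TXT records on the same name are ignored, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Strict form of the record format: the whole TXT string must be one record.
ICO_RECORD = re.compile(
    r"^ico:(?P<priority>[0-9]+) (?P<currency>[a-z]{3,}):(?P<address>[a-zA-Z0-9]+)$"
)

# Constructed sample: TXT strings as a resolver returns them for ma.ttias.be
# (the addresses are the ones published in the post, the SPF line is made up).
SAMPLE_TXT_RECORDS = [
    "ico:10 btc:1AeCyEczAFPVKkvausLSQWP1jcqkccga9m",
    "ico:10 ltc:Lh1TUmh2WP4LkCeDTm3kMX1E7NQYSKyMhW",
    "ico:20 eth:0xE526E2Aecb8B7C77293D0aDf3156262e361BfF0e",
    "ico:30 xrp:rDsbeomae4FXwgQTJp9Rs64Qg9vDiTCdBv",
    "v=spf1 include:_spf.example.net ~all",  # unrelated TXT record on the same name
]


def parse_records(txt_strings):
    """Return (priority, currency, address) for every well-formed ico: record.

    Anything that does not match the format exactly, including other TXT
    records that happen to live on the same name, is skipped rather than
    partially parsed.
    """
    records = []
    for txt in txt_strings:
        match = ICO_RECORD.match(txt)
        if match:
            records.append((int(match["priority"]), match["currency"], match["address"]))
    return records


def choose_address(txt_strings, accepted_currencies):
    """Pick the address to pay, MX-style: lowest priority value first.

    `accepted_currencies` is the sender's own preference list, most preferred
    first. Priority is decisive across groups; inside one priority group (the
    post publishes btc and ltc both at 10) the sender's order decides.
    Returns (currency, address), or None if no published currency is usable.
    """
    by_priority = defaultdict(dict)
    for priority, currency, address in parse_records(txt_strings):
        by_priority[priority][currency] = address
    for priority in sorted(by_priority):
        for currency in accepted_currencies:
            if currency in by_priority[priority]:
                return currency, by_priority[priority][currency]
    return None


if __name__ == "__main__":
    print(parse_records(SAMPLE_TXT_RECORDS))
    print(choose_address(SAMPLE_TXT_RECORDS, ["ltc", "btc"]))  # ltc wins inside priority 10
    print(choose_address(SAMPLE_TXT_RECORDS, ["eth", "btc"]))  # btc wins: priority 10 beats 20
    print(choose_address(SAMPLE_TXT_RECORDS, ["doge"]))        # None: nothing usable
```

A sender that can pay in eth and btc still ends up at the btc address, because the recipient's priority outranks the sender's preference; only the tie at priority 10 is resolved by what the sender prefers.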

DNSSEC required

To avoid DNS cache poisoning or other man-in-the-middle attacks, DNSSEC would have to be a hard requirement in order to guarantee integrity.

This should not be optional.

If smart people ever end up implementing something like this, an additional GPG/PKI-like solution might be added for increased security, by signing the addresses once more.
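To make the "DNSSEC is not optional" rule concrete, here is an added example (not from the post) of how a payment client can refuse to act on an answer that was not DNSSEC-validated: it checks for the AD (authenticated data) flag in the header before it extracts any ico: record. The dig output is constructed for this example; the TXT strings are the post's, the header values and the RRSIG line are made up, and the function names are assumptions.

```python
import re

# Constructed sample of what `dig +dnssec ma.ttias.be TXT` prints when asked
# through a validating resolver: the "ad" flag in the header says the resolver
# authenticated the answer. The TXT strings are the post's; header values and
# the RRSIG line are made up and the signature is a placeholder.
VALIDATED_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
ma.ttias.be.\t3600\tIN\tTXT\t"ico:10 btc:1AeCyEczAFPVKkvausLSQWP1jcqkccga9m"
ma.ttias.be.\t3600\tIN\tTXT\t"ico:20 eth:0xE526E2Aecb8B7C77293D0aDf3156262e361BfF0e"
ma.ttias.be.\t3600\tIN\tRRSIG\tTXT 13 3 3600 20171001000000 20170911000000 4242 ttias.be. <signature-placeholder>
"""

# The same answer without the "ad" flag: the zone is unsigned, the chain of
# trust is broken, or the resolver simply does not validate. Either way the
# addresses could have been altered in transit and must not be used.
UNVALIDATED_RESPONSE = VALIDATED_RESPONSE.replace("qr rd ra ad;", "qr rd ra;")

FLAGS_LINE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)
ICO_TXT_LINE = re.compile(r'^\S+\s+\d+\s+IN\s+TXT\s+"(ico:[^"]*)"', re.MULTILINE)


class UnauthenticatedAnswer(Exception):
    """Raised when a payment-address lookup did not come back DNSSEC-validated."""


def dnssec_validated(dig_output):
    """True when the header flags include AD (authenticated data)."""
    match = FLAGS_LINE.search(dig_output)
    return bool(match) and "ad" in match.group(1).split()


def trusted_ico_records(dig_output):
    """Return the ico: TXT strings of a response, refusing unvalidated answers.

    Caveat: the AD bit is set by the resolver, not by the zone. It is only
    worth anything when the path to that resolver is itself trusted (a
    validating resolver on localhost, or one reached over DoT/DoH); otherwise
    the client has to validate the RRSIG chain itself.
    """
    if not dnssec_validated(dig_output):
        raise UnauthenticatedAnswer(
            "answer carries no AD flag; refusing to use payment addresses from it"
        )
    return ICO_TXT_LINE.findall(dig_output)


if __name__ == "__main__":
    print(trusted_ico_records(VALIDATED_RESPONSE))
    try:
        trusted_ico_records(UNVALIDATED_RESPONSE)
    except UnauthenticatedAnswer as err:
        print("rejected:", err)
```

The failure mode to design for is the silent one: a resolver that does not validate returns exactly the same records, just without the AD flag, so a client that only looks at the answer section cannot tell the difference. Failing closed on a missing AD flag is what turns "DNSSEC required" from a recommendation into behaviour.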

Currency agnostic

This isn't a solution for Bitcoin, Litecoin or Ripple. It's a solution for all of them. And all the new currencies to come.

It's entirely currency agnostic and can be used for any virtual currency.

Multi tenancy

If you want multiple users on the same domain, you could solve this via subdomains, i.e. "john.domain.tld", "mary.domain.tld", ...

It makes the format of the TXT record plain and simple and uses basic DNS records for delegation of accounts.

Why not a dedicated resource record?

For the same reason the SPF resource record went away and was replaced by a TXT alternative: availability.

Every DNS server and client already understands TXT records. If we have to wait for servers, clients and providers to implement something like an ICO resource record, it'll take ages. Just look at the current state of CAA records: only a handful of providers offer them, even though checking them is already mandatory for CAs.

There are already simpler naming schemes for cryptocurrency!

Technically, yes, but they all have a deep flaw: you have to trust someone else's system.

There are BitAlias, onename, ENS for Ethereum, okTurtles, ... and they all build on top of their own custom system.

But it turns out we already have a name-translation system called DNS; we'd be far better off implementing a readable cryptocurrency variant in DNS than in someone else's closed system.

The validator regex

With the example given above, it can easily be validated with the following regex.

ico:([0-9]+) ([a-z]{3,}):([a-zA-Z0-9]+)

And it translates to:

  • group #1: the priority
  • group #2: the currency
  • group #3: the address

A complete validator with the dig DNS client would translate to:

$ dig ma.ttias.be TXT | sort | grep -P 'ico:([0-9]+) ([a-z]{3,}):([a-zA-Z0-9]+)'
ma.ttias.be.	3600	IN    TXT   "ico:10 btc:1AeCyEczAFPVKkvausLSQWP1jcqkccga9m"
ma.ttias.be.	3600	IN    TXT   "ico:10 ltc:Lh1TUmh2WP4LkCeDTm3kMX1E7NQYSKyMhW"
ma.ttias.be.	3600	IN    TXT   "ico:20 eth:0xE526E2Aecb8B7C77293D0aDf3156262e361BfF0e"
ma.ttias.be.	3600	IN    TXT   "ico:30 xrp:rDsbeomae4FXwgQTJp9Rs64Qg9vDiTCdBv"
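As an added example that is not part of the post, the following Python contrasts the regex as grep uses it (a match anywhere in the line counts) with an anchored version that only accepts a TXT string that is exactly one record. The sample inputs are constructed for this example; the btc address in them is the post's, and the function names are assumptions.

```python
import re

# The post's validator, used the way grep uses it: a match anywhere in the string counts.
LOOSE = re.compile(r"ico:([0-9]+) ([a-z]{3,}):([a-zA-Z0-9]+)")
# Anchored variant: the entire TXT string must be exactly one record, nothing before or after.
STRICT = re.compile(r"^ico:([0-9]+) ([a-z]{3,}):([a-zA-Z0-9]+)$")


def loose_parse(txt):
    """Return (priority, currency, address) from the first match anywhere in txt, else None."""
    match = LOOSE.search(txt)
    return (int(match.group(1)), match.group(2), match.group(3)) if match else None


def strict_parse(txt):
    """Return (priority, currency, address) only when txt is exactly one record, else None."""
    match = STRICT.match(txt)
    return (int(match.group(1)), match.group(2), match.group(3)) if match else None


# Constructed inputs: one good record and several malformed ones.
BTC = "1AeCyEczAFPVKkvausLSQWP1jcqkccga9m"
SAMPLES = {
    "good":           f"ico:10 btc:{BTC}",
    "upper_currency": f"ico:10 BTC:{BTC}",             # currency must be lowercase
    "trailing_text":  f"ico:10 btc:{BTC}-old",         # stray suffix glued to the address
    "embedded":       f"v=spf1 ico:10 btc:{BTC} ~all",  # record buried inside another TXT string
    "no_priority":    f"ico: btc:{BTC}",
}


def compare(samples=SAMPLES):
    """Map each sample name to (loose result, strict result) so the two can be compared."""
    return {name: (loose_parse(txt), strict_parse(txt)) for name, txt in samples.items()}


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:15} loose={loose} strict={strict}")
```

The interesting rows are "trailing_text" and "embedded": the unanchored regex quietly returns an address from a record that is not well-formed (the address character class simply stops at the first character it does not accept), while the anchored one rejects the record outright. Either way the regex only checks the shape of the record; it says nothing about whether the address itself is valid for that currency, so a client should still run the currency's own address checksum before paying.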

Now, who's going to make this an RFC? I certainly won't, I've got too many things to do already.



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.


Comments

Jerome Tuesday, September 19, 2017 at 16:26 - Reply

Fun idea.
Another option to “avoid” DNSSEC (or if you can’t) would be to issue an SSL certificate for ma.ttias.be with alternative names like
btc.1AeCyEczAFPVKkvausLSQWP1jcqkccga9m.ma.ttias.be

So it’s already signed by some authority


    Mattias Geniar Tuesday, September 19, 2017 at 16:52 - Reply

    Another option to “avoid” DNSSEC (or if you can’t) would be to issue an SSL certificate for
    ma.ttias.be with alternative names like “btc.1AeCyEczAFPVKkvausLSQWP1jcqkccga9m.ma.ttias.be”

    Hey, that’s clever, I like that approach too! Especially with automation like Let’s Encrypt, this could be very possible.

    Just have to think about a way to verify that you own that BTC address, something like receiving (or sending?) a micro transaction in order to confirm you own that address?


ab Tuesday, September 19, 2017 at 17:37 - Reply

This seems to assume 1 domain == 1 address set. Why not user@domain, or some scheme similar to email? Then you’d have a multi-user way to deliver cryptocurrency to multiple users on a domain. Shoehorning that into DNS gets to be a little more fun however.


d Wednesday, September 20, 2017 at 20:09 - Reply

Isn’t this overloading the TXT record with meaning? Perhaps some prefix to discern a TXT record which is actually used to indicate payment/currency destination.


    Mattias Geniar Wednesday, September 20, 2017 at 20:51 - Reply

    Isn’t this overloading the TXT record with meaning?

    Well, it’s already being abused for a lot of things, people stuff a lot in TXT records.

    Perhaps some prefix to discern a TXT record which is actually used to indicate payment/currency destination.

    More people have suggested this, it would make for more robust parsing of the record indeed. I’ve updated the post with ico: as a prefix for all currency-related TXT records. The regex validator has also been updated.


Mike Wednesday, September 20, 2017 at 22:31 - Reply

The regex with named groups for readability: ico:(?P<priority>[0-9]+) (?P<currency>[a-z]{3}):(?P<address>[a-zA-Z0-9]+)


Andrew A Froehlich Friday, December 22, 2017 at 07:05 - Reply

I came up with the same idea. The challenge would be people hacking accounts to change out addresses, which would be very hard to detect as they are so cryptic, and getting adoption. An RFC would be great.


    Mattias Geniar Friday, December 22, 2017 at 11:48 - Reply

    The challenge would be people hacking accounts to change out addresses, which would be very hard to detect as they are so cryptic, and getting adoption.

    Well, I built DNS Spy to get notifications when your DNS changes, so if this would get traction, a solid DNS monitoring solution is a must! :D


flo Thursday, January 25, 2018 at 18:24 - Reply

A DNS-based system as you have described it already exists with OpenAlias: https://openalias.org/
I’ve been using it for several months now and it works awesome :)


    Mattias Geniar Thursday, January 25, 2018 at 18:40 - Reply

    Cool!

    This part stands out:

    TXT records contain, at a minimum, only two pieces of information: the prefix, and the recipient_address. Let’s take a look at a typical OpenAlias TXT record:

    So turns out, not that different from the system I came up with 😂

