Handshake Hackathon Speaker / Q&A

Transcript

(00:01) Kenetic is a blockchain crypto investment firm based in Hong Kong and Puerto Rico. Founded in 2016, they were the first fund in Hong Kong and one of the earliest in Asia, with a portfolio of over 220 companies. They were seed investors in such projects as Ethereum, Parity and Polkadot, Solana, FTX, and of course Handshake and Namebase. Founder Jehan Chu was an active investor and supporter of the Handshake ecosystem: over one hundred thousand domains, co-founder of the dWeb Foundation, co-founder of HandyCon, and sponsor of

(00:52) the Handshake House at Miami Hack Week 2022. All right, and we are back with Zipkin again. Here we're going to talk about this website race that we've got going on. Zipkin DM'd me a little while ago saying we need more content on Handshake sites, and I said absolutely, I agree, let's make this happen. So we set up bounties, we set up prizes: if you build websites on Handshake domain names you can get some Handshake if you build something cool. I'm going to drop the Handshake Website Race Discord as well as this

(01:41) tweet; if you guys could retweet it, like it, or anything, share it around so more people are aware of this. We also partnered with Skynet and Akash, so they're giving out some Akash and Siacoin with their bounties. But I'm not going to take up too much of Matt's time; I'm going to let him take it away and talk about the more technical side of the Handshake Website Race. All right, thanks. Yeah, so we want websites on Handshake. A lot of people are building cool stuff and weird things like NFTs

(02:19) and stuff on Handshake, and applications and stuff, but you know, we've got these cool new browsing tools now, Fingertip and Beacon Browser, and I want URLs to type into those that aren't just my own, like the couple that I know about. So this is what I want: content on Handshake, and specifically content you can't get anywhere else, because that adds value to the network, makes the price of the coin go up, makes people need to install Handshake software on their computer

(02:46) so they can access this content. I've even tweeted informally that, you know, there will be extra bounties for censorship-resistant related content, content that is generally censored, let's say. No hate, of course, but you know there's lots of loving and freedom-fighting content that is also censored. Anyway, that's beside the point. We want websites on Handshake, and specifically we want secure websites on Handshake. So today we're going to talk about DANE. I'm going to spend this next half hour talking

(03:14) about how to set up a secure website on Handshake. The original idea was to maybe do a live demo; I was going to get a DigitalOcean server and show everybody how to do it. Instead, I'm going to do all the commands in slides, and then maybe next week I'll post a YouTube video of an actual demonstration, because so much can go wrong live. This talk is going to be very technical. I was going to make it broad, and I'm going to skip the first maybe 10 slides I made. I'm going to skip

(03:40) the general stuff and go right to you, the web developer. You are the person who makes a website. You've made websites before, you want to make a website for the Handshake Website Race, maybe you've never made a Handshake website before, or you've never made a secure Handshake website before: this talk is for you. So let's go. I was going to talk generally about delegation, and how, like, if I have a parking ticket, how do I pay this parking ticket? The only thing I know is that the president is Joe Biden.

(04:07) Well, then you ask Biden, and he says go talk to... oh, I made a mistake on it. Oh yeah, you go talk to Gavin Newsom in Sacramento, who says go talk to London Breed in San Francisco, who says go talk to Doris on the fourth floor, and she'll take your payment. So this idea of delegation: on the internet, how we delegate things is with an IP address and a public key. Basically, the IP address is where the next person is, and the public key is how you know it's them when you get there.

(04:36) Skipping this for now, skipping this for now, skipping this for now. Here we go: DANE. All right, hopefully we're going to talk about this a lot this week. I think we talked about it last year, and it's one of my favorite topics and one of the most important technical topics when it comes to Handshake, and this slide is it. This is the delegation of authority from the blockchain, from the miners, from the energy being wasted on proof of work, to your website, and it's just a single flow from left to right. Proof of work

(05:07) secures the website. There are three things you need to do if you want a secure website on Handshake. The one on the right is the web server, and that's the one that you, as I've already addressed, are familiar with. You've set up an nginx web server or Apache, you've got a certificate from Let's Encrypt, you basically know how to put HTML files in a folder so that when somebody types in a URL they see your website, with security, because Let's Encrypt is easy to do.

(05:38) What you might not know how to do is how to set up a name server, and the good news is that name servers are almost exactly like web servers. If you have experience with nginx or Apache, you can run NSD or BIND or named or PowerDNS. Name servers work basically the same way: there's a config file where you plug in some options, you've got to know a little bit of that syntax, and then there's another directory where you put the content files. Instead of HTML files with websites, it's zone files with DNS records.

(06:07) So if you can run a web server, you can run a name server. Don't panic, you can do it. And then the third thing is the root zone, which in our case is the blockchain, and I'm hoping that the attendees of this event are somewhat familiar with Namebase or Bob Wallet or hsd. I'm going to teach you all the commands you need to make this grid happen. I'm going to continue to leave this slide up and go through everything here, because this is the overview; this is how it all works.

(06:37) So let's go left to right, and then how we're actually going to do this in practice is from right to left, but we're going to talk about authority. So left is hsd: the root zone, proof of work, mining, electricity, the Handshake root protocol. What do we put there? There are basically three record types that you're going to put in the root zone for your top-level domain: an NS record, an A record, and a DS record. The A record technically is glue, more on that later. So I put the shruggie man next to the NS

(07:10) record and the A record, and that's because in the parent domain, in the root zone, NS records and the glue records are not authoritative. These records are hearsay; they are rumors, gossip. They are suggestions to the recursive resolver on what to do next. They are not authoritative, and I know I've made this mistake a lot before when I was still learning about DNS, and I'm seeing other developers make this mistake now as they learn about things like how HIP-5 works and try to do tricky things with DNS.

(07:41) But the actual NS record for your name server goes in your own zone, which is a little self-referential. I've even talked to some DNS experts about this very thing recently, and there's a bit of hand-waving even among the experts about why that is. But anyway, so the NS record is a domain name that points to glue, which is an A record, also in the root zone, that's an IP address of your name server. So that's how we get from the root zone to the name server;

(08:10) that's how we get the IP address of the name server. The DS record is the hash of your public key, and I put a lock on the DS record in the root zone because the DS record in the root zone is signed by the root server. It is an authoritative record. The DS record is owned by the parent; it's a hash of the child's key, but the DS record is the real delegation. The NS record, like I said, is hearsay, shrugging man, but the DS record is signed by the root. That's real, that's authoritative. The

(08:39) recursive resolver trusts that. Okay, we'll say that. So in the root zone we're going to put an NS record with glue and a DS record. In the name server, so now we're leaving the root zone, we've got a server on DigitalOcean, now we're going to run something like BIND or PowerDNS, and this is where we put our zone file. In the zone we also put an NS record and an A record pointing back to our own name server, and like I said, it's self-referential, it's kind of weird, but basically you don't want

(09:11) the parent domain telling people where to go, but also at the same time it's like, well, if they already found me, then how is telling them where to go to find me useful? It's just the way it is. So the NS record is authoritative, hence the lock icon; it's signed by your DNS key in your zone. Let's get past that part because it's confusing. The next A record is of your web server. That is the thing that we want when we talk about DNS connecting domain names to IP addresses: that A record right there, the second one,

(09:41) middle of the screen, that's the A record that does that. Then finally there's the TLSA record. The TLSA record is the hash of your TLS certificate, which will be served by your web server. So when you get an SSL certificate from Let's Encrypt using certbot, basically what you do is you take the hash of that and put it in DNS and serve it from your zone. So all these records, NS, A, A, TLSA, they're all signed; that's what the lock icon means. What are they signed by? They're signed by your private key, and you obviously keep that safe.

(10:17) The public key of that key pair is stored in a DNSKEY record, and that goes in your zone, and that's why I put the key icon there. It is also signed; I could have also added the lock icon there too. It signs itself. This is also a simple chart. It's also very common for there to be two DNS keys: the root zone DS record would point to a key signing key, that would then point to and sign a zone signing key, and the zone signing key signs everything in its own zone. I don't bother with that anymore; I use one key. You can sign your zone

(10:48) with a key signing key. So if you're learning this, you're learning from all my mistakes. The first one is that the NS record in the root zone doesn't matter. The second one is that you actually don't need a zone signing key; you can just go right for the key signing key. If you have different security needs, obviously you can split it up with two keys, but it's a lot simpler this way. All right, so I think I covered everything on this. I don't see any Q&A, so I'm going to keep

(11:12) going through the slides. But this is the idea: root zone to the name server, name server to the web server. DS record points to the DNSKEY, DNSKEY signs everything including the TLSA record, which verifies the TLS certificate. So we need to get all these records out there and all in place; they all need to be connected the right way in these three different places: root zone, name server, web server. Let's go through it step by step. So we'll start on the right side, on the web server. This is the part that you, as a web designer, are

(11:42) probably more familiar with. So let's say you have your content ready to go on your Handshake name. The white content on the screen here is the actual command. This is an amazing one-line command composed by my colleague buffrr. I formatted it slightly differently, and I put this exact function in my bash profile on my server, so that I've basically created a command in my terminal, selfsigncert; whenever I type that, this whole command is executed. Let's pick it apart so you can kind of see

(12:17) what's happening. It's calling OpenSSL's x509, that's the SSL certificate module. We're going to create a new 4096-bit RSA key that expires in 365 days, so by the way, you will need to do this every year at least. The output file is the cert file, and then the extension stuff. So this is where it gets interesting, because an SSL certificate needs to have the right kind of metadata, otherwise your browser is just going to barf; it's not going to like it. And this is where buffrr's expertise is just totally invaluable,

(12:53) because this is perfect. He's got everything set up right here: basicConstraints CA:FALSE, critical; subjectAltName has your domain name and your IP address in it; all this kind of stuff. So when you execute this command, it will generate a private key, then compute the public key, and generate an SSL certificate and sign it itself. You don't need Let's Encrypt at all; you don't need a certificate authority at all. So this is how it looks on my server, because I have that one-liner in my profile as a function: I just

(13:27) type selfsigncert, cool-domain, and the IP address of whatever server I'm on. OpenSSL does its thing, generates an RSA private key, and spits the output to the cert file. Okay, and this is, if you were to use the OpenSSL x509 module to look at the cert, what you'd see. I cut the output a little bit to try to cram it all into one slide, but I just want you to notice, especially towards the bottom there, the domain name is there, cool-domain, the wildcard *.cool-domain is there, and also the

(14:00) raw IP address, meaning that if somebody just types that IP address into their browser, this certificate would be valid for that connection too, even without a host name. Okay, so now the next step is we need to create a TLSA record. Now we are creating a DNS record. The TLSA record just contains a hash of part of the certificate. Again, my colleague buffrr composed this awesome one-line command, which I turned into a function called tlsacreate in my bash profile script, so on my server I just type this command and it happens.

(14:35) What we're going to do is take the OpenSSL x509 module again, grab the certificate file, take the public key out of it, hash it with SHA-256, take the binary output of that, convert it into hex, make it uppercase. I mean, buffrr's just brilliant; this is just a beautiful one-liner here. So the certificate that I generated back here a couple of steps ago, I type tlsacreate in that same directory and bam, there's the TLSA record. You're looking at it: 3 1 1 B4D0F... That's the hash of the public key. This

(15:08) will need to go on your name server and be signed by DNSSEC, and that's how we get from DNS to SSL, to TLS, from DNS land, from the DNSSEC land, to the certificate authority land. This TLSA is that connection. And then the last step on your web server: this is an example of how I would set it up in nginx, which is just my web server of choice lately. This is the config file, the sites-enabled default file or whatever you want to do, and you just put the certificate and the

(15:44) key that you just generated a few steps ago. You give that to nginx so that it can do TLS and serve your website over HTTPS using the certificate that you just generated, and nginx doesn't care if it's a Handshake name; it doesn't care if it's a self-signed certificate or not. You give it a domain name, an IP address, a certificate, you turn it on, it works. Okay, now to the name server. These commands, we're going to start with dnssec-keygen here. These commands are available when you install BIND 9. That's

(16:13) just the toolkit that I use; there are plenty of other options out there, and there are lots of great guides on handy pdf. There's an article there about how to set up HTTPS websites, and a lot of this stuff you'll see again if you go check out those articles. So now we need to generate another cryptographic key pair. This is a DNSSEC private key and public key pair, and then we will take the hash of the public key to create the DS record that will go in the root zone. So this command, dnssec-keygen,

(16:45) -a means algorithm. I use the Ed25519 algorithm; it makes very small keys. That's an elliptic-curve type algorithm, it's cool. And then -f KSK: so here I am making a key signing key. As I said before, you could create a key signing key and a zone signing key; you don't have to, it's more complicated. Maybe you need to do that because of the value of your domain or something. I generally don't; my little websites like the Handshake Tarot and proof-of-concept, I'll just kind of do it like this.

(17:16) So create a key signing key, and then cool-domain is the last argument, and then bam, dnssec-keygen generates a key pair. It gives you the title of the key, which is kind of deterministic, and then if you output that key, you'll see this data here, with the cat command, and at the bottom of that you see the DNSKEY record with some gobbledygook, which is your public key. It's nice; Ed25519 keys are very short. If this was an RSA key it'd be like blah, but it's nice and short.

(17:49) This DNSKEY will go into your zone; this needs to be served by your name server. It's a public key; it needs to be available. Then the last step is this other command, dnssec-dsfromkey, and then you put the file name for the public key, and it will hash the key and create the DS record. This is the DNS record that goes into the root zone, into the parent domain. It's the hash of your public key; it points to your public key, and that's how we create the link from the proof-of-work blockchain to your DNSSEC

(18:24) keys to the web server keys. It's actually kind of funny, in the characters here, the string, the hash, is actually longer than the actual key. That's amusing to me. Okay, so we've got our keys for the name server. Now it's time to write the rest of the zone. So this is what a zone file looks like before it's signed. It's got some templating stuff, like this dollar-sign kind of thing and the @ symbol. This is going to make sense once we

(18:54) sign it. So I've got the $ORIGIN, which is, you know, the TLD, cool-domain; $TTL five minutes, sure. The NS record is there. Now remember what I said about how the NS record has to be inside your zone even though that's self-referential and kind of doesn't make any sense; there it is right there. The NS record for cool-domain is cool-domain. You actually don't need to make ns1.

(19:20) cool-domain. ns1.tld is super common; everybody's doing that. That's another kind of thing you don't have to do. SOA is a DNS thing that proves that you're in charge of the zone. Then the A record, obviously very important, the IP address of your website. In this case I'm using the same IP address for the name server and the web server; I'm not going to elaborate on that, I drew all those arrows a couple of slides ago. And then finally there's the TLSA record that we

(19:46) generated, and then the last line here is the $INCLUDE and the name of the key file. This is sort of a macro: when we do the sign command in the next slide, the signing software will see that $INCLUDE and know what it needs to do. Instead of explaining, I'm just going to show you, so we'll get there. So this is the command. We started with this, this is our zone file, sort of a template, the unsigned zone. We do not serve this file; it's just input to the next step.

(20:18) This is the next step: dnssec-signzone. -z, I think, is what you need to add if you're going to use a key signing key only instead of having two separate keys; you need to put that -z there. -o cool-domain is the output, or the origin, sorry, of the domain, and then cool-domain.

(20:40) zone is the name of the file that we created here in this slide. And then this is the output: verifying the zone using the following algorithms, ED25519, zone fully signed. It learns the algorithms. Note how the output says one active KSK (key signing key), zero active zone signing keys. That's okay, it's actually okay, you don't need a zone signing key. And this is what the zone looks like once it's signed. It's huge, right? We started with this short little template, signed it, and now all this stuff is in here. You'll notice there are RR

(21:07) SIGs; these are the actual cryptographic signatures over each record type. This is the signed zone file; this goes to your name server. There are no private keys here. The nice thing about DNS is you can always sign it offline and then just put the signed records on your hot server, and nothing bad can really happen to it there, because your private keys are safe. And you can take a look at this, you know, the SOA record is there, it's signed. The DNSKEYs are here on the top right. Remember I had that

(21:38) $INCLUDE macro; that got turned into the DNSKEY record. The signzone function pulled that key from the file and put it into my signed zone and signed it, so we're all good. You can see the TLSA record is there. It's important to have a wildcard for the TLSA record, that star, because when DANE actually comes along, it's not going to just look for a cool-domain TLSA; it's going to look for _443._tcp.cool-domain. So remember, try to remember that, back here I have the star by the

(22:12) TLSA record, and that's going to be important. So now we're ready to configure the name server. We've got the content for the name server, which is our signed zone. These are two example configuration files, for named, which is BIND, and NSD, two different name server applications. You can kind of see the resemblance in the configuration file; basically you just tell the name server the name of the zone it's serving and where the signed zone file is on your drive. That's it. And then finally we get to the root zone,

(22:46) everybody's favorite part. This is where Handshake finally comes in. You could do this with Namebase, you can do this with hsd, you can do this with Bob Wallet. You take the DS record that we generated a couple of slides ago, and you've got to put that on chain. In Handshake, with hsd, we use this sendupdate command with the domain name, and then you put the DS record, and I'll explain a SYNTH record in a second. Actually, I'll explain right now. So there are a couple of ways

(23:15) to get that NS record with its glue in the Handshake root zone. If you're on Namebase, you could add an NS record and a glue record, which is redundant and wastes blockchain space, but you can do that if you really want to. The NS record just has a domain name; a GLUE4 record is a special type of Handshake record that includes a domain name and the IP address, which is what makes that NS record redundant. So you don't have to do that; you can just use a GLUE4 record, and you can have ns1.

(23:46) cool-domain and then the IP address. The coolest way to do this, which still maybe has some pitfalls which I'm not going to have time to explain, but all of the websites that I run on Handshake use SYNTH4 records. These are cool because they require the least amount of blockchain space, and that might not be a concern to you now, but hopefully blocks start getting really full on Handshake and fees go up because people are really using it. So keep this in mind in the future when fees matter and you need

(24:17) your root zone records to be small. What a SYNTH4 record does is: all you give it is your 4-byte IP address, 123.21.32.45, four bytes, with no domain name, no NS record, just the IP address. And then what happens is that hsd, the root server, will translate that into a set of NS records plus glue in a very brilliant way, which, I don't know if JJ invented this or if there's already some kind of DNS precedent for using base32 in domain names, but either way it's super cool. And here's what the output

(24:49) looks like, at the bottom of the slide. So if I was going to ask my Handshake root zone server for the cool-domain root zone records, it would look like this. It would provide this NS record, which is magic; it came out of nowhere, you might say it was synthesized. And it's got this gobbledygook, _ff4i0b8, and that is my IP address encoded in base32, because that's the only data that you actually need to give the root zone. There's that IP address; it was synthesized into this NS record for a name that doesn't exist

(25:25) and is totally invalid, actually. And then in the glue section, that SYNTH record is matched with your actual IP address. So the name server that I use is a Handshake domain name that I got off Namebase for like one HNS; it's the name omnitude, and if you go ahead and look at the root zone records you'll see a SYNTH record there, and this is what's happening. And then all my other sites, like even impervious, and "the names don't resolve in what we call the internet", and the Handshake Tarot, they all use omnitude as

(25:53) their name server. So if you're having problems resolving any of the websites that I share, it's probably because your Handshake resolver is not handling SYNTH records, and actually there were some bug fixes involved in SYNTH records maybe a year ago. So if you're having problems visiting my sites, you've got to update your software. Anyway, SYNTH records are cool. I've only got five minutes left, but I think I've basically done it. Okay, so here we go: cool-domain, this is what it looks like. I

(26:18) actually did this; this isn't Photoshopped or anything. I created cool-domain in regtest on my computer and set this up with letsdane. You can see the lock icon there. We did it, we're done. So in the last couple of minutes I'll tell you sort of a cheat code to this whole process, something that I wrote a couple of years ago called handout. You can find it on a Handshake domain, handout.

(26:41) js, which will redirect you to GitHub, which is an ICANN domain, but that's okay, it's an easy way to find it: handout.js. And what I do is, let's go back to here where there are three bubbles, I combine the name server and the web server into one single JavaScript process using tools written by JJ, using bns and bweb, and there's one single command, hsec-gen, and you just execute it along with your domain name and your IP address, and let's see what happens. First the script will generate a self-signed

(27:14) certificate, then it generates a DNSSEC key pair, and it writes a configuration file, and it gives you the DS record, and it gives you the records to either type into Namebase or to paste into Bob Wallet or to broadcast with a transaction (I'm using hsd), and you're done. This is my last slide. So if you just want to get a simple single-page static website on Handshake with DANE, handout is a really easy way to do it, and I think a lot of users have done it. Then people start asking, well, what if I

(27:47) want to use IPv6, or what if I want multiple websites, or what if I want extra stuff? That's when it's time to come back here and do the cool stuff and do it the right way. But if you've never had an HTTPS-secured website on Handshake before, I recommend starting with handout; it's a good way to learn. Okay, so that's DANE. I'm looking forward to seeing a lot of great secure website submissions in the website race, and Fistful will have all kinds of more details about that. I'm

(28:16) not seeing any questions. I've got a couple of minutes left if anybody wants to ask anything. I just wanted to add really quick too: make sure, if you are interested in building a website, make sure you come and join the Website Race Discord. It has all the information you need, all about the requirements to submit a website and all the prize information. You know, you can win: first place gets 2K HNS, second place gets 1K HNS, and even if you don't win first or second place, we're giving 500 HNS

(28:56) to 25 websites across all the categories. So even if you don't win, you win. So yeah, just join, build, and get some free money, man. You know, just content; you don't have to invent something, just make a website on Handshake with a bunch of poems you wrote, or a drawing of your cat, or if you're a really good web developer, put up a video game or an application or a forum where people talk about organizing labor or democratic revolution or something like that, anything along that spectrum.

(29:30) Just put up websites on Handshake so I've got something to type into the Beacon Browser. Yeah, we want to surf the dWeb, that's what we want to do. That's it, we're talking about dWeb; there's nothing out there, so let's put some websites up. Yeah, yeah, for sure. All right, so I'm going to cut it here and give us some transition time into our next talk, where Luke is going to talk about HIP-5 and HyperZones, which is going to be really interesting. I hope you guys show up for that one.

(29:57) Yeah, all right, see you guys in the next one. Thank you, bye.