lightning-dev
Lightning Address in a Bolt 12 world
Posted on: November 18, 2023 21:27 UTC
When considering the implementation of payment systems via DNS, a critical point arises regarding the balance between privacy and functionality.
Opting for a particular solution may inadvertently expose not only the service being paid but also the identity of the payee to any honest-but-curious DoH resolver. It is important to recognize that most, if not all, implementations will likely use this option, since it fits into common practice.
To avoid the widely accepted method, clients would need to be able to query TXT records directly, which standard operating system libraries do not natively support. That limitation would force reliance on DoH (DNS over HTTPS) queries to a local address such as 127.0.0.53. Additionally, the resolver's DNSSEC (Domain Name System Security Extensions) validation would have to be trusted, which presupposes that the resolver is local and trustworthy rather than one handed out by an untrusted network such as a coffee shop's Wi-Fi.
Ensuring the integrity of the DNS resolution process is paramount; it is therefore advisable to cross-validate the answer against multiple DoH services. Ideally, the client would validate the DNSSEC chain itself, which would be the preferred route for those concerned about security, although there currently appears to be no open-source software capable of doing so.
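The cross-validation suggested above, as an added example that is not code from the post or from any Lightning project: each reply is the JSON form that public DoH endpoints return for a TXT query, the record name and payload are hypothetical placeholders, and the check rejects any reply whose resolver did not set the AD flag as well as any disagreement between resolvers.

```python
"""Cross-check one TXT lookup across several DoH resolvers (added example,
not code from the lightning-dev post). Replies are in the JSON form public
DoH endpoints (https://dns.google/resolve, https://cloudflare-dns.com/dns-query
with "accept: application/dns-json") return for ?name=<name>&type=TXT."""
import json
import re
from typing import Dict, List

TXT_TYPE = 16   # RR type number for TXT
NOERROR = 0     # DNS RCODE 0
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # TXT data arrives as "s1" "s2"


def txt_strings(reply_json: str) -> List[str]:
    """Extract TXT values from one reply, requiring the resolver's AD flag.

    AD (authenticated data) is the resolver's claim that it validated the
    DNSSEC chain; without it the reply is rejected, not treated as empty.
    """
    reply = json.loads(reply_json)
    if reply.get("Status") != NOERROR:
        raise ValueError(f"lookup failed with RCODE {reply.get('Status')}")
    if not reply.get("AD"):
        raise ValueError("resolver did not assert DNSSEC validation (AD=0)")
    values = []
    for rr in reply.get("Answer", []):
        if rr.get("type") == TXT_TYPE:
            # One record may be split into several quoted chunks; rejoin them.
            values.append("".join(_QUOTED.findall(rr["data"])))
    return sorted(values)


def cross_validate_txt(replies: Dict[str, str]) -> List[str]:
    """Return the TXT set only when every resolver agrees on it exactly."""
    if len(replies) < 2:
        raise ValueError("need at least two independent resolvers")
    results = {src: txt_strings(body) for src, body in replies.items()}
    distinct = {tuple(v) for v in results.values()}
    if len(distinct) != 1:
        raise ValueError(f"resolvers disagree: {results}")
    return list(distinct.pop())


def sample_reply(ad: bool, data: str) -> str:
    """Constructed DoH JSON reply for the hypothetical name _offer.example.com."""
    return json.dumps({"Status": NOERROR, "AD": ad, "Answer": [
        {"name": "_offer.example.com.", "type": TXT_TYPE, "TTL": 3600,
         "data": data}]})
```

Agreement across resolvers only limits what a single lying resolver can do; it does not replace validating the DNSSEC chain locally.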
Regarding the offers provided through this system, it is expected that users will gravitate towards long-lived offers—those that might expire after a substantial period such as one or two years. The flexibility of the DNS allows substantial amounts of data to be stored in it, illustrated by the fact that a full PGP key can be stored there, as shown by executing a command such as dig [PGP Key Identifier]._openpgpkey.[domain] type61 (type 61 being the OPENPGPKEY record), which retrieves the associated PGP key from the DNS record.