Sam Mason wrote:
> Just out of interest, why isn't this done at the DNS level? It
> seems appropriate to have multiple IP addresses associated with
> "volunteergrid-introducer.allmydata.org" and you'd gain the advantage
> that the list of introducers can be varied more easily. This doesn't
> seem to introduce any additional attacks as the multiple-hosts-per-url
> version you have also trusts the DNS system.

Using multiple DNS domains prevents the 'allmydata.org' domain itself from becoming a single point of failure.

In every case, we explicitly require the introducer to have only a single IP address at any given moment to avoid the "netsplit situation" that Brian was writing about. It also doesn't seem really practical to know in advance -- because the furl is going to be deployed on every node -- all the possible IP addresses on which the introducer might run in the future.

The goal of this new introducer furl is primarily to prevent the need to reconfigure every node in the volunteer grid if the introducer disappears (server crash, expired domain name, unresponsive administrator, etc.).

Unfortunately, it doesn't protect against someone with access to one of the zones used in the furl actively disrupting the grid by creating a bogus introducer.

François
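
The single-address requirement described above can be checked from any node. The following is an added example, not part of the original message or of Tahoe's code; it assumes a furl laid out as pb://TUBID@host:port,host:port/NAME, and the tub id, host names and port are constructed placeholders.

```python
import socket

def parse_furl(furl):
    """Split pb://TUBID@host:port,host:port/NAME (layout assumed, see lead-in)."""
    if not furl.startswith("pb://"):
        raise ValueError("not a pb:// furl")
    tubid, at, rest = furl[len("pb://"):].partition("@")
    hints, slash, name = rest.partition("/")
    if not (tubid and at and slash and name):
        raise ValueError("malformed furl")
    locations = []
    for hint in hints.split(","):
        host, colon, port = hint.rpartition(":")
        if not (host and colon and port.isdigit()):
            raise ValueError("bad location hint: %r" % hint)
        locations.append((host, int(port)))
    return tubid, locations, name

def dns_resolve(host):
    """Default resolver: every address the name maps to right now."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []  # expired domain, dead zone, unreachable resolver
    return sorted({info[4][0] for info in infos})

def check_introducer(furl, resolve=dns_resolve):
    """Return (status, endpoints, unresolved) for the hosts named in the furl.

    status is "ok" when all names that still resolve agree on one
    address:port, "netsplit" when they disagree, "down" when none resolve.
    """
    _, locations, _ = parse_furl(furl)
    endpoints, unresolved = {}, []
    for host, port in locations:
        addrs = set(resolve(host))
        if not addrs:
            unresolved.append(host)
        for addr in addrs:
            endpoints.setdefault((addr, port), []).append(host)
    if not endpoints:
        return "down", endpoints, unresolved
    status = "ok" if len(endpoints) == 1 else "netsplit"
    return status, endpoints, unresolved

# Constructed sample: placeholder tub id, reserved example names and port.
SAMPLE_FURL = "pb://TUBID-PLACEHOLDER@intro.example.org:50528,intro.example.net:50528/introducer"
```

A "netsplit" result covers both a zone that has been pointed at a different host and a name that carries more than one address record.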
