At DNSimple, we're constantly keeping up with innovations in DNS and the domain space. Blockchain, crypto currencies, and web3 have been everywhere lately, and several interesting blockchain-related projects have emerged in the DNS and domain ecosystem. A few, like Handshake and ENS, have captured our attention.
In this post, we'll give you an overview of Handshake, how it compares to traditional DNS, and where it might fit in the industry. We'll also discuss how you can register HNS names and how DNSimple can help you manage the domains under them.
Handshake (HNS) is a decentralized, peer-to-peer, permissionless naming protocol that aims to provide an alternative to centrally managed top-level domains, like .COM and the many other generic and country-code TLDs. In practice, Handshake aims to become an alternative root zone to the one IANA publishes today.
Today, the creation of new top-level domains (TLDs) such as .STUDIO or .AGENCY is managed by ICANN and subject to an application process. To have a new TLD added to the root zone, you apply for the string, prevail in any contention with other applicants (which can end in an auction), and wait for the TLD to be approved and delegated.
Because application rounds are rare and the number of new gTLDs is limited, this process is complex, expensive, and time consuming. It is also strictly centralized in the hands of a single organization.
HNS wants to change that.
Handshake decentralizes the process of applying, creating, and managing TLDs on the blockchain. Anyone can buy or sell TLDs using the HNS coin native to the Handshake blockchain. By removing centralized bodies from making the decisions on what or who can register and manage TLDs, Handshake allows for the root zone to be uncensorable and permissionless.
No single entity controls the data stored in the system. Anyone can read it, and anyone with enough HNS can take part in name auctions. The rules for bidding on, winning, and updating a name are codified in the protocol itself, and a change is only accepted once the network's consensus rules have validated it. If you'd like a more detailed explanation, the Handshake protocol design is well documented in the Handshake whitepaper.
Each full node in the network validates and stores the root naming zone, making a central governing body unnecessary for managing it. The root zone takes the form of blockchain transactions, each cryptographically validated by every full node, and the state recorded on the chain is the source of truth. Ownership is recorded against a blockchain address rather than a named registrant, so TLD owners are pseudonymous.
Handshake also aims to remove the need for centralized Certificate Authorities (CAs) for issuing TLS certificates. Today a TLS certificate is trusted because it chains to a trust anchor, a CA certificate pre-installed on the device, which is used to verify the signature on the certificate the CA issued. This comes with its own challenges: any of the many pre-installed CAs can issue for any name. The DANE protocol (DNS-based Authentication of Named Entities, RFC 6698) offers an alternative. It lets a client, such as a browser, look up the TLSA (TLS Authentication) record of a domain and check that the certificate presented by the web server behind that domain matches it, without needing a separate trust anchor. With a DANE-EE record (certificate usage 3) the TLSA record alone decides whether the certificate is the right one for the domain. The caveat practitioners should keep in mind is that DANE is only as strong as the DNS answer it relies on: the TLSA record must be DNSSEC-validated, otherwise anyone who can spoof the DNS response can substitute a certificate of their own.
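The matching step described above, as an added example that is not code from DNSimple or the Handshake project: it parses TLSA records in presentation format, derives the certificate association data for each selector and matching type defined in RFC 6698, and checks a server's certificate chain against DANE-EE (usage 3) and DANE-TA (usage 2) records. The certificate and SubjectPublicKeyInfo byte strings are constructed stand-ins for real DER, and the function assumes the caller obtained the TLSA records over DNSSEC-validated DNS.

```python
"""Added example (not DNSimple's or Handshake's code): match a presented TLS
certificate chain against TLSA records the way a DANE-aware client does
(RFC 6698 / RFC 7671). All certificate bytes below are constructed stand-ins."""
import hashlib
import hmac

# TLSA RDATA: certificate usage, selector, matching type, association data.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}


def parse_tlsa(presentation: str):
    """Parse 'usage selector mtype hexdata' as seen in a zone file or dig output."""
    usage, selector, mtype, data = presentation.split(maxsplit=3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Derive the value a TLSA record would carry for this certificate."""
    if selector == 0:
        material = cert_der      # selector 0: the full certificate (DER)
    elif selector == 1:
        material = spki_der      # selector 1: SubjectPublicKeyInfo only (survives re-issuance)
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return material          # matching type 0: exact bytes
    if mtype == 1:
        return hashlib.sha256(material).digest()
    if mtype == 2:
        return hashlib.sha512(material).digest()
    raise ValueError(f"unknown matching type {mtype}")


def dane_check(tlsa_records, chain):
    """chain: list of (cert_der, spki_der) tuples, leaf first, as sent by the server.
    Returns (ok, reason). Assumes tlsa_records came from a DNSSEC-validated answer
    (AD bit set); an unvalidated TLSA record proves nothing."""
    leaf, issuers = chain[0], chain[1:]
    pkix_needed = False
    for rec in tlsa_records:
        usage, selector, mtype, data = parse_tlsa(rec)
        if usage == 3:  # DANE-EE: the end-entity certificate itself must match, no CA involved
            if hmac.compare_digest(association_data(*leaf, selector, mtype), data):
                return True, "DANE-EE match on end-entity certificate"
        elif usage == 2:  # DANE-TA: some issuer in the presented chain is the trust anchor
            for cert in issuers:
                if hmac.compare_digest(association_data(*cert, selector, mtype), data):
                    return True, "DANE-TA match on issuer certificate"
        elif usage in (0, 1):  # PKIX-TA/PKIX-EE only constrain a normal CA validation
            pkix_needed = True  # which this example does not perform
    if pkix_needed:
        return False, "only PKIX-TA/PKIX-EE records present; PKIX validation required"
    return False, "no TLSA record matched the presented chain"


def tlsa_record_for(cert_der: bytes, spki_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Build the TLSA presentation text an operator would publish for a certificate."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, spki_der, selector, mtype).hex()}"


# Constructed sample chain (stand-ins for DER; a real client takes these from the TLS handshake).
LEAF_CERT = b"constructed DER of the leaf certificate for www.mydomain.mytld"
LEAF_SPKI = b"constructed DER of the leaf SubjectPublicKeyInfo"
ISSUER_CERT = b"constructed DER of a private issuing CA certificate"
ISSUER_SPKI = b"constructed DER of the issuer SubjectPublicKeyInfo"
CHAIN = [(LEAF_CERT, LEAF_SPKI), (ISSUER_CERT, ISSUER_SPKI)]

GOOD_RECORD = tlsa_record_for(LEAF_CERT, LEAF_SPKI, 3, 1, 1)   # "3 1 1 <sha256 of leaf SPKI>"
STALE_RECORD = "3 1 1 " + "00" * 32                             # record left from an old key
TA_RECORD = tlsa_record_for(ISSUER_CERT, ISSUER_SPKI, 2, 0, 2)  # pin the private CA instead

if __name__ == "__main__":
    for records in ([GOOD_RECORD], [STALE_RECORD], [STALE_RECORD, GOOD_RECORD], [TA_RECORD]):
        print(records, "->", dane_check(records, CHAIN))
```

Publishing a `3 1 1` record (DANE-EE, SPKI, SHA-256) is the common choice because the record keeps matching across certificate renewals as long as the key pair is reused; a `0 0 0` or `0 0 1` record has to be republished with every new certificate, and a stale record takes the site down for DANE-enforcing clients.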
It's important to note that the Handshake blockchain is only concerned with top-level names. No second-level domain (SLD) records can be managed on the chain, so in practice you cannot apply for mydomain.mytld in Handshake. Handshake is only responsible for creating and storing the mytld TLD. TLD owners who want to rent out or allow the registration of second-level domains need to put the appropriate name server (NS) entries for the TLD into the Handshake blockchain, delegating the TLD zone to a DNS hosting service.
In the terms of the current registry-registrar-registrant model: anyone can acquire a TLD in Handshake and thereby become the registry for it, opening up registration of domain names under that TLD. You can either build your own registrar implementation or list your TLD with one of the existing HNS registrar platforms. A few HNS registrars already allow individuals to acquire a second-level domain under a TLD they don't own.
The current DNS infrastructure relies on the root zone provided by ICANN – this means Handshake domains cannot be resolved by default without introducing a Handshake-aware resolver in the resolution chain.
The only difference from the current implementation of the internet is which root zone file we trust and read from. Nothing else changes from the perspective of how DNS works. Therefore SLDs can be hosted with any traditional DNS provider – like DNSimple.
You can't entirely switch to using the Handshake root zone. That would mean existing TLDs like .COM stop resolving unless the organizations behind the existing TLDs claim and replicate their TLD root zones in the Handshake blockchain. To ensure the new decentralized root zone is backward-compatible with the existing ~1500 TLDs, the Handshake project has reserved them. Organizations that are already managing them can claim them over the next three years.
An unfortunate side effect of having no restrictions on who can purchase a TLD in an open market like Handshake is cybersquatting, but at the TLD level, where individuals hoard names with the sole intent of reselling them or parking them with ads. Cybersquatting is illegal in some jurisdictions, but because owners on the chain are pseudonymous and there is no registrar or dispute process that can compel a transfer, nobody can take action against squatters. In the long run, this may do Handshake more harm than good.
The risk of root zone conflicts, where the same TLD exists in both the ICANN root and the Handshake root but points to different name servers, is the major challenge that alternate root projects like Handshake face. Such conflicts could significantly affect adoption, and could even cause the project to fail. There are ongoing conversations in the community and among Handshake-aware resolver implementers, but currently the choice of which root wins is left to each individual integration.
You can access domains on the Handshake blockchain with these methods (this list is non-exhaustive):
NextDNS.io: secure DNS resolution as a service with both free and paid tiers. It supports a number of different blockchain-based DNS projects, including Handshake, and you can enable Handshake resolution with the click of a button. Resolution is delegated to a third party, so you are trusting NextDNS to read the chain correctly.
Fingertip: an open-source project that runs a lightweight Handshake client that syncs with the blockchain and resolves names locally. This is one of the more secure, privacy-oriented options: it doesn't rely on any third party, like NextDNS, to resolve Handshake domains, but verifies answers against the chain itself.
Beacon Web Browser: a Chromium-based web browser with a built-in HNS resolver.
HNSD: the official lightweight recursive resolver. It is a light client that syncs block headers and verifies name proofs against them rather than downloading the full chain, and it is what Fingertip uses under the hood.
If you want to own a Handshake top-level name, you'll need to interact with the blockchain, either directly, using the Handshake protocol and a wallet (such as Bob Wallet), or indirectly through a higher-level service like Namebase.
For the time being, DNSimple cannot host the TLD zone itself once the name is registered on the blockchain. What you can do is delegate second-level domains under your TLD to DNSimple and manage them there.
If you're ready to start hosting your second-level Handshake domains with DNSimple, you'll either need to delegate your Handshake domain to DNSimple's name servers at the registrar you bought it from, or, if you own an HNS top-level domain, add the appropriate NS records for the second-level domains directly to your HNS zone.
You can find out more about the process of setting up Handshake domains with DNSimple in our support article.