Skip to content

feat: enable DNSSEC BIP353 in PSBT #2397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 18, 2025
Merged

feat: enable DNSSEC BIP353 in PSBT #2397

merged 2 commits into from
Jul 18, 2025

Conversation

MrCyjaneK
Copy link
Collaborator

Description

feat: enable DNSSEC BIP353 in PSBT

This PR enables hardware wallets to validate DNSSEC proof of a BIP353 parsed address

Pull Request - Checklist

  • Initial Manual Tests Passed
  • Double check modified code and verify it with the feature/task requirements
  • Format code
  • Look for code duplication
  • Clear naming for variables and methods
  • Manual tests in accessibility mode (TalkBack on Android) passed

@OmarHatem28 OmarHatem28 merged commit 00137d2 into CW-948-bitcoin-viewonly Jul 18, 2025
5 checks passed
@OmarHatem28 OmarHatem28 deleted the cyjan-konsti-implement-bip353-psbt branch July 18, 2025 16:25
TheBlueMatt
TheBlueMatt reviewed Jul 21, 2025
View reviewed changes
cw_bitcoin/lib/psbt/transaction_builder.dart
final cwOutput = cwOutputs.where((e) => e.address.toLowerCase() == output.address.toAddress().toLowerCase()).firstOrNull;
if (cwOutput != null) {
final bip353Name = utf8.encode(cwOutput.extra['bip353_name'] as String);
final bip353Rsig = base64.decode(cwOutput.extra['bip353_rsig'] as String);
Copy link

@TheBlueMatt TheBlueMatt Jul 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just including the RSIG is insufficient as proof - you need to include the full tree. That means DNSKEY, DS, and RSIG recors from the root through the TLD to the domain, to the record itself (sometimes also NSEC/NSEC3 records if there's a wildcard in the path). Note that elsewhere you error if "multiple rsig records found" which is also wrong, multiple RSIG records is totally allowed, and in fact common, eg during DNSSEC key rotation. You might consider using the lookup logic in https://git.bitcoin.ninja/?p=dnssec-prover;a=summary instead.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @TheBlueMatt, we are now using dnssec-prover package #2401

MrCyjaneK added a commit that referenced this pull request Jul 25, 2025
@MrCyjaneK
feat: enable DNSSEC BIP353 in PSBT (#2397)
1508327 
* feat: enable DNSSEC BIP353 in PSBT

* chore: put bitcoin view only behind a featureflag
MrCyjaneK added a commit that referenced this pull request Jul 28, 2025
@MrCyjaneK
feat: enable DNSSEC BIP353 in PSBT (#2397)
cd3b88b 
* feat: enable DNSSEC BIP353 in PSBT

* chore: put bitcoin view only behind a featureflag
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TheBlueMatt TheBlueMatt TheBlueMatt left review comments

@OmarHatem28 OmarHatem28 OmarHatem28 approved these changes

@konstantinullrich konstantinullrich Awaiting requested review from konstantinullrich

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@MrCyjaneK @TheBlueMatt @OmarHatem28