Skip to content

Latest commit

 

History

History
50 lines (41 loc) · 3.35 KB

README.md

File metadata and controls

50 lines (41 loc) · 3.35 KB

ic_dns_oracle

Introduction

This is an ICP canister that generates a signature for a pair of a domain and a hash of a DKIM public key registered on the distributed name service (DNS). The signature can be verified on Ethereum, allowing smart contracts on Ethereum to verify that the given domain and public key hash are registered on the DNS. For example, this is used in ZK Email to update a dkim registry contract, which stores the authorized public key hashes accessed during email proof verification.

Our repository contains the implementations of theee canisters as follows:

  • Poseidon hash canister: this simply computes the Poseidon hash of the given RSA public key.
  • DNS client canister: this fetches an RSA public key for the given selector and domain from either Google DNS, Cloudflare DNS, or Next DNS.
  • IC DNS oracle backend canister: this is our main canister that generates an ECDSA signature for the fetched public key corresponding to the given selector and domain. The output signature can be verified by smart contracts on Ethereum.

How to try our canister

Our IC DNS oracle backend canister is available at https://a4gq6-oaaaa-aaaab-qaa4q-cai.raw.icp0.io/?id=fxmww-qiaaa-aaaaj-azu7a-cai. Once you prepare your identity and wallet on ICP, you can obtain the signature for the hash of the public key registered on DNS for the pair of the selector 20230601 and the domain gmail.com by calling the following command:

dfx canister call fxmww-qiaaa-aaaaj-azu7a-cai sign_dkim_public_key '("20230601", "gmail.com")'  --network ic --with-cycles 85_414_812_012 --wallet <YOUR_WALLET_CANISTER_ID>

You can verify it as the ECDSA signature from 0x6293a80bf4bd3fff995a0cab74cbf281d922da02, which is the signer's Ethereum address output by the get_signer_ethereum_address function.

How to run tests

First of all, you need to prepare the binary of pocket-ic according to the instruction here. After you put the binary under the ic-dns-oracle directory or set the POCKET_IC_BIN to the path to that binary, you can run tests by the following commands:

cargo build --target wasm32-unknown-unknown

cargo test

Fees for DDoS Protection

To protect our canisters against DDoS attacks, their update functions require the caller to pay specific amounts of cycles as fees. Specifically, each function requires the following amount of cycles.

Function Name Required Cycles
public_key_hash 52_946_839
get_dkim_public_key 2_236_193_826
sign_dkim_public_key 42_707_406_006 (normal domain) / 85_414_812_012 (domain with gappssmtp.com)
revoke_dkim_public_key 39_438_456_624 (normal domain) / 78_876_913_248 (domain with gappssmtp.com)

References

Acknowledgment

We sincerely thank Clank Pan for generously sharing insights and feedback on ICP, which helped us improve our library.