Perhaps each boundary node can provide canisters with their own IPv4 or IPv6 address. (probably a paid service)
So one canister can have multiple IP addresses pointing toward different boundary nodes and then use all the goodness of something like Route 53.
So instead of boundary nodes providing subdomains like *.ic0.app, they will also allow custom domains (domain.com) to point to many boundary nodes simultaneously, all leading to one canister.
And this canister can also have routing for its subdomains (according to a protocol, boundary nodes can ask that canister where subdomain.domain.com resolves, which will point to another canister).
Maybe that’s how ic0.app works right now, but can we get it for all developers?
EDIT: Since IPv4 addresses are expensive and IPv6 isn't supported, we can also add a DNS record that has the canister id inside. So the boundary node can ask the DNS which canister it should resolve to, instead of doing that based on IP.
EDIT: Maybe that DNS record should be signed by the canister message.
Boundary nodes will validate and cache it. If someone steals the domain and changes the record, they will also need a signature from the canister with a date later than the cache.
Then we have two benefits:
- Internet Identity can be set up in a way that a URL like https://jglts-daaaa-aaaai-qnpma-cai.ic0.app/ controls the users even if they are signing in from a custom domain, and can remove the link.
- Only the canister can allow that domain to use the boundary nodes.
So that gives more control to the DAO which owns private keys and whoever holds the domain doesn’t have much. They can only point it to a web2 server without permission and they will also lose all Internet Identity users.
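
The validate-and-cache rule from the second EDIT, sketched as an added example that is not part of the original post or of any Internet Computer code. Assumptions: the TXT layout `canister=…;ts=…;sig=…`, the `BoundaryNode` class, the key registry and the canister ids are hypothetical; HMAC-SHA256 stands in for the canister's signature; and a record that changes a cached binding must be signed by the currently cached canister with a later date.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 stands in for the canister's signature so this runs
# on the standard library alone; a real design would verify a public-key signature.
def sign(key: bytes, domain: str, canister_id: str, ts: int) -> str:
    msg = f"{domain}|{canister_id}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_txt(key: bytes, domain: str, canister_id: str, ts: int) -> str:
    # Constructed record layout, not a format defined by the post.
    return f"canister={canister_id};ts={ts};sig={sign(key, domain, canister_id, ts)}"

class BoundaryNode:
    """Hypothetical boundary node that validates and caches domain bindings."""
    def __init__(self, keys: dict):
        self.keys = keys   # canister id -> verification key (assumed registry)
        self.cache = {}    # domain -> (canister id, date of the accepted record)

    def resolve(self, domain: str, txt: str) -> str:
        """Return the canister to route to; keep the cached binding on any failure."""
        cached = self.cache.get(domain)
        try:
            fields = dict(part.split("=", 1) for part in txt.split(";"))
            cid, ts, sig = fields["canister"], int(fields["ts"]), fields["sig"]
        except (KeyError, ValueError):
            return cached[0] if cached else ""
        # First sighting: the named canister must sign. Afterwards the cached
        # canister must sign, so control of DNS alone cannot move the domain.
        signer = cached[0] if cached else cid
        key = self.keys.get(signer)
        fresh = cached is None or ts > cached[1]   # date must be later than the cache
        expected = sign(key, domain, cid, ts) if key else ""
        if key and fresh and hmac.compare_digest(expected.encode(), sig.encode()):
            self.cache[domain] = (cid, ts)
        return self.cache[domain][0] if domain in self.cache else ""

if __name__ == "__main__":
    keys = {"canister-a": b"key-a", "canister-evil": b"key-evil"}  # constructed
    node = BoundaryNode(keys)
    print(node.resolve("domain.com", make_txt(keys["canister-a"], "domain.com", "canister-a", 100)))
    # DNS record replaced and signed by a different canister: rejected, cache stands.
    print(node.resolve("domain.com", make_txt(keys["canister-evil"], "domain.com", "canister-evil", 200)))
```
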