Custom domains for ic0.app [Community Consideration]

While IC does not support it, why not? There is no way an IC app can scale to the general public without a custom domain.

1 Like

I recall this was blocked by decentralized TLS certificates (or something like that). Is that still the case? I’m curious what the current state of this is.

2 Likes

Decentralizing boundary nodes needed to decentralize TLS certificates. I see a connection to custom domains, but they are separate goals. That was the state a few weeks ago, but since then the team has been looking at this deeper. Let me see if anything has changed.

3 Likes

Hey,

Custom domains have a few prior milestones that need to be met. While we focus on these prereqs the design for custom domains remains fluid.

As per the latest design we don’t need MPC TLS for custom domains. We are working towards a design where the end user can manage their TLS certs using DFINITY-provided software.

Reminder: this is still in the design phase and the current focus is on laying down the groundwork for community-maintained NNS-governed boundary nodes first.

-Faraz

7 Likes

Good to hear that this is getting some attention.

FWIW, I think this is the biggest single issue for people like me who just want to use the IC for traditional websites and apps.

5 Likes

Yeah we need to get cracking on this milestone. It’s the first thing people mention to me when I try to get them to use the IC. It seems it should be a high priority.

4 Likes

I think the issue is closed
https://forum.dfinity.org/t/release-announcement-canister-chosen-alternative-origins

I don’t consider this to be solved since this appears to only be supported in browsers. I have other use cases 🙂

Hi, guys, while the custom-domain does meet some requirements, I think it would be useful to be able to customize the canister URL directly. Does the dev team have any follow-up plans for this issue?
For example, when a user visits our service, we want to provide the canister URL directly and make sure that the front-end page is secure. With custom-domain, the user still needs to make sure that the request is forwarded to the correct canister.

1 Like

Hi clar, do you mean with “customizing the canister URL” that a dev team should be able to create anything.ic0.app instead of the <canister_id>.ic0.app?
Right now, I don’t see how custom domains and custom canister URLs differ from the users’ perspective. In both cases, they have to verify that the traffic is actually forwarded to the correct canister (<canister_id>).

Yes, we want to create anything.ic0.app. Using custom-domain, we created an example website (https://domain.pangdao.org/); the request is forwarded to https://ucji4-cqaaa-aaaaj-azppq-cai.ic0.app/.

From the user’s point of view, pangdao.org domain name service providers, or pangdao.org operators, can attack users by modifying the domain name resolution.
If custom-url is supported, then the URL is officially bound to a specific canister, which cannot be maliciously modified and is readable. (Though users still need to trust that ic0.app is secure.)
@rbirkner

Have there been any updates on this topic? I believe it to be mission critical for widespread adoption. Would it be worth pursuing an NNS resolution to raise this issue’s visibility for DFINITY and roadmap positioning? There are AWS-based solutions that patch the issue, but in non-decentralized ways. Fastblock’s need for these features has raised the issue again.

3 Likes

I don’t have a concrete update myself, but I have pinged some folks in RD to post an update. I know they have been working on it.

Hi folks, to give a little update, we are actively working on the custom domains feature.

What I mean here by “Custom Domains” is that you will be able to configure a DNS name to point to a canister without having to host a custom service worker as described here.

The way it will work is that a developer can set their DNS name to point to the boundary nodes. Boundary nodes will generate an SSL certificate (through the Let's Encrypt DNS challenge) and maintain a mapping of name to canister so they know how to route traffic.

While this is not as decentralized as we would like (because the DNS record could be changed by the owner to point somewhere else) it is not worse than the solution above. On the other hand, it has the advantage of lowering the barrier to entry because:

  • Infrastructure to serve the service worker is not required.
  • Maintaining a custom version of the service worker is not required.

This is a first step and IMO will help inform a design for more decentralized naming. Of course we’re open to suggestions from the community and I’d be happy to set up time to chat and hear out some ideas.

12 Likes

Will subdomain forwarding be supported by this new feature?

I’m currently hosting a custom service worker through Firebase, and they also allow subdomain redirects via DNS A records.

I need to do this because at the time I couldn’t find a solution that allowed me to use a custom domain with a single canister entry point.

See here for details on that:

This feature of Firebase allows me to redirect https://git.codebase.org to https://w7uni-tiaaa-aaaam-qaydq-cai.raw.ic0.app

This means people can do:

git clone https://git.codebase.org/@paul/hello-world.git

I believe this works because Firebase has the certificate. At first I tried this using a CNAME but ran into TLS issues and my domain name got flagged for phishing.

5 Likes

@raymondk @diegop thank you both for the ultra-fast response on this! Appreciate the ICP blockchain speeds with which you jumped on this topic.

3 Likes

Hi @paulyoung, our current plan is to start with a 1:1 mapping of DNS Name to CanisterID.
If I understand your use case you should be able to map:

Happy to chat with you to understand if that is actually helpful for you or if we can help in some other way. FTR I saw you demo codebase at some point and it was really impressive 🚀

5 Likes

Thanks @raymondk. That should at least allow me to do what I’m doing now with Firebase.

2 Likes

Do you have an estimated time when this will go live?

1 Like

We’re actively working on it. I expect we will have something to preview in early January.
We might need some volunteers to try out the first versions - if anyone is interested maybe we can partner up.

7 Likes