HIP2 can be used with insecure domains #496
Comments
I tried reproducing this with an invalid DNSSEC setup, but the resolver didn't return any response (as expected, I think). While
Okay! Finally back on this and looks like it's fixed.

Turns out hsd's resolver (from bns) validated DNSSEC and only marked the AD flag, but still returned results, unlike other resolvers that SERVFAIL when verification fails. More info in chjj/bns#35. Fixed in chjj/bns#36.

Tested it out by using this bns in hsd and bob-wallet. I don't think a PR is needed right now since there aren't any changes in Bob itself, just need to update hsd (which will be done before the next release).

To anyone who wants to test it:

```sh
# clone hsd, bns, bob-wallet (if you haven't already)
git clone https://github.com/handshake-org/hsd
git clone https://github.com/chjj/bns
git clone https://github.com/kyokan/bob-wallet

# checkout bns PR (run inside the bns clone)
cd bns
git checkout -b bogus-servfail
git pull origin pull/36/head:bogus-servfail
cd ..

# npm install in each of them (if you haven't already)
cd hsd && npm i && cd ../
cd bns && npm i && cd ../
cd bob-wallet && npm i && cd ../

# npm link them all together (hsd needs bns; bob-wallet needs hsd and bns)
cd hsd && npm link ../bns && cd ..
cd bob-wallet && npm link ../hsd ../bns && cd ..

# build and run (for linux, see readme for other os)
cd bob-wallet
npm run package-linux
./release/Bob-0.9.0.AppImage

# Now try different domains on the Send page
# @falci.me - should work
# @iamfernando - should NOT work (expired RRSIGs)
# @hip2.bb-8 - should work
# @nathan.woodburn - should work
```

Let's leave this issue open until hsd is actually updated.
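The failure mode described in the comment above (an answer returned with the AD flag clear instead of SERVFAIL), as an added example that is not code from hsd, bns or Bob: a caller-side check that fails closed unless the response is NOERROR with AD set. `parseHeader`, `acceptForHip2`, `header` and the sample messages are hypothetical and constructed, and the AD bit is assumed to come from a trusted local validating resolver.

```javascript
// DNS header flag masks (RFC 1035 section 4.1.1; AD bit from RFC 4035).
const QR = 0x8000, TC = 0x0200, AD = 0x0020, RCODE = 0x000f;

// Parse the fixed 12-byte header of a raw DNS message.
function parseHeader(msg) {
  if (!Buffer.isBuffer(msg) || msg.length < 12)
    throw new Error('truncated DNS message');
  const flags = msg.readUInt16BE(2);
  return {
    id: msg.readUInt16BE(0),
    response: (flags & QR) !== 0,
    truncated: (flags & TC) !== 0,
    ad: (flags & AD) !== 0,
    rcode: flags & RCODE,
    ancount: msg.readUInt16BE(6)
  };
}

// Hypothetical caller-side policy: use the answer only if it is a complete
// NOERROR response to our query AND the validating resolver set AD.
function acceptForHip2(msg, expectedId) {
  let h;
  try { h = parseHeader(msg); } catch (e) { return {ok: false, reason: 'malformed'}; }
  if (!h.response || h.id !== expectedId) return {ok: false, reason: 'unexpected message'};
  if (h.truncated) return {ok: false, reason: 'truncated'};
  if (h.rcode !== 0) return {ok: false, reason: `rcode ${h.rcode}`};
  if (h.ancount === 0) return {ok: false, reason: 'no answer'};
  if (!h.ad) return {ok: false, reason: 'insecure'};
  return {ok: true, reason: 'secure'};
}

// Build a constructed 12-byte header: ID, flags, QDCOUNT=1, ANCOUNT.
function header(id, flags, ancount) {
  const b = Buffer.alloc(12);
  [id, flags, 1, ancount].forEach((v, i) => b.writeUInt16BE(v, i * 2));
  return b;
}

// Constructed samples (headers only, not captured traffic).
const SAMPLES = {
  validated: header(0x1234, 0x81a0, 1),     // QR RD RA AD, NOERROR
  bogusAnswered: header(0x1234, 0x8180, 1), // answer returned, AD clear
  servfail: header(0x1234, 0x8182, 0)       // rcode 2 (SERVFAIL)
};

for (const [name, msg] of Object.entries(SAMPLES))
  console.log(name, acceptForHip2(msg, 0x1234));
```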
The RRSIG for `iamfernando` expired (Fingertip failed to validate).
But Bob still accepts it.