Handshake is really cool.

Where do I start?

First you'll need to purchase some HNS coins. There's quite a few places to do this, but we're gonna be using Namebase. Once you sign up, there's an extremely simple process to buy HNS.

Buy your perfect name.

Once you've got some HNS to spend, it's time to find a name. Once you find your desired name, it's time to bid on it. On Handshake, names are bid on in a decentralized Vickrey auction. If you've never taken part in a Vickrey auction give that page a quick read, it will explain everything you need to know about Vickrey auctions as a concept. However, there are some things specific to Handshake that you'll need to know:

How do I access Handshake names?

There are several ways to access Handshake names, but the easiest one by far is to set your nameserver to the DNS server provided by Resolvr. On both Linux and BSD this is very easy, simply edit /etc/resolv.conf and replace your current nameserver(s) with dns.resolvr.info (or If your resolv.conf was generated automatically, say by dhclient, make sure to update the relevent config as well. If you'd like something a little more private and/or secure, check out HSD or hnsd.

Once you can access Handshake names, you probably want to be able to access them securely. We can do that with Let's DANE. Let's DANE is a proxy server that acts as a CA for any secured websites.

Host your website on the new internet.

Now that you own a Handshake name, you probably wanna do something with it. Before we get into that, I'd like to share the technical stack that we'll be using:

Deploy a VPS.

I prefer using Vultr for my hosting needs because its plans start at $2.50/month (effectively $3.50/month with IPv4) and provides OpenBSD as a default option. If you use my affiliate link you'll get $100 credit to use over the next 30 days, perfect for testing the platform out. Once you have registered an account and linked a payment method, you'll want to deploy an instance. Different locations have different plans available, so if you're looking for the cheapest available be sure to check every location. We'll be selecting OpenBSD 6.8 with IPv6 enabled. Feel free to add your SSH key and set the hostname and label before deploying the instance.

Tell Handshake where your VPS is.

While we're waiting for our instance to finish installing, let's check out the Namebase domain manager. Click the "Manage" button next to your purchased name, then scroll down until you see "Blockchain DNS records" and "Namebase nameserver DNS records." Since we bought our Handshake name on Namebase, they've already pointed the Handshake name to the Namebase nameserver. We can choose to either continue using Namebase's nameserver to host our DNS records, or we can host them ourselves. I personally choose to host the records myself as Namebase restricts which kinds of records you can use and self hosting grants me much better control.

Since we're setting up DNSSEC later on, we're gonna go ahead and skip setting the nameserver now. We'll set it at the same time that we set the DS record.

Set up NSD.

By now your Vultr instance should have completed installing. Go ahead and SSH into it, then start editing /var/nsd/etc/nsd.conf with an editor of your choice. The defaults are fine, but you'll want to specify a zone for NSD to serve.

	name: "yourname"
	zonefile: "master/yourname.zone"

Once you've got that done, go ahead and edit /var/nsd/zones/master/yourname.zone with an editor of your choice. NSD uses BIND-style zone files, if that means something to you go ahead and start setting up your records. You know what you're doing. For the rest of us, here's the current zone file for rasor:

$ORIGIN rasor.
$TTL 5m

@                    IN  A
                     IN  AAAA   2001:19f0:5:113a:5400:03ff:fe2e:d9f8
                     IN  NS     rasor.
                     IN  SOA    rasor. sebastian.rasor. (
                                2021020401      ; serial
                                1h              ; refresh
                                30m             ; retry
                                7d              ; expire
                                1h )            ; negative
                     IN  MX     0 rasor.
                     IN  TXT    "v=spf1 mx -all"
                     IN  SSHFP  1 1 159d8df12f7d7ca6506cc33060fa7195013c47fd
                     IN  SSHFP  1 2 3d92cd60952f307410bc518b7ad993bd9d16214f6908f66e9dded2c4bc121d24
                     IN  SSHFP  2 1 4ccee07581d3a35d34d931cd6bd023636dff7e50
                     IN  SSHFP  2 2 8c6f3e253261d5995d678dba7c99345b2fcbe35c2b7e3dc9883010c3757ab38d
                     IN  SSHFP  3 1 729f797e29ecc02fc58bd798f2fa9d582f3f3f7f
                     IN  SSHFP  3 2 4bc643160fef3976ec4b444a39589458b9c610ba57bc76aac61dc3c834c4fc36
                     IN  SSHFP  4 1 cc52f0de2b68f7328fc043ed2d56c36cc5cb0095
                     IN  SSHFP  4 2 c2a633e14b83178f5c5061124e74adb8730f206d0f7b58cf39f9ece764e8eb31
20210204._domainkey  IN  TXT    "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClEb0aN4JduIFFDhD9Q5lKwpwG66cEJBq3nqshaQt64MTiKCEpJGSjZZ0JxYnZb/XxjgCJS11891CaM8u8mKsZ0W7BSZI2Ts/HbTqFunG2D86/qTOvpzCfgZoevmrCDC3r5gCfhJaRiSpkdnox+qcHyoYs1bXdkzoxjlEtK6yoQwIDAQAB;"
_dmarc               IN  TXT    "v=DMARC1;p=none;pct=100;rua=mailto:postmaster@rasor;"
_submission._tcp     IN  SRV    0 1 587 rasor.
_imaps._tcp          IN  SRV    0 1 993 rasor.

_tlsa                IN  TLSA   3 1 1 688e9b68a531d810c3ad1cc52f8aa330e595b1f2d55e69cbf663d002a259854e
_993._tcp            IN  CNAME  _tlsa
_587._tcp            IN  CNAME  _tlsa
_443._tcp            IN  CNAME  _tlsa
_25._tcp             IN  CNAME  _tlsa

ns1.sebastian        IN  A
sebastian            IN  DS     62890 8 2 acd7c0ec4de58bbf9a99bb8fc73e53c177be6b688d17b19c27a77c54799d876b

Don't worry. Right now the only records we need to worry about are the first 4: A, AAAA, NS, and SOA. The A and AAAA records should be the IPv4 and IPv6 addresses of your VPS, respectively. For NS just drop in your Handshake name and don't forget to leave a dot on the end of it. SOA is a bit more tricky. You should look up the specifics of how an SOA record is formatted to make sure you have a clear understanding of it before adding it to your zone file. NS and SOA records are required, and if you have any intention of accessing your website, so are A and AAAA.

Once you're done editing those two files, you're gonna want to make sure that they're valid. We can do this by running
nsd-checkconf /var/nsd/etc/nsd.conf
nsd-checkzone yourname /var/nsd/zones/master/yourname.zone.

Now that we've validated our files, let's go ahead and start up NSD with
rcctl enable nsd && rcctl start nsd.

Since we haven't published our NS record on the blockchain yet, we'll have to query our VPS directly to make sure it's working as intended.
dig NS @your.vps.ip.address yourname

The response should look something like this:

; <<>> dig 9.10.8-P1 <<>> ns yourname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64811
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

; EDNS: version: 0, flags:; udp: 4096
;yourname.                      IN      NS

yourname.               114     IN      NS      yourname.

.                       0       ANY     SIG     RESERVED0 253 0 0 20210209181421 20210209061421 64797 . uX22PNkUEDka5wlTw7qIozS2ounyMyeA88Dh8LPUq/tldQm+FIBMgX6a luAKDrrw4NgKO2yD5Tb203wtFz1AfA==

;; Query time: 50 msec
;; SERVER: your.vps.ip.address#53(your.vps.ip.address)
;; WHEN: Tue Feb 09 06:14:21 CST 2021
;; MSG SIZE  rcvd: 142

Sign records to enable DNSSEC.

DNSSEC is way to cryptographically authenticate DNS records, and it is required for DANE. The first thing we're gonna do to set it up is install ldns-utils, because they're great. Unfortunately, the ldns-utils OpenBSD package wasn't compiled with engine support, so we'll need to compile ldns-utils ourselves.
wget https://www.nlnetlabs.nl/downloads/ldns/ldns-1.7.1.tar.gz
tar -zxvf ldns-1.7.1.tar.gz
cd ldns-1.7.1
./configure --with-examples --disable-dane
make && make install

Now we'll create a directory for our keys.
mkdir /var/nsd/keys && cd /var/nsd/keys
We'll then generate the key signing keypair and the zone signing keypair. Notice the -k flag when we generate the KSK.
export KSK="$(ldns-keygen -k -a RSASHA256 -b 4096 yourname)" # generate ksk and export basename
export ZSK="$(ldns-keygen -a RSASHA256 -b 2048 yourname)" # generate zsk and export basename
Now that we have our keys, we need to sign our zone.
export SALT="$(head -n 1000 /dev/urandom | sha256 | cut -b 1-16)"
ldns-signzone -n -s "$SALT" master/yourname.zone $KSK $ZSK
Then we'll need to tell NSD to use the signed zonefile. Just edit /var/nsd/etc/nsd.conf and replace
zonefile: "master/yourname.zone"
zonefile: "master/yourname.zone.signed"
The last step is to add the root zone DS record. Luckily ldns was kind enough to generate a DS record for us when we generated the KSK.
cat $KSK.ds | sed "s/.*DS[[:space:]]*//g"
Head on over to the domain manager and select your name, then scroll down until you see "Blockchain DNS records." Add a new record of type DS, and paste the output of the last command into the data field. While we're here, we can also update the NS record, simply change the IP address to the IP address of your VPS. Don't forget to hit the save button before you exit!

Use DANE to enable secure HTTPS.

Now that we have cryptographically secure DNS records, we can use those DNS records to enable HTTPS without a 3rd party certificate authority. First we'll need to generate a self-signed certificate. We can do that in one command:
openssl req -newkey rsa:4096 -nodes -x509 -days 1825 -addext subjectAltName=DNS:yourname -keyout /etc/ssl/private/yourname.key -out /etc/ssl/yourname.crt
The only field you need to enter is the common name, which can be anything you want. We haven't actually configured httpd yet, so let's go ahead and do that. You can find a template httpd.conf here. Fill in your information and then copy your custom httpd.conf to /etc/httpd.conf.
You'll also want to create a location for your website's files, like so:
mkdir /var/www/htdocs/yourname
You can then edit /var/www/htdocs/yourname/index.html to your liking.

The last thing that's left at this point is generating a TLSA record. You can do that by copying the contents of /etc/ssl/yourname.crt and using this tool. The defaults (3 1 1) are what we need. The port number for HTTPS is 443, and the protocol is tcp, then just put your Handshake name in and generate the key. It'll give you a record and all you'll need to do is add it to yourname.zone and resign it.

Once you've set up DANE, an easy way to test your website without Let's DANE is https://sebastian.rasor/dane-verify/yourname.