Warning

The downloads on this page are not yet ready for general-purpose production use. We’d love to hear what works and what doesn’t (that’s why they’re posted here), but don’t use them in any situation where failure could result in consequences that you’re unwilling to accept. For example, don’t use them with wallets that contain coins or names that you aren’t willing to sacrifice to science.

The more people test these downloads, the faster they’ll be ready for release. However, there are no guarantees of when, or if, these downloads will be released in final form.

As usual, it is a good idea to verify the hashes and signatures of these downloads (especially the ones not hosted on namecoin.org). The more people reproduced the hashes, the better. If you’re paranoid, run them inside an isolated virtual machine.

Nightly builds are produced by infrastructure that is not under our direct control. As such, they should be treated with extra suspicion.

Namecoin Core

Things to Test

  • Full flow for registering names.
  • Full flow for updating and renewing names.
  • State display in the names list.
  • The above with mainnet, testnet, and regtest networks.
  • The above with encrypted locked, encrypted unlocked, and unencrypted wallets.

Known Issues

  • Windows builds not working (should be fixed in Beta 2)
  • macOS builds not working (should be fixed in Beta 2)

ConsensusJ-Namecoin

ConsensusJ-Namecoin is a lightweight SPV client that acts as a drop-in replacement for Namecoin Core’s name lookup functionality (e.g. for browsing .bit domains with ncdns). It synchronizes faster and uses less storage than Namecoin Core, but trusts Namecoin miners more than Namecoin Core does.

You need to have Java installed:

  • If you’re using GNU/Linux, use your package manager.
  • If you’re using Windows, download it from the Oracle website. Make sure you right-click the .exe installer, click Properties, and click Digital Signatures. It should be signed by Oracle America, Inc. If it is not, do not install it.
  • We’re not sure about macOS. If anyone can contribute instructions for macOS, let us know.

If you’re using Windows, you will need to install the Microsoft Visual C++ 2010 Redistributable Package.

Preliminary ConsensusJ-Namecoin documentation is here.

Known Issues

  • Relies on patches to ConsensusJ that are not yet upstreamed.
  • Proxies are not yet supported.
  • Build is not yet reproducible.

Electrum-NMC

Electrum-NMC is the Namecoin port of the lightweight Bitcoin wallet Electrum.

Electrum-NMC documentation is here.

Known Issues

  • AuxPoW support is still experimental.
  • Hardware wallets other than Trezor and Safe-T mini are untested and probably don’t work.
  • Name transactions are not yet supported for hardware wallets.
  • The Android/Linux version doesn’t yet have most of the Namecoin-specific GUI features.
  • macOS binaries are untested, unsigned, and are built on Cirrus infrastructure. The Python binaries should work on macOS.
  • Build reproducibility is not yet tested.

ncdns

ncdns is software for accessing .bit domain names. If you want to access .bit domain names, ncdns is most likely what you want to install.

See the ncdns documentation.

The ncdns Windows installer also automatically installs and configures a Namecoin client (Namecoin Core, ConsensusJ-Namecoin, or Electrum-NMC) and Dnssec-Trigger/Unbound, and sets up TLS certificate validation in any supported web browsers that are installed (see documentation for a list of supported browsers). It’s basically all you need for browsing .bit domain names.

Before running the ncdns Windows installer, you will need to install the following:

ncdns plain binaries are also available for most major operating systems. These are useful for advanced users or for users who are not on Windows. Using these will require setting up a Namecoin client (Namecoin Core, ConsensusJ-Namecoin, or Electrum-NMC) and a recursive DNS resolver (e.g. Unbound) separately; they can sometimes be used for TLS certificate validation, but additional setup is required.

Known Issues

  • Build is not yet reproducible.

generate_nmc_cert

generate_nmc_cert is a tool for generating TLS server certificates of the form expected by Namecoin. If you run a .bit website, you should use generate_nmc_cert to create a TLS certificate for your website.

See the documentation on setting up TLS for name owners.

certinject

certinject is a tool for adding and manipulating certificates in the Windows CryptoAPI certificate store. Unlike the built-in Windows tool certutil, certinject can easily set the EKU (extended key usage, AKA enhanced key usage) and NC (name constraints) properties on certificates, and does not require Administrator privileges.

Encaya

Encaya enables Namecoin TLS (positive overrides only) in applications that support AIA, such as Chromium. Encaya is also a dependency of ncp11 and the Chromium version of DNSSEC-HSTS.

Known Issues

  • Build is not yet reproducible.

cross_sign_name_constraint_tool

cross_sign_name_constraint_tool applies a name constraint exclusion to a DER-encoded TLS trust anchor via cross-signing, without that trust anchor’s consent. The intended use case is to disallow a CA from issuing certificates for a domain name that it has no legitimate business issuing certificates for. For example:

  • Disallowing a public CA from issuing certificates for the .bit TLD used by Namecoin.
  • Disallowing a public CA from issuing certificates for a TLD controlled by your corporate intranet.
  • Disallowing your corporate intranet’s CA from issuing certificates for a TLD allocated by ICANN.

Namecoin users will probably want to use cross_sign_name_constraint_tool to disallow any non-Namecoin CA’s that they have manually imported to their system from signing .bit certificates. For CA’s that are on your system by default, you probably instead want tlsrestrict_nss_tool (see below) or tlsrestrict_chromium_tool (bundled with ncdns, see above).

Known Issues

  • Build is not yet reproducible.

DNSSEC-HSTS

DNSSEC-HSTS enforces TLS for Namecoin websites that support TLS, which protects against sslstrip attacks. Firefox users need both the WebExtensions Component and the Native Component. Chromium users need the WebExtensions component and certdehydrate-dane-rest-api (see above), but not the Native Component.

Known Issues

  • Build is not yet reproducible.

ncp11

ncp11 enables Namecoin TLS in applications that support PKCS#11, such as Firefox and Tor Browser.

Known Issues

  • Build is not yet reproducible.

pkcs11mod

pkcs11mod is a library for making PKCS#11 modules in Go. This download includes the pkcs11proxy and p11proxy modules.

tlsrestrict_nss_tool

tlsrestrict_nss_tool applies a name constraint exclusion to an NSS sqlite database for all CKBI (built-in) TLS trust anchors, without those trust anchors’ consent. The intended use case is to disallow public CA’s from issuing certificates for TLD’s with unique regulatory or policy requirements, such as:

  • The .bit TLD used by Namecoin.
  • A TLD controlled by your corporate intranet.

Namecoin users will probably want to use tlsrestrict_nss_tool to disallow all CA’s that are on their system by default from signing .bit certificates. For CA’s that you manually imported yourself, you probably instead want cross_sign_name_constraint_tool (see above).

Known Issues

  • tlsrestrict_nss_tool will probably prevent HPKP from working as intended, unless HPKP is applied to user-defined trust anchors. Firefox is capable of doing this (though it’s not the default); Chromium is not (as far as we know).
  • Build is not yet reproducible.

dns-prop279

dns-prop279 enables Namecoin naming (or any other naming method that speaks the DNS protocol) to be used with Tor, via the draft Prop279 pluggable naming API. .bit domains can point to IP addresses (A/AAAA records), DNS names (CNAME records), and onion services.

See the Namecoin Tor resolution documentation

Known Issues

  • Prop279 is still an early draft, and might change heavily. dns-prop279 will change accordingly.
  • tor doesn’t implement Prop279 (see above point); the StemNS or TorNS shim is required if you want to use or test dns-prop279.
  • dns-prop279 doesn’t follow the current Namecoin Domain Names specification for onion service records (we might amend the specification to match dns-prop279’s behavior).
  • dns-prop279 doesn’t properly return error codes; all errors will be treated as NXDOMAIN.
  • dns-prop279 hasn’t been carefully checked for proxy leaks.
  • Using dns-prop279 will make you stand out from other Tor users.
  • Stream isolation for streams opened by applications (e.g. Tor Browser) should work fine. However, stream isolation metadata won’t propagate to streams opened by the DNS server. That means you should only use dns-prop279 with a DNS server that will not generate outgoing traffic when you query it. ncdns is probably fine as long as it’s using a full-block-receive Namecoin node such as Namecoin Core or ConsensusJ-Namecoin in leveldbtxcache mode. ncdns should not be used with headers-only name lookup clients such as Electrum-NMC. Unbound is also not a good idea.
  • Nothing in dns-prop279 prevents the configured DNS server from caching lookups. If lookups are cached, this could be used to fingerprint users. ncdns has caching enabled by default.
  • DNSSEC support hasn’t been tested at all, and is probably totally unsafe right now. Only use dns-prop279 when you fully trust the configured DNS server and your network path to it.
  • Build is not yet reproducible.

ncprop279

ncprop279 enables Namecoin naming (but not DNS naming) to be used with Tor, via the draft Prop279 pluggable naming API. ncprop279 is somewhat smaller and more efficient than dns-prop279. .bit domains can point to IP addresses (A/AAAA records), DNS names (CNAME records), and onion services.

See the Namecoin Tor resolution documentation.

Known Issues

  • Prop279 is still an early draft, and might change heavily. ncprop279 will change accordingly.
  • tor doesn’t implement Prop279 (see above point); the StemNS or TorNS shim is required if you want to use or test ncprop279.
  • ncprop279 doesn’t follow the current Namecoin Domain Names specification for onion service records (we might amend the specification to match ncprop279’s behavior).
  • ncprop279 hasn’t been carefully checked for proxy leaks.
  • Using ncprop279 will make you stand out from other Tor users.
  • Stream isolation for streams opened by applications (e.g. Tor Browser) should work fine. However, stream isolation metadata will only propagate to streams opened by the Namecoin client if you’re running Tor 0.4.3.1-alpha or higher with a recent StemNS (TorNS hasn’t merged the needed changes yet). If you meet those requirements, then any Namecoin client is fine. If not, that means you should only use ncprop279 with a Namecoin client that will not generate outgoing traffic when you query it. A full-block-receive Namecoin node such as Namecoin Core or ConsensusJ-Namecoin in leveldbtxcache mode is probably fine. A headers-only name lookup client such as Electrum-NMC should not be used without Tor 0.4.3.1-alpha or higher with a recent StemNS.
  • ncprop279 caches lookups. Isolation of the caching has the same dependencies as stream isolation. If you don’t have the needed Tor and StemNS version, ncprop279’s caching could be used to fingerprint you.
  • Build is not yet reproducible.

StemNS

StemNS enables Prop279 pluggable naming in Tor. It is a dependency of ncprop279. StemNS is a lightweight, security-focused fork of meejah’s TorNS.

qlib

qlib is a memory-safe alternative to dig. You can use qlib to debug DNS servers such as ncdns and Unbound. qlib is a library-friendly refactorization of Miek Gieben’s q tool.