Producer / Relay isolation and topology updater (from the security perspective)

Maybe I’m missing something here, but I thought the relay and the block producer are being split for a good reason - the block producer can be isolated, should not be advertised and should be only known to the relay.

With that in mind, when looking at some pool setup instructions recently, I could see that people seem to update the topology files using the topologyUpdater script, which uses the API at api.clio.one. While the team behind that site might have good intentions, there are some concerns about how those updates work and how secure that system is. For example:

  • The API registers the IP of the requesting client - it is not clear how that data is collected and used (and that might not be an IP of an actual relay).

  • If the topology is not only fetched, but also pushed (which seems to be the default setting), it sends along the IP of the block producer - why would that be needed?

  • If the domain changes hands (which might not be noticed, considering that it uses whois privacy) or is just exploited (which might happen due to misconfigurations, for example), what would stop someone from distributing a rogue topology (such as pointing to unreachable IPs or IPs which are targeted for DDoS)?

Could anyone clarify?

I guess until P2P is implemented (Q4 2021 I believe) it’s something that you can use but don’t have to, and I agree there are some risks involved.

There is a recent, related thread:

As TopologyUpdater generates the complete topology file server-side, I guess it was the easiest approach for the author to include non-public details into the file. You can always skip sending the BP IP and write your own script that inserts that IP into the generated file, or do it manually.
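One way to do what the reply above suggests, as an added example that is not from this thread or from the TopologyUpdater project: keep the block producer entry in a local file that is never sent anywhere, sanity-check the server-generated Producers list before trusting it, and only then merge the two. The legacy topology format (`Producers` with `addr`/`port`/`valency`) is Cardano's; the sample entries, the peer and valency limits, and the hostname check are constructed assumptions for this example.

```python
import ipaddress
import json

# Constructed stand-in for the file that topologyUpdater fetches (legacy, non-P2P format).
FETCHED_TOPOLOGY = json.dumps({"Producers": [
    {"addr": "relay1.example.org", "port": 3001, "valency": 1},
    {"addr": "relay1.example.org", "port": 3001, "valency": 1},   # duplicate: dropped
    {"addr": "10.0.0.5", "port": 3001, "valency": 1},             # private range: dropped
    {"addr": "203.0.113.10", "port": 3001, "valency": 1},         # reserved/doc range, not global: dropped
    {"addr": "relay2.example.org", "port": 70000, "valency": 1},  # invalid port: dropped
    {"addr": "relay3.example.org", "port": 3001, "valency": 1},
]})

# Block producer entry, held locally only (constructed values; never part of anything pushed).
LOCAL_BP = {"addr": "10.0.0.2", "port": 6000, "valency": 1}


def is_acceptable(entry, max_valency=3):
    """Accept only well-formed entries that point at public addresses (limits are assumptions)."""
    addr, port, valency = entry.get("addr"), entry.get("port"), entry.get("valency", 1)
    if not isinstance(addr, str) or not addr:
        return False
    if not isinstance(port, int) or not 1 <= port <= 65535:
        return False
    if not isinstance(valency, int) or not 1 <= valency <= max_valency:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not an IP literal: require a plain dotted hostname (letters, digits, hyphens).
        return all(part and part.replace("-", "").isalnum() for part in addr.split("."))
    # ipaddress treats private, loopback, link-local and documentation ranges as non-global.
    return ip.is_global


def merge_topology(fetched_json, bp_entry, max_peers=20):
    """Filter and de-duplicate the fetched Producers, then put the local BP entry first."""
    seen, kept = set(), []
    for p in json.loads(fetched_json).get("Producers", []):
        key = (p.get("addr"), p.get("port"))
        if is_acceptable(p) and key not in seen:
            seen.add(key)
            kept.append({"addr": p["addr"], "port": p["port"], "valency": p["valency"]})
    # Cap the peer count so a bloated server-side list cannot flood the relay with connections.
    return {"Producers": [bp_entry] + kept[:max_peers]}


if __name__ == "__main__":
    print(json.dumps(merge_topology(FETCHED_TOPOLOGY, LOCAL_BP), indent=2))
```

Run it after the fetch step instead of writing the server-generated file straight to the relay's topology path, so the BP address only ever exists in the merged local copy.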