feat: CON-1716 Allow SetupInitialDkg requests to be answered by subnets other than NNS#9782
Merged
eichhorl merged 12 commits intoApr 23, 2026
Merged
Conversation
eichhorl
changed the title
SetupInitialDKG requests to be answered by subnets other than NNS
eichhorl
changed the title
SetupInitialDKG requests to be answered by subnets other than NNSSetupInitialDkg requests to be answered by subnets other than NNS
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
This pull request changes code owned by the Governance team. Therefore, make sure that
you have considered the following (for Governance-owned code):
-
Update
unreleased_changelog.md(if there are behavior changes, even if they are
non-breaking). -
Are there BREAKING changes?
-
Is a data migration needed?
-
Security review?
How to Satisfy This Automatic Review
-
Go to the bottom of the pull request page.
-
Look for where it says this bot is requesting changes.
-
Click the three dots to the right.
-
Select "Dismiss review".
-
In the text entry box, respond to each of the numbered items in the previous
section, declare one of the following:
-
Done.
-
$REASON_WHY_NO_NEED. E.g. for
unreleased_changelog.md, "No
canister behavior changes.", or for item 2, "Existing APIs
behave as before.".
Brief Guide to "Externally Visible" Changes
"Externally visible behavior change" is very often due to some NEW canister API.
Changes to EXISTING APIs are more likely to be "breaking".
If these changes are breaking, make sure that clients know how to migrate, how to
maintain their continuity of operations.
If your changes are behind a feature flag, then, do NOT add entrie(s) to
unreleased_changelog.md in this PR! But rather, add entrie(s) later, in the PR
that enables these changes in production.
Reference(s)
For a more comprehensive checklist, see here.
GOVERNANCE_CHECKLIST_REMINDER_DEDUP
basvandijk
approved these changes
Apr 22, 2026
alin-at-dfinity
approved these changes
Apr 22, 2026
eichhorl
dismissed
github-actions[bot]’s stale review
- Done.
- No breaking changes.
- No data migration needed.
- No security review needed. Conceptually this is analogous to
ReshareChainKeyrequests being routed to the II subnet during subnet creations/recoveries, which is done to reshare an ECDSA/Schnorr/Vetkd key at the same time.
pierugo-dfinity
approved these changes
Apr 23, 2026
daniel-wong-dfinity-org
approved these changes
Apr 23, 2026
Contributor
daniel-wong-dfinity-org
left a comment
daniel-wong-dfinity-org
left a comment
There was a problem hiding this comment.
👍 for Governance.
Co-authored-by: Daniel Wong <97631336+daniel-wong-dfinity-org@users.noreply.github.com>
Co-authored-by: Daniel Wong <97631336+daniel-wong-dfinity-org@users.noreply.github.com>
dsarlis
pushed a commit
to dsarlis/ic
that referenced
this pull request
May 5, 2026
…ng and rental (dfinity#10027) Creating, recovering or splitting a subnet requires new key material for the nodes comprising the subnet. This key material needs to be generated by a different subnet. Until recently, this key generation was exclusively done by the NNS. Since dfinity#9782 however, it may be done by any subnet (and specifically, _not_ the NNS). The linked PR already updated proposals for creating and recovering subnets to optionally specify which subnet should be responsible for generating the initial key material. This PR similarly updates the remaining two proposal types that also cause new key material to be generated, namely subnet splitting and subnet rental (which is a subnet creation).
pull Bot
pushed a commit
to bit-cook/ic
that referenced
this pull request
May 15, 2026
…te's `NetworkTopology` (dfinity#10235) dfinity#9782 introduced the ability to route `SetupInitialDKG` requests (caused by subnet creation/recovery/splitting) to arbitrary subnets, instead of always handling them on NNS. This was done by extending proposal payloads to create/recover/split a subnet with an optional `SubnetId` field, to which the request should be routed. However, this approach delegates the responsibility of choosing a suitable subnet to the proposer, which is brittle and difficult to test. Instead, this PR begins the implementation for introducing a "default initial DKG subnet" to which all `SetupInitialDKG` requests should be routed, unless specified differently by the proposal payload. In particular, this PR introduces a new field holding the ID of the default initial DKG subnet, as part of the replicated state's `NetworkTopology`. For compatibility reasons, the field remains `None` for now, until it is rolled out to all subnets. Note that it must still be possible to override the default initial DKG subnet (at least as part of the recovery proposal), for the case that the default DKG subnet is the one being recovered.
pull Bot
pushed a commit
to bit-cook/ic
that referenced
this pull request
May 22, 2026
…finity#10242) ## Background dfinity#9782 introduced the ability to route `SetupInitialDKG` requests (caused by subnet creation/recovery/splitting) to arbitrary subnets, instead of always handling them on NNS. This was done by extending proposal payloads to create/recover/split/rent a subnet with an optional `SubnetId` field, to which the request should be routed. ## Proposed Changes The approach above delegates the responsibility of choosing a suitable subnet to the proposer, which is brittle and difficult to test. Instead, this PR introduces a registry key holding a "default initial DKG subnet" to which all `SetupInitialDKG` requests should be routed, unless specified otherwise by the proposal payload. In particular, we: - Introduce a new proposal to set/unset this new registry key - Add `ic-admin` support to submit the proposal and query the current default subnet - Add a registry invariant that the default initial DKG subnet must exist - Populate the default initial DKG subnet in the replicated state's `NetworkTopology` based on the value in registry Note that it must still be possible to override the default initial DKG subnet (at least as part of the recovery proposal), for the case that the default DKG subnet is the one being recovered. ## Future Work Extend the `create_subnet` system test to include a default initial DKG subnet, once the functionality is supported by mainnet NNS canisters.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Background
SetupInitialDkgis a management canister call that can only be made by canisters residing on the NNS. Typically, this management canister call is triggered by proposals that create or recover a subnet. Similarly, it will also be used to create cloud engines.Upon receiving such a
SetupInitialDkgrequest, the receiving subnet will perform two instances of the NiDKG protocol. The result yields the key material of the new or recovered subnet, from which also the subnet ID is derived.Problem
Today,
SetupInitialDkgrequests are exclusively handled by the NNS subnet. This has some disadvantages, which are exacerbated by the advent of cloud engines:Proposed Solution
Instead of always handling
SetupInitialDkgrequest on the NNS, this PR proposes the ability to optionally specify the subnet to which the request should be routed. Specifically, this would allow the key material for cloud engines to be created on a different subnet than the one handling critical recovery proposals.To do this, we extend the
SetupInitialDKGArgs(and consequently, theCreate/RecoverSubnetPayload) with an optionalSubnetIdfield, to which the request will be routed.Note that, although these changes have not been deployed to the mainnet NNS canisters yet, system tests using mainnet NNS canisters already pass. This is because the new argument is still ignored by the mainnet canisters, which means they fall back to the old behavior (
SetupInitialDkgis routed to the NNS).Future Work
SetupInitialDkgsubnet for handling Cloud Engine creations, for instance the II subnet.