Valid validator set without DDoS

How does Tendermint maintain a persistent public key record of nodes without exposing them to DDoS attacks?

I think this post on Sentry Node architecture might help: Sentry Node Architecture Overview

Sentry nodes increase reliability on centralised cloud service providers , can you think of an more decentralised alternative ?

There is no “public key record” of full nodes. They can join and leave freely via the p2p layer.

I am guessing that by “public key record” you refer to the validator set managed by the cosmos-sdk. This does not contain any information (such as IP address) usable for DDoS attacks and is thus decoupled from the network layer.

Regarding sentries and cloud service providers, it is entirely possible to set up sentry nodes in a colocated environment as well.

Yes makes sense , thank you :slight_smile: