On 29/11/11 14:35, Adam Langley wrote:

>> If the SSHFP RR type is added too, people who use OpenSSH with the
>> VerifyHostKeyDNS option can benefit from public key verification when
>> SSH'ing into a box for the first time, over Tor.
>
> (It's important to note that OpenSSH trusts the AD bit in the DNS
> reply. So, using it with Tor's DNS resolver assumes that Tor acts as a
> full, validating, DNSSEC resolver. It would likely be more expeditious
> to figure out a way to have Unbound forward over Tor.)

Getting Tor to simply do the lookups would be a good start. Then people
will be able to stick a validating resolver between themselves and Tor.

At the moment, the only way to do this is to pick a server on the
Internet which supports recursive lookups, and point Unbound or similar
at that over Tor, forcing it to use TCP for all lookups.

-- 
Mike Cardwell  https://grepular.com/     https://twitter.com/mickeyc
Professional   http://cardwellit.com/    http://linkedin.com/in/mikecardwell
PGP.mit.edu    0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
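The AD-bit dependency discussed in the message above, as an added example that is not part of the original thread and is not OpenSSH's code: a stub client that parses an SSHFP answer and treats a matching fingerprint as trusted only when the resolver set the AD header flag. The function names, the host name and the key blob are constructed for illustration.

```python
import hashlib
import struct

AD_BIT = 0x0020      # "Authenticated Data" flag in the DNS header (RFC 4035)
TYPE_SSHFP = 44      # SSHFP resource record type (RFC 4255)

def build_reply(name, rdata, ad):
    # Constructed sample reply: one question, one SSHFP answer.
    flags = 0x8180 | (AD_BIT if ad else 0)      # QR + RD + RA, optionally AD
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", TYPE_SSHFP, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SSHFP, 1, 300, len(rdata)) + rdata
    return header + question + rr

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:                  # root label ends the name
            return off

def parse_sshfp(msg):
    """Return (ad_bit_set, [(algorithm, fp_type, fingerprint), ...])."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SSHFP and rdlen > 2:
            records.append((msg[off], msg[off + 1], msg[off + 2:off + rdlen]))
        off += rdlen
    return bool(flags & AD_BIT), records

def decide(msg, host_key_blob):
    """'trusted' only when a SHA-256 SSHFP matches AND the AD bit is set."""
    ad, records = parse_sshfp(msg)
    digest = hashlib.sha256(host_key_blob).digest()
    if not any(t == 2 and fp == digest for _alg, t, fp in records):
        return "no-match"
    return "trusted" if ad else "match-but-unauthenticated"

KEY = b"constructed-host-key-blob"      # stand-in for the server's public key blob
RDATA = bytes([4, 2]) + hashlib.sha256(KEY).digest()   # Ed25519 key, SHA-256 fingerprint
```

The AD flag is a single unauthenticated header bit, so the decision is only as good as the resolver that set it and the path the reply took back to the client.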