[or-cvs] r9967: Torel spec patch from tup. (in tor/trunk: . doc/contrib)
Author: nickm
Date: 2007-04-16 11:38:53 -0400 (Mon, 16 Apr 2007)
New Revision: 9967
Modified:
tor/trunk/
tor/trunk/doc/contrib/torel-design.txt
Log:
r12399@catbus: nickm | 2007-04-16 11:38:42 -0400
Torel spec patch from tup.
Property changes on: tor/trunk
___________________________________________________________________
svk:merge ticket from /tor/trunk [r12399] on 8246c3cf-6607-4228-993b-4d95d33730f1
Modified: tor/trunk/doc/contrib/torel-design.txt
===================================================================
--- tor/trunk/doc/contrib/torel-design.txt 2007-04-16 04:18:29 UTC (rev 9966)
+++ tor/trunk/doc/contrib/torel-design.txt 2007-04-16 15:38:53 UTC (rev 9967)
@@ -54,15 +54,17 @@
The DNS interface
- Standard DNSEL, if I understand right, looks like this: There's some host
- at foo.example.com. You want to know if 1.2.3.4 is in the list, so you
- query for an A record for 4.3.2.1.foo.example.com. If the record exists,
- 1.2.3.4 is in the list. If you get an NXDOMAIN error, 1.2.3.4 is not in
- the list.
+ Standard DNSEL, if I understand right, looks like this: There's some
+ authoritative name server for foo.example.com. You want to know if
+ 1.2.3.4 is in the list, so you query for an A record for
+ 4.3.2.1.foo.example.com. If the record exists and has the value
+ 127.0.0.2[DNSBL-EMAIL], 1.2.3.4 is in the list. If you get an NXDOMAIN
+ error, 1.2.3.4 is not in the list. If you ask for a domain name outside
+ of the foo.example.com zone, you get a Server Failure error[RFC 1035].
- Assume that the DNSEL sits at some host, torhosts.example.com. Below
- are some queries that could be supported, though some of them are
- possibly a bad idea.
+ Assume that the DNSEL answers queries authoritatively for some zone,
+ torhosts.example.com. Below are some queries that could be supported,
+ though some of them are possibly a bad idea.
Query type 1: "General IP:Port"
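Review bot: the new text in this hunk says a listed address is one whose A record "exists and has the value 127.0.0.2", but it does not say what a client should conclude when a record exists with some other value, which is the case a resolver that synthesises answers (a wildcard or interposed resolver) would produce; state it explicitly, e.g. "Any other value, or any other response code, must be treated as 'not in the list'." The last sentence should also name the RCODE it means ("Server Failure (RCODE 2)") next to the [RFC 1035] citation, and since RFC 1035 also defines Refused (RCODE 5), which some authoritative-only servers return for out-of-zone names, clients should be told not to depend on one particular code for "outside the zone". Minor: put a space before the citation brackets ("127.0.0.2 [DNSBL-EMAIL]") to match the "error[RFC 1035]" style only if that style is intended throughout.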
@@ -72,12 +74,12 @@
Rule:
Iff {IP1} is a Tor server that permits connections to {port} on
- {IP2}, then there should be an A record.
+ {IP2}, then there should be an A record with the value 127.0.0.2.
Example:
- "1.0.0.10.80.4.3.2.1.ip-port.torhosts.example.com" should exist
- if and only if there is a Tor server at 10.0.0.1 that allows
- connections to port 80 on 1.2.3.4.
+ "1.0.0.10.80.4.3.2.1.ip-port.torhosts.example.com" should have the
+ value 127.0.0.2 if and only if there is a Tor server at 10.0.0.1
+ that allows connections to port 80 on 1.2.3.4.
Example use:
I'm running an IRC server at w.x.y.z:9999, and I want to tell
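Review bot: the Rule line now requires "an A record with the value 127.0.0.2" in the positive case, but the "Iff" leaves the negative case implied only: say what the server returns when {IP1} is not such a server (NXDOMAIN, per the earlier section) and that a record carrying any value other than 127.0.0.2 does not satisfy the rule, so that the Example wording ("should have the value 127.0.0.2 if and only if") and the Rule agree. It would also help to note that the value 127.0.0.2 is reserved for this meaning alone, so a later query type cannot reuse it for a different answer.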
@@ -154,6 +156,11 @@
Other issues:
+ After a Tor server op turns off their server, it stops publishing server
+ descriptors. We should consider that server's IP address to still
+ represent a Tor node until 48 hours after its last descriptor was
+ published.
+
30-60 minutes is not an unreasonable TTL.
There could be some demand for address masks and port lists. Address
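Review bot: the 48-hour retention added here should state its rationale (how it relates to descriptor publication intervals and to the 30-60 minute TTL mentioned just below), because it has a direct false-positive cost: a dynamic address released by a former Tor server is reported as a Tor node for up to two days, so whoever reuses it inherits any blocking based on this list. Consider making the window a named parameter rather than a fixed literal, and recording that the last-published-descriptor timestamp, not the time the operator "turns off their server", is the reference point the service can actually observe.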
@@ -164,3 +171,11 @@
to launch periodic requests to itself through all exit servers whose
policies allow it -- and then see where the requests actually come from.
+References:
+
+ [DNSBL-EMAIL] Levine, J., "DNS Based Blacklists and Whitelists for
+ E-Mail", http://tools.ietf.org/html/draft-irtf-asrg-dnsbl-02, November
+ 2005.
+
+ [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", RFC 1035, November 1987.
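Review bot: [DNSBL-EMAIL] cites an Internet-Draft (draft-irtf-asrg-dnsbl-02), which expires and may change; mark it as "Work in Progress" in the entry and, since the body relies on it only for the 127.0.0.2 convention, say so, so a reader can check the claim against whatever version replaces it. For [RFC 1035], adding the section that defines the RCODE values would let the "Server Failure" reference in the first hunk be verified directly.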