[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Tor and DNS

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Tor and DNS
From: Peter Palfrader <peter@xxxxxxxxxxxxx>
Date: Wed, 8 Feb 2012 09:09:40 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 08 Feb 2012 03:09:54 -0500
In-reply-to: <CAKDKvuyoL-AL63wo8w-MMv9Hx-vExSD-2=nAg+cjf+Av=2b0Ug@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for discussion by the developers of Tor." <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Mail-followup-to: Peter Palfrader <peter@xxxxxxxxxxxxx>, tor-dev@xxxxxxxxxxxxxxxxxxxx
References: <4F274CD8.80305@xxxxxxxxx> <4F278570.7040806@xxxxxxxxxxxxx> <CAKDKvuwJvbB6n8qNR=0H8jfAxue3r5V3o9AcNkiTBEZ8SB9eAg@xxxxxxxxxxxxxx> <4F28774C.1050902@xxxxxxxxxxxxx> <CAKDKvuxHtHSqT_gKGRTHLs4vSCUdZXa09Ad=FWsSOepyYQ9h-w@xxxxxxxxxxxxxx> <4F28FF4C.8090504@xxxxxxxxxxxxx> <4F2DF9CB.5040400@xxxxxxxxx> <CAKDKvuyMev3wjUkod-148GOfLzmiXmihRUZ-1z+-ZoLKxu_HuQ@xxxxxxxxxxxxxx> <4F31C2DF.4020903@xxxxxxxxx> <CAKDKvuyoL-AL63wo8w-MMv9Hx-vExSD-2=nAg+cjf+Av=2b0Ug@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.20 (2009-06-14)

On Tue, 07 Feb 2012, Nick Mathewson wrote:

> On Tue, Feb 7, 2012 at 7:33 PM, Ondrej Mikle <ondrej.mikle@xxxxxxxxx> wrote:
> > On 02/07/2012 07:18 PM, Nick Mathewson wrote:
> >> Like Jakob, I'm wondering why there isn't any support for setting flags.
> >
> > See my response to Jakob. I don't think it's worth to use anything else than
> > flags 0x110 (normal query, recursive, non-authenticated data ok) with DO bit
> > set. Unless there is a really good reason for other flags, that would only have
> > potential to leak identifying bits.
> 
> I can't think of one offhand; I had at first thought that
> non-recursive queries were good for something, but I'm not really sure
> what.

CD (checking disabled) is quite an important flag in my opinion.  In
fact, we should set it every time that the tor client is able to
validate DNSSSEC themselves.

There also probably ought to be a tor made up flag for "give me the (or
one) entire cert chain from the root so I can validate this thing myself
without a gazillion round trips".  (If we set this we probably also leak
less about what we have cached already.)  That might require we come up
with a way to serialize a number of DNS replies that are the response to
a single query.

Cheers,
-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Tor and DNS
  - From: Ondrej Mikle

References:
- Re: [tor-dev] Tor and DNS
  - From: Jacob Appelbaum
- Re: [tor-dev] Tor and DNS
  - From: Ondrej Mikle
- Re: [tor-dev] Tor and DNS
  - From: Nick Mathewson
- Re: [tor-dev] Tor and DNS
  - From: Ondrej Mikle
- Re: [tor-dev] Tor and DNS
  - From: Nick Mathewson

Prev by Author: Re: [tor-dev] Tor and DNS
Next by Author: Re: [tor-dev] Simulating a slow connection
Previous by thread: Re: [tor-dev] Tor and DNS
Next by thread: Re: [tor-dev] Tor and DNS
Index(es):
- Author
- Thread