[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Tor and DNS

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Tor and DNS
From: Ondrej Mikle <ondrej.mikle@xxxxxxxxx>
Date: Wed, 08 Feb 2012 23:47:18 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 08 Feb 2012 17:47:37 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; bh=p9XaP9HolWMdT3+zoLplnRNljtoPLSmKWCnK1iaYrZQ=; b=YCRT0T20XQHP3JzuL8wu9NN2Vel2Qki748iCFnmE6eEX2wpQybKeJNMkv+5+xxEYzE MCrqLKAtBI2xJXUQ2ctNN723Je5nDnhEyVkCucrG1Y1D/N25dJO1IQQeW4pPv9Xv+X2Q MsmInntpjj6khbfYCftAOIqfh1HKtnMFKojM8=
In-reply-to: <CAKDKvuyoL-AL63wo8w-MMv9Hx-vExSD-2=nAg+cjf+Av=2b0Ug@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for discussion by the developers of Tor." <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <yszobtzn9xf.fsf@xxxxxxxxxxx> <CAKDKvuwXuTp8Ejb7F-HTx9uYv61xHTR1S2xvD95WS2dVJyuifA@xxxxxxxxxxxxxx> <20120130065939.GC2550@xxxxxxxxxxxxxx> <4F265E40.3070406@xxxxxxxxxxxx> <4F266E77.2040205@xxxxxxxxxxxxx> <4F274CD8.80305@xxxxxxxxx> <4F278570.7040806@xxxxxxxxxxxxx> <CAKDKvuwJvbB6n8qNR=0H8jfAxue3r5V3o9AcNkiTBEZ8SB9eAg@xxxxxxxxxxxxxx> <4F28774C.1050902@xxxxxxxxxxxxx> <CAKDKvuxHtHSqT_gKGRTHLs4vSCUdZXa09Ad=FWsSOepyYQ9h-w@xxxxxxxxxxxxxx> <4F28FF4C.8090504@xxxxxxxxxxxxx> <4F2DF9CB.5040400@xxxxxxxxx> <CAKDKvuyMev3wjUkod-148GOfLzmiXmihRUZ-1z+-ZoLKxu_HuQ@xxxxxxxxxxxxxx> <4F31C2DF.4020903@xxxxxxxxx> <CAKDKvuyoL-AL63wo8w-MMv9Hx-vExSD-2=nAg+cjf+Av=2b0Ug@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20120129 Thunderbird/10.0

On 02/08/2012 02:59 AM, Nick Mathewson wrote:
> On Tue, Feb 7, 2012 at 7:33 PM, Ondrej Mikle <ondrej.mikle@xxxxxxxxx> wrote:
> 
> I think if we want an extra field in the future, we want to put it
> after the end of the response (that is, after total_len), rather than
> having it be optionally in every cell.

OK.

>> That also means AXFR/IXFR would be off limits (I'm OK with that).
> 
> Me too.

Without AXFR/IXFR we could limit total_len to 2 octets.

>> "End" bit would work, but I find it easier to know beforehand how much data to
>> expect - we don't have to worry about realloc and memory fragmentation. Client
>> could deny request if claimed total_length is too high right away (or later if
>> OR keeps pushing more data than claimed).
> 
> Hm. If so, maybe total_len only needs to be in the first cell then.

True. Though I'd prefer it in every DNS_RESPONSE cell, I find "firm" cell
structure less error-prone (saving 2 octets per cell does not seem so
substantial). The total_length in following cells belonging to the same StreamID
could be just ignored.

Just to sum up the changes of DNS_RESPONSE, the new structure would be:

    total length (2 octets)
    data (variable)

>> So no additional overhead for RELAY_BEGIN.
>>
>> Case of DNSPort queries - example for addons.mozilla.org with empty cache:
> 
> Hang on, is each one of these a *round trip*? I don't think so.  That
> is, you don't need to get the answer for the A query before you do the
> other lookups; the client can launch them all at once.

libunbound tries to parallelize requests as much as possible, sending bunch of
requests first, continuing as the responses return.

(Hm, I've just noticed that when asking a forwarder, libunbound serializes it
instead. I'll have to ask about this.)

> I wonder, do we want to add a "resolve and connect" mode to
> relay_begin, as discussed elsewhere in this thread?

Only reason I can think of being useful is for getting NSEC/NSEC3 proof that
domain does not exist. Does not seem worth the extra complexity, unless someone
thinks of better use.

Ondrej
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Tor and DNS
  - From: Jacob Appelbaum

References:
- Re: [tor-dev] Tor and DNS
  - From: Jacob Appelbaum
- Re: [tor-dev] Tor and DNS
  - From: Ondrej Mikle
- Re: [tor-dev] Tor and DNS
  - From: Nick Mathewson
- Re: [tor-dev] Tor and DNS
  - From: Ondrej Mikle
- Re: [tor-dev] Tor and DNS
  - From: Nick Mathewson

Prev by Author: Re: [tor-dev] Tor and DNS
Next by Author: Re: [tor-dev] Tor and DNS
Previous by thread: Re: [tor-dev] Tor and DNS
Next by thread: Re: [tor-dev] Tor and DNS
Index(es):
- Author
- Thread