[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] DNSSEC

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-dev] DNSSEC
From: merc1984@xxxxxx
Date: Mon, 01 Sep 2014 09:02:21 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 01 Sep 2014 12:02:35 -0400
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=f-m.fm; h= message-id:from:to:mime-version:content-transfer-encoding :content-type:subject:date; s=mesmtp; bh=ibWB5sEjTWXWGtHXS4P/SKl DMi8=; b=nVBMsHy/f1M7rVyO5cvZdWM9Pra1VqA9U0R0vZJzyILTmIFynw84nGP YT2NSwz9JI+mw8ZeLtxvMExZDO7yNxfIwzQF6OKe2wKKOk97416aRiYvV+SGInV9 KKCxh3NGKaBTULZ2d1tayuqbzD0t7JN3Hyay2ZAKlrlRvkvMVqoc=
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:from:to:mime-version :content-transfer-encoding:content-type:subject:date; s=smtpout; bh=ibWB5sEjTWXWGtHXS4P/SKlDMi8=; b=PZ3cW7HSaLMr1JLU5IcsC4ugbQhg ag+Ihe9epsZg50x5R8l9UqNWI9xlGBc1PAAEEsp/Lt2h6bXpgZNJ+bbzPAbKtbo+ 3Qf3GrbpuDEi3XKqfljDos/GX+HCN4Swcg4IhFtj2lwG/P48rNeMPYC2aAFMg1tV wACwj4BD+DpMA0s=
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

I am surprised to find that there is no form of DNSSEC associated with
TOR.  I am running dnscrypt, but find that I fail the DNSSEC test at
http://dnssec.vs.uni-due.de/ when using the TBB.  I have unbound chained
to dnscrypt which is on a rotary to 5 trusted DNS resolvers.

How can you not understand what this means WRT DNS cache poisoning?  Why
are we susceptible to DNS cache poisoning?  I suppose that the TOR
system needs to resolve .onion addresses, but there should be some way
of using dnssec locally if the TOR system cannot provide authenticated
DNS.

No one in the #tor irc channel seems to know how TOR DNS is done, and
unfortunately there's not a word about it at
https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver .  But I
suspect it must be TCP DNS as TOR can't do UDP.  And I suspect DNS must
be done by relay servers, in order to resolve intermediate .onion
addresses.  Beyond that, it's a mystery how it's done.

How to secure TOR DNS?

-- 
http://www.fastmail.fm - mmm... Fastmail...

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] DNSSEC
  - From: David Stainton

Prev by Author: Re: [tor-dev] Scaling tor for a global population
Next by Author: Re: [tor-dev] DNSSEC
Next by thread: Re: [tor-dev] DNSSEC
Index(es):
- Author
- Thread