Dear merc1984@xxxxxx, Is DNSSEC is not evil? To me it seems like the 1984 of domain name systems... Please take a good look at the political implications of DNSSEC. I personally do not understand why this Tor Project spec includes mention of DNSSEC: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/219-expanded-dns.txt Can we use djb's DNSCurve instead of DNSSEC? Perhaps I misunderstand the situation and the difference between DNSCurve and DNSSEC. Perhaps "ZOMG someone is wrong on the Internet!" will spark someone else's interest in correcting me here in this discussion. I personally think that people mentioning DNSSEC on tor communications channels must either have an agenda to help the US government gain more control of the Internet... or they must be trolls. But maybe I am totally wrong about this. I'd be interested in hearing a correction if I am wrong... and does this mean the DJB is also wrong? =-) https://en.wikipedia.org/wiki/DNSCurve If you want to know how Tor currently handles DNS then read this: https://tor.stackexchange.com/questions/8/how-does-tor-route-dns-requests Sincerely, David On Mon, Sep 01, 2014 at 09:02:21AM -0700, merc1984@xxxxxx wrote: > I am surprised to find that there is no form of DNSSEC associated with > TOR. I am running dnscrypt, but find that I fail the DNSSEC test at > http://dnssec.vs.uni-due.de/ when using the TBB. I have unbound chained > to dnscrypt which is on a rotary to 5 trusted DNS resolvers. > > How can you not understand what this means WRT DNS cache poisoning? Why > are we susceptible to DNS cache poisoning? I suppose that the TOR > system needs to resolve .onion addresses, but there should be some way > of using dnssec locally if the TOR system cannot provide authenticated > DNS. > > No one in the #tor irc channel seems to know how TOR DNS is done, and > unfortunately there's not a word about it at > https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver . But I > suspect it must be TCP DNS as TOR can't do UDP. And I suspect DNS must > be done by relay servers, in order to resolve intermediate .onion > addresses. Beyond that, it's a mystery how it's done. > > How to secure TOR DNS? > > -- > http://www.fastmail.fm - mmm... Fastmail... > > _______________________________________________ > tor-dev mailing list > tor-dev@xxxxxxxxxxxxxxxxxxxx > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev