On Sun, 2015-09-27 at 23:32 +0200, Tim Wilson-Brown - teor wrote: > I have some questions about how NameSubstitution rules work in some > edge cases: In truth, I originally wrote the NameSubstitution rules bit for the .gnu TLD. In the end, Christian explained why that doesn't work, mostly that the .gnu TLD should never query the network. I left NameSubstitution in as a discussion point, but it wouldn't surprise me if NameSubstitution didn't quite suffice for any real purposes. It's probably best if one instead writes a simple tool called from a NameService rule that provides NameSubstitution like functionality. > Are multiple NameSubstitution rules applied in the order they are > listed? > > For example: > NameSubstitution .com .net > NameSubstitution .example.net .example.org > > What does foo.example.com get transformed into? In principle, one could apply the most specific (longest) rule, but.. My prejudice is that disjointness should be enforced for anything in the torrc. Otherwise, one must worry more about attackers modifying torrc files. > Are trailing periods significant? I believe they do not make sense. DNS names may not end in a period, so this is covered by the references I gave, not sure if I speced it correctly though. > Are leading periods significant? I doubt the leading periods matter, but they make rules marginally easier to read. > Are duplicate rules significant? No. > Is there a length limit for the final query? > (DNS names are limited to 255 characters.) > For example: > NameSubstitution .a .<254 characters> > > What does <253 characters>.a get transformed into? Originally, I'd meant to propose 510 characters since I'd envisioned blahblah.gnu being translated into blahblah.hash.zkey where .zkey gets processed by GNS. There is no need for that now, so I'm ambivalent. As I said, we should probably drop the NameSubstitution rules in favor of an external application that one calls via a NameService rule, but this brings up a larger question : I proposed that Tor implement NameService rules using UNIX domain sockets, or ports, since that's how GNUNet works, but maybe Tor should instead launch a helper application it communicates with via stdin and stdout. I donno if that'll work well on Windows however. Jeff
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev