
Re: [tor-dev] Special-use-TLD support



On Sun, 2015-09-27 at 23:32 +0200, Tim Wilson-Brown - teor wrote:
> I have some questions about how NameSubstitution rules work in some
> edge cases:

In truth, I originally wrote the NameSubstitution rules bit for the
.gnu TLD.  In the end, Christian explained why that doesn't work,
mostly that the .gnu TLD should never query the network. 

I left NameSubstitution in as a discussion point, but it wouldn't
surprise me if NameSubstitution didn't quite suffice for any real
purposes.

It's probably best if one instead writes a simple tool called from a
NameService rule that provides NameSubstitution like functionality.

> Are multiple NameSubstitution rules applied in the order they are
> listed?
> 
> For example:
> NameSubstitution .com .net
> NameSubstitution .example.net .example.org
> 
> What does foo.example.com get transformed into?

In principle, one could apply the most specific (longest) rule, but..

My prejudice is that disjointness should be enforced for anything in
the torrc.  Otherwise, one must worry more about attackers modifying
torrc files. 

> Are trailing periods significant?

I believe they do not make sense.  DNS names may not end in a period,
so this is covered by the references I gave; not sure if I specced it
correctly, though.

> Are leading periods significant?

I doubt the leading periods matter, but they make rules marginally
easier to read.  

> Are duplicate rules significant?

No.


> Is there a length limit for the final query?
> (DNS names are limited to 255 characters.)

> For example:
> NameSubstitution .a .<254 characters>
> 
> What does <253 characters>.a get transformed into?

Originally, I'd meant to propose 510 characters since I'd envisioned
blahblah.gnu being translated into blahblah.hash.zkey where .zkey gets
processed by GNS.  There is no need for that now, so I'm ambivalent. 


As I said, we should probably drop the NameSubstitution rules in favor
of an external application that one calls via a NameService rule, but
this brings up a larger question:

I proposed that Tor implement NameService rules using UNIX domain
sockets, or ports, since that's how GNUnet works, but maybe Tor should
instead launch a helper application it communicates with via stdin and
stdout.  I dunno if that'll work well on Windows, however.

Jeff


_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
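The edge cases debated in the message above (rule ordering, disjointness of rules in the torrc, leading and trailing periods, duplicate rules, and the length of the rewritten name) are easiest to pin down in code. The following is an added example, not part of the original thread and not Tor's code: a small Python model of suffix-rewrite rules in the `NameSubstitution` style that enforces the disjointness Jeff argues for, so that the result does not depend on the order of torrc lines. The choices it makes (leading periods stripped, trailing periods rejected, exact duplicates ignored, a 253-character presentation-form limit with 63-character labels, and rejection of any rule set where one rule's output could feed another rule's input) are assumptions for illustration, not the proposal's specification.

```python
"""Toy model of NameSubstitution-style suffix rewriting.

Added example; not Tor code. Every semantic choice below is an assumption:
  * "NameSubstitution .com .net" rewrites foo.example.com to foo.example.net.
  * Leading periods are cosmetic and stripped; a trailing period is an error.
  * Exact duplicate rules are ignored; one suffix mapped to two targets is
    an error.
  * The rule set must be disjoint: no input suffix may be a suffix of
    another input suffix, and no output may match (or be matched by) any
    input. This makes the result order-independent and single-pass, so an
    attacker who can reorder torrc lines gains nothing from doing so.
  * The rewritten name must fit DNS limits: <= 253 chars, labels <= 63.
"""
from typing import Dict, List

MAX_NAME_LEN = 253   # presentation-form limit (assumed here)
MAX_LABEL_LEN = 63


class RuleError(ValueError):
    """Raised for malformed rules, non-disjoint rule sets, or oversize results."""


def _normalize_suffix(s: str) -> str:
    """Strip cosmetic leading periods; reject trailing periods and empty labels."""
    if s.endswith("."):
        raise RuleError(f"trailing period not allowed: {s!r}")
    s = s.lstrip(".").lower()
    if not s or ".." in s:
        raise RuleError(f"malformed suffix: {s!r}")
    return s


def _is_suffix(shorter: str, longer: str) -> bool:
    """True if `longer` equals `shorter` or ends with it on a label boundary."""
    return longer == shorter or longer.endswith("." + shorter)


def _check_disjoint(rules: Dict[str, str]) -> None:
    srcs = list(rules)
    # No input suffix may be a suffix of another input (".com" vs ".example.com").
    for a in srcs:
        for b in srcs:
            if a != b and _is_suffix(a, b):
                raise RuleError(f"overlapping inputs .{a} and .{b}")
    # A rewritten name is <arbitrary prefix> + dst. Another rule src2 would
    # match it if src2 is a suffix of dst, or dst is a suffix of src2
    # (".com -> .net" followed by ".example.net -> ..."). Reject both.
    for src, dst in rules.items():
        for other in srcs:
            if _is_suffix(other, dst) or _is_suffix(dst, other):
                raise RuleError(
                    f"output .{dst} of rule .{src} could be rewritten by .{other}")


def parse_rules(lines: List[str]) -> Dict[str, str]:
    """Parse torrc-style lines into a validated, disjoint suffix map."""
    rules: Dict[str, str] = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "NameSubstitution":
            raise RuleError(f"cannot parse rule: {raw!r}")
        src, dst = _normalize_suffix(parts[1]), _normalize_suffix(parts[2])
        if src in rules:
            if rules[src] == dst:
                continue            # exact duplicate: not significant
            raise RuleError(f"conflicting rules for .{src}")
        rules[src] = dst
    _check_disjoint(rules)
    return rules


def _check_length(name: str) -> None:
    if len(name) > MAX_NAME_LEN:
        raise RuleError(f"rewritten name too long ({len(name)} > {MAX_NAME_LEN})")
    if any(not label or len(label) > MAX_LABEL_LEN for label in name.split(".")):
        raise RuleError(f"empty or over-long label in {name!r}")


def substitute(name: str, rules: Dict[str, str]) -> str:
    """Apply the single matching rule, if any, and validate the result."""
    if name.endswith("."):
        raise RuleError(f"trailing period not allowed: {name!r}")
    host = name.lower()
    matches = [src for src in rules if _is_suffix(src, host)]
    if not matches:
        return host
    src = matches[0]                # disjointness guarantees at most one match
    result = host[:-len(src)] + rules[src]
    _check_length(result)
    return result


if __name__ == "__main__":
    # Constructed sample torrc lines, not from any real configuration.
    demo = parse_rules(["NameSubstitution .Example.com .example.onion",
                        "NameSubstitution .example.com .example.onion  # dup",
                        "NameSubstitution .gnu .zkey"])
    print(substitute("foo.Example.com", demo))   # foo.example.onion
    print(substitute("blahblah.gnu", demo))      # blahblah.zkey
```

Running the module on teor's `.com .net` / `.example.net .example.org` pair raises `RuleError` rather than picking an order, which is the disjointness answer to "what does foo.example.com get transformed into?"; the length check likewise refuses a rewrite whose output would overrun the assumed limit instead of handing a truncated or oversize name to the network.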