[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Building Petnames with DNSSEC...?

On Sat, Jun 02, 2012 at 04:12:04PM -0300, Jacob Appelbaum wrote:
> So the question is - how should this practically work? Should a user be
> able to dynamically register foo.petnames.tld and have it resolve to one
> or more .onions as CNAME that point somewhere or no where? If somewhere,
> where? Furthermore, should we ensure that a .onion can publish a petname
> somewhere, so we can do forward the reverse lookup? I think that would
> allow for some useful properties.

CNAME recards are probably not the best fit. `.onion` addresses do not
resolve to IP addresses. Imagine a RR like:

    tor.petnames.tld. IN CNAME idnxcnkne4qt76tg.onion.

If a resolver performs an A query for `tor.petnames.tld.`, any
unmodified resolver would try (and fail) with NXDOMAIN. Because it would
try to perform an A query against `idnxcnkne4qt76tg.onion.` which is
doomed to fail.

My previous research on putting hidden service addresses in DNS records
lead me to think that using TXT records within a specific prefix would
be the easiest solution. Something like:

    _onion.tor.petnames.tld. IN TXT "idnxcnkne4qt76tg"

JÃrÃmy Bobbio                        .''`. 
lunar@xxxxxxxxxx                    : :â  :  # apt-get install anarchism
                                    `. `'` 

Attachment: signature.asc
Description: Digital signature

tor-talk mailing list