[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Building Petnames with DNSSEC...?

On 06/03/2012 04:16 AM, Jérémy Bobbio wrote:
> On Sat, Jun 02, 2012 at 04:12:04PM -0300, Jacob Appelbaum wrote:
>> So the question is - how should this practically work? Should a user be
>> able to dynamically register foo.petnames.tld and have it resolve to one
>> or more .onions as CNAME that point somewhere or no where? If somewhere,
>> where? Furthermore, should we ensure that a .onion can publish a petname
>> somewhere, so we can do forward the reverse lookup? I think that would
>> allow for some useful properties.
> CNAME recards are probably not the best fit. `.onion` addresses do not
> resolve to IP addresses. Imagine a RR like:
>     tor.petnames.tld. IN CNAME idnxcnkne4qt76tg.onion.
> If a resolver performs an A query for `tor.petnames.tld.`, any
> unmodified resolver would try (and fail) with NXDOMAIN. Because it would
> try to perform an A query against `idnxcnkne4qt76tg.onion.` which is
> doomed to fail.
> My previous research on putting hidden service addresses in DNS records
> lead me to think that using TXT records within a specific prefix would
> be the easiest solution. Something like:
>     _onion.tor.petnames.tld. IN TXT "idnxcnkne4qt76tg"

That does indeed seem like a better idea. We'll need to use something
like unbound anyway, so we can use TXT records all the same, I guess.

Another consideration is that we could write a plugin to intercept
specific domains as petname domains - similar to how we deal with .onion
as a whole. If we could configure such a domain, we'd be able to avoid
extra software entirely, I think.

All the best,

tor-talk mailing list