
Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)



On 01/31/2012 05:17 PM, Watson Ladd wrote:
> I've got a more basic question: does the OP get enough information to
> validate the DNSSEC data, or does it have to trust the OR? I don't
> quite know enough to tell from the above.

I forgot to mention: validation on the client side is not finished in the PoC
code. Both ldns and libunbound are capable of DNSSEC validation (libunbound has
a simpler API, thus a lower chance of making mistakes).

Trust anchors (for root zone and maybe others) would be simply in the
configuration file and distributed with Tor.

I don't know yet what the best API on the client side would be. For example,
there's evdns server code in
connection_edge.c:connection_ap_handshake_socks_resolved() - the "if
(ENTRY_TO_EDGE_CONN(conn)->is_dns_request)" branch. Is the evdns server actively
used?

Ondrej
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
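
Added example, not code from the PoC, Tor, ldns or libunbound: a client that does not trust its resolver must first confirm that a DNSKEY it was handed matches a DS trust anchor from its own configuration. The Python sketch below performs only that anchor match (RFC 4034 key tag and SHA-256 DS digest); the key bytes, the anchor line and all function names are constructed for illustration, and RRSIG verification down the chain is left to a validating library.

```python
import hashlib
import hmac

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name (RFC 4034, 6.2)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034, appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_ds_anchor(line: str):
    """Parse '<owner> IN DS <tag> <alg> <digest-type> <hex digest>'."""
    owner, _cls, rtype, tag, alg, dtype, *digest = line.split()
    if rtype != "DS" or int(dtype) != 2:
        raise ValueError("only SHA-256 (digest type 2) DS anchors handled")
    return owner, int(tag), int(alg), bytes.fromhex("".join(digest))

def matches_anchor(anchor_line: str, dnskey_rdata: bytes) -> bool:
    """True only if the DNSKEY RDATA hashes to the configured DS digest."""
    owner, tag, alg, digest = parse_ds_anchor(anchor_line)
    if len(dnskey_rdata) < 4 or dnskey_rdata[3] != alg:
        return False
    # The key tag is only a lookup hint; the digest is the security check.
    if key_tag(dnskey_rdata) != tag:
        return False
    computed = hashlib.sha256(name_to_wire(owner) + dnskey_rdata).digest()
    return hmac.compare_digest(computed, digest)

def trusted_keys(anchor_line: str, dnskey_rdatas):
    """Keep only the keys from an untrusted answer that match the anchor."""
    return [k for k in dnskey_rdatas if matches_anchor(anchor_line, k)]

# Constructed sample data: flags=257, protocol=3, algorithm=8, toy key bytes.
GENUINE = bytes([0x01, 0x01, 3, 8]) + bytes([1, 2, 3, 4, 5, 6, 7, 8])
# Forged key with two bytes swapped so that it keeps the same key tag.
FORGED = bytes([0x01, 0x01, 3, 8]) + bytes([1, 2, 3, 4, 5, 8, 7, 6])
# Constructed anchor line, as it might sit in a configuration file.
ANCHOR = ". IN DS {} 8 2 {}".format(
    key_tag(GENUINE), hashlib.sha256(b"\x00" + GENUINE).hexdigest())

if __name__ == "__main__":
    print(len(trusted_keys(ANCHOR, [FORGED, GENUINE])), "key(s) accepted")
```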