[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
From: Ondrej Mikle <ondrej.mikle@xxxxxxxxx>
Date: Tue, 31 Jan 2012 20:08:27 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 31 Jan 2012 14:08:58 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; bh=zlnePJWEheKlItvWdldZN7XMi9F1j/CFH7u5hIazLm4=; b=jEU32D30WZyUqai1wwa6FM/dYagALgOrRsxVfkGM1d9wyUk162fwgiAt/Urjqt+HtP 4l1t5gctpry1hek+kVoyEM7MbpXzjEUSzw1x263Hm7rkDVq628oBjh78SPR0UuiYiO5K pfkrlVfLKxDpBMi09XTWUVdIPXvgdB4v6BuAM=
In-reply-to: <CACsn0ckOzYCh07XtTve2_KUa_rm+CqQ-k3jGqA5kO0WY0x-HHA@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for discussion by the developers of Tor." <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <4F21C8DD.4090400@xxxxxxxxx> <CACsn0ckOzYCh07XtTve2_KUa_rm+CqQ-k3jGqA5kO0WY0x-HHA@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1

On 01/31/2012 05:17 PM, Watson Ladd wrote:
> I've got a more basic question: does the OP get enough information to
> validate the DNSSEC data, or does it have to trust the OR? I don't
> quite know enough to tell from the above.

I forgot to mention: validation on the client side is not finished in the PoC
code. Both ldns and libunbound are capable of DNSSEC validation (libunbound has
simpler API, thus lower chance in making mistakes).

Trust anchors (for root zone and maybe others) would be simply in the
configuration file and distributed with Tor.

I don't know yet what the best API on the client side would be. For example,
there's an evdns server code in
connection_edge.c:connection_ap_handshake_socks_resolved() - the "if
(ENTRY_TO_EDGE_CONN(conn)->is_dns_request)" branch. Is the evdns server actively
used?

Ondrej
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
  - From: Ondrej Mikle
- Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
  - From: Watson Ladd

Prev by Author: Re: [tor-dev] Tor and DNS
Next by Author: Re: [tor-dev] Tor and DNS
Previous by thread: Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
Next by thread: [tor-dev] Pre-draft of Proposal XXX: Extended ORPort and TransportControlPort
Index(es):
- Author
- Thread