Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
- To: tor-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
- From: nusenu <nusenu-lists@xxxxxxxxxx>
- Date: Sun, 14 Jun 2020 20:16:49 +0200
- In-reply-to: <4cb79432edf1ee374e5160cd6ab3788c483c8868.camel@gmail.com>
- List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
- References: <2c459db33cb48d1ff9116f98e15ff6af7ca8dc1a.camel@gmail.com> <20200515152944.c2up4hxh3y76vizx@localhost> <5e3a3a2e-7d23-0976-a213-d55f25c1f2a5@riseup.net> <ec5a8c3514766eff328cd44756519e661da68353.camel@gmail.com> <33edd9b1-8133-b3d1-4576-b577eed3118a@riseup.net> <045ea758673559a748ed41fd96f6352541dd09f4.camel@gmail.com> <2fc0b628-d486-27ff-58a8-786c6580642a@riseup.net> <d08470b114915ac06ea0793dec2df4f49ebc0b3b.camel@gmail.com> <0a057f7f-ff61-5da0-a22a-e9ec90ad9885@riseup.net> <4cb79432edf1ee374e5160cd6ab3788c483c8868.camel@gmail.com>
Christian Hofer:
> On Tue, 2020-06-09 at 23:54 +0200, nusenu wrote:
>>> However, thinking about it, DNSSEC might be useful for caching DNS
>>> records on the client side.
>>
>> caching has privacy implications and is therefore a risk.
>>
>
> So you are saying that caching is not an option in any case, right? Can
> I kindly ask you to elaborate on this? You don't have to write a long
> answer. A link pointing me to the answer would be more than enough. I
> just want to understand the reason behind this.
You can use a cache, but it must address the linkability risk by scoping the cache usage.
With DoH the browser has access to TTL values from DNS records, so caching is
somewhat easier for the browser than it used to be.
keywords and pointers:
unlinkability
first party isolation
https://www.torproject.org/projects/torbrowser/design/
>> but finding resolvers is probably one of the smaller issues when
>> compared to getting
>> everything implemented in firefox/tor browser. Current versions do
>> not even allow
>> to set more than one resolver URL.
>>
>
> I see. Are there any tickets or design proposals I can contribute to?
I haven't put my ideas into a specification yet, but it looks like there is a good reason to
write a spec now.
A next step - before anything else - could be to ask Tor Browser people if there are any DoH plans yet;
I did so back in 2018 and will follow up on that right after this email.
> Since you have no comments on my suggestion for an alternative
> approach, I assume that it is not worth to compare it to DoH, right?
to quote my vision:
> My vision for DNS privacy in Tor Browser:
> Be able to visit a HTTPS website without the exit relay learning what domain it was
> (encrypted DNS + encrypted SNI)
This vision somewhat implies the use of DoH, since Firefox requires DoH for ESNI (unless
one wants to implement that in an additional Firefox patch).
A second good reason for DoH over some other option: DoH is a specified protocol with public implementations
and public services/service providers. This helps with resolver diversity and availability,
and gives us more options when choosing resolvers.
kind regards,
nusenu
--
https://mastodon.social/@nusenu
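Added example, not code from the thread, Tor Browser or Firefox: a small DoH answer cache that honours record TTLs but scopes each entry to the first-party site that triggered the lookup, illustrating the "scope the cache usage" point in the reply above. The weak design (one cache shared by all sites) lets a tracker hostname embedded on site A warm the cache so that the same hostname loaded on site B later observes a hit (e.g. via resolution timing), linking the two visits; the first-party-isolated variant keys entries on (first party, name, type) so the second lookup misses. The hostnames, the 60-second TTL cap and the DnsCache class are assumptions made for the example, not Tor Browser settings or APIs.

```javascript
// Added example (not Tor Browser/Firefox code): a DoH answer cache with optional
// first-party isolation. Expiry is min(record TTL, maxTtl) seconds.

class DnsCache {
  // firstPartyIsolation: partition entries per first-party site (constructed policy)
  // maxTtl: cap applied to record TTLs (constructed value, not a Tor setting)
  // now: injectable clock in seconds, so behaviour is deterministic in tests
  constructor({ firstPartyIsolation = true, maxTtl = 60, now = () => Date.now() / 1000 } = {}) {
    this.fpi = firstPartyIsolation;
    this.maxTtl = maxTtl;
    this.now = now;
    this.entries = new Map();
  }

  // Shared mode keys on (name, type); isolated mode adds the first party.
  key(firstParty, name, type) {
    const n = name.toLowerCase().replace(/\.$/, '');
    return this.fpi ? `${firstParty}|${n}|${type}` : `${n}|${type}`;
  }

  // Store decoded DoH answers ({name, type, ttl, data} objects) under the
  // requesting first party; the entry expires after the smallest TTL, capped.
  put(firstParty, name, type, answers) {
    const ttl = Math.min(this.maxTtl, ...answers.map(a => a.ttl));
    this.entries.set(this.key(firstParty, name, type), {
      expires: this.now() + ttl,
      data: answers.map(a => a.data),
    });
  }

  // Returns {hit: true, data} or {hit: false}; expired entries are evicted.
  lookup(firstParty, name, type) {
    const k = this.key(firstParty, name, type);
    const e = this.entries.get(k);
    if (!e) return { hit: false };
    if (e.expires <= this.now()) {
      this.entries.delete(k);
      return { hit: false };
    }
    return { hit: true, data: e.data };
  }
}

// Scenario (constructed): a tracker hostname is embedded on two unrelated sites.
// Returns whether site B's lookup hits the entry warmed by site A's visit.
function crossSiteHit(firstPartyIsolation) {
  let t = 1000;
  const cache = new DnsCache({ firstPartyIsolation, now: () => t });
  const answers = [{ name: 'tracker.example', type: 'A', ttl: 300, data: '192.0.2.10' }];
  cache.put('site-a.example', 'tracker.example', 'A', answers);
  t += 5; // a few seconds later, on a different first party
  return cache.lookup('site-b.example', 'tracker.example', 'A').hit;
}

// TTL handling: a 3600 s record is served only until the 60 s cap elapses.
function ttlExpires() {
  let t = 0;
  const cache = new DnsCache({ maxTtl: 60, now: () => t });
  cache.put('site-a.example', 'www.example', 'AAAA',
    [{ name: 'www.example', type: 'AAAA', ttl: 3600, data: '2001:db8::1' }]);
  t = 59;
  const before = cache.lookup('site-a.example', 'www.example', 'AAAA').hit;
  t = 60;
  const after = cache.lookup('site-a.example', 'www.example', 'AAAA').hit;
  return { before, after };
}

console.log('shared cache links site A and B:', crossSiteHit(false));   // true
console.log('isolated cache links site A and B:', crossSiteHit(true));  // false
console.log('TTL cap respected:', ttlExpires());                        // { before: true, after: false }
```

In a real browser the partition key would be the first-party origin Tor Browser already uses for its other per-site state, and the TTL cap keeps stale answers from outliving a site's own lifetime in the cache; the point of the example is only that isolation, not the TTL alone, is what removes the cross-site linkability.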