[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Support for full DNS resolution and DNSSEC validation

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
From: Jeremy Rand <jeremyrand@xxxxxxxxxx>
Date: Fri, 15 May 2020 17:22:00 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 15 May 2020 13:23:22 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=airmail.cc; s=mail; t=1589563387; bh=KvWlTQTMdYRH6ZfELlQ599mYd3ZDASQbMatuJSqa+7E=; h=Subject:To:References:From:Date:In-Reply-To:From; b=lQAOF/XbmcVD4bdLqHmEPCjDwN7pu+v0lmRjF2bZCpx+lDiNmHg1Y96VSocrEa4ck AlfjVKcqYlJ/l9L+icDeoFO/Wwj24XdHVtUyLG0YJrOi5lLkvtrtWJuyTfgGOYAGw+ uXmFCRf4azrxvhtwAhiwrsV5K4lxlsSnUKmptVDK0E+FyJ4E8EcXP0xxu8IJMzjg3B PAZF+7S7vJhl7NCeVcwqPKEf3zsjlLgZohPX7siw5RR/LKio4Tw60PW/R0IWej2U3j SBahPaXVumURdhnRUDzoY+wXh55sb8mgKJXQkEqaxURSrDD2FMbM+RiBEZXlnd2ss6 vkgpdfxOh88RQ==
In-reply-to: <20200515165329.2ledlcvx2v7uco2r@localhost>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Openpgp: preference=signencrypt
References: <2c459db33cb48d1ff9116f98e15ff6af7ca8dc1a.camel@gmail.com> <20200515152944.c2up4hxh3y76vizx@localhost> <5bcc4ea9-bfe8-8467-5349-7e8b5a789a99@airmail.cc> <20200515162420.uuobo2g2g27sfnfu@localhost> <701ff4c4-2a87-699f-0ca6-678c66ed77bb@airmail.cc> <20200515165329.2ledlcvx2v7uco2r@localhost>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Alexander Færøy:
> Hey,
> 
> On 2020/05/15 16:36, Jeremy Rand wrote:
>> The Prop279 spec text is ambiguous about whether the target is required
>> to be a .onion domain, but the implementations (TorNS and StemNS) do not
>> have that restriction.  TorNS and StemNS allow a Prop279 plugin to
>> advertise acceptance of any domain suffix (haven't explicitly tried the
>> root zone as an suffix, but if that doesn't work, it's a bug that should
>> be easy to fix) and can resolve them to any result (e.g. an IP address,
>> a .onion domain, or another DNS name a la CNAME).
> 
> In proposal #279 the subprocess passes the `RESOLVED` message to Tor
> once it is has completed a name look up. The `RESOLVED` message is
> defined as follows:
> 
>     ``When the name plugin completes the name resolution, it prints the
>     following line in its stdout:
> 
>         RESOLVED <QUERY_ID> <STATUS_CODE> <RESULT>
> 
>     where QUERY_ID is the corresponding query ID and STATUS_CODE is an integer
>     status code. RESULT is the resolution result (an onion address) or an error
>     message if the resolution was not succesful.''
> 
> Here the `<RESULT>` must be an onion address. We would have to change
> that, such that an IP address can be returned as well :-)

Hi Alex,

The ambiguity I was referring to is that while the section you quote
does require that the result be a .onion domain, below it is this note:

> Tor MUST validate that the resolution result is a valid .onion name.
> XXX should we also accept IPs and regular domain results???

Prop279 is clearly labeled as a draft, so this makes it appear that no
decision was reached on whether the result should be required to be a
.onion domain.

My opinion is that accepting non-.onion addresses as results is
desirable (both because it's useful for the Namecoin use case and
because it's useful for the DNSSEC use case that we're discussing).

Cheers,
-- 
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile@xxxxxxxxxx
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jeremy@xxxxxxxxxxx is having technical issues at the
moment.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
  - From: Alexander Færøy
- Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
  - From: Jeremy Rand
- Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
  - From: Alexander Færøy
- Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
  - From: Jeremy Rand
- Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
  - From: Alexander Færøy

Prev by Author: Re: [tor-dev] Proposal 320: Removing TAP usage from v2 onion services
Next by Author: Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
Previous by thread: Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
Next by thread: Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
Index(es):
- Author
- Thread