[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
- To: tor-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
- From: nusenu <nusenu-lists@xxxxxxxxxx>
- Date: Mon, 25 May 2020 21:23:12 +0200
- Autocrypt: addr=nusenu-lists@xxxxxxxxxx; prefer-encrypt=mutual; keydata= mQINBFj53gUBEADYKwT0pW1yiqt6UReZW8T2nXVCyeVT2G6z7AvW69afp82uthRH237pQ7Qs 5vq91DivN6fGN6cVksp0N9Yv+5HEQAwUxpLfcNDcGzmHMd0JMItEtozGv3a4FuiUoHAqeGXM 6Kzi3v5F2PZGF+U4QaGKEZq6u50gO/ZFy4GfC9z9tsO6Cm7s7KldVHMGx/a0MEGMwh6ZI9x2 hGXSSAKu58KRUkEpHzDiQTj+/j58ndNfZRQv6P5BLppHADRPqwEOm4RQcQYskyM0FdKXbJ8E 5GW268meflfv2BASsl3X/Xqxp+LNrstXIbFZ+38hVlQDDmdvaASpPTzIAxf8FxMYZqI+K1UE kP5nU45q84KiZoXwT6YYJDKToLSDnYkKlsrCSnLkE3Nb/IexgNoYO4nE6lT9BDV3athQCWw1 FwB5idRYWnIqbVgUFgYZDUdZBJmeTEeI+Wn5hFz6HvFVc/+haMVTcoEKSkG/tsSGsKOc2mp6 z+71io9JWrVQGmw7OeZeE4TvkF9GhwS8jrKO4E0crfcT/zT6368PZCO6Wpir8+po/ZfOWbbh 1hi3MxmXn4Fki55Zrvhy3sf28U+H/nByQV4CssYv/xVhIZsN/wNQLcDLgVs4JTBUik8eQR0Y Qrq9lG3ZVtbpEi7ZTJ6BOGIn2TKHsVIVGSQA0PdKpKYV45Lc4QARAQABtCBudXNlbnUgPG51 c2VudS1saXN0c0ByaXNldXAubmV0PokCVAQTAQgAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIe AQIXgBYhBJaQzx+7tCmFlU3yu61hOMJFzUJ+BQJevydnBQkGspdiAAoJEK1hOMJFzUJ+oh4P /R+cSCszon9qrG2JaUSEaDVOTTJ8idR7Q2QEzumD9QCmvBxxZaSd/l53Koebm6Y6DQ3/bw3D +SSy6vwvpWBpBMBI0MGDvNLUUUgW8FlPxOXYkPItdvjbLYcEjYCyOOXB63b2OUx3KAdPScwI FIvm2QAwILQf2BwrNglWoDVH9HKBGp8nkQg2co08/HxkJ/19CkXpEa3CGCV7yo059bIJr7+S OLxKlLiyzDRK7dyIN/wL+ZJwBORzQ7F8JiHGzIK5XAMeDe4ehnLDd1AaTvTDPGlaUlrFxvQd FjPCZXVWH1QFCWLveZI2cCkPW2Nbv0FtuqWhSyFpNX+Fyo46JDw2VqIdNmLdm1lxYnxNBLzp aefgzU6yYyPy1u5mAjm5llqzNpNmxbVyGSeBRbxXiR7RmP2PKiiQds2OmXhMa/fcEc2l4i63 lEOquOfnBbTmw5p8fdTeE4aIgv6eVR1O1sL+ZWQaqxR8ssfYIehYoxzMkLwDPyWfjLEK2rg9 ujH+3rHAraHYggcDgvsPNRQ7tM0iLtFB+/g5GbPQsRutZR4oxTujwglp+4BdFZZQZmR2ONSk g/k01IMToD/mDWP9KQQ5qqAO+97rsBoJAES40JxEV6PtHA55kUglGYdLV39CV0Iq6B9OF7jC dezf7e+LVK9NHpmxkQ1cxGv1KE2ElLTBLHfFuQINBFj53gUBEADAlnpTtRPy4HVYJ8srcA5H VZr1vM4CCGVNHhZdscHhqNAobv8XO5331ufAPRXf8A5XP9JsYPId77scy93UDQuXg2DIfo6n FjvA7AJcBhMBtxcukzt4pOOOxv0D1cbcVwga+NzLvo6Rp7CqGIAFpKGVK0Rhw+RG6wdm55xe 0Kd8KMkqKFT+SKdakE72BjpKsXYoULBp5LivftutdD3Ly7LeBnXrxAW4hrkAp8vSvlg3eThK 01IDanln+m59Zcw3cHTdAL7d+Kt6LPd2KeUcrpeNRbyhZJ03EmF7FP+VTD56mKw25ZNCu7Ls 8P4d6iFgZeqOCCY9SJZzXvVJ7BvZ/wcIdWIcx57xBeqj8tJGRhWu2zHQdRIwqxVA6Zr+7YHL Te5yugiRAlBB+pfdikrWLcSlQ7YvT+YTxSkG9SbW+uy3ngQXKbi1g0lOP2t5V98UqHZxzOY9 U3mjy/dGt1MX3qYa1xv0QlsZXjbvtkQupSym+IQFfKepTfJnjwmEhYePbb+FrpN4GlqlhkM4 nyV4953wTfgn8ZgTZheXrkuGlcAq9bM7cqIHIYzKxv0uLrOpn38FhC2DkIDpDw6jukHEriKI MfcZfZa/KaYuho4Gk5ohh28qvf19qMSbN9uDtN1kpfGqnYoOtvDu9QksPKuY9anEfKEoci3O iLVjn3DNhKreHQARAQABiQI8BBgBCAAmAhsMFiEElpDPH7u0KYWVTfK7rWE4wkXNQn4FAl6/ J2sFCQayl2YACgkQrWE4wkXNQn5+RhAAkdSze4EXa+GHsdKqv+JSIgpflI0uT5SDxycGUyL2 p76AuHl7+P/tQK+4gzV0eRpdCuDfYI8BTDmaBXSA+acNofrhWtYC4VcgsxeqNjTzBJXCTgb+ /Y8ba0Z0ggDEfsH4TSOnt6yYLheVxy6OYddghg/woPnCiImz/Y7fhSiCRugG1N/+5euCevuy wWSmMLUuqGAxN9MHE2NUsWJMFdFRFT2jdFMusk+T+rwr2OB2bu7Vma0uweu2nG2lHB1QYUu5 llQXbkUPy9z5SUXvTWZQkMbeQigrAXpfO7Jov++TAelNAPY0hZQQ9Ou8wrLvZA7fLNB6Apgu Pdi2l9OkRMROsMNYuh0h2oQ6KCXx50HQ5sbaceFRkzk8g0KphPrLOsL2jZEk4nNdZxoL3nW9 2zWJfRbq8LfJktO4UP1MwIBrnoM9aj2ooBf8Vn0VKaacfJrd2iWjktDDOJigWIUEBCvJoxkF x5IFj8igcHVQgZumYqgg1FOF3vSozDAskASuqdb8Cv5mkfd+3KXYGEAHgW7hOJhJwBWwx0UC v+bXsPEQJsJ+atq5k4/Dox7sNdUxoaGSv3NmK+4uvmEdbIT/zGl1rTtHnfot8yEULF7Em2ia /qG+Sp2fbPeSxeHUqhLTu1jComXEZv59HnNhlcJeAxKFXoiAFCFV4XbKdVG2bKh434c=
- Delivered-to: archiver@xxxxxxxx
- Delivery-date: Mon, 25 May 2020 15:23:53 -0400
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1590434617; bh=83uuKqUL0/W59rpq4drHIZNXjGpqf5zIEGutHZi5oxg=; h=To:References:From:Subject:Date:In-Reply-To:From; b=fEVXeiZlKGCHpz1MIpfgYicYcUU3h0IJhse2to5+D8ps8o/l6KrZMYLxYhijl5M3y dtKhmCT0LixLV0WjeL24VxUwgxN67Bod9XjCU/QFepy5rSHZ8K/XUrFhGTpWDJG/BI wLVJm6i8irCbctlFEqnL4dipxuqrSJ5KXJTmKJhc=
- In-reply-to: <045ea758673559a748ed41fd96f6352541dd09f4.camel@gmail.com>
- List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
- List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
- List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
- List-post: <mailto:tor-dev@lists.torproject.org>
- List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
- List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
- References: <2c459db33cb48d1ff9116f98e15ff6af7ca8dc1a.camel@gmail.com> <20200515152944.c2up4hxh3y76vizx@localhost> <5e3a3a2e-7d23-0976-a213-d55f25c1f2a5@riseup.net> <ec5a8c3514766eff328cd44756519e661da68353.camel@gmail.com> <33edd9b1-8133-b3d1-4576-b577eed3118a@riseup.net> <045ea758673559a748ed41fd96f6352541dd09f4.camel@gmail.com>
- Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
- Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
Christian Hofer:
> The thread model is DNS hijacking. Yes, you can prevent DNS hijacking
> using DoH if you *trust* the resolver you connect to. However, if you
> want to verify authenticity and integrity of DNS responses you need
> DNSSEC.
Could you elaborate on the use-case since DNS record authenticity is often just a vehicle to
bootstrap some other use-case (for example DANE). What higher level use-case do you have in mind where authenticity
of DNS entries provides a value for tor / Tor Browser users?
What I'm trying to get to:
Authentic IP addresses from A/AAAA records are probably of limited value in the context of a tor
client since the exit relay has full control over the routing anyway.
If the tor clients asks the exit relay to connect to IP A (which is the actual DNSSEC validated IP address)
there is nothing that can stop an exit from routing it to some other IP address.
That is why I'm trying to get to the bottom of your DNSSEC use-case.
To avoid anonymity set reductions I'm also primarily interested in enabled by default designs
(in contrast to opt-in) which brings you to the next problems: performance, scaleability and resolver selection.
Please don't let me discourage you with my questions, they are not meant to.
Just trying to understand and hopefully find some common ground to move forward since I see a rather
motivated person and it would be a pity to loose that opportunity.
My vision for DNS privacy in Tor Browser:
Be able to visit a HTTPS website without the exit relay learning what domain it was
(encrypted DNS + encrypted SNI)
There are a few issues to solve along that path.
kind regards,
nusenu
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev