[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] DNSSEC

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] DNSSEC
From: David Stainton <dstainton415@xxxxxxxxx>
Date: Mon, 1 Sep 2014 16:33:34 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 01 Sep 2014 12:35:08 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to; bh=n6lEqoTa2ajmnFjxD5TM1aYAdEB8vES7RqbYQX4wrt4=; b=mYdQt3Qixq9mctTM7Xig5tBZdN53cEsxUR+QGY9F1zazhZKa0GMY30yxgB82x8MW2I MBmTYwUVf2VJpZzBX0Au/x5REv+V6htD/QDDCftBaxXlv/yzsM+n6uDpBWnwD0fhfpCj qcV5MzVNZP77rVHUXjPDNT6VC/2lbCigJoqXUe+Uwtm7EjOjtbG41cpR7fVxAOXgQ6pl 3cR8ssNk2bO4ELS0kakTUGF3q0q61vu0Ps4tKs5n79VggXeQbpnILWWmDmeLenWdD1ry 1+ZMM2yh4hUVCT7vvpcr1Fq8EuLcAfhiQmq9Ji1987TZgvgftUefVAJ8ALuEcMVbHQHP jZ9Q==
In-reply-to: <1409587341.1297117.161019261.75AAB13D@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <1409587341.1297117.161019261.75AAB13D@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Dear merc1984@xxxxxx,

Is DNSSEC is not evil? To me it seems like the 1984 of domain name systems...
Please take a good look at the political implications of DNSSEC.
I personally do not understand why this Tor Project spec includes mention of DNSSEC:
https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/219-expanded-dns.txt

Can we use djb's DNSCurve instead of DNSSEC?
Perhaps I misunderstand the situation and the difference between DNSCurve and DNSSEC.
Perhaps "ZOMG someone is wrong on the Internet!" will spark someone else's interest in correcting me here
in this discussion. I personally think that people mentioning DNSSEC on tor communications channels
must either have an agenda to help the US government gain more control of the Internet... or they must be trolls.
But maybe I am totally wrong about this. I'd be interested in hearing a correction if I am wrong... and
does this mean the DJB is also wrong? =-)
https://en.wikipedia.org/wiki/DNSCurve

If you want to know how Tor currently handles DNS then read this:
https://tor.stackexchange.com/questions/8/how-does-tor-route-dns-requests

Sincerely,

David

On Mon, Sep 01, 2014 at 09:02:21AM -0700, merc1984@xxxxxx wrote:
> I am surprised to find that there is no form of DNSSEC associated with
> TOR.  I am running dnscrypt, but find that I fail the DNSSEC test at
> http://dnssec.vs.uni-due.de/ when using the TBB.  I have unbound chained
> to dnscrypt which is on a rotary to 5 trusted DNS resolvers.
> 
> How can you not understand what this means WRT DNS cache poisoning?  Why
> are we susceptible to DNS cache poisoning?  I suppose that the TOR
> system needs to resolve .onion addresses, but there should be some way
> of using dnssec locally if the TOR system cannot provide authenticated
> DNS.
> 
> No one in the #tor irc channel seems to know how TOR DNS is done, and
> unfortunately there's not a word about it at
> https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver .  But I
> suspect it must be TCP DNS as TOR can't do UDP.  And I suspect DNS must
> be done by relay servers, in order to resolve intermediate .onion
> addresses.  Beyond that, it's a mystery how it's done.
> 
> How to secure TOR DNS?
> 
> -- 
> http://www.fastmail.fm - mmm... Fastmail...
> 
> _______________________________________________
> tor-dev mailing list
> tor-dev@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Attachment: signature.asc
Description: Digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] DNSSEC
  - From: ÐÑÑÑÑ ÐÑÑÐÐÐÐ

References:
- [tor-dev] DNSSEC
  - From: merc1984

Prev by Author: Re: [tor-dev] Call for a big fast bridge (to be the meek backend)
Next by Author: [tor-dev] Making and distributing custom TBB with a new "home-page"
Previous by thread: [tor-dev] DNSSEC
Next by thread: Re: [tor-dev] DNSSEC
Index(es):
- Author
- Thread