Re: [tor-talk] Tor resolver DNSSEC RRs

On Tue, Nov 29, 2011 at 6:06 AM,  <tor@xxxxxxxxxxxxxxxxxx> wrote:
> If the SSHFP RR type is added too, people who use OpenSSH with the
> VerifyHostKeyDNS option can benefit from public key verification when
> SSH'ing into a box for the first time, over Tor.

(It's important to note that OpenSSH trusts the AD bit in the DNS
reply. So, using it with Tor's DNS resolver assumes that Tor acts as a
full, validating, DNSSEC resolver. It would likely be more expeditious
to figure out a way to have Unbound forward over Tor.)



Adam Langley agl@xxxxxxxxxxxxxxxxxx http://www.imperialviolet.org
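
A simplified model of the trust decision discussed above, added here as an illustration (it is not part of the original message and is not OpenSSH's code). The function names, the sample host key and the DNS headers are constructed; the "ask" fallback for unvalidated answers follows the documented behaviour of `VerifyHostKeyDNS yes`.

```python
import hashlib
import hmac
import struct

AD_FLAG = 0x0020  # "Authentic Data" bit in the DNS header flags word

def ad_bit_set(response: bytes) -> bool:
    """True if the raw DNS response header carries the AD bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", response[:4])
    return bool(flags & AD_FLAG)

def sshfp_matches(rdata: bytes, host_key_blob: bytes) -> bool:
    """Check SSHFP RDATA (algorithm, fp type, fingerprint) against a key blob."""
    if len(rdata) < 3:
        raise ValueError("truncated SSHFP RDATA")
    digest = {1: hashlib.sha1, 2: hashlib.sha256}.get(rdata[1])
    if digest is None:
        return False  # unknown fingerprint type: cannot verify
    return hmac.compare_digest(rdata[2:], digest(host_key_blob).digest())

def host_key_decision(response: bytes, rdata: bytes, host_key_blob: bytes) -> str:
    """Simplified model of VerifyHostKeyDNS=yes: a matching fingerprint is
    trusted implicitly only when the resolver marked the answer validated."""
    if not sshfp_matches(rdata, host_key_blob):
        return "mismatch"
    return "trusted" if ad_bit_set(response) else "ask"

def make_header(flags: int) -> bytes:
    """Constructed 12-byte DNS header: id, flags, 1 question, 1 answer."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)

# Constructed sample data, not taken from any real host.
HOST_KEY = b"constructed-host-key-blob"
RDATA = bytes([4, 2]) + hashlib.sha256(HOST_KEY).digest()  # Ed25519, SHA-256
VALIDATED = make_header(0x81A0)    # QR | RD | RA | AD
UNVALIDATED = make_header(0x8180)  # QR | RD | RA

if __name__ == "__main__":
    print(host_key_decision(VALIDATED, RDATA, HOST_KEY))
    print(host_key_decision(UNVALIDATED, RDATA, HOST_KEY))
```

The two headers differ in a single flag bit that carries no signature of its own, so the client's decision is only as trustworthy as the resolver that set it and the path to that resolver.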
