
Re: [tor-talk] Tor resolver DNSSEC RRs



On 11/29/2011 06:35 AM, Adam Langley wrote:
> On Tue, Nov 29, 2011 at 6:06 AM,  <tor@xxxxxxxxxxxxxxxxxx> wrote:
>> If the SSHFP RR type is added too, people who use OpenSSH with the
>> VerifyHostKeyDNS option can benefit from public key verification when
>> SSH'ing into a box for the first time, over Tor.
> 
> (It's important to note that OpenSSH trusts the AD bit in the DNS
> reply. So, using it with Tor's DNS resolver assumes that Tor acts as a
> full, validating, DNSSEC resolver. It would likely be more expeditious
> to figure out a way to have Unbound forward over Tor.)
> 

That's something that I've started to work on with letoams and there's a
bit of progress here:

https://gitweb.torproject.org/ioerror/ttdnsd.git/blob/665a534df8394d221f07a9155eee6211ddc33f1c:/misc/README.unbound
https://gitweb.torproject.org/ioerror/ttdnsd.git/commit/14c806d5ec0d6a171532c84c5e0fdbe7974e3f20

All the best,
Jake
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
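
Added example (not part of the original message, and not OpenSSH's or Tor's code): a Python illustration of the trust decision described in the quoted note, where a stub client that does no DNSSEC validation of its own classifies a matching SSHFP record as secure purely from the AD bit in the reply header. The reply bytes, the name `host.example`, the key blob and all function names are constructed for this example.

```python
import hashlib
import struct

AD_FLAG = 0x0020      # "Authenticated Data" bit in the DNS header flags
TYPE_SSHFP = 44       # SSHFP RR type (RFC 4255)
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}  # SSHFP fingerprint types

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n

def sshfp_verdict(msg, host_key_blob):
    """Classify a DNS reply the way a stub that trusts the AD bit would."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    matched = False
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]  # algorithm, fp type, fingerprint
        off += 10 + rdlen
        if rtype == TYPE_SSHFP and len(rdata) > 2 and rdata[1] in FP_HASHES:
            if FP_HASHES[rdata[1]](host_key_blob).digest() == rdata[2:]:
                matched = True
    if not matched:
        return "no-match"
    # The only difference between the two outcomes is one header bit set by the resolver.
    return "secure-match" if flags & AD_FLAG else "insecure-match"

def build_reply(host_key_blob, ad):
    """Constructed sample reply: one SSHFP RR (Ed25519, SHA-256) for host.example."""
    name = b"\x04host\x07example\x00"
    flags = 0x8180 | (AD_FLAG if ad else 0)    # QR, RD, RA set
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    question = name + struct.pack("!HH", TYPE_SSHFP, 1)
    rdata = bytes([4, 2]) + hashlib.sha256(host_key_blob).digest()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SSHFP, 1, 300, len(rdata)) + rdata
    return header + question + answer

KEY = b"constructed-host-key-blob"   # stand-in for the server's public key blob
```

The same fingerprint yields "secure-match" or "insecure-match" depending only on what the resolver put in the header, which is why the resolver answering the stub has to be a validating one reached over a trusted path.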