[tor-bugs] #33237 [Core Tor/Tor]: Prop 312: 3.2.2. Stop Directory Authorities Resolving *Port Hostnames
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Feb 11 03:27:51 UTC 2020
#33237: Prop 312: 3.2.2. Stop Directory Authorities Resolving *Port Hostnames
--------------------------+------------------------------------------------
 Reporter:  teor          |          Owner:  teor
     Type:  defect        |         Status:  assigned
 Priority:  Medium        |      Milestone:  Tor: 0.4.4.x-final
Component:  Core Tor/Tor  |        Version:
 Severity:  Normal        |       Keywords:  prop312, tor-dirauth, security-low
Actual Points:            |      Parent ID:  #33049
   Points:  1             |       Reviewer:
  Sponsor:  Sponsor55-can |
--------------------------+------------------------------------------------
For security reasons, directory authorities only use addresses that are
explicitly configured in their torrc. Therefore, we propose that directory
authorities only accept IPv4 or IPv6 address literals in the address part
of the ORPort and DirPort options.

As part of this fix, we may also ban DNS resolution on all configured
Ports. (We should try to avoid banning DNS resolution entirely on
authorities, because some test networks use Authority/Exits.)

Directory authorities must not attempt to resolve these
addresses using DNS. It is a config error to provide a hostname as a
directory authority's ORPort or DirPort.

If directory authorities don't have an IPv4 address literal in their
Address or ORPort, they should issue a configuration error, and refuse to
launch. If directory authorities don't have an IPv6 address literal in
their Address or ORPort, they should issue a notice-level log, and fall
back to only using IPv4.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33237>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
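
The rule proposed in this ticket, as an added example that is not part of the ticket and is not Tor's own code: addresses are classified with `inet_pton()` only, so a hostname is rejected without any DNS lookup. The names `classify` and `check_authority`, the result enums, the bracketed IPv6 form, and treating a hostname in Address as "not a literal" are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>

enum addr_kind { ADDR_V4, ADDR_V6, ADDR_HOSTNAME };
enum verdict { CFG_OK, CFG_OK_V4_ONLY, CFG_ERR_HOSTNAME, CFG_ERR_NO_V4 };

/* Classify with inet_pton() only, so no resolver is ever called. */
static enum addr_kind classify(const char *addr)
{
    unsigned char buf[sizeof(struct in6_addr)];
    char tmp[INET6_ADDRSTRLEN];
    size_t n = strlen(addr);

    if (inet_pton(AF_INET, addr, buf) == 1)
        return ADDR_V4;
    /* Assumption: IPv6 literals may be written in brackets. */
    if (n >= 2 && n - 2 < sizeof(tmp) && addr[0] == '[' && addr[n - 1] == ']') {
        memcpy(tmp, addr + 1, n - 2);
        tmp[n - 2] = '\0';
        addr = tmp;
    }
    return inet_pton(AF_INET6, addr, buf) == 1 ? ADDR_V6 : ADDR_HOSTNAME;
}

/* address may be NULL; arrays hold only the address part of each option. */
enum verdict check_authority(const char *address,
                             const char *const *orports, size_t n_or,
                             const char *const *dirports, size_t n_dir)
{
    int have4 = 0, have6 = 0;
    enum addr_kind k;

    for (size_t i = 0; i < n_dir; i++)
        if (classify(dirports[i]) == ADDR_HOSTNAME)
            return CFG_ERR_HOSTNAME;          /* config error */
    for (size_t i = 0; i < n_or; i++) {
        if ((k = classify(orports[i])) == ADDR_HOSTNAME)
            return CFG_ERR_HOSTNAME;          /* config error */
        have4 |= (k == ADDR_V4);
        have6 |= (k == ADDR_V6);
    }
    if (address) {               /* assumed: a hostname here is just not a literal */
        k = classify(address);
        have4 |= (k == ADDR_V4);
        have6 |= (k == ADDR_V6);
    }
    if (!have4)
        return CFG_ERR_NO_V4;    /* config error, refuse to launch */
    return have6 ? CFG_OK : CFG_OK_V4_ONLY;   /* v4-only: notice-level log */
}
```
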