[tor-bugs] #33237 [Core Tor/Tor]: Prop 312: 3.2.2. Stop Directory Authorities Resolving *Port Hostnames
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Feb 11 03:29:14 UTC 2020
#33237: Prop 312: 3.2.2. Stop Directory Authorities Resolving *Port Hostnames
------------------------------------------------+--------------------------
Reporter: teor | Owner: teor
Type: defect | Status: assigned
Priority: Medium | Milestone: Tor: 0.4.4.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: prop312, tor-dirauth, security-low | Actual Points:
Parent ID: #33049 | Points: 1
Reviewer: | Sponsor: Sponsor55-can
------------------------------------------------+--------------------------
Description changed by teor:
Old description:
> For security reasons, directory authorities only use addresses that are
> explicitly configured in their torrc. Therefore, we propose that directory
> authorities only accept IPv4 or IPv6 address literals in the address part
> of the ORPort and DirPort options.
>
> As part of this fix, we may also ban DNS resolution on all configured
> Ports. (We should try to avoid banning DNS resolution entirely on
> authorities, because some test networks use Authority/Exits.)
>
> Directory authorities must not attempt to resolve these
> addresses using DNS. It is a config error to provide a hostname as a
> directory authority's ORPort or DirPort.
>
> If directory authorities don't have an IPv4 address literal in their
> Address or ORPort, they should issue a configuration error, and refuse to
> launch. If directory authorities don't have an IPv6 address literal in their
> Address or ORPort, they should issue a notice-level log, and fall back to
> only using IPv4.
New description:
For security reasons, directory authorities only use addresses that are
explicitly configured in their torrc. Therefore, we propose that directory
authorities only accept IPv4 or IPv6 address literals in the address part
of the ORPort and DirPort options.

As part of this fix, we may also ban DNS resolution on all configured
Ports. (We should try to avoid banning DNS resolution entirely on
authorities, because some test networks use Authority/Exits.)

See proposal 312, section 3.2.2, directory authority case:
https://gitweb.torproject.org/torspec.git/tree/proposals/312-relay-auto-ipv6-addr.txt#n340

Directory authorities must not attempt to resolve these
addresses using DNS. It is a config error to provide a hostname as a
directory authority's ORPort or DirPort.

If directory authorities don't have an IPv4 address literal in their
Address or ORPort, they should issue a configuration error, and refuse to
launch. If directory authorities don't have an IPv6 address literal in their
Address or ORPort, they should issue a notice-level log, and fall back to
only using IPv4.
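A small model of the validation the ticket describes, added here as an illustration and not Tor's own code: it assumes the torrc forms `ORPort [addr:]port`, `DirPort [addr:]port` and `Address addr`, and the function names are made up for the example.

```python
import ipaddress

# Constructed model of the proposal 312 section 3.2.2 rule; not Tor's own code.
# Assumed torrc forms: "ORPort [addr:]port", "DirPort [addr:]port", "Address addr".
def address_literal(text):
    """Return an IPv4/IPv6 address object for a literal, else None (never resolves DNS)."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):  # bracketed IPv6 literal
        text = text[1:-1]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None
def split_port_value(value):
    """Split an ORPort/DirPort value into (address part or None, port string)."""
    value = value.strip()
    if value.startswith("["):        # "[ipv6]:port"
        host, _, port = value[1:].partition("]")
        return host, port.lstrip(":")
    if ":" in value:                 # "ipv4:port" or "hostname:port"
        host, _, port = value.partition(":")
        return host, port
    return None, value               # bare port: no address part to check
def check_authority_config(torrc_lines):
    """Apply the rule to an authority's Address/ORPort/DirPort lines.
    Returns (errors, notices, use_ipv6); any error means refuse to launch."""
    errors, notices = [], []
    have_v4 = have_v6 = False
    for line in torrc_lines:
        key, _, value = line.split("#", 1)[0].strip().partition(" ")
        if key == "Address":
            host = value
        elif key in ("ORPort", "DirPort"):
            host, _port = split_port_value(value)
            if host is None:
                continue
        else:
            continue                 # other options are out of scope here
        addr = address_literal(host)
        if addr is None:             # hostname: config error, no DNS lookup attempted
            errors.append(f"{key}: '{host.strip()}' is not an IP address literal")
            continue
        if key != "DirPort":         # only Address and ORPort decide the IP families
            have_v4 |= addr.version == 4
            have_v6 |= addr.version == 6
    if not have_v4:
        errors.append("no IPv4 address literal in Address or ORPort")
    if not have_v6:
        notices.append("no IPv6 address literal in Address or ORPort; using IPv4 only")
    return errors, notices, have_v6
```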
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33237#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online