[tor-commits] [torspec/master] 219-expanded-dns: Isolate the references to DNSSEC
nickm at torproject.org
nickm at torproject.org
Mon Aug 12 19:17:31 UTC 2013
commit 0e39d9e3b953a55e9ee57d454c8d8c1ae6bcf5bd
Author: Nick Mathewson <nickm at torproject.org>
Date: Fri Aug 2 11:55:19 2013 -0400
219-expanded-dns: Isolate the references to DNSSEC
This was originally a DNSSEC proposal, but the round trip issue makes
it look as though this proposal is not sufficient to implement DNSSEC
for practical use.
---
proposals/219-expanded-dns.txt | 42 ++++++++++++++++++++++++++++++----------
1 file changed, 32 insertions(+), 10 deletions(-)
diff --git a/proposals/219-expanded-dns.txt b/proposals/219-expanded-dns.txt
index c291984..dd015a6 100644
--- a/proposals/219-expanded-dns.txt
+++ b/proposals/219-expanded-dns.txt
@@ -1,13 +1,13 @@
-Filename: xxx-dns-dnssec.txt
+Filename: 219-expanded-dns.txt
Title: Support for full DNS and DNSSEC resolution in Tor
Authors: Ondrej Mikle
Created: 4 February 2012
-Modified: 19 August 2012
+Modified: 2 August 2013
Status: Draft
0. Overview
- Adding support for any DNS query type to Tor, as well as DNSSEC support.
+ Adding support for any DNS query type to Tor.
0.1. Motivation
@@ -17,13 +17,23 @@ Status: Draft
XMPP). TLS connections will benefit from planned TLSA record that provides
certificate pinning to avoid another Diginotar-like fiasco.
- DNSSEC is part of the DNS protocol and the most appropriate place for DNSSEC
- API would be probably in OS libraries (e.g. libc). However that will
- probably take time until it becomes widespread.
+0.2. What about DNSSEC?
- On the Tor's side (as opposed to application's side), DNSSEC will provide
- protection against DNS cache-poisoning attacks (provided that exit is not
- malicious itself, but still reduces attack surface).
+ Routine DNSSEC resolution is not practical with this proposal alone,
+ because of round-trip issues: a single name lookup can require
+ dozens of round trips across a circuit, rendering it very slow. (We
+ don't want to add minutes to every webpage load time!)
+
+ For records like TLSA that need extra signing, this might not be an
+ unacceptable amount of overhead, but routine hostname lookup, it's
+ probably overkill.
+
+ [Further, thanks to the changes of proposal 205, DNSSEC for routine
+ hostname lookup is less useful in Tor than it might have been back
+ when we cached IPv4 and IPv6 addresses and used them across multiple
+ circuits and exit nodes.]
+
+ See section 8 below for more discussion of DNSSEC issues.
1. Design
@@ -162,7 +172,19 @@ Status: Draft
- does not pose "ghost-cache-attack", since once RR is flushed from
libunbound's cache, it must be fetched anew
-8. Round trips and serialization
+8. DNSSEC notes
+
+8.1. Where to do the resolution?
+
+ DNSSEC is part of the DNS protocol and the most appropriate place for DNSSEC
+ API would be probably in OS libraries (e.g. libc). However that will
+ probably take time until it becomes widespread.
+
+ On the Tor's side (as opposed to application's side), DNSSEC will provide
+ protection against DNS cache-poisoning attacks (provided that exit is not
+ malicious itself, but still reduces attack surface).
+
+8.2. Round trips and serialization
Following are two examples of resolving two A records. The one for
addons.mozila.org is an example of a "common" RR without CNAME/DNAME, the
More information about the tor-commits
mailing list