[tor-dev] Tor and DNS

Peter Palfrader peter at palfrader.org
Wed Feb 8 08:09:40 UTC 2012


On Tue, 07 Feb 2012, Nick Mathewson wrote:

> On Tue, Feb 7, 2012 at 7:33 PM, Ondrej Mikle <ondrej.mikle at gmail.com> wrote:
> > On 02/07/2012 07:18 PM, Nick Mathewson wrote:
> >> Like Jakob, I'm wondering why there isn't any support for setting flags.
> >
> > See my response to Jakob. I don't think it's worth using anything other than
> > flags 0x110 (normal query, recursive, non-authenticated data ok) with DO bit
> > set. Unless there is a really good reason for other flags, that would only have
> > potential to leak identifying bits.
> 
> I can't think of one offhand; I had at first thought that
> non-recursive queries were good for something, but I'm not really sure
> what.

CD (checking disabled) is quite an important flag in my opinion.  In
fact, we should set it every time that the tor client is able to
validate DNSSEC itself.

There also probably ought to be a tor made up flag for "give me the (or
one) entire cert chain from the root so I can validate this thing myself
without a gazillion round trips".  (If we set this we probably also leak
less about what we have cached already.)  That might require we come up
with a way to serialize a number of DNS replies that are the response to
a single query.

Cheers,
-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
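The flag layout the thread is arguing about, as an added example (not code from this thread, from Tor, or from the proposal under discussion): the 16-bit DNS header flags word 0x110 is RD (bit 8) plus CD (bit 4) with Opcode 0, i.e. "standard query, recursion desired, checking disabled"; the DO bit is not in the header at all but is the top bit of the TTL field of the EDNS0 OPT pseudo-RR (RFC 3225 / RFC 6891). The code below builds such a query on the wire, then parses it back and reports which flag bits are set, so you can see exactly which bits a resolver (or an exit relay) would observe. Function names, the example qname and the 4096-byte UDP payload size are assumptions for illustration.

```python
import struct

# DNS header flag bits, RFC 1035 section 4.1.1 plus AD/CD from RFC 4035 section 3.1.6.
QR = 1 << 15   # response (0 = query)
AA = 1 << 10   # authoritative answer
TC = 1 << 9    # truncated
RD = 1 << 8    # recursion desired
RA = 1 << 7    # recursion available
AD = 1 << 5    # authenticated data
CD = 1 << 4    # checking disabled: "send me the data even if you cannot validate it"
FLAG_NAMES = {"QR": QR, "AA": AA, "TC": TC, "RD": RD, "RA": RA, "AD": AD, "CD": CD}

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
DO = 1 << 15           # DNSSEC OK: top bit of the 16-bit flags half of the OPT TTL (RFC 3225)
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            if len(label) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Parse one uncompressed name starting at msg[off]; returns (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointers are not used in queries")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_query(qname: str, qtype: int = TYPE_A, flags: int = RD | CD,
                txid: int = 0, dnssec_ok: bool = True, udp_size: int = 4096) -> bytes:
    """Build a DNS query; default flags are the 0x110 from the thread, plus DO via EDNS0."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_size, 0, 0, DO, 0)
    return header + question + opt


def decode_flags(flags: int):
    """Names of the header flag bits that are set, sorted for stable comparison."""
    return sorted(name for name, bit in FLAG_NAMES.items() if flags & bit)


def parse_query(msg: bytes) -> dict:
    """Parse the header, the single question and an optional trailing OPT record."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    info = {
        "txid": txid, "flags_raw": flags, "flags": decode_flags(flags),
        "opcode": (flags >> 11) & 0xF, "qname": qname, "qtype": qtype,
        "dnssec_ok": False, "udp_size": None,
    }
    if arcount == 1 and msg[off] == 0:
        rtype, udp_size, ext_rcode, version, ext_flags, rdlen = struct.unpack(
            "!HHBBHH", msg[off + 1:off + 11])
        if rtype == OPT_TYPE:
            info["dnssec_ok"] = bool(ext_flags & DO)
            info["udp_size"] = udp_size
    return info


if __name__ == "__main__":
    q = build_query("example.com")          # constructed sample query
    print(q.hex())
    print(parse_query(q))
```

Running it prints a 40-byte query whose header flags decode to ['CD', 'RD'] (0x110) with dnssec_ok True; passing dnssec_ok=False drops the OPT record and the DO bit, which is the difference between "give me the RRSIGs, I will validate" and a plain recursive lookup.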

