[tor-dev] Support for full DNS resolution and DNSSEC validation

Alexander Færøy ahf at torproject.org
Fri May 15 16:24:20 UTC 2020


Hey Jeremy,

On 2020/05/15 15:53, Jeremy Rand wrote:
> FYI I already wrote a Prop279 provider that looks up the names via DNS
> (it's aptly named "dns-prop279"); it does pretty much exactly what you
> describe.  It doesn't handle DNSSEC validation itself (it assumes that
> you've specified a DNS server that you trust -- most likely one running
> on localhost).  Stream isolation can be handled via an EDNS0 field (and
> I'm guessing it would not be difficult to patch an existing DNS server
> to respect that EDNS0 field).  I wouldn't be surprised if it's easy to
> make dns-prop279 do DNSSEC validation itself (and not use a
> localhost-based DNS server) if that's desired -- the library it uses
> (miekg/dns) does claim to support DNSSEC validation, though I've never
> tried testing that feature.

Very interesting.

I think proposal #279 only tries to solve the subset of name look ups,
which is about looking up onions from a human name. The work in this
thread is to replace all name lookups *except* for Onions. It could very
well be that it would be easier to extend proposal #279 by having it
handle all lookups and not just for .onion's, but I think my intuition
says that it should be two different systems as onion lookups is still a
much more open question whereas Tor will need to support ordinary DNS
for many years into the future.

If `OnionNamePlugin` allowed you to specify `.*` for "everything" as the
TLD specifier, then it might be possible to implement such system using
proposal #279 :-)

All the best,
Alex.

-- 
Alexander Færøy


More information about the tor-dev mailing list