[tor-dev] Support for full DNS resolution and DNSSEC validation

Jeremy Rand jeremyrand at airmail.cc
Fri May 15 16:36:00 UTC 2020


Alexander Færøy:
> Hey Jeremy,
> 
> On 2020/05/15 15:53, Jeremy Rand wrote:
>> FYI I already wrote a Prop279 provider that looks up the names via DNS
>> (it's aptly named "dns-prop279"); it does pretty much exactly what you
>> describe.  It doesn't handle DNSSEC validation itself (it assumes that
>> you've specified a DNS server that you trust -- most likely one running
>> on localhost).  Stream isolation can be handled via an EDNS0 field (and
>> I'm guessing it would not be difficult to patch an existing DNS server
>> to respect that EDNS0 field).  I wouldn't be surprised if it's easy to
>> make dns-prop279 do DNSSEC validation itself (and not use a
>> localhost-based DNS server) if that's desired -- the library it uses
>> (miekg/dns) does claim to support DNSSEC validation, though I've never
>> tried testing that feature.
> 
> Very interesting.
> 
> I think proposal #279 only tries to solve the subset of name look ups,
> which is about looking up onions from a human name. The work in this
> thread is to replace all name lookups *except* for Onions. It could very
> well be that it would be easier to extend proposal #279 by having it
> handle all lookups and not just for .onion's, but I think my intuition
> says that it should be two different systems as onion lookups is still a
> much more open question whereas Tor will need to support ordinary DNS
> for many years into the future.
> 
> If `OnionNamePlugin` allowed you to specify `.*` for "everything" as the
> TLD specifier, then it might be possible to implement such system using
> proposal #279 :-)

Hi Alex,

The Prop279 spec text is ambiguous about whether the target is required
to be a .onion domain, but the implementations (TorNS and StemNS) do not
have that restriction.  TorNS and StemNS allow a Prop279 plugin to
advertise acceptance of any domain suffix (haven't explicitly tried the
root zone as an suffix, but if that doesn't work, it's a bug that should
be easy to fix) and can resolve them to any result (e.g. an IP address,
a .onion domain, or another DNS name a la CNAME).

Cheers,
-- 
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile at airmail.cc
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jeremy at veclabs.net is having technical issues at the
moment.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20200515/a35d08e7/attachment.sig>


More information about the tor-dev mailing list