[tor-talk] Building Petnames with DNSSEC...?
Jacob Appelbaum
jacob at appelbaum.net
Mon Jun 4 01:30:44 UTC 2012
On 06/03/2012 04:16 AM, Jérémy Bobbio wrote:
> On Sat, Jun 02, 2012 at 04:12:04PM -0300, Jacob Appelbaum wrote:
>> So the question is - how should this practically work? Should a user be
>> able to dynamically register foo.petnames.tld and have it resolve to one
>> or more .onions as CNAME that point somewhere or nowhere? If somewhere,
>> where? Furthermore, should we ensure that a .onion can publish a petname
>> somewhere, so we can do forward the reverse lookup? I think that would
>> allow for some useful properties.
>
> CNAME records are probably not the best fit. `.onion` addresses do not
> resolve to IP addresses. Imagine a RR like:
>
> tor.petnames.tld. IN CNAME idnxcnkne4qt76tg.onion.
>
> If a resolver performs an A query for `tor.petnames.tld.`, any
> unmodified resolver would try (and fail) with NXDOMAIN. Because it would
> try to perform an A query against `idnxcnkne4qt76tg.onion.` which is
> doomed to fail.
>
> My previous research on putting hidden service addresses in DNS records
> led me to think that using TXT records within a specific prefix would
> be the easiest solution. Something like:
>
> _onion.tor.petnames.tld. IN TXT "idnxcnkne4qt76tg"
>
That does indeed seem like a better idea. We'll need to use something
like unbound anyway, so we can use TXT records all the same, I guess.
Another consideration is that we could write a plugin to intercept
specific domains as petname domains - similar to how we deal with .onion
as a whole. If we could configure such a domain, we'd be able to avoid
extra software entirely, I think.
All the best,
Jake
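The two record layouts discussed in the thread, side by side, as an added example that is not code from the tor-talk thread or from Tor itself. The in-memory zone, the `query()` resolver and the `petname_to_onion()` helper are constructed for illustration; the only value taken from the thread is the `idnxcnkne4qt76tg` address. The resolver follows CNAME chains the way a stock resolver would, so the `CNAME` to a `.onion` dead-ends in NXDOMAIN, while the `_onion.<petname>` TXT prefix resolves without ever asking for an address that does not exist. The base32 length check (16 characters for the thread's addresses, 56 for current onion names) is an assumption of this example, not something the thread specifies.

```python
"""Petname -> .onion lookup over DNS TXT records (added example).

Shows why `name IN CNAME x.onion.` fails for an ordinary A query, and how a
`_onion.<petname> IN TXT "<label>"` record avoids the problem.
"""
import re

# Constructed in-memory zone: (owner, rrtype) -> list of rdata strings.
# The .onion label is the one quoted in the thread; everything else is made up.
ZONE = {
    ("tor.petnames.tld.", "CNAME"): ["idnxcnkne4qt76tg.onion."],
    ("_onion.tor.petnames.tld.", "TXT"): ['"idnxcnkne4qt76tg"'],
    ("www.example.tld.", "A"): ["192.0.2.10"],
}

# Onion labels are base32 (a-z, 2-7): 16 chars in the thread's era, 56 today.
# Assumption of this example, used to reject garbage TXT data.
ONION_RE = re.compile(r"^[a-z2-7]{16}$|^[a-z2-7]{56}$")


class NXDomain(Exception):
    """Raised when a name (or the end of its CNAME chain) cannot be answered."""


def query(name, rrtype, zone=ZONE, max_cnames=8):
    """Minimal resolver: returns rdata for (name, rrtype), following CNAMEs
    like an unmodified resolver would. A CNAME pointing at a .onion target
    leads to a name no DNS zone can answer, hence NXDomain."""
    for _ in range(max_cnames):
        if (name, rrtype) in zone:
            return list(zone[(name, rrtype)])
        cname = zone.get((name, "CNAME"))
        if not cname:
            raise NXDomain(name)
        name = cname[0]  # restart the lookup at the CNAME target
    raise NXDomain(name)  # CNAME loop or chain too long


def cname_to_onion_breaks(name, zone=ZONE):
    """True when an ordinary A query for `name` dead-ends, which is exactly
    what happens to a CNAME whose target is a .onion name."""
    try:
        query(name, "A", zone)
        return False
    except NXDomain:
        return True


def petname_to_onion(petname, zone=ZONE):
    """Resolve a petname via the `_onion.` TXT prefix convention.

    Returns the .onion hostname, or None when the record is absent or the
    TXT payload does not look like an onion label (malformed data is treated
    as unresolvable rather than trusted)."""
    owner = "_onion." + petname.rstrip(".") + "."
    try:
        txts = query(owner, "TXT", zone)
    except NXDomain:
        return None
    for txt in txts:
        label = txt.strip('"').strip().lower()
        if ONION_RE.match(label):
            return label + ".onion"
    return None


if __name__ == "__main__":
    print("A query via CNAME to .onion fails:",
          cname_to_onion_breaks("tor.petnames.tld."))
    print("TXT-prefix lookup:", petname_to_onion("tor.petnames.tld"))
    print("Unknown petname:", petname_to_onion("nope.petnames.tld"))
```

Run it directly to see the CNAME path fail and the TXT path return `idnxcnkne4qt76tg.onion`. In a real deployment the `query()` stub would be replaced by a validating resolver (the thread mentions unbound), and the DNSSEC validation state of the TXT answer is what would make the petname binding trustworthy; this example only models the record layout.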