On 01/31/2012 05:17 PM, Watson Ladd wrote:
I've got a more basic question: does the OP get enough information to validate the DNSSEC data, or does it have to trust the OR? I don't quite know enough to tell from the above.
I forgot to mention: validation on the client side is not finished in the PoC code. Both ldns and libunbound are capable of DNSSEC validation (libunbound has simpler API, thus lower chance in making mistakes).
Trust anchors (for root zone and maybe others) would be simply in the configuration file and distributed with Tor.
I don't know yet what the best API on the client side would be. For example, there's an evdns server code in connection_edge.c:connection_ap_handshake_socks_resolved() - the "if (ENTRY_TO_EDGE_CONN(conn)->is_dns_request)" branch. Is the evdns server actively used?
Ondrej