On 26 Apr (19:37:56), Christian Hofer wrote:
Hi there,
Greetings Christian!
I have a proposal regarding DNS name resolution.
Ticket: https://trac.torproject.org/projects/tor/ticket/34004 Proposal: https://trac.torproject.org/projects/tor/attachment/ticket/34004/317-secure-... Implementation: https://github.com/torproject/tor/pull/1869
First, this is quite impressive piece of work. I was _NOT_ expecting a 27k line diff ;).
So the proposal looks very good. I like the idea very much. I honestly thought that you were about to propose a way for Tor to talk to an *external* DNS resolver client application (third part) but I see that client DNSSEC is basically implemented in tor with your patch which is... interesting?
Before we go further, can you walk me through the reasons (if you had thought of it of course) why you didn't use something like libunbound?
There are side effects of adding DNSSEC client support (with our own implementation) that we, people maintaining tor, have to become DNSSEC expert in some ways just to be able to understand what is happening in that code, fix issues but also possibly implement new features if any. That is where a third part library like unbound becomes very nice because they are the experts at providing such features.
Of course, everytime we have to link to an external library we do it carefully and with considerations because of the "yet another attack" vector problem. But adding that much code to support a well known feature like DNSSEC also has huge implications for tor maintainability and security.
Finally, something I noticed and made me itch a bit. You hardcoded a lot of .onions where one appears to be Cloudflare (?) resolver. What are the other addresses? I worry here because default options are always the one used the most so I'm concerned here about shipping hardcoded addresses _within_ our C code.
Thanks! David