merc1984@f-m.fm:
Does anyone know why TOR does not use DNSSEC? The only documentation I found on the TORProject website for DNS does not actually explain how DNS works on TOR. I infer it must be TCP, as TOR cannot do UDP, and I imagine that relay nodes must be the resolvers in order to resolve .onion domains. But beyond that there is no information on how it works.
Seems to me that the lack of DNSSEC in TOR is a gigantic security hole. (DNS cache poisoning)
See proposal 219 for the status of current efforts: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/219-expanded-...
Please contribute if you can!