[tor-dev] Tor and DNS

Ondrej Mikle ondrej.mikle at gmail.com
Wed Feb 8 23:21:10 UTC 2012 

On 02/08/2012 09:09 AM, Peter Palfrader wrote:
> On Tue, 07 Feb 2012, Nick Mathewson wrote:
> 
>> On Tue, Feb 7, 2012 at 7:33 PM, Ondrej Mikle <ondrej.mikle at gmail.com> wrote:
>>> On 02/07/2012 07:18 PM, Nick Mathewson wrote:
>>>> Like Jakob, I'm wondering why there isn't any support for setting flags.
>>>
>>> See my response to Jakob. I don't think it's worth to use anything else than
>>> flags 0x110 (normal query, recursive, non-authenticated data ok) with DO bit
>>> set. Unless there is a really good reason for other flags, that would only have
>>> potential to leak identifying bits.
>>
>> I can't think of one offhand; I had at first thought that
>> non-recursive queries were good for something, but I'm not really sure
>> what.
> 
> CD (checking disabled) is quite an important flag in my opinion.  In
> fact, we should set it every time that the tor client is able to
> validate DNSSSEC themselves.

Sorry, I named CD flag wrong ("unauthenticated data ok"), but it's set.

> There also probably ought to be a tor made up flag for "give me the (or
> one) entire cert chain from the root so I can validate this thing myself
> without a gazillion round trips".  (If we set this we probably also leak
> less about what we have cached already.)  That might require we come up
> with a way to serialize a number of DNS replies that are the response to
> a single query.

I like the idea - every lookup would be single roundtrip and would not leak
cache state.

It might be very tricky to do it right. There's one (incomplete) draft about
serializing DNSSEC data into own structures
(https://tools.ietf.org/html/draft-agl-dane-serializechain-01). I find using own
structures means essentially rewriting validation from scratch (definitely
should be avoided).

A naive implementation of simply putting DNS packets together and throwing them
in front of libunbound to sort them out might be much less error-prone.

We should also think about error states and corner cases: what happens if exit
node does not send all needed packets? Retry? Declare it fail?


Ondrej

More information about the tor-dev mailing list