[tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)

Ondrej Mikle ondrej.mikle at gmail.com
Tue Jan 31 19:08:27 UTC 2012


On 01/31/2012 05:17 PM, Watson Ladd wrote:
> I've got a more basic question: does the OP get enough information to
> validate the DNSSEC data, or does it have to trust the OR? I don't
> quite know enough to tell from the above.

I forgot to mention: validation on the client side is not finished in the PoC
code. Both ldns and libunbound are capable of DNSSEC validation (libunbound has
a simpler API, thus a lower chance of making mistakes).

Trust anchors (for root zone and maybe others) would be simply in the
configuration file and distributed with Tor.

I don't know yet what the best API on the client side would be. For example,
there's an evdns server code in
connection_edge.c:connection_ap_handshake_socks_resolved() - the "if
(ENTRY_TO_EDGE_CONN(conn)->is_dns_request)" branch. Is the evdns server actively
used?

Ondrej

