[tor-dev] DNSSEC

David Stainton dstainton415 at gmail.com
Mon Sep 1 16:33:34 UTC 2014


Dear merc1984 at f-m.fm,

Is DNSSEC not evil? To me it seems like the 1984 of domain name systems...
Please take a good look at the political implications of DNSSEC.
I personally do not understand why this Tor Project spec includes mention of DNSSEC:
https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/219-expanded-dns.txt

Can we use djb's DNSCurve instead of DNSSEC?
Perhaps I misunderstand the situation and the difference between DNSCurve and DNSSEC.
Perhaps "ZOMG someone is wrong on the Internet!" will spark someone else's interest in correcting me here
in this discussion. I personally think that people mentioning DNSSEC on tor communications channels
must either have an agenda to help the US government gain more control of the Internet... or they must be trolls.
But maybe I am totally wrong about this. I'd be interested in hearing a correction if I am wrong... and
does this mean that DJB is also wrong? =-)
https://en.wikipedia.org/wiki/DNSCurve

If you want to know how Tor currently handles DNS then read this:
https://tor.stackexchange.com/questions/8/how-does-tor-route-dns-requests

Sincerely,

David

On Mon, Sep 01, 2014 at 09:02:21AM -0700, merc1984 at f-m.fm wrote:
> I am surprised to find that there is no form of DNSSEC associated with
> TOR.  I am running dnscrypt, but find that I fail the DNSSEC test at
> http://dnssec.vs.uni-due.de/ when using the TBB.  I have unbound chained
> to dnscrypt which is on a rotary to 5 trusted DNS resolvers.
> 
> How can you not understand what this means WRT DNS cache poisoning?  Why
> are we susceptible to DNS cache poisoning?  I suppose that the TOR
> system needs to resolve .onion addresses, but there should be some way
> of using dnssec locally if the TOR system cannot provide authenticated
> DNS.
> 
> No one in the #tor irc channel seems to know how TOR DNS is done, and
> unfortunately there's not a word about it at
> https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver .  But I
> suspect it must be TCP DNS as TOR can't do UDP.  And I suspect DNS must
> be done by relay servers, in order to resolve intermediate .onion
> addresses.  Beyond that, it's a mystery how it's done.
> 
> How to secure TOR DNS?
> 
> -- 
> http://www.fastmail.fm - mmm... Fastmail...
> 