[tor-dev] DNSSEC

merc1984 at f-m.fm merc1984 at f-m.fm
Mon Sep 1 17:56:30 UTC 2014


On Mon, Sep 1, 2014, at 10:19, Артур Истомин wrote:
> On Mon, Sep 01, 2014 at 04:33:34PM +0000, David Stainton wrote:
> > 
> > Dear merc1984 at f-m.fm,
> > 
> > Is DNSSEC not evil? To me it seems like the 1984 of domain name systems...
> > Please take a good look at the political implications of DNSSEC.
> > I personally do not understand why this Tor Project spec includes mention of DNSSEC:
> > https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/219-expanded-dns.txt
> > 
> > Can we use djb's DNSCurve instead of DNSSEC?
> > Perhaps I misunderstand the situation and the difference between DNSCurve and DNSSEC.
> > Perhaps "ZOMG someone is wrong on the Internet!" will spark someone else's interest in correcting me here
> > in this discussion. I personally think that people mentioning DNSSEC on tor communications channels
> > must either have an agenda to help the US government gain more control of the Internet... or they must be trolls.
> > But maybe I am totally wrong about this. I'd be interested in hearing a correction if I am wrong... and
> > does this mean that DJB is also wrong? =-)
> > https://en.wikipedia.org/wiki/DNSCurve
> 
> Yeah, he is a troll and/or an NSA agent :)
> He's already got exactly the same answer as yours, from two people from
> tor-talk:
> 1. https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/219-expanded-dns.txt
> 2. DNSSEC sucks; it is not a security technology.
> 
> to merc1984 at f-m.fm,
> is it an act of sabotage? Stop it or I will come for you! ;)

Lol, first of all Copernicus, I have made no posts in that stackexchange
thread.  I do have the same concern though, as it is legitimate. 
Second, I believe all the answers there are wrong because an exit node
could not resolve .onion addresses by the time a query gets there.

I suspect that TOR DNS is TCP, and that relays can also resolve.  But
then, so far it seems that no one actually knows.

To those whose skirts I've blown up about DNSSEC, you must not
understand that what we have now is very susceptible to DNS Cache
Poisoning.  This is a serious problem.  And if you don't take this
seriously, either you clearly do not understand the problem, or you are
not telling us why it is not a problem.

IDC if the solution is DNSSEC, DNSCurve, or Waltzing with DNS, but I say
this is a serious problem that must be addressed.  

Yeah, I'm an NSA agent, trying to tell you about a serious problem with
TOR which you are too stupid to see.  pfff  Gourd-head and come after
me, lol.

 
