[tor-talk] Tor resolver DNSSEC RRs

tor at lists.grepular.com tor at lists.grepular.com
Tue Nov 29 14:48:24 UTC 2011


On 29/11/11 14:35, Adam Langley wrote:

>> If the SSHFP RR type is added too, people who use OpenSSH with the
>> VerifyHostKeyDNS option can benefit from public key verification when
>> SSH'ing into a box for the first time, over Tor.
> 
> (It's important to note that OpenSSH trusts the AD bit in the DNS
> reply. So, using it with Tor's DNS resolver assumes that Tor acts as a
> full, validating, DNSSEC resolver. It would likely be more expeditious
> to figure out a way to have Unbound forward over Tor.)

Getting Tor to simply do the lookups would be a good start. Then people
will be able to stick a validating resolver between themselves and Tor.
At the moment, the only way to do this is to pick a server on the
Internet which supports recursive lookups, and point Unbound or similar
at that over Tor, forcing it to use TCP for all lookups.

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
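
The following is an added example, not part of the original message and not code from OpenSSH, Tor or Unbound. It builds the TCP-framed SSHFP query (with the EDNS0 DO bit) that a validating resolver would send upstream, and shows that the AD flag a stub relies on is a single unsigned header bit. The function names, the host name and the header-only responses are constructed for illustration.

```python
import struct

SSHFP = 44        # RR type carrying SSH host key fingerprints
OPT = 41          # EDNS0 pseudo-RR type
AD_FLAG = 0x0020  # "Authentic Data" header bit: asserted by the resolver, not signed
DO_FLAG = 0x8000  # "DNSSEC OK" bit in the EDNS0 flags field

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_tcp_query(name, qtype=SSHFP, txid=0x1234):
    """Build a DNS query with DO set, framed for TCP (2-byte length prefix)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type, UDP size, ext-rcode, version, flags, RDLEN
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, 0, DO_FLAG, 0)
    msg = header + question + opt
    return struct.pack("!H", len(msg)) + msg

def parse_tcp_header(frame):
    """Parse the length prefix and the 12-byte DNS header of a TCP frame."""
    if len(frame) < 2:
        raise ValueError("missing length prefix")
    (length,) = struct.unpack("!H", frame[:2])
    msg = frame[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & AD_FLAG), "answers": an}

def stub_would_trust(frame):
    """Hypothetical stub policy: accept the answer as verified if AD is set."""
    h = parse_tcp_header(frame)
    return h["rcode"] == 0 and h["answers"] > 0 and h["ad"]

def constructed_response(ad):
    """Constructed header-only response; the two variants differ in one bit."""
    flags = 0x8180 | (AD_FLAG if ad else 0)  # QR, RD, RA
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    return struct.pack("!H", len(msg)) + msg
```

A stub that applies `stub_would_trust` is only as trustworthy as the resolver that set the bit and the path back from it; a local validating resolver checks the RRSIGs itself instead.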
