[tor-talk] Tor resolver DNSSEC RRs
Jacob Appelbaum
jacob at appelbaum.net
Tue Nov 29 20:13:26 UTC 2011
On 11/29/2011 06:35 AM, Adam Langley wrote:
> On Tue, Nov 29, 2011 at 6:06 AM, <tor at lists.grepular.com> wrote:
>> If the SSHFP RR type is added too, people who use OpenSSH with the
>> VerifyHostKeyDNS option can benefit from public key verification when
>> SSH'ing into a box for the first time, over Tor.
>
> (It's important to note that OpenSSH trusts the AD bit in the DNS
> reply. So, using it with Tor's DNS resolver assumes that Tor acts as a
> full, validating, DNSSEC resolver. It would likely be more expeditious
> to figure out a way have Unbound forward over Tor.)
>
That's something that I've started to work on with letoams and there's a
bit of progress here:
https://gitweb.torproject.org/ioerror/ttdnsd.git/blob/665a534df8394d221f07a9155eee6211ddc33f1c:/misc/README.unbound
https://gitweb.torproject.org/ioerror/ttdnsd.git/commit/14c806d5ec0d6a171532c84c5e0fdbe7974e3f20
All the best,
Jake
More information about the tor-talk
mailing list