On Thu, Jan 26, 2012 at 3:42 PM, Ondrej Mikle <[email protected]> wrote: > Hi, > > I decided to give it a shot in implementing full DNS/DNSSEC resolution support > for Tor, here's the branch: > > https://github.com/hiviah/tor > > ATM the biggest limitation is that reply DNS packet must fit in a single cell > (i.e. max size is RELAY_PAYLOAD_SIZE). > > How it's implemented: > > There's new command SOCKS_COMMAND_RESOLVE_FULL for SOCKS interface and new > cells > RELAY_COMMAND_RESOLVE(D)_FULL. The RESOLVE_FULL cell contains query string and > RR-type, RESOLVED_FULL just the DNS packet in wire format. > > Resolving is implemented via libunbound on the relay's side, ldns parses > packet > on client's side. > > The tor-resolve now uses the new SOCKS command and accepts -t parameter with > RR-type (numeric, default 1 - RR-type 'A'), e.g.: > > ./src/tools/tor-resolve -t 28 lupa.cz localhost:10050 > > Packet size: 319 > Flags: qr: 1, aa: 0, tc: 0, rd: 1, cd: 0, ra: 1, ad: 1 > -- Rcode: NOERROR > -- Opcode: QUERY > -- Question section > lupa.cz. IN AAAA > -- Answer section > lupa.cz. 600 IN AAAA 2001:67c:68::7b > lupa.cz. 600 IN RRSIG AAAA 5 2 600 20121022235305 > 20111023235305 8130 lupa.cz. > wFdVqKCEh4Nmac3v5K9y6HT+aIBAtF4Q9QIqHjlAl/ljp4m5TKkgKCF083zFTMh0LqfwdODfQdSNTKAwO55hyw== > -- Authority section > lupa.cz. 600 IN NS ns.iinfo.cz. > lupa.cz. 600 IN NS ns6.adminit.cz. > lupa.cz. 600 IN RRSIG NS 5 2 600 20121022235305 > 20111023235305 8130 lupa.cz. > SpqkpBlK1dzrfACHh3yfUp01Vr/w9qzVYQms4RDXNQZW1Hwr5WYMHIuGrFEgOOrjyg1vB01HENXJf4i2ISx51g== > -- Additional section > > > Other implementation notes: > - some checks like whether private address is resolved are missing (also a > whitelist of allowed RR-types might be implemented) > - in the SOCKS5 request, RR-type is hacked onto port number > - in SOCKS5 reply, high byte of length is hacked onto SOCKS5 reserved byte > - libunbound supports async resolving, for now synchronous is used > - there are more details, grep FIXDNS in code > - Makefile.am's have -lldns and -lunbound hardwired > - new code may not be pretty at some places (getting to know Tor code) I've got a more basic question: does the OP get enough information to validate the DNSSEC data, or does it have to trust the OR? I don't quite know enough to tell from the above. Sincerely, Watson Ladd
-- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin _______________________________________________ tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
