Hi,
Anonymous wrote (29 Nov 2010 02:21:20 GMT) :
> I tried posting this on the wiki, but it kept getting flagged as
> spam.
Sorry for this. The antispam system we asked the server administrators
to setup is pretty unreliable in our hosting situation (i.e. our
ikiwiki CGI does not know the visitors IP addresses). We've asked for
an alternative system and now need to wait.
> Feature request: secure/validated DNS lookups
> The Swiss/German Privacy Foundation(s) run some servers that accept
> encrypted https/ssl dns requests. There is a howto on how to
> implement this using socat and stunnel. www dot privacyfoundation
> dot de backslash wiki backslash SSL-DNS
> They can also use dnssec, which could be coupled with the
> firefox/iceweasel extensions like DNSSEC-{tools,validator,drill}
> http://www.privacyfoundation.de/service/serveruebersicht/
Warning: currently being offline I've no access to the online
resources you are pointing us to so I'm more or less talking about
things I don't know.
Thank you for these interesting suggestions. I would love if T(A)ILS
could use DNSSEC and SSL-DNS.
Thinking a bit about it my only objection is the following. T(A)ILS
currently uses the Tor DNS resolver (design document [1]) that
delegates the DNS resolution process to exit nodes. While this way of
doing does not encrypt DNS queries nor authenticate their results, it
has the advantage of being distributed; moreover, asking a new Tor
"identity" is currently enough to escape from a buggy DNS resolver
(exit node). I fear depending on a few rare special DNS resolvers
would make T(A)ILS more fragile.
[1]
https://amnesia.boum.org/contribute/design/Tor_enforcement/DNS/
We also need to find out whether the aforementioned tools work on top
of TCP.
Bye,
--
intrigeri <intrigeri@???>
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
| Every now and then I get a little bit restless
| and I dream of something wild.