On Tue, 07 Feb 2012, Nick Mathewson wrote:
> On Tue, Feb 7, 2012 at 7:33 PM, Ondrej Mikle <ondrej.mikle@gmail.com> wrote:
>> On 02/07/2012 07:18 PM, Nick Mathewson wrote:
>>> Like Jakob, I'm wondering why there isn't any support for setting flags.
>>
>> See my response to Jakob. I don't think it's worth using anything other than flags 0x110 (normal query, recursive, non-authenticated data ok) with the DO bit set. Unless there is a really good reason for other flags, they would only have the potential to leak identifying bits.
>
> I can't think of one offhand; I had at first thought that non-recursive queries were good for something, but I'm not really sure what.
CD (checking disabled) is quite an important flag in my opinion. In fact, we should set it every time that the tor client is able to validate DNSSEC itself.
There also probably ought to be a tor made up flag for "give me the (or one) entire cert chain from the root so I can validate this thing myself without a gazillion round trips". (If we set this we probably also leak less about what we have cached already.) That might require we come up with a way to serialize a number of DNS replies that are the response to a single query.
Cheers,
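To make the flag discussion above concrete, here is an added example (written for this page, not code from the thread or from Tor) that builds a DNS query on the wire with header flags 0x110 (RD | CD) and an EDNS0 OPT record carrying the DO bit, then parses it back and names the bits. It also reports any header bits set beyond that baseline, which is the "identifying bits" concern raised in the thread. The query name, transaction id and UDP payload size are constructed sample values; the wire layout follows RFC 1035 (header, question), RFC 4035 (AD/CD bits) and RFC 6891 (OPT record, DO bit in the OPT TTL field). Name compression pointers are deliberately not handled, since the queries built here never use them.

```python
import struct

# DNS header flag bits, in header order (RFC 1035 section 4.1.1; AD/CD from RFC 4035 section 3.2).
HEADER_BITS = [
    ("QR", 0x8000), ("AA", 0x0400), ("TC", 0x0200), ("RD", 0x0100),
    ("RA", 0x0080), ("AD", 0x0020), ("CD", 0x0010),
]
# OPT pseudo-RR (RFC 6891): type 41; the DO bit is the top bit of the 16-bit
# extended-flags field packed into the low half of the OPT record's TTL.
OPT_TYPE = 41
EDNS_DO = 0x8000
# Baseline from the thread: RD | CD == 0x110 (recursive, validation left to the client).
BASELINE_FLAGS = 0x110


def decode_flags(flags):
    """Split a 16-bit DNS header flags word into opcode, rcode and named bits."""
    names = [name for name, mask in HEADER_BITS if flags & mask]
    return {"opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF, "bits": names}


def extra_bits(flags, baseline=BASELINE_FLAGS):
    """Names of header bits set beyond the baseline; any such bit is a
    potential identifying signal that a fixed-flag client would not emit."""
    return [name for name, mask in HEADER_BITS if (flags & ~baseline) & mask]


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode uncompressed labels starting at offset; returns (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: not used by the queries built here
            raise ValueError("compression pointers not supported in this example")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def build_query(qname, qtype, txid, flags=BASELINE_FLAGS, do=True, udp_size=4096):
    """Header + one question + one OPT record (ARCOUNT=1) with DO set or clear."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt_ttl = EDNS_DO if do else 0  # ext-rcode=0, version=0, flags=DO?
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, opt_ttl, 0)
    return header + question + opt


def parse_query(msg):
    """Parse header, first question and any OPT record; report flags and DO."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    do = False
    for _ in range(ar):  # additional section: look for the OPT pseudo-RR
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            do = bool(ttl & EDNS_DO)
    return {"id": txid, "flags": decode_flags(flags), "extra": extra_bits(flags),
            "qname": qname, "qtype": qtype, "do": do}


if __name__ == "__main__":
    # Constructed sample: A query for example.com with the thread's baseline flags.
    wire = build_query("example.com", 1, 0x1234)
    print(wire.hex())
    print(parse_query(wire))
    # Same query with AD additionally set: flagged as an extra bit.
    print(parse_query(build_query("example.com", 1, 0x1234, flags=0x130))["extra"])
```

Running the module prints the 40-byte wire form, the decoded baseline query (bits RD and CD, DO true) and `['AD']` for the variant that strays from the baseline.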