GitLab

For security reasons, directory authorities only use addresses that are explicitly configured in their torrc. Therefore, we propose that directory authorities only accept IPv4 or IPv6 address literals in the address part of the ORPort and DirPort options.

As part of this fix, we may also ban DNS resolution on all configured Ports. (We should try to avoid banning DNS resolution entirely on authorities, because some test networks use Authority/Exits.)

See proposal 312, section 3.2.2, directory authority case: https://gitweb.torproject.org/torspec.git/tree/proposals/312-relay-auto-ipv6-addr.txt#n340

Directory authorities must not attempt to resolve these addresses using DNS. It is a config error to provide a hostname as a directory authority's ORPort or DirPort.

If directory authorities don't have an IPv4 address literal in their Address or ORPort, they should issue a configuration error, and refuse to launch. If directory authorities don't have an IPv6 address literal in their Address or ORPort, they should issue a notice-level log, and fall back to only using IPv4.