Closed Prop 312: 3.2.2. Stop Directory Authorities Resolving *Port Hostnames
  • Closed Issue created by teor

    For security reasons, directory authorities only use addresses that are explicitly configured in their torrc. Therefore, we propose that directory authorities only accept IPv4 or IPv6 address literals in the address part of the ORPort and DirPort options.

    As part of this fix, we may also ban DNS resolution on all configured Ports. (We should try to avoid banning DNS resolution entirely on authorities, because some test networks use Authority/Exits.)

    See proposal 312, section 3.2.2, directory authority case: https://gitweb.torproject.org/torspec.git/tree/proposals/312-relay-auto-ipv6-addr.txt#n340

    Directory authorities must not attempt to resolve these addresses using DNS. It is a config error to provide a hostname as a directory authority's ORPort or DirPort.

    If directory authorities don't have an IPv4 address literal in their Address or ORPort, they should issue a configuration error, and refuse to launch. If directory authorities don't have an IPv6 address literal in their Address or ORPort, they should issue a notice-level log, and fall back to only using IPv4.
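
One way to express the checks described in this issue, as an added example (not Tor's own code and not part of the original issue). The function and enum names are hypothetical, and each port value is assumed to be in "[addr:]port" form with any flags already stripped:

```c
#include <arpa/inet.h>
#include <string.h>

enum addr_kind { ADDR_NONE, ADDR_V4, ADDR_V6, ADDR_HOSTNAME };
enum auth_result { AUTH_OK, AUTH_OK_IPV4_ONLY, AUTH_CONFIG_ERROR };

/* Classify a host string with inet_pton() only, so no DNS lookup can happen.
 * IPv6 literals may be wrapped in brackets. */
enum addr_kind classify_literal(const char *host, size_t len)
{
    char tmp[INET6_ADDRSTRLEN + 2];
    unsigned char out[sizeof(struct in6_addr)];
    if (len == 0) return ADDR_NONE;
    if (len >= sizeof(tmp)) return ADDR_HOSTNAME; /* too long for any literal */
    memcpy(tmp, host, len);
    tmp[len] = '\0';
    if (tmp[0] == '[' && tmp[len - 1] == ']') {
        tmp[len - 1] = '\0';
        return inet_pton(AF_INET6, tmp + 1, out) == 1 ? ADDR_V6 : ADDR_HOSTNAME;
    }
    if (inet_pton(AF_INET, tmp, out) == 1) return ADDR_V4;
    return inet_pton(AF_INET6, tmp, out) == 1 ? ADDR_V6 : ADDR_HOSTNAME;
}

/* Address part of an "[addr:]port" value (hypothetical helper). */
enum addr_kind classify_port_addr(const char *value)
{
    const char *colon = strrchr(value, ':');
    return colon ? classify_literal(value, (size_t)(colon - value)) : ADDR_NONE;
}

/* Authority rules from the issue: a hostname in ORPort/DirPort or a missing
 * IPv4 literal is a config error; a missing IPv6 literal means IPv4 only. */
enum auth_result check_authority(const char *address, const char *const *orports,
                                 size_t n_or, const char *const *dirports, size_t n_dir)
{
    enum addr_kind k = address ? classify_literal(address, strlen(address)) : ADDR_NONE;
    int have_v4 = (k == ADDR_V4), have_v6 = (k == ADDR_V6);
    for (size_t i = 0; i < n_or; i++) {
        k = classify_port_addr(orports[i]);
        if (k == ADDR_HOSTNAME) return AUTH_CONFIG_ERROR;
        have_v4 |= (k == ADDR_V4);
        have_v6 |= (k == ADDR_V6);
    }
    for (size_t i = 0; i < n_dir; i++)
        if (classify_port_addr(dirports[i]) == ADDR_HOSTNAME) return AUTH_CONFIG_ERROR;
    if (!have_v4) return AUTH_CONFIG_ERROR;
    return have_v6 ? AUTH_OK : AUTH_OK_IPV4_ONLY;
}
```

A caller would refuse to launch on `AUTH_CONFIG_ERROR` and emit the notice-level log on `AUTH_OK_IPV4_ONLY`.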
