dnsop | J. Appelbaum |
Internet-Draft | Tor Project Inc. |
Intended status: Standards Track | A. Muffett |
Expires: October 16, 2015 | |
April 14, 2015 |
The .onion Special-Use Domain Name
draft-appelbaum-dnsop-onion-tld-01
This document registers the “.onion” Special-Use Domain Name.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 16, 2015.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The Tor network [Dingledine2004] has the ability to host network services using the “.onion” Top-Level Domain. Such addresses can be used as other domain names would be (e.g., in URLs [RFC3986]), but instead of using the DNS infrastructure, .onion names functionally correspond to the identity of a given service, thereby combining location and authentication.
In this way, .onion names are “special” in the sense defined by [RFC6761] Section 3; they require hardware and software implementations to change their handling, in order to achieve the desired properties of the name (see Section 4). These differences are listed in Section 2.
Like other TLDs, .onion addresses can have an arbitrary number of subdomain components. This information is not meaningful to the Tor protocol, but can be used in application protocols like HTTP [RFC7230].
See [tor-address] and [tor-rendezvous] for the details of the creation and use of .onion names.
Note that this draft was preceded by [I-D.grothoff-iesg-special-use-p2p-names], which registered .onion alongside other, similar TLDs. Because .onion is in wide use, it has become urgent to expedite its registration. This does not indicate that the other registrations should be abandoned.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].
These properties have the following effects upon parties using or processing .onion names (as per [RFC6761]):
This document registers the “onion” TLD in the registry of Special-Use Domain Names [RFC6761]. See Section 2 for the registration template.
.onion names are often used provide access to end to end encrypted, secure, anonymized services; that is, the identity and location of the server is obscured from the client. The location of the client is obscured from the server. The identity of the client may or may not be disclosed through an optional cryptographic authentication process.
These properties can be compromised if, for example:
.onion names are self-authenticating, in that they are derived from the cryptographic keys used by the server in a client verifiable manner during connection establishment. As a result, the cryptographic label component of a .onion name is not intended to be human-meaningful.
The Tor network is designed to not be subject to any central controlling authorities with regards to routing and service publication, so .onion names cannot be registered, assigned, transferred or revoked. “Ownership” of a .onion name is derived solely from control of a public/private key pair which corresponds to the algorithmic derivation of the name.
Users must take special precautions to ensure that the .onion name they are communicating with is correct, as attackers may be able to find keys which produce service names that are visually or apparently semantically similar to the desired service.
Also, users need to understand the difference between a .onion name used and accessed directly via Tor-capable software, versus .onion subdomains of other TLDs and providers (e.g., the difference between example.onion and example.onion.tld).
The cryptographic label for a .onion name is constructed by applying a function to the public key of the server, the output of which is rendered as a string and concatenated with the string “.onion”. Dependent upon the specifics of the function used, an attacker may be able to find a key that produces a collision with the same .onion name with substantially less work than a cryptographic attack on the full strength key. If this is possible the attacker may be able to impersonate the service on the network.
If client software attempts to resolve a .onion name, it can leak the identity of the service that the user is attempting to access to DNS resolvers, authoritative DNS servers, and observers on the intervening network. This can be mitigated by following the recommendations in Section 2.
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC6761] | Cheshire, S. and M. Krochmal, "Special-Use Domain Names", RFC 6761, February 2013. |
[Dingledine2004] | Dingledine, R., Mathewson, N. and P. Syverson, "Tor: the second-generation onion router", 2004. |
[I-D.grothoff-iesg-special-use-p2p-names] | Grothoff, C., Wachs, M., hellekin, h., Appelbaum, J. and L. Ryge, "Special-Use Domain Names of Peer-to-Peer Systems", Internet-Draft draft-grothoff-iesg-special-use-p2p-names-04, January 2015. |
[RFC1928] | Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D. and L. Jones, "SOCKS Protocol Version 5", RFC 1928, March 1996. |
[RFC3986] | Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005. |
[RFC7230] | Fielding, R. and J. Reschke, "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, June 2014. |
[tor-address] | Mathewson, N. and R. Dingledine, "Special Hostnames in Tor", September 2001. |
[tor-rendezvous] | Mathewson, N. and R. Dingledine, "Tor Rendezvous Specification", April 2014. |
Thanks to Roger Dingledine, Linus Nordberg and Seth David Schoen for their input and review.
This specification builds upon previous work by Christian Grothoff, Matthias Wachs, Hellekin O. Wolf, Jacob Appelbaum and Leif Ryge to register the .onion TLD in conjunction with other, similar TLDs.