Internet Engineering Task Force (IETF)                      J. Appelbaum
Request for Comments: 7686                         The Tor Project, Inc.
Category: Standards Track                                     A. Muffett
ISSN: 2070-1721                                                 Facebook
                                                            October 2015
        
Internet Engineering Task Force (IETF)                      J. Appelbaum
Request for Comments: 7686                         The Tor Project, Inc.
Category: Standards Track                                     A. Muffett
ISSN: 2070-1721                                                 Facebook
                                                            October 2015
        

The ".onion" Special-Use Domain Name

“洋葱”专用域名

Abstract

摘要

This document registers the ".onion" Special-Use Domain Name.

本文档注册了“.onion”专用域名。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7686.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7686.

Copyright Notice

版权公告

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2015 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Notational Conventions  . . . . . . . . . . . . . . . . .   3
   2.  The ".onion" Special-Use Domain Name  . . . . . . . . . . . .   3
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     5.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7
        
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Notational Conventions  . . . . . . . . . . . . . . . . .   3
   2.  The ".onion" Special-Use Domain Name  . . . . . . . . . . . .   3
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     5.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7
        
1. Introduction
1. 介绍

The Tor network [Dingledine2004] has the ability to host network services using the ".onion" Special-Use Top-Level Domain Name. Such names can be used as other domain names would be (e.g., in URLs [RFC3986]), but instead of using the DNS infrastructure, .onion names functionally correspond to the identity of a given service, thereby combining location and authentication.

Tor网络[Dingledine2004]能够使用“.onion”专用顶级域名承载网络服务。此类名称可以像其他域名一样使用(例如,在URL[RFC3986]中),但不是使用DNS基础设施。洋葱名称在功能上对应于给定服务的标识,从而结合了位置和身份验证。

.onion names are used to provide access to end to end encrypted, secure, anonymized services; that is, the identity and location of the server is obscured from the client. The location of the client is obscured from the server. The identity of the client may or may not be disclosed through an optional cryptographic authentication process.

.洋葱名称用于提供对端到端加密、安全、匿名服务的访问;也就是说,服务器的标识和位置对客户端是模糊的。客户端的位置与服务器的距离不明显。客户端的身份可以通过可选的密码认证过程公开,也可以不公开。

.onion names are self-authenticating, in that they are derived from the cryptographic keys used by the server in a client-verifiable manner during connection establishment. As a result, the cryptographic label component of a .onion name is not intended to be human-meaningful.

.onion名称是自验证的,因为它们是从服务器在连接建立期间以客户端可验证的方式使用的加密密钥派生的。因此,.onion名称的加密标签组件并不具有人类意义。

The Tor network is designed to not be subject to any central controlling authorities with regards to routing and service publication, so .onion names cannot be registered, assigned, transferred or revoked. "Ownership" of a .onion name is derived solely from control of a public/private key pair that corresponds to the algorithmic derivation of the name.

Tor网络在路由和服务发布方面不受任何中央控制机构的约束,因此,洋葱名称不能注册、分配、转移或撤销。.onion名称的“所有权”仅来自对与名称的算法派生相对应的公钥/私钥对的控制。

In this way, .onion names are "special" in the sense defined by Section 3 of [RFC6761]; they require hardware and software implementations to change their handling in order to achieve the desired properties of the name (see Section 4). These differences are listed in Section 2.

这样,.洋葱名称在[RFC6761]第3节定义的意义上是“特殊的”;它们需要硬件和软件实现来更改其处理,以实现名称的所需属性(参见第4节)。这些差异在第2节中列出。

Like Top-Level Domain Names, .onion names can have an arbitrary number of subdomain components. This information is not meaningful to the Tor protocol, but can be used in application protocols like HTTP [RFC7230].

与顶级域名一样,.onion名称可以有任意数量的子域组件。该信息对Tor协议没有意义,但可以在HTTP[RFC7230]等应用程序协议中使用。

Note that .onion names are required to conform with DNS name syntax (as defined in Section 3.5 of [RFC1034] and Section 2.1 of [RFC1123]), as they will still be exposed to DNS implementations.

请注意,.onion名称需要符合DNS名称语法(如[RFC1034]第3.5节和[RFC1123]第2.1节所定义),因为它们仍将暴露于DNS实现中。

See [tor-address] and [tor-rendezvous] for the details of the creation and use of .onion names.

有关.onion名称的创建和使用的详细信息,请参见[tor address]和[tor rendezvous]。

1.1. Notational Conventions
1.1. 符号约定

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。

2. The ".onion" Special-Use Domain Name
2. “洋葱”专用域名

These properties have the following effects upon parties using or processing .onion names (as per [RFC6761]):

这些属性对使用或处理洋葱名称的各方有以下影响(根据[RFC6761]):

1. Users: Human users are expected to recognize .onion names as having different security properties (see Section 1) and also as being only available through software that is aware of .onion names.

1. 用户:人类用户需要识别具有不同安全属性的.洋葱名称(参见第1节),并且只能通过知道.洋葱名称的软件使用。

2. Application Software: Applications (including proxies) that implement the Tor protocol MUST recognize .onion names as special by either accessing them directly or using a proxy (e.g., SOCKS [RFC1928]) to do so. Applications that do not implement the Tor protocol SHOULD generate an error upon the use of .onion and SHOULD NOT perform a DNS lookup.

2. 应用软件:实现Tor协议的应用程序(包括代理)必须通过直接访问或使用代理(例如SOCKS[RFC1928])来识别.onion名称的特殊性。未实现Tor协议的应用程序应在使用.onion时生成错误,并且不应执行DNS查找。

3. Name Resolution APIs and Libraries: Resolvers MUST either respond to requests for .onion names by resolving them according to [tor-rendezvous] or by responding with NXDOMAIN [RFC1035].

3. 名称解析API和库:解析程序必须根据[tor rendezvous]解析.onion名称请求,或者使用NXDOMAIN[RFC1035]响应.onion名称请求。

4. Caching DNS Servers: Caching servers, where not explicitly adapted to interoperate with Tor, SHOULD NOT attempt to look up records for .onion names. They MUST generate NXDOMAIN for all such queries.

4. 缓存DNS服务器:缓存服务器不应尝试查找.onion名称的记录,而不是显式调整以与Tor进行互操作。他们必须为所有此类查询生成NXDOMAIN。

5. Authoritative DNS Servers: Authoritative servers MUST respond to queries for .onion with NXDOMAIN.

5. 权威DNS服务器:权威服务器必须响应.onion与NXDOMAIN的查询。

6. DNS Server Operators: Operators MUST NOT configure an authoritative DNS server to answer queries for .onion. If they do so, client software is likely to ignore any results (see above).

6. DNS服务器运营商:运营商不得配置权威DNS服务器来回答.洋葱的查询。如果他们这样做,客户端软件可能会忽略任何结果(见上文)。

7. DNS Registries/Registrars: Registrars MUST NOT register .onion names; all such requests MUST be denied.

7. DNS注册中心/注册中心:注册中心不得注册。域名;必须拒绝所有此类请求。

Note that the restriction upon the registration of .onion names does not prohibit IANA from inserting a record into the root zone database to reserve the name.

请注意,对.onion名称注册的限制并不禁止IANA将记录插入根区域数据库以保留名称。

Likewise, it does not prevent non-DNS service providers (such as trust providers) from supporting .onion names in their applications.

同样,它也不会阻止非DNS服务提供商(如信任提供商)在其应用程序中支持.洋葱名称。

3. IANA Considerations
3. IANA考虑

This document registers ".onion" in the registry of Special-Use Domain Names [RFC6761]. See Section 2 for the registration template.

本文件在特殊用途域名注册处[RFC6761]注册“.onion”。有关注册模板,请参见第2节。

4. Security Considerations
4. 安全考虑

The security properties of .onion names can be compromised if, for example:

.onion名称的安全属性可能会受到损害,例如:

o The server "leaks" its identity in another way (e.g., in an application-level message), or

o 服务器以另一种方式“泄露”其身份(例如,在应用程序级消息中),或

o The access protocol is implemented or deployed incorrectly, or

o 访问协议的实施或部署不正确,或

o The access protocol itself is found to have a flaw.

o 发现访问协议本身存在缺陷。

Users must take special precautions to ensure that the .onion name they are communicating with is the intended one, as attackers may be able to find keys that produce service names that are visually or semantically similar to the desired service. This risk is magnified because .onion names are typically not human-meaningful. It can be mitigated by generating human-meaningful .onion names (at considerable computing expense) or through users using bookmarks and other trusted stores when following links.

用户必须采取特别的预防措施,以确保他们与之通信的.onion名称是预期的名称,因为攻击者可能会找到生成与所需服务在视觉或语义上相似的服务名称的密钥。这种风险被放大了,因为洋葱的名字通常没有人类的意义。它可以通过生成有人类意义的.onion名称(花费相当大的计算费用)或通过用户在跟踪链接时使用书签和其他可信存储来缓解。

Also, users need to understand the difference between a .onion name used and accessed directly via Tor-capable software, versus .onion subdomains of other top-level domain names and providers (e.g., the difference between example.onion and example.onion.tld).

此外,用户需要了解通过支持Tor的软件直接使用和访问的.onion名称与其他顶级域名和提供商的.onion子域之间的区别(例如,example.onion和example.onion.tld之间的区别)。

The cryptographic label for a .onion name is constructed by applying a function to the public key of the server, the output of which is rendered as a string and concatenated with the string .onion. Dependent upon the specifics of the function used, an attacker may be able to find a key that produces a collision with the same .onion name with substantially less work than a cryptographic attack on the full strength key. If this is possible the attacker may be able to impersonate the service on the network.

.onion名称的加密标签是通过将函数应用于服务器的公钥来构造的,该公钥的输出呈现为字符串并与字符串.onion连接。根据所用函数的具体情况,攻击者可能能够找到一个密钥,该密钥会产生与相同.onion名称的冲突,所做的工作远远少于对全强度密钥的加密攻击。如果可能,攻击者可以在网络上模拟该服务。

A legacy client may inadvertently attempt to resolve a .onion name through the DNS. This causes a disclosure that the client is attempting to use Tor to reach a specific service. Malicious resolvers could be engineered to capture and record such leaks, which might have very adverse consequences for the well-being of the user. This issue is mitigated if the client's software is updated to not leak such queries or updated to support [tor-rendezvous], or if the client's DNS software is updated to drop any request to the .onion special-use domain name.

旧客户端可能会无意中尝试通过DNS解析.onion名称。这会导致客户机试图使用Tor访问特定服务的泄露。恶意解析程序可以被设计来捕获和记录此类泄漏,这可能会对用户的福祉产生非常不利的后果。如果客户端软件更新为不泄漏此类查询或更新为支持[tor rendezvous],或者如果客户端DNS软件更新为删除对.onion专用域名的任何请求,则此问题会得到缓解。

5. References
5. 工具书类
5.1. Normative References
5.1. 规范性引用文件

[Dingledine2004] Dingledine, R., Mathewson, N., and P. Syverson, "Tor: The Second-Generation Onion Router", August 2004, <https://svn.torproject.org/svn/projects/design-paper/ tor-design.html>.

[Dingledine2004]丁格丁,R.,马修森,N.,和P.塞弗森,“Tor:第二代洋葱路由器”,2004年8月<https://svn.torproject.org/svn/projects/design-paper/ tor design.html>。

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.

[RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", RFC 6761, DOI 10.17487/RFC6761, February 2013, <http://www.rfc-editor.org/info/rfc6761>.

[RFC6761]Cheshire,S.和M.Krochmal,“特殊用途域名”,RFC 6761,DOI 10.17487/RFC6761,2013年2月<http://www.rfc-editor.org/info/rfc6761>.

[tor-address] Mathewson, N. and The Tor Project, "Special Hostnames in Tor", 2006, <https://spec.torproject.org/address-spec>.

[tor地址]Mathewson,N.和tor项目,“tor中的特殊主机名”,2006年<https://spec.torproject.org/address-spec>.

[tor-rendezvous] The Tor Project, "Tor Rendezvous Specification", April 2014, <https://spec.torproject.org/rend-spec>.

【tor会合】tor项目,“tor会合规范”,2014年4月<https://spec.torproject.org/rend-spec>.

5.2. Informative References
5.2. 资料性引用

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, <http://www.rfc-editor.org/info/rfc1034>.

[RFC1034]Mockapetris,P.,“域名-概念和设施”,STD 13,RFC 1034,DOI 10.17487/RFC1034,1987年11月<http://www.rfc-editor.org/info/rfc1034>.

[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, <http://www.rfc-editor.org/info/rfc1035>.

[RFC1035]Mockapetris,P.,“域名-实现和规范”,STD 13,RFC 1035,DOI 10.17487/RFC1035,1987年11月<http://www.rfc-editor.org/info/rfc1035>.

[RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - Application and Support", STD 3, RFC 1123, DOI 10.17487/RFC1123, October 1989, <http://www.rfc-editor.org/info/rfc1123>.

[RFC1123]Braden,R.,Ed.“互联网主机的要求-应用和支持”,STD 3,RFC 1123,DOI 10.17487/RFC1123,1989年10月<http://www.rfc-editor.org/info/rfc1123>.

[RFC1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and L. Jones, "SOCKS Protocol Version 5", RFC 1928, DOI 10.17487/RFC1928, March 1996, <http://www.rfc-editor.org/info/rfc1928>.

[RFC1928]Leech,M.,Ganis,M.,Lee,Y.,Kuris,R.,Koblas,D.,和L.Jones,“SOCKS协议版本5”,RFC 1928,DOI 10.17487/RFC1928,1996年3月<http://www.rfc-editor.org/info/rfc1928>.

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <http://www.rfc-editor.org/info/rfc3986>.

[RFC3986]Berners Lee,T.,Fielding,R.,和L.Masinter,“统一资源标识符(URI):通用语法”,STD 66,RFC 3986,DOI 10.17487/RFC3986,2005年1月<http://www.rfc-editor.org/info/rfc3986>.

[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, <http://www.rfc-editor.org/info/rfc7230>.

[RFC7230]Fielding,R.,Ed.和J.Reschke,Ed.,“超文本传输协议(HTTP/1.1):消息语法和路由”,RFC 7230,DOI 10.17487/RFC7230,2014年6月<http://www.rfc-editor.org/info/rfc7230>.

Acknowledgements

致谢

Thanks to Roger Dingledine, Linus Nordberg, and Seth David Schoen for their input and review.

感谢Roger Dingledine、Linus Nordberg和Seth David Schoen的投入和评论。

This specification builds upon previous work by Christian Grothoff, Matthias Wachs, Hellekin O. Wolf, Jacob Appelbaum, and Leif Ryge to register .onion in conjunction with other, similar Special-Use Top-Level Domain Names.

本规范建立在Christian Grothoff、Matthias Wachs、Hellekin O.Wolf、Jacob Appelbaum和Leif Ryge之前的工作基础上,以注册.onion以及其他类似的特殊用途顶级域名。

Authors' Addresses

作者地址

Jacob Appelbaum The Tor Project, Inc. & Technische Universiteit Eindhoven

雅各布·阿贝尔鲍姆Tor项目公司和埃因霍温科技大学

   Email: jacob@appelbaum.net
        
   Email: jacob@appelbaum.net
        

Alec Muffett Facebook

亚历克·马菲特

   Email: alecm@fb.com
        
   Email: alecm@fb.com