What is this nonsense? A domain looks up to an IP address (and some other things). DNS does not and should not care about what protocols are going to be used with said IP address.
I can use an .onion domain for unencrypted Telnet as root with no password if I want. It's stupid but that's not something that should be restricted at a DNS level.
At first I agreed with you, but realized that my preferred solution was essentially what they recommended and just with different wording. My thought process was:
- Absolutely, DNS resolvers should not care or have knowledge of the protocol that will be used to access that address.
- What they *should* do is just say that normal DNS resolvers shouldn't ever resolve .onion addresses.
- (And then Tor should include a special DNS resolver that does anyway.)
- Oh, that's compatible with what they said.
I think some of the confusion comes from their use of "applications".
> Tor should include a special DNS resolver that does anyway
Would be pointless, given that the spec says:
> Applications that do not implement the Tor protocol SHOULD generate an error upon the use of .onion and SHOULD NOT perform a DNS lookup.
So according to this spec, even if you did implement a special DNS resolver, only Tor-aware applications would be able to use it, and that's pointless since Tor-aware applications can connect to `.onion` services without using DNS at all.
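The two halves of the quoted rule, as an added example that is not part of the thread or of any Tor or RFC code: a resolver-side filter that refuses names under `.onion` locally instead of forwarding them (modeled as an NXDOMAIN-style answer, which is what RFC 7686 prescribes for caching servers), an application-side guard that errors out before any lookup is generated, and the Tor-aware path the last comment describes, where the hostname is handed to a SOCKS5 proxy by name so DNS is never involved. The hostnames, the in-memory "upstream" zone, the proxy address (127.0.0.1:9050, Tor's usual SOCKS port) and all function names are constructed for the example; nothing here touches the network.

```python
import socket
import struct

ONION_TLD = "onion"


def is_onion_name(name: str) -> bool:
    """True if `name` is .onion itself or any name under it
    (case-insensitive, trailing dot tolerated)."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] == ONION_TLD


# --- resolver side -----------------------------------------------------------

# Constructed stand-in for an upstream server: hostname -> list of addresses.
UPSTREAM_ZONE = {
    "example.com": ["93.184.216.34"],
}


def resolver_lookup(qname: str, upstream=UPSTREAM_ZONE.get):
    """A "normal" resolver's handling of one query: .onion names are refused
    locally (NXDOMAIN) and never reach `upstream`; everything else is forwarded."""
    if is_onion_name(qname):
        return "NXDOMAIN", []
    answer = upstream(qname.rstrip(".").lower())
    if answer is None:
        return "NXDOMAIN", []
    return "NOERROR", list(answer)


# --- application side --------------------------------------------------------

class OnionLookupError(Exception):
    """Raised when a non-Tor-aware application is asked to look up a .onion name."""


def app_resolve(hostname: str, getaddrinfo=socket.getaddrinfo):
    """What a non-Tor-aware application should do: fail on .onion *before*
    calling the system resolver, so no DNS query is ever generated."""
    if is_onion_name(hostname):
        raise OnionLookupError(f"{hostname!r} is a .onion name; refusing DNS lookup")
    return getaddrinfo(hostname, None)


def socks5_connect_request(hostname: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP=0x03 (domain name).  The proxy, not the client,
    turns the name into a connection, so a Tor-aware client never needs DNS
    for .onion.  (The greeting/authentication exchange is omitted.)"""
    host = hostname.rstrip(".").encode("ascii")
    if len(host) > 255:
        raise ValueError("SOCKS5 domain names are limited to 255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(host)]) + host + struct.pack("!H", port)


def tor_aware_connect_plan(hostname: str, port: int,
                           proxy=("127.0.0.1", 9050),
                           getaddrinfo=socket.getaddrinfo):
    """How a Tor-aware application reaches `hostname`: .onion names go straight
    to the SOCKS proxy by name; anything else may still be resolved normally."""
    if is_onion_name(hostname):
        return {"via": "socks5", "proxy": proxy,
                "request": socks5_connect_request(hostname, port)}
    return {"via": "dns",
            "addresses": [a[4][0] for a in getaddrinfo(hostname, port)]}


if __name__ == "__main__":
    print(resolver_lookup("example.onion"))       # ('NXDOMAIN', [])
    print(tor_aware_connect_plan("example.onion", 80)["request"].hex())
    try:
        app_resolve("example.onion")
    except OnionLookupError as e:
        print("application refused:", e)
```

`is_onion_name` deliberately matches on the last label only, so `onion.example.com` is resolved normally while `Example.ONION.` is refused; the resolver and application paths share it so both halves of the rule agree on what counts as a `.onion` name.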