HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ate53

no profile record

comments

ate53
·il y a 4 ans·discuss
It's a viable strategy. No legitimate implementation produces compression pointers that go anywhere other than backwards. I track the start of a label sequence and whether I've followed a pointer. If I've just followed a pointer, I must be at a point earlier than the last start, or I consider it a malicious name. I also disallow pointers to pointers but I'm less confident that there's not something out there that does that.
ate53
·il y a 4 ans·discuss
https://powerdns.org/hello-dns/
ate53
·il y a 4 ans·discuss
> On the TLSA side, the argument is roughly that (1) the WebPKI is bad ...

Is that a common argument? I've seen it argued that WebPKI shouldn't be used because it outsources DNS trust to the CAB forum, but not "WebPKI is bad".
ate53
·il y a 5 ans·discuss
There's private use ranges for classes and types. They don't have specific mnemonics but you can use the generic ones (eg: CLASS65280 and TYPE65280).

CHAOS probably gets used most because that's what BIND happened to do.
ate53
·il y a 5 ans·discuss
A possibly needless clarification: The DNS is organised by class, name, and then type. Each class is a seperate space, so ycombinator.com in the IN (Internet) class and ycombinator.com in any other class aren't necessarily the same entities. Types can also be class specific, for example A in the IN class is different to A in the CHAOS class. Types may also only be defined in specific classes like SRV (amongst others) in IN. (Aside: this model is why CNAMEs can't coexist with other records.)
ate53
·il y a 5 ans·discuss
I can understand how you might arrive at such an intuition but I'm not sure how well it serves you, particularly when you apply it outside of the search results that have formed it. There's over 150 million names under .com, people are going to go elsewhere.
ate53
·il y a 5 ans·discuss
> ... especially on a "nonstandard" TLD.

I guess that's a dig but I'm not sure why. It's resolvable via the ICANN root and is no more "nonstandard" than any of its siblings.
ate53
·il y a 5 ans·discuss
Has anyone here had experience with Glauca? I'm curious about them because they support RFC 2136.
ate53
·il y a 5 ans·discuss
Namecheap's DNSSEC implementation has broken a number of times and last I looked their API was pretty poor.
ate53
·il y a 5 ans·discuss
My problem with this spec is it requires Service Providers and DNS Providers to know about each other. It's essentially formalising the status quo of cookie cutter setups for big name providers.
ate53
·il y a 5 ans·discuss
Dynamic responses make transfers difficult to implement in some server architectures. Which is not to take away from your point - trying to hide things in the DNS is a fairly pointless exercise.
ate53
·il y a 5 ans·discuss
IXFR is for incremental transfers in which the client asks for a series of diffs between a particular serial and the current one. AXFR requests a transfer of the full zone. dig supports supports both.
ate53
·il y a 5 ans·discuss
> Multiple questions inside the same packet are quite common in DNS-SD based multicast queries.

mDNS is DNS in name only. Yes the wire format is mostly the same but the semantics are not.

> Note that technically, servers have to support TCP via port 53, too...but they never actually do :)

No? I haven't come across a widely used server implementation that doesn't support TCP in a very long time. What server software are you referring to?

> ...there are literally dozens of ways to fix this in a better way than disabling ANY completely.

As fanf2 said, ANY isn't ALL, and so it doesn't do what most people would want it to do anyway.
ate53
·il y a 5 ans·discuss
> deactivate message compression if possible.

PowerDNS tried this early on, it ended poorly because a client with a large installed base assumed that answers following the question section would start with a compression pointer.
ate53
·il y a 5 ans·discuss
What was the implementation that produced the bad NSEC3 proofs?