HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ate53

no profile record

comments

ate53
·4 jaar geleden·discuss
It's a viable strategy. No legitimate implementation produces compression pointers that go anywhere other than backwards. I track the start of a label sequence and whether I've followed a pointer. If I've just followed a pointer, I must be at a point earlier than the last start, or I consider it a malicious name. I also disallow pointers to pointers but I'm less confident that there's not something out there that does that.
ate53
·4 jaar geleden·discuss
https://powerdns.org/hello-dns/
ate53
·4 jaar geleden·discuss
> On the TLSA side, the argument is roughly that (1) the WebPKI is bad ...

Is that a common argument? I've seen it argued that WebPKI shouldn't be used because it outsources DNS trust to the CAB forum, but not "WebPKI is bad".
ate53
·5 jaar geleden·discuss
There's private use ranges for classes and types. They don't have specific mnemonics but you can use the generic ones (eg: CLASS65280 and TYPE65280).

CHAOS probably gets used most because that's what BIND happened to do.
ate53
·5 jaar geleden·discuss
A possibly needless clarification: The DNS is organised by class, name, and then type. Each class is a seperate space, so ycombinator.com in the IN (Internet) class and ycombinator.com in any other class aren't necessarily the same entities. Types can also be class specific, for example A in the IN class is different to A in the CHAOS class. Types may also only be defined in specific classes like SRV (amongst others) in IN. (Aside: this model is why CNAMEs can't coexist with other records.)
ate53
·5 jaar geleden·discuss
I can understand how you might arrive at such an intuition but I'm not sure how well it serves you, particularly when you apply it outside of the search results that have formed it. There's over 150 million names under .com, people are going to go elsewhere.
ate53
·5 jaar geleden·discuss
> ... especially on a "nonstandard" TLD.

I guess that's a dig but I'm not sure why. It's resolvable via the ICANN root and is no more "nonstandard" than any of its siblings.
ate53
·5 jaar geleden·discuss
Has anyone here had experience with Glauca? I'm curious about them because they support RFC 2136.
ate53
·5 jaar geleden·discuss
Namecheap's DNSSEC implementation has broken a number of times and last I looked their API was pretty poor.
ate53
·5 jaar geleden·discuss
My problem with this spec is it requires Service Providers and DNS Providers to know about each other. It's essentially formalising the status quo of cookie cutter setups for big name providers.
ate53
·5 jaar geleden·discuss
Dynamic responses make transfers difficult to implement in some server architectures. Which is not to take away from your point - trying to hide things in the DNS is a fairly pointless exercise.
ate53
·5 jaar geleden·discuss
IXFR is for incremental transfers in which the client asks for a series of diffs between a particular serial and the current one. AXFR requests a transfer of the full zone. dig supports supports both.
ate53
·5 jaar geleden·discuss
> Multiple questions inside the same packet are quite common in DNS-SD based multicast queries.

mDNS is DNS in name only. Yes the wire format is mostly the same but the semantics are not.

> Note that technically, servers have to support TCP via port 53, too...but they never actually do :)

No? I haven't come across a widely used server implementation that doesn't support TCP in a very long time. What server software are you referring to?

> ...there are literally dozens of ways to fix this in a better way than disabling ANY completely.

As fanf2 said, ANY isn't ALL, and so it doesn't do what most people would want it to do anyway.
ate53
·5 jaar geleden·discuss
> deactivate message compression if possible.

PowerDNS tried this early on, it ended poorly because a client with a large installed base assumed that answers following the question section would start with a compression pointer.
ate53
·5 jaar geleden·discuss
What was the implementation that produced the bad NSEC3 proofs?