HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ate53

no profile record

comments

ate53
·4 yıl önce·discuss
It's a viable strategy. No legitimate implementation produces compression pointers that go anywhere other than backwards. I track the start of a label sequence and whether I've followed a pointer. If I've just followed a pointer, I must be at a point earlier than the last start, or I consider it a malicious name. I also disallow pointers to pointers but I'm less confident that there's not something out there that does that.
ate53
·4 yıl önce·discuss
https://powerdns.org/hello-dns/
ate53
·4 yıl önce·discuss
> On the TLSA side, the argument is roughly that (1) the WebPKI is bad ...

Is that a common argument? I've seen it argued that WebPKI shouldn't be used because it outsources DNS trust to the CAB forum, but not "WebPKI is bad".
ate53
·5 yıl önce·discuss
There's private use ranges for classes and types. They don't have specific mnemonics but you can use the generic ones (eg: CLASS65280 and TYPE65280).

CHAOS probably gets used most because that's what BIND happened to do.
ate53
·5 yıl önce·discuss
A possibly needless clarification: The DNS is organised by class, name, and then type. Each class is a seperate space, so ycombinator.com in the IN (Internet) class and ycombinator.com in any other class aren't necessarily the same entities. Types can also be class specific, for example A in the IN class is different to A in the CHAOS class. Types may also only be defined in specific classes like SRV (amongst others) in IN. (Aside: this model is why CNAMEs can't coexist with other records.)
ate53
·5 yıl önce·discuss
I can understand how you might arrive at such an intuition but I'm not sure how well it serves you, particularly when you apply it outside of the search results that have formed it. There's over 150 million names under .com, people are going to go elsewhere.
ate53
·5 yıl önce·discuss
> ... especially on a "nonstandard" TLD.

I guess that's a dig but I'm not sure why. It's resolvable via the ICANN root and is no more "nonstandard" than any of its siblings.
ate53
·5 yıl önce·discuss
Has anyone here had experience with Glauca? I'm curious about them because they support RFC 2136.
ate53
·5 yıl önce·discuss
Namecheap's DNSSEC implementation has broken a number of times and last I looked their API was pretty poor.
ate53
·5 yıl önce·discuss
My problem with this spec is it requires Service Providers and DNS Providers to know about each other. It's essentially formalising the status quo of cookie cutter setups for big name providers.
ate53
·5 yıl önce·discuss
Dynamic responses make transfers difficult to implement in some server architectures. Which is not to take away from your point - trying to hide things in the DNS is a fairly pointless exercise.
ate53
·5 yıl önce·discuss
IXFR is for incremental transfers in which the client asks for a series of diffs between a particular serial and the current one. AXFR requests a transfer of the full zone. dig supports supports both.
ate53
·5 yıl önce·discuss
> Multiple questions inside the same packet are quite common in DNS-SD based multicast queries.

mDNS is DNS in name only. Yes the wire format is mostly the same but the semantics are not.

> Note that technically, servers have to support TCP via port 53, too...but they never actually do :)

No? I haven't come across a widely used server implementation that doesn't support TCP in a very long time. What server software are you referring to?

> ...there are literally dozens of ways to fix this in a better way than disabling ANY completely.

As fanf2 said, ANY isn't ALL, and so it doesn't do what most people would want it to do anyway.
ate53
·5 yıl önce·discuss
> deactivate message compression if possible.

PowerDNS tried this early on, it ended poorly because a client with a large installed base assumed that answers following the question section would start with a compression pointer.
ate53
·5 yıl önce·discuss
What was the implementation that produced the bad NSEC3 proofs?