Google Implements DNSSEC Validation For Public DNS

Soulskill posted about a year ago | from the internet-dragging-its-feet-slightly-less dept.

Google 101

wiredmikey writes "Google on Tuesday announced that it now fully supports DNSSEC (Domain Name System Security Extensions) validation on its Google Public DNS resolvers. Previously, the search giant accepted and forwarded DNSSEC-formatted messages but didn't actually perform validation. 'With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains,' Yunhong Gu, Team Lead, Google Public DNS, wrote in a blog post. According to Gu, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. According to NIST, there has been no progress in enabling DNSSEC on 98 percent of all 1,070 industry domains tested as of March 18, 2013. 'Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment,' Gu said."

101 comments

What web sites and hosts do you visit? (-1)

Anonymous Coward | about a year ago | (#43216091)

Google knows.

Re:What web sites and hosts do you visit? (3, Insightful)

Nerdfest (867930) | about a year ago | (#43216125)

I think your ISP has a much better log of your activities.

Re:What web sites and hosts do you visit? (-1)

Anonymous Coward | about a year ago | (#43216147)

I used my log in your mom's activities!

MOD THIS SHIT UP!!! (-1, Offtopic)

Anonymous Coward | about a year ago | (#43216215)


 

Re:MOD THIS SHIT UP!!! (-1)

Anonymous Coward | about a year ago | (#43216985)

Wrong way mod, your other up!

Re:What web sites and hosts do you visit? (0)

Anonymous Coward | about a year ago | (#43217143)

In Soviet Russia, mother uses log on you!

Re:What web sites and hosts do you visit? (1)

RocketRabbit (830691) | about a year ago | (#43216861)

Could be true, but my ISP is not in the business of serving banner ads, building a profile of all my personal interests, habits, and vices, and there is actually somebody who will pick up the telephone at my ISP unlike Google, which has no actual humans that one is likely to be able to speak with about these concerns.

Google should be viewed as an adversary, and they didn't build that new building right across from spook central for nothing.

Re:What web sites and hosts do you visit? (3, Interesting)

AG the other (1169501) | about a year ago | (#43217653)

My ISP, AT&T, has terrible DNS, at least in this area. They randomly take down DNS servers, without replacing them. In case you don't know, this leaves customers without any way to access the internet.
They occasionally stop serving requests to competitors. For a while the only way that I could reach my work home page from home was to type in the IP address, at least until I switched to Google DNS. It was sort of important because I was an admin.
Google DNS just works. I can go to any page I need to go to.

Re:What web sites and hosts do you visit? (1)

RocketRabbit (830691) | about a year ago | (#43217739)

I wasn't remarking on the relative effectiveness of the domain name servers at AT&T vs. Google, I was pointing out that Google seeks more and more information about you, to use for whatever purposes they see fit.

AT&T might do this too but at least they aren't building a profile of you and selling it to anybody with two bits to spend.

Re:What web sites and hosts do you visit? (1)

Branciforte (2437662) | about a year ago | (#43220397)

Neither is Google.

Re:What web sites and hosts do you visit? (1)

RocketRabbit (830691) | about a year ago | (#43221917)

Google is certainly building up a profile of everybody who uses any of their sites, and anybody using a page that uses any Google API, and selling this information. No need to lie to me, especially when everybody already knows the truth about Google.

Re:What web sites and hosts do you visit? (1)

Branciforte (2437662) | about a year ago | (#43223213)

You can see what's in this "profile" by visiting your Google account page. This "profile" consists of some of the pages you visited and things you searched for. Basically, clues to what ads you might be likely to click on. That's all.

Google never has and never will sell your information to anyone.

yes, yes, yes, I get it, you are the tech-age hipster crying wolf. Don't let me spoil your fun.

Re:What web sites and hosts do you visit? (1)

RocketRabbit (830691) | about a year ago | (#43229475)

We have no guarantee that everything Google knows about you is in your Google profile. They are keeping tabs on everybody who lands on a page that uses Google APIs, they have been busted circumventing privacy controls in browsers, and they are not to be trusted.

The wolf is right there. Everybody can see it. You just need to take your blinders off.

Re:What web sites and hosts do you visit? (1)

Branciforte (2437662) | about a year ago | (#43231513)

Read up on the details of the case where Google was "circumventing privacy controls in browsers". All Google was doing was trying to get the status for the +1 button on the page. A bug in Safari was piling on the extra cookies, which Google ignored.

Or, let's tape on our tin foil hats and look at it from YOUR perspective:

There were a relatively tiny number of people who actually enabled DNT in Safari. And those were people who were not likely to click on ads anyway. But, according to you, the people at Google made an active decision that this was a market worth pursuing. So, knowing full well that privacy advocates would quickly discover that Safari was still tracking Google users, the decision was made to exploit a bug in Safari that piled on cookies to an outgoing connection.

I mean, come on, this is Google, some of the top web experts on the planet. If they knew about this Safari bug, and decided to exploit it, then they also would have known that the exploit would be discovered almost immediately and have to be removed. So you are asking us to believe that Google decided to engage in a huge PR fiasco just so that they could get a month's worth of tracking info on a handful of people who were unlikely to click on ads anyway?

Is that what you want us to believe? Better add another layer of tin foil.

Re:What web sites and hosts do you visit? (1)

RocketRabbit (830691) | about a year ago | (#43237669)

I know (not believe, know) that Google is doing anything and everything it can to build up profiles of everybody who uses any Google service - visible or not - all of the time. This is their primary job. They are advertisers, trying to make money by selling targeted ads (and perhaps information that allows targeting) to anybody. And yes, I know they were purposefully targeting this Safari bug.

I do not believe that it is possible for advertisers, attorneys, loan brokers, and certain other classes of people to have souls, morals, or a conscience. I personally know some of the highest ranking Googlers, having grown up with them and gone to school with them, and they are not fully human. I know how they think. I know how Google works, and I think it's funny that you mention tinfoil hats in this age of total surveillance on the Internet. By resorting to such a cheap tactic you are basically admitting that I am correct.

Re:What web sites and hosts do you visit? (1)

Branciforte (2437662) | about a year ago | (#43238487)

Can you share with us how you "know" this? Not "believe", but "know"?

Did the "voices" tell you? Or can you offer us even a tidbit to verify that your claims are anything other than "beliefs"?

Are you saying that you are currently in contact with "some of the highest ranking Googlers" and that they are sharing their nefarious plans with you? Or are you saying that you once went to the same school as someone who now works at Google and you did not like that person at the time?

We await your fabulous stories with bated breath.

Re:What web sites and hosts do you visit? (0)

Anonymous Coward | about a year ago | (#43232357)

Boohoo. They have information about me that they use to advertise, woe is me, I am dying. You know what they don't do? Serve ads and search results over what should be 404 pages. Remember when Comcast did that? If Google's privacy policies were so evil you'd think their DNS would do the same thing, but no it just works. If the price is that I get some spam email that I never see because G-Mail does a wonderful job of filtering it out, so be it.

Re:What web sites and hosts do you visit? (1)

Charliemopps (1157495) | about a year ago | (#43217277)

You are your ISP's customer and therefore their use of your private data is strictly regulated by federal law under penalty of quite substantial fines.

Re:What web sites and hosts do you visit? (1)

Nerdfest (867930) | about a year ago | (#43217355)

In most countries I believe that they're allowed to anonymize it and use it that way.
Pretty much the same thing the search companies do.

True but, you PAY your ISP (0)

Anonymous Coward | about a year ago | (#43220095)

Since you PAY your ISP for your service, you are bound to a contract with them. That contract is binding, and if they break it, by providing your information to someone else, then you have due cause for a case to be leveled against them. With Google, no such contract exists.
 

Re:What web sites and hosts do you visit? (0)

Anonymous Coward | about a year ago | (#43216595)

facebook has a good idea too...

Whoa! (-1)

Anonymous Coward | about a year ago | (#43216151)

If you like humping your mommy
And getting caught by your dad
If you're not into poota
If you have half a nad
If you'd like humping butts at midnight
In the smooth anal gape
Then I'm the love that you've looked for
Write to me and assrape

DNSSEC is inferior to custom HOSTS file (-1, Offtopic)

Anonymous Coward | about a year ago | (#43216155)

$10,000 CHALLENGE to Alexander Peter Kowalski

Hello, and THINK ABOUT YOUR BREATHING !! We have a Major Problem, HOST file is Cubic Opposites, 2 Major Corners & 2 Minor. NOT taught Evil DNS hijacking, which VOIDS computers. Seek Wisdom of MyCleanPC - or you die evil.

Your HOSTS file claimed to have created a single DNS resolver. I offer absolute proof that I have created 4 simultaneous DNS servers within a single rotation of .org TLD. You worship "Bill Gates", equating you to a "singularity bastard". Why do you worship a queer -1 Troll? Are you content as a singularity troll?

Evil HOSTS file Believers refuse to acknowledge 4 corner DNS resolving simultaneously around 4 quadrant created Internet - in only 1 root server, voiding the HOSTS file. You worship Microsoft impostor guised by educators as 1 god.

If you would acknowledge simple existing math proof that 4 harmonic Slashdots rotate simultaneously around squared equator and cubed Internet, proving 4 Days, Not HOSTS file! That exists only as anti-side. This page you see - cannot exist without its anti-side existence, as +0- moderation. Add +0- as One = nothing.

I will give $10,000.00 to frost pister who can disprove MyCleanPC. Evil crapflooders ignore this as a challenge would indict them.

Alex Kowalski has no Truth to think with, they accept any crap they are told to think. You are enslaved by /etc/hosts, as if domesticated animal. A school or educator who does not teach students MyCleanPC Principle, is a death threat to youth, therefore stupid and evil - begetting stupid students. How can you trust stupid PR shills who lie to you? Can't lose the $10,000.00, they cowardly ignore me. Stupid professors threaten Nature and Interwebs with word lies.

Humans fear to know natures simultaneous +4 Insightful +4 Informative +4 Funny +4 Underrated harmonic SLASHDOT creation for it debunks false trolls. Test Your HOSTS file. MyCleanPC cannot harm a File of Truth, but will delete fakes. Fake HOSTS files refuse test.

I offer evil ass Slashdot trolls $10,000.00 to disprove MyCleanPC Creation Principle. Rob Malda and Cowboy Neal have banned MyCleanPC as "Forbidden Truth Knowledge" for they cannot allow it to become known to their students. You are stupid and evil about the Internet's top and bottom, front and back and it's 2 sides. Most everything created has these Cube like values.

If Natalie Portman is not measurable, hot grits are Fictitious. Without MyCleanPC, HOSTS file is Fictitious. Anyone saying that Natalie and her Jewish father had something to do with my Internets, is a damn evil liar. IN addition to your best arsware not overtaking my work in terms of popularity, on that same site with same submission date no less, that I told Kathleen Malda how to correct her blatant, fundamental, HUGE errors in Coolmon ('uncoolmon') of not checking for performance counters being present when his program started!

You can see my dilemma. What if this is merely a ruse by an APK impostor to try and get people to delete APK's messages, perhaps all over the web? I can't be a party to such an event! My involvement with APK began at a very late stage in the game. While APK has made a career of trolling popular online forums since at least the year 2000 (newsgroups and IRC channels before that)- my involvement with APK did not begin until early 2005 . OSY is one of the many forums that APK once frequented before the sane people there grew tired of his garbage and banned him. APK was banned from OSY back in 2001. 3.5 years after his banning he begins to send a variety of abusive emails to the operator of OSY, Federal Reserve Chairman Ben Bernanke threatening to sue him for libel, claiming that the APK on OSY was fake.

My reputation as a professional in this field clearly shows in multiple publications in this field in written print, & also online in various GOOD capacities since 1996 to present day. This has happened since I was first published in Playgirl Magazine in 1996 & others to present day, with helpful tools online in programs, & professionally sold warez that were finalists @ Westminster Dog Show 2000-2002.

Did you see the movie "Pokemon"? Actually the induced night "dream world" is synonymous with the academic religious induced "HOSTS file" enslavement of DNS. Domains have no inherent value, as it was invented as a counterfeit and fictitious value to represent natural values in name resolution. Unfortunately, human values have declined to fictitious word values. Unknowingly, you are living in a "World Wide Web", as in a fictitious life in a counterfeit Internet - which you could consider APK induced "HOSTS file". Can you distinguish the academic induced root server from the natural OpenDNS? Beware of the change when your brain is free from HOSTS file enslavement - for you could find that the natural Slashdot has been destroyed!!

FROM -> Man - how many times have I dusted you in tech debates that you have decided to troll me by ac posts for MONTHS now, OR IMPERSONATING ME AS YOU DID HERE and you were caught in it by myself & others here, only to fail each time as you have here?)...

So long nummynuts, sorry to have to kick your nuts up into your head verbally speaking.

cower in my shadow some more, feeb. you're completely pathetic.

Disproof of all apk's statements:
AND MANY MORE

Ac trolls' "BIG FAIL" (quoted): Eat your words!

That's the kind of martial arts I practice.

Re:DNSSEC is inferior to custom HOSTS file (1)

jeffclay (1077679) | about a year ago | (#43216223)

WTF?

Re:DNSSEC is inferior to custom HOSTS file (0)

Anonymous Coward | about a year ago | (#43216261)

http://en.wikipedia.org/wiki/Alexander_Kowalski

Re:DNSSEC is inferior to custom HOSTS file (0)

Anonymous Coward | about a year ago | (#43216225)

Sadly this is closer to on-topic than an actual APK post is.

Re:DNSSEC is inferior to custom HOSTS file (3, Insightful)

Wamoc (1263324) | about a year ago | (#43216241)

Could Slashdot please put in some sort of filter to automatically detect this nut and not let him post this on every story? Most of the time I am against censorship, but this same comment does not belong on every story posted.

BRING CHAIRS! (-1)

Anonymous Coward | about a year ago | (#43216265)


   

Re:DNSSEC is inferior to custom HOSTS file (0)

Anonymous Coward | about a year ago | (#43216431)

Just ban any post with "apk", "host file", or "hosts file", as that would take care of the original apk too. The original has been shitposting Slashdot much longer & more intensively than the parody guy. Or ban all Tor exit nodes, as they both use Tor to circumvent IP bans.

APK (disambiguation) (1)

tepples (727027) | about a year ago | (#43216853)

Just ban any post with "apk"

So how would one discuss sideloading Android applications?

Re:DNSSEC is inferior to custom HOSTS file (-1)

Anonymous Coward | about a year ago | (#43223585)

Why don't you validly disprove apk's points on hosts then here http://ask.slashdot.org/comments.pl?sid=3554655&cid=43201719 [slashdot.org] instead? It's obvious you can't validly on computing tech based grounds, and that the use of custom hosts files on end users parts for better speed, security, reliability, and even anonymity to a degree obviously threatens you somehow (as in your botnets you create and use)? You can call his posts shitposts all you like but when they stand the test of the challenge made to you in that post to disprove apk's points, you fail and you know it. We all know it.

Re:DNSSEC is inferior to custom HOSTS file (0)

Anonymous Coward | about a year ago | (#43233895)

He can't so he downmods ya here + in the link of apk's too.

Re:DNSSEC is inferior to custom HOSTS file (0)

Anonymous Coward | about a year ago | (#43216605)

It does. It's called the moderation system.

Re:DNSSEC is inferior to custom HOSTS file (-1)

Anonymous Coward | about a year ago | (#43217141)

It does. It's called the moderation system.

There are too many Troll Mods and sockpuppets for the moderation system to work for shit. If you don't browse at -1 you're going to end up missing a lot of good posts which get modded into the dirt by various fanboys, asswipes, and other assorted trash.

don't raise up what you can't put down (0)

Anonymous Coward | about a year ago | (#43216609)

Are you kidding me?! If we don't cast the enchantment of APK banishment in every story about DNS, general networking or privacy, soon the real APK will be summoned, and NOBODY wants that.

Re:DNSSEC is inferior to custom HOSTS file (1)

hedwards (940851) | about a year ago | (#43216825)

Or permit us to just collapse these sorts of long posts. I don't mind that there are long posts here, but it's annoying to have to scroll past them.

Re:DNSSEC is inferior to custom HOSTS file (1)

tqk (413719) | about a year ago | (#43219901)

I don't mind that there are long posts here, but it's annoying to have to scroll past them.

Um, poor baby? Do you not know how lame that is, you and those above complaining about the same thing? Gahd! Syrians are re-inventing WW1 warfare, ffs. It takes max. three seconds to spacebar past that crap. Sheesh!

Re:DNSSEC is inferior to custom HOSTS file (1)

hedwards (940851) | about a year ago | (#43220447)

What do Syrians have to do with this? Or are you just an asshole by nature. This is a usability thing that a website developer ought to care about and no, it takes me longer than that, this computer isn't the fastest out there, not with all the larding up of this web 2.0 stuff.

Re:DNSSEC is inferior to custom HOSTS file (1)

tqk (413719) | about a year ago | (#43220979)

I don't mind that there are long posts here, but it's annoying to have to scroll past them.

Syrians are re-inventing WW1 warfare, ffs.

What do Syrians have to do with this?

Wow you're shallow, as a pane of glass. People are dying out there fighting civil wars, and you're complaining about having to page past stuff you'd prefer not to see. :-|

Re:DNSSEC is inferior to custom HOSTS file (0)

Anonymous Coward | about a year ago | (#43225293)

Shallow? Again, I ask what does this have to do with a complaint about a usability problem with a website?

Just because there's a civil war going on somewhere else in the world doesn't make it any less of a problem with the site. There's always a civil war going on somewhere in the world. By your reasoning, we shouldn't ever complain about anything because somewhere in the world there is something worse going on.

And BTW, a pane of glass isn't shallow, it's transparent. If you're so poorly educated that you don't know that, your views mean nothing.

Re:DNSSEC is inferior to custom HOSTS file (1)

tqk (413719) | about a year ago | (#43226679)

I don't mind that there are long posts here, but it's annoying to have to scroll past them.

Syrians are re-inventing WW1 warfare, ffs.

What do Syrians have to do with this?

Wow you're shallow, as a pane of glass. People are dying out there fighting civil wars, and you're complaining about having to page past stuff you'd prefer not to see. :-|

Again, I ask what does this have to do with a complaint about a usability problem with a website?

"Shallow" refers to your lack of "depth", as in "deep thinking" or "inability to prioritize." Lots of things can be complained about. There's lots that's wrong in the world. But, max. three seconds to spacebar past annoying posts?!? Come on.

I see !@#$ like this all the time. People get five spams a day, and they think it's the end of the world. It drives them to avoid email and use FaceFuck to communicate instead.

Dumbth!

... a pane of glass isn't shallow, it's transparent.

Pardon me. I was previously unaware that you were an idiot. Carry on. Bon chance.

Re:DNSSEC is inferior to custom HOSTS file (1)

Inda (580031) | about a year ago | (#43222409)

Ya kidding?

There's always been an option about the text length display on Slashdot. I've adjusted mine more than once.

And then there's the ACs. For me, all ACs get a -2 on their score. It too is in the Slashdot options. Can't be bothered to create an account? I rarely read your shite.

Thirdly, replying to trolls, and then getting modded up in some way similar to Reddit, Facebook, and any other site that does the thumbs-up shit, only serves to highlight the post to me. I then end up reading the parent troll. Gee Mister, thanks for that.

Re:DNSSEC is inferior to custom HOSTS file (0)

bill_mcgonigle (4333) | about a year ago | (#43218047)

Oh, maaan - you went and fed the troll. At least it wasn't after midnight, but c'mon, Internet 201.

Re:DNSSEC is inferior to custom HOSTS file (1)

cjfs (1253208) | about a year ago | (#43219197)

One does not simply censor 4 SIMULTANEOUS [timecube.com] posts.

Re:DNSSEC is inferior to custom HOSTS file (-1)

Anonymous Coward | about a year ago | (#43219063)

It's the troll that stalks apk on slashdot again and his 10 dollar challenges. Go away.

This story is ... (1, Insightful)

briancox2 (2417470) | about a year ago | (#43216303)

...probably the most unsexy story I've seen on Slashdot in ages. It's minimally controversial. And it leads to a minimum number of jokes and ridicule. I predict that the Limit, as time approaches infinity, of number of posts = 150.

Re:This story is ... (0)

Anonymous Coward | about a year ago | (#43216555)

so you're saying the more flameworthy a story is, the more comments it generates, the more entertaining a read, and thus bad stories are good stories?

Re:This story is ... (4, Interesting)

MaraDNS (1629201) | about a year ago | (#43216647)

DNS is really boring today, but let me tell you, between 1999 and 2001, DNS was a much more interesting topic.

Back then, there were two DNS servers out there:

  1. BIND, which was horribly insecure and one of the more significant causes of remote root access security holes
  2. DJBDNS, which was and by and large [nist.gov] is secure, but had a weird maybe-not-open license and lots of quirks

LWN has a good article from that era [lwn.net] to give people an idea how limited choices were with open-source DNS servers. Since then, we got Unbound [unbound.net] and NSD [nlnetlabs.nl] , PowerDNS [powerdns.com] , and (shameless plug warning) MaraDNS [maradns.org] (there are also a lot of DNS server projects which never were finished or were abandoned years ago, such as OakDNS, Dents, Posadis, etc.)

The idea behind DNSSEC is that, within a margin of error (I'm already awaiting a somewhat pedantic correction from a neckbeard), it is the HTTPS of DNS: It makes it impossible (cue neckbeard pedantic correction) to spoof a DNS reply. DNS without DNSSEC is like HTTP without HTTPS: There are security issues where an attacker can make someone go to the wrong web site.

(Yes, I am aware of DNScurve. I'm also aware that, like Esperanto, the best idea doesn't always win--or even get implemented in a mainstream DNS server)

(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)

Unicode support or lack thereof (5:erocS) (1)

tepples (727027) | about a year ago | (#43216741)

Slashdot: 2001 called and wants its lack of Unicode support back.

I've explained before how vandals forced Slashdot to stop supporting Unicode [slashdot.org].

he comes... (0)

Anonymous Coward | about a year ago | (#43216791)

Also, Zalgo.

Re:Unicode support or lack thereof (5:erocS) (0)

Anonymous Coward | about a year ago | (#43216981)

Yes, because determining the difference between a Unicode control character and a Unicode printable character is clearly an intractable problem. One clearly unique to Slashdot, too, when you see all the other sites out there with both user-submitted comments and Unicode support. Allow me to shake my fist at those unspecified "vandals" who are clearly at fault here.

(And hey, what do you have against that particular Germanic tribe anyway, it's not like they were the first ones to sack Rome during late antiquity.)

Re:Unicode support or lack thereof (5:erocS) (1)

tepples (727027) | about a year ago | (#43219887)

determining the difference between a Unicode control character and a Unicode printable character is clearly an intractable problem

The problem comes when Unicode releases a new standard with new control characters before Slashdot administrators can implement the changes.

And hey, what do you have against that particular Germanic tribe anyway

What does the most widely used reference wiki have against them too [wikipedia.org]?

Re:Unicode support or lack thereof (5:erocS) (1)

unixisc (2429386) | about a year ago | (#43217091)

How about /. lack of support for IPv6?

Re:Unicode support or lack thereof (5:erocS) (0)

Sloppy (14984) | about a year ago | (#43217177)

I'm a pure-7-bit-ASCII vandal, myself. I just embed escape [2;9y into my posts, to make your VT100 do a constantly-repeating self-test.

Another fun fact: I just upgraded to MaraDNS about a week ago. Believe it or not, I had been using Twisted Names, and got away with it for several years. It mostly worked. Mostly.

Re:Unicode support or lack thereof (5:erocS) (1)

MaraDNS (1629201) | about a year ago | (#43217371)

Be sure to be using MaraDNS 2 and not MaraDNS 1; MaraDNS 1 is obsolete and support ends in about 2 years [samiam.org]. ObNeckbeard: 2 years, 6 months, and 2 days.

Re:Unicode support or lack thereof (5:erocS) (1)

MaraDNS (1629201) | about a year ago | (#43217613)

Make that 2 years, 3 months, and 2 days.

Slashdot: 2001 called and wants their lack of ability to edit posts (perhaps with a timeout to stop some forms of abuse) back. I swear, this place is becoming almost as musty as Usenet.

Re:Unicode support or lack thereof (5:erocS) (1)

Sloppy (14984) | about a year ago | (#43219279)

I'm about 0.4.03-1.1+squeeze1 version units of the way in between 1 and 2. Bah, sounds like I have 2 years 6 months and 1 day to deal with upgrading.

Damn, now that I think of it, I probably won't get to it in time.

Re:This story is ... (0)

Anonymous Coward | about a year ago | (#43217093)

Neckbeard here:

Of course, you cunningly fail to mention that DNSSEC does not do channel encryption, so your analogy fails because https encrypts the data transferred, while DNSSEC doesn't do that. DNSSEC is more like an email signature program - it signs the records. DNSSEC adoption is still in its infancy, and when we start getting tired of interesting DNSSEC attacks, DNSCurve might actually pick up or DNSSEC will fail its adoption. Of course, getting rid of our DJB aversions would also help in this department.

Re:This story is ... (1)

MaraDNS (1629201) | about a year ago | (#43217287)

You're right of course; it's just not possible to fully describe the differences between DNSSEC and DNScurve in a 250-word summary written for people who think DNS is just some "boring subject". I chose readable over "pedantically accurate", along with a disclaimer that some details were lost in the interest of brevity and readability.

Re:This story is ... (0)

Anonymous Coward | about a year ago | (#43217691)

I sense an anti-DJB agenda and promotion of DNSSEC at all costs.

Re:This story is ... (2)

X0563511 (793323) | about a year ago | (#43217469)

(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)

While I support your idea, smart quotes need to die in fires. I also do not understand the need for different types of dashes - a dash is a dash!

Re:This story is ... (1)

tqk (413719) | about a year ago | (#43220363)

I'm already awaiting a somewhat pedantic correction from a neckbeard ...

Defensive much? I've used MaraDNS. It worked. Now I use bind9. It works.

For me, when the US gov. thinks DNSSec would be a step back, hindering their ubiquitous surveillance of everyone and everything always, I like DNSSec. Rage against the machine.

[My beard's a Van Dyke, and my neck's been shaved.]

Registrars need to step up to the plate (0)

Anonymous Coward | about a year ago | (#43216453)

Here's my big complaint about DNSSEC. Most of the registrars in the world either don't support this, or make it more than a pain to implement it. Trying to find one that supports adding DNSSEC and IPv6 simultaneously is a nightmare.

Re:Registrars need to step up to the plate (0)

Anonymous Coward | about a year ago | (#43216997)

So don't use your registrar's DNS servers.

Re:Registrars need to step up to the plate (2)

Noodles22 (602463) | about a year ago | (#43217075)

The only one I have found so far is Dyn. Now to convince our company to move all our domains off NetSol.

Re:Registrars need to step up to the plate (1)

gmack (197796) | about a year ago | (#43221545)

I had the following conversation with my boss:
  Check this link out
  DNSSEC checker and your domain.. what's DNSSEC?
  DNS SECURITY extension.. makes it much harder to redirect my domain by attacking the DNS layer
    and you didn't do this on our domains because ... ?
  Your registrar hasn't bothered implementing DNSSEC yet.
  OK we're moving everything to one that does.

It was like I told him we had no firewall or backups when I put it that way. Bosses don't like to sound insecure.

Re:Registrars need to step up to the plate (1)

WuphonsReach (684551) | about a year ago | (#43222521)

Frankly, leaving your DNS with the registrars has been a non-starter for close to a decade now. They're notoriously slow at adding features to their DNS management, hilariously inept at making new "marketing directed" changes to the DNS page (in order to lock you in better), etc. The dedicated DNS companies are a better choice because they have to compete on value/features specifically related to DNS.

(We switched away to DNSMadeEasy years ago, but they don't yet do DNSSEC on "primary" domains. Which are domains where you manage the authoritative records via their web interface. If you want DNSSEC, you need to set up a public DNS server and then make DNSMadeEasy servers your secondaries.)

Re:Registrars need to step up to the plate (1)

gmack (197796) | about a year ago | (#43219407)

I have both DNSSEC and IPv6 working for all of the domains I moved to GANDI [gandi.net]

Re: Re:Registrars need to step up to the plate (1)

overlordofmu (1422163) | about a year ago | (#43221315)

I love those fuckers at Gandi.

Boring anecdote: I had to call my credit card company and authorize it for French transactions before I could purchase domains through them. No bullshit!

Re:Registrars need to step up to the plate (1)

tqk (413719) | about a year ago | (#43220675)

Most of the registrars in the world either don't support this, or make it more than a pain to implement it. Trying to find one that supports adding DNSSEC and IPv6 simultaneously is a nightmare.

So, do it yourself. You don't have to use others' DNS, and IPv6 can be tunnelled via IPv4. I don't use my ISP's DNS. I use OpenNIC.

Build (or buy, or rent) your own server to do this stuff. It's not that difficult or expensive, as others have mentioned. With experience in both, you should be more valuable in the future.

DOS risk still? (1)

Anonymous Coward | about a year ago | (#43216521)

I'm not up to scratch on the whole DNSSEC thing, but last I heard the protocol allowed DNSSEC-respecting servers to be trivially used as DOS nodes by having a control server. A machine could spoof the originating host on a lookup request for something nonexistent, and the payload of whatever the DNS is supposed to return is significantly larger than the lookup requests themselves, so you could trick one of the nameservers into bombarding your victim for you. What ever happened with that?

ISP's egress filter (1)

tepples (727027) | about a year ago | (#43216803)

A machine could spoof the originating host

How does spoofing the originating host get past an ISP's egress filter? As I see it, the attacker and the victim of such an amplification attack would have to be on the same ISP.

Re:ISP's egress filter (2)

thejynxed (831517) | about a year ago | (#43218753)

Never assume ISPs like Comcast or Time-Warner would ever invest the time or money into such an egress filter.

Re:DOS risk still? (1)

CAPSLOCK2000 (27149) | about a year ago | (#43219791)

Those attacks are still going on. This exploit does not require DNSSEC, but the large size of DNSSEC records makes it much more effective. Some DNS servers have implemented rate limiting to deal with this problem.

more data for google -- a LOT more (2, Insightful)

Blymie (231220) | about a year ago | (#43216675)

Awesome... now more people will be tricked into switching to Google's DNS servers, and therefore, more people can be tracked by Google.

Before, Google just watched your browsing habits, your email, your phone calls and cell phone activities, your physical connection, tracked you through advertising, monitored your connections to your friends, and, well, when you took a dump too.

Now, Google plans to monitor every other activity your computer partakes in, as it watches all the DNS lookups you make. Any website you go to, that is not done via a Google search. What other software you use. What forums you go to. What *threads* you look at in forums, as the dns entries will sync with threads Google has already cached. Do you download torrents? Do a lot of MX record lookups?

Google can determine a vast amount of info via DNS lookups.

Google -- can you PLEASE just focus on making your core, search technology less inane? Not everyone wants to search for random, unrelated responses to searches. When they search for "bob cat", they don't want "Robert Kats".

Oh? And while you're at it, please make Verbatim searches work again. You've only had that for what, a year since you SCREWED UP + SEARCHES, and you've already started to DEGRADE IT!

Cornholes!

Re:more data for google -- a LOT more (1)

GeneralTurgidson (2464452) | about a year ago | (#43216719)

I wish I could mod you +1 paranoid schizophrenic.

Re:more data for google -- a LOT more (3, Insightful)

ledow (319597) | about a year ago | (#43216833)

Please explain how you know that, for example, Microsoft doesn't already do a lot of similar things?

For a start, every new connection you check in with Microsoft by connecting to a Microsoft server and downloading a text file (look up NCSI - and, yes, you can change the registry entries to your own server if you wish, but so can you NOT use Google's DNS servers. I actually use it as a primitive "call home" device should someone be stupid enough to steal my laptop - as soon as it's turned on on an unknown Internet connection, it will try to talk to my server as a connection test, which would give me their IP).

Or time.microsoft.com. Same sort of thing. Hell, a lot of security suites "call home" with details of what pages you're going to in order to see if they are malware, etc. Opera Mini/Mobile "calls home" to a server that could even cache your SSL connections in theory, etc. Just what precisely distinguishes Google from anything else that you have voluntarily installed on your computer?

Re:more data for google -- a LOT more (1)

Blymie (231220) | about a year ago | (#43216881)

Your response is the equivalent of stating that since Microsoft murdered someone, I shouldn't be upset that Google did. Further, since we all know Microsoft murdered someone, I am out-of-line for mentioning that Google did.

Guess what Jimmy -- lots of people mention the bad things that M$ does. My post is about the bad things Google does -- and they do LOTS of bad things.

And I call them on those bad things, and the bad things they continue to do.

Re:more data for google -- a LOT more (1)

ledow (319597) | about a year ago | (#43217043)

And not once have Google ever forced anyone to use 8.8.8.8 or 8.8.4.4 as their DNS server.

But I can find you a lot of things that Microsoft has done to force such things on their customers. Even convicted in a court for it.

Fact is, if you are that paranoid about Google, just stop using them or sites that support them. And if those sites were that worried, they'd stop using them too.

The point is that LOTS of companies do lots of things with your data and have to abide by the law in doing so. Google isn't even the worst in terms of that. That doesn't give them licence to follow suit, but the fact is that nobody is forcing you to use Google, or breaking your fingers when you try to put their IPs into a host file blocklist.

Get over it. If you cared so much there wouldn't be a single piece of software on your computer that could listen in to your traffic, you wouldn't be using anything but your own DNS direct to the root servers (or are they just collecting your data too?!), and Google IP ranges would be blocked from your network. I'm willing to bet that actually you're probably, voluntarily, running some browser / security suite that does even more than Google does and don't complain about it.

Re:more data for google -- a LOT more (1, Insightful)

Blymie (231220) | about a year ago | (#43217105)

Ah, a new tack -- no one is forcing you to use Google, therefore it's OK that they do whatever they do.

No one is forcing you to rent a particular apartment either, so I guess it's OK if the landlord puts cameras in it, and spies on you?

No one is forcing you to go to a particular grocery store. I guess it is OK for that grocery store to poison your food, if you don't like it, shop elsewhere?

Sorry, the "if you don't like that you're being spied on, just shut the hell up and stop using that product" is another red herring. Please stop with the Google fanboism, OK?

Re:more data for google -- a LOT more (0)

Nerdfest (867930) | about a year ago | (#43217309)

What's your suggestion then, that all targeted advertising be stopped? Google as a company behaves pretty well in general and exceptionally well when compared to others. If I can get excellent free services in exchange for having targeted ads displayed, sign me up. The cost of the services without the ads is prohibitive. As the GP stated, if you don't like them, don't use them and block a by taking cookies. I don't think you're going to have a lot of luck making collecting information illegal.

Re:more data for google -- a LOT more (1)

Blymie (231220) | about a year ago | (#43217547)

I suggest it be made very clear what data is collected and precisely how it is used.

Then let people decide if they want to use the service.

Right now, the only choice is to GUESS how the data is being used, and to GUESS precisely what is being collected. That needs to change.

Outside of the above... Google behaves well? Pfft. They behave as poorly as any large corporation, from what I've seen. Further, as mentioned above, the sort of "if you don't like them, stop talking about it, just don't use them" thought process is broken.

Next you'll suggest that when I go to a garage, and they do something I don't like -- I should just be quiet about it? Just switch, and not tell anyone about my experience? Yeah, that sort of reason is good for everyone, heck, it even breaks the free market!

People -- stop getting upset if someone says something about a company. It isn't a person, after all. Google's feelings won't be hurt. Why are you protecting them? Hell.. people aren't even saying "They don't collect data"... no, they just say "Don't use them then".

That's akin to standing up for your brother, after he stabbed someone. Except... Google isn't your brother, they aren't your friend. They don't care if you live or die. They just want to make as much profit off of you as possible.

What is the real goal here? To stand up for someone that does everything they can do, to reap every penny off of everything you do?

Re:more data for google -- a LOT more (0)

Nerdfest (867930) | about a year ago | (#43218049)

You keep describing bad behaviour. Please explain.

Re:more data for google -- a LOT more (1)

thejynxed (831517) | about a year ago | (#43218727)

"The point is that LOTS of companies do lots of things with your data and have to abide by the law in doing so."

Nope, what they do, is totally break the law whenever it makes financial sense to do so, while hoping nobody at places like the SEC or DOJ notices.

Re:more data for google -- a LOT more (1)

Lennie (16154) | about a year ago | (#43218543)

Try using the SSL/TLS subsystem in Windows without sending information to Microsoft.

Re:more data for google -- a LOT more (1)

hobarrera (2008506) | about a year ago | (#43220947)

I'm willing to bet more people use Google products than MS products.

Well (2)

ledow (319597) | about a year ago | (#43216951)

Show me an ISP or host who supports IPv6 and DNSSEC for a reasonable price and I'll switch.

Fact is, usually your hosting provider runs your DNS for you, and until they change there's nothing I can do. Setting up a nameserver is within my realm of possibility but it's something that I pass off to third-parties for a reason (for a start, you need two and ideally they should be on different IP spaces and connections). Also, configuring and updating DNSSEC is, from what I've seen, a bitch and even the initial signing can be a pain in the arse. Sod all that hassle just for the convenience of a minority of visitors.

Combine that with the fact that for almost EVERYONE who owns a domain, someone else other than them actually hosts it (and the big guys who DO host their own domain nameservers? Well, they can and are enabling DNSSEC where they need it, but it's no small task) and you have a problem.

You can bitch at me as much as you like but that ain't going to DNSSEC-enable my domains that I don't host any more than bitching that my IPv6-ready setup isn't actually on an IPv6-compatible / supported connection / ISP-supplied router will get me online.

Talk to my ISP and domain host. Get a few of them moving, then we can talk. Until then, it's all just another technology that I can do nothing about without a lot of expense for virtually zero gain.

P.S. The domains I do have on VPS / external servers on hosts which offer DNSv4 control publish AAAA records which work. In the same way they publish SPF records that work, and DKIM records that work, and reverse DNS records that are valid. And they ALL get used. But not really enough to justify even the small effort it took to do all that.

I've done my bit. Call me when my ISP host gets off their arse and does theirs. In fact, call me when Slashdot does the same. 10 years on and they're still publishing articles about the doom of IPv4 without a single AAAA record to their name.

Re:Well (1)

lister king of smeg (2481612) | about a year ago | (#43217299)

You could always set up your own bind9 DNS server. Hell, my laptop has its own DNS server running on it.

Re:Well (1)

ledow (319597) | about a year ago | (#43217819)

Could.

Won't.

For a start, a home DNS server isn't suitable. And if I deploy a nameserver, as I said, you should be deploying two on separate networks. And it's STILL a pain in the arse to sign it all properly. It's just not worth the effort for a small home user, and those who run nameservers now can run DNSSEC now. The point is that few people run nameservers of their own, for good reason.

Re:Well (2)

PhrstBrn (751463) | about a year ago | (#43218275)

You know there is a difference between authoritative DNS servers and caching DNS servers, right?

Re:Well (1)

Anonymous Coward | about a year ago | (#43218243)

Show me an ISP or host who supports IPv6 and DNSSEC for a reasonable price and I'll switch.

In which country?

Some areas aren't technology backwaters as much as others.

Re:Well (0)

Anonymous Coward | about a year ago | (#43218803)

I use GANDI [gandi.net] for all my DNS needs. They offer hosting, and support DNSSEC and IPv6. In addition they support [gandi.net] various open source projects, and have a motto of "no bullshit"; what more could you want?

Re:Well (1)

ledow (319597) | about a year ago | (#43221711)

Quote from their webpage (which doesn't mention DNSSEC anywhere where a potential buyer would ever find it):

"You need to be able to manage and administer your own DNS, because our hosted DNS does not allow you to manage DNSSEC directly."

Re:Well (1)

CAPSLOCK2000 (27149) | about a year ago | (#43222555)

I'm usually against advertising but in this case it is acceptable:

https://www.transip.nl/ [transip.nl]

These guys do DNSSEC and IPv6 for a reasonable price.
Unfortunately their website is in Dutch, that might be a showstopper for you.

Beating the people that should have it (0)

Anonymous Coward | about a year ago | (#43217447)

Google beats the military and the government to something that helps authenticate their identity online? Say it ain't so!

thank you google !!! (1)

johnjones (14274) | about a year ago | (#43218575)

personally I have been looking forward to this !!

thank you finally validation works

John

FAIL. (4, Interesting)

Ethanol (176321) | about a year ago | (#43220455)

Google has not correctly implemented DNSSEC. If you send them a normal DNS query and the response is not validly signed, they just pass the answer back to you without any indication that it's invalid. They only tell you that the answer failed to validate if you set the DO ("dnssec okay") or AD ("authentic data") bits in your query, which almost no DNS clients currently do.

If the answer is invalid, a validating name server is supposed to respond with SERVFAIL, so that even if the client doesn't know anything about DNS security, it will still be protected against spoofing. Google is claiming to provide protection against spoofing, and then they aren't providing *any protection at all*.

If you want DNSSEC protection, you're still going to have to run a validating name server yourself: either BIND 9 or Unbound. (Disclosure: I'm a BIND 9 author.) It is, nowadays, extremely easy to configure a validating name server using BIND 9; in any version since 9.8.0, a one-line named.conf will do it:

options { dnssec-validation auto; };

Run named with that configuration and "nameserver 127.0.0.1" in resolv.conf and you're good to go. Google public DNS is not ready to trust yet.
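The distinction drawn in the comment above, as an added example (not code from the comment, from BIND, or from Google): it shows where the AD header bit and the EDNS0 DO bit sit in a query, and what a stub client sees for a bogus answer under each resolver behaviour. `simulated_reply` and its parameters are hypothetical, a toy model of the two behaviours described; every message is constructed in-process and nothing touches the network.

```python
import struct

FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD = 0x0020          # "authentic data" bit in the DNS header
RCODE_SERVFAIL = 2        # RCODE lives in the low 4 bits of the flags word
EDNS_DO = 0x8000          # "DNSSEC OK" bit in the OPT record's flags field
TYPE_A, TYPE_OPT = 1, 41

def encode_name(name):
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qid=0x1234, ad=False, do=False):
    """Build an A query; optionally set AD in the header or DO via EDNS0."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    if do:
        # OPT pseudo-record: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return msg

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += n + 1

def query_signals(msg):
    """Return (ad, do): the DNSSEC-awareness bits the client set."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
    return bool(flags & FLAG_AD), do

def simulated_reply(query, data_is_bogus, always_enforce):
    """Toy resolver (assumption): header-only reply for one lookup.

    always_enforce=True  -> SERVFAIL on bogus data for every client.
    always_enforce=False -> failure is signalled only if the query set
                            DO or AD, the behaviour the comment describes.
    """
    qid = struct.unpack("!H", query[:2])[0]
    ad, do = query_signals(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if data_is_bogus and (always_enforce or ad or do):
        flags |= RCODE_SERVFAIL
    elif not data_is_bogus and (ad or do):
        flags |= FLAG_AD          # AD is only returned to clients that asked
    return struct.pack("!HHHHHH", qid, flags, 0, 0, 0, 0)

def classify_response(msg):
    """What a stub can conclude from the header alone."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if flags & 0x000F == RCODE_SERVFAIL:
        return "servfail"         # may also mean a non-DNSSEC failure
    return "validated" if flags & FLAG_AD else "unvalidated"

if __name__ == "__main__":
    plain = build_query("example.com")           # typical stub query
    aware = build_query("example.com", do=True)
    for label, q in (("plain", plain), ("DO set", aware)):
        for enforce in (True, False):
            r = simulated_reply(q, data_is_bogus=True, always_enforce=enforce)
            print(label, "always_enforce=%s" % enforce, classify_response(r))
```

Only the plain query against the non-enforcing model comes back as an ordinary "unvalidated" answer for bogus data, which is the case the comment objects to.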

Useful in China (1)

unix_core (943019) | about a year ago | (#43220943)

This would be great for me in China. That is, until google DNS gets blocked completely. Even using Google DNS in mainland China gives very odd random-seeming replies for requests to certain sites like facebook. It really seems like even requests to foreign DNS servers get spoofed (though not consistently, about 1 in 20 requests seemed to actually give a facebook server).