Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!



Root DNS Zone Now DNSSEC Signed

wayne Re:Say goodbye to... (94 comments)

The "packets of 576 bytes can't be fragmented" is a commonly stated reason, but it is wrong. It is a myth/misunderstanding. It is, in practice, true has has been true since probably the late 1980s, but DNS was around long before that. Indeed, if you read some of the earlier RFCs, it is quite clear that packets of any size could be fragmented, down to something like 16 bytes of payload per fragment. No,the reason for the 512 byte payload size is much more basic than that. Back in the early 80s, memory was tight, you could have mainframes supporting dozens of users on a machine with maybe 1MB of memory, each of user could have more than one active network connection. IP supports packets sizes up to around 64k, but it would be unreasonable to expect every host to be able to accept such a large packet size. It would mean that they could get fragments from all those packets piecemeal and out of order, so reconstructing each packet would require holding lots of 64k buffers, each of those buffers would be 6% of all available memory. It would be very unreasonable to expect every host on the internet to be able to accept any size packet, even if those packets came in fragment that wouldn't saturate your connection. Now, protocols like TCP have the ability to negotiate the packet size, but for UDP, it gets messy and slow. So, it is a *requirement* that each host on the internet can accept a packet with 512 bytes of payload. That packet can be fragmented, but it has to be accepted.

more than 4 years ago

"Cumulative Voting" Method Gaining Attention

wayne Re:The Illinois experience (375 comments)

Intelligence as a requirement for voting has been fought for a long time see voting tests.

There is a certain amount of irony with you saying this, followed by your .signature of:

Knowledge = Power
P= W/t
Money = Work/Knowledge so the less you know the more you make

This "joke" is clearly aimed at people who think they understand math/physics/science, so it won't be funny to most people. But, it also shows a complete lack of understanding about how equations should be interpreted. What the formula "money = work/knowledge" says to increase the amount of worked done, you need either more money or more knowledge. In other words, "the only substitute for knowledge is money", or "a fool and his money are soon parted". You are a case of "a little knowledge is a dangerous thing". By your own statments, you shouldn't vote.

more than 4 years ago

ICANN and NIST Announce Plans To Sign the DNS Root

wayne the problem with securing DNS is the DNS is secure (94 comments)

The big problem with DNSSEC, if widely used, is that it prevents forgery of DNS responses. ISPs and internet cafes will not like this, since that means they can no longer forget DNS replies to missing domains or to force people through registration pages. I can see a *LOT* of push-back from having end-users using DNSSEC.

more than 5 years ago

Working Around Slow US Gov. On DNS Security

wayne Re:Use DNSCurve (91 comments)

Trust is the same for DNSSEc, it's just that instead of using the root servers as a trust chain, you use a 3rd party that every domain owners had to pay for.

DNSCurve does not require you to pay any third parties, it is like DNSSEC where you publish your own information. Both technologies are (or in the case of DNSCurve, will be) free.

DNSCurve is much easier to implement than DNSSEC and and also advantages in term of cryptography speed and increase of traffic.

DNSSEC has many years of actual deployment, not as wide spread as it needs to be, but it has been out there and tested.

Can you point me to a single implementation of DNSCurve? Can you even point me to a specification of what exactly it is? I've looked, and the best that I can tell, there aren't any. More over, it doesn't appear that DJB's website has been updated since he proposed DNSCurve last year.

more than 5 years ago

Working Around Slow US Gov. On DNS Security

wayne Re:Use DNSCurve (91 comments)

DNSCurve is interesting technology, but it has many problems, not the least of which is that it is mostly hype right now. It does not really replace DNSSEC in functionality, but rather, it is closer to TSIG. That is, instead of securing the actual DNS records, it secures the communication between name servers and resolvers. With DNSSEC, you can get your DNS records for a totally untrustworthy server, and yet be able to prove if they are valid or not, but there isn't any form of encryption so there isn't any privacy. DNSCurve encrypts the transactions, but you can often figure out what is there anyway by watching which name servers you are contacting and monitoring other things to figure out what you were looking up. I like DNSCurve, I hope it goes some where, but I also hope that DNSSEC takes off soon.

more than 5 years ago

Working Around Slow US Gov. On DNS Security

wayne DNSSEC is a good subsitute for paid-for CERTs (91 comments)

To the contrary, DNSSEC could possibly kill the goldmine that is the SSL cert racket. That is, unless having your DNS entry signed somehow becomes a "value added" service you need to pay for extra. I'm a layman here, but glancing at how DNSSEC works, I see no obvious way selectively signing some but not the rest of entries could work. This means, DNSSEC would provide a more secure way to give the public key to a viewer.

You may be a layman, but you appear to have far more clue about this stuff than most. Yes, once DNSSEC is deployed, anyone with a domain name can publish CERT records and have about the same security as a paid-for CERT. Granted the cert authorities right now require you to give your name and address and such, which publishing CERT records in the DNS won't require so they aren't exactly the same, but close enough considering how little checking the cert authorities do on such information

more than 5 years ago

What Happens To Bounced E-Mails

wayne Re:A possible use for (286 comments)

SPF policies apply only to the envelope sender address, not the message's From: header.

Most of the time, the email address in the "From:" header gets copied to the envelop "from". And, most importantly in this case, the envelop "from" is where bounces get sent to, so the bounces he receive could have been stopped if he had published an SPF record *and* everyone checked it.

more than 6 years ago



wayne wayne writes  |  more than 7 years ago

wayne writes "Microsoft has now put the SenderID patents under the OSP. The Open Specification Promise was discussed on slashdot before in conjunction to web services and it is good to see that they are opening up even more. There are still technical problems with SenderID compared with SPF and, of course, SPF isn't problem free. Still, over the last year, the number of SPF records has more than doubled from around 1.7 million to 4.1 million, with rate of growth increased in the last 6 months."

wayne wayne writes  |  about 8 years ago

wayne writes "As reported on CircleID, Vint Cerf has confirmed that ICANN's new contracts for the .org/.biz/.info domain prices can be tiered, so that could cost $1 million per year, while could cost $100,000/year. This is very similar to how the .tv TLD already works. The domain registrar could also could also use pricing for political purposes, claiming that pricing high would be to "protect the children", while could be priced at $1/year. Verisign's contract for .com and .net have recently been renewed, so those domains are safe for now, but I'm sure they would want similar treatment."



web logs are lame

wayne wayne writes  |  about 13 years ago I've never quite understood why people think they need to create web logs of their life. I guess it is about as lame to read them as it is to create them.

Oh well. To each their own.

Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>