Comment: Re:Oh no! (Score 2) 1521
Really the only thing you can be reasonably certain about with a UID pissing contest is that you'll pretty much inevitably lose.
If it were a competition that mattered, I feel like I could compete.
Comment: What a great run... (Score 1) 1521
Thanks for all the fish.
-davidu
Nominations for the 2011 SysAdmin Awards
That's why July is SysAdmin Appreciation Month and nominations for the 2011 SysAdmin Awards end on July 12th. Nominate yourself, or your favorite SysAdmin hero to receive recognition and an award."
Comment: Re:This is not accurate (Score 1) 187
He titled his blog post "In a CDN'd world, OpenDNS is the enemy!" not "Using third-party DNS resolvers can in some cases cause suboptimal server targeting."
I thought my response and followups were fairly even-keeled all things considered but appreciate the feedback. I have no ill will to the author and welcome his further tests.
Comment: Re:This is not accurate (Score 2, Insightful) 187
Well the critics argue that the Internet != The WWW. Which is true. If you are sending email, the destination SMTP server, and its corresponding authoritative DNS server would never normally see the client's original IP. The fact that TONS of benefits exist from routing and performance to anti-spam measures would benefit from this, we're creating a vector of privacy leakage that possibly didn't previously exist in all scenarios.
None of this considers the fact that very few DNS operators would actually even implement this standard. Just big 3rd party resolvers like us and Google and big CDNs and eye-ball sites.
Comment: Re:This is not accurate (Score 2, Interesting) 187
You have summarized the privacy concern well. That's exactly the issue. The fear that is held is that implementations won't respect someone who includes 0.0.0.0/0 and instead will replace it with the actual client's source_addr when forwarding a request along. Think hotel, cafe, wifi hotspot vendors, etc... Those folks tend to implement for ease, not privacy. And sometimes they opt against privacy.
The critics of the proposal think that there is no assurance of privacy, and they feel that's a reason to not move forward. In my world, there are much better ways to violate real privacy than to see a client IP address in a DNS request, but maybe I'm less sensitive about it. I think it's certainly worthy of discussion and attempting to find a solution.
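The forwarding behaviour at issue in the comment above, as an added example that is not the commenter's code or any vendor's implementation: a forwarder that keeps a client's 0.0.0.0/0 opt-out intact instead of substituting the real source address. The option layout (family, source prefix length, scope prefix length, truncated address) follows RFC 7871; the function names, the /24 and /56 truncation lengths, the pass-through policy and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

FAMILY = {4: 1, 6: 2}  # address family numbers used in the option: 1 = IPv4, 2 = IPv6


def build_ecs(network):
    """Encode a client-subnet option payload: family, source prefix,
    scope prefix 0, then only as many address bytes as the prefix needs."""
    nbytes = (network.prefixlen + 7) // 8
    header = struct.pack("!HBB", FAMILY[network.version], network.prefixlen, 0)
    return header + network.network_address.packed[:nbytes]


def ecs_to_forward(client_ip, client_ecs=None, v4_prefix=24, v6_prefix=56):
    """Return the client-subnet payload a forwarder sends upstream.

    client_ip  -- source address of the query as the forwarder saw it
    client_ecs -- payload of the option the client sent, or None
    """
    if client_ecs is not None:
        if len(client_ecs) < 4:
            raise ValueError("truncated client-subnet option")
        family, source_prefix, _scope = struct.unpack("!HBB", client_ecs[:4])
        if source_prefix == 0:
            # Opt-out (0.0.0.0/0): forward a /0 with no address bytes and
            # never fall back to the client's real source address.
            return struct.pack("!HBB", family, 0, 0)
        # Assumed policy: pass the client's own subnet through, scope reset to 0.
        return client_ecs[:2] + bytes([source_prefix, 0]) + client_ecs[4:]
    # No option from the client: derive a truncated subnet, not the full address.
    ip = ipaddress.ip_address(client_ip)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return build_ecs(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


if __name__ == "__main__":
    # Constructed sample: a client at 203.0.113.57 that opted out with a /0.
    opt_out = struct.pack("!HBB", 1, 0, 0)
    print(ecs_to_forward("203.0.113.57", opt_out).hex())  # no address bytes
    print(ecs_to_forward("203.0.113.57").hex())           # truncated to /24
```
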