
Comment Re:Questions from a DNS implementor (Score 1) 127

And, since you're too lazy to post links to DNSSEC howtos (like this one), you're not helping and only name calling. The issue is that there are 15 RFCs with DNSSEC in the title and no clear idea where to get started.

But, hey, this is Slashdot, where any idiot can get a lame name like "BitZream", and post insults anonymously.

No worries; I will email Dan and talk to him offline about it.

Comment Questions from a DNS implementor (Score 4, Interesting) 127

OK, since Mr. Kaminsky is following this thread, I figured this would be a good place to open up some questions and a discussion between a DNS implementor and Mr. Kaminsky.

Let me introduce myself: My name is Sam Trenholme and I am the implementor of MaraDNS, a recursive and caching DNS server. Right now, I am in the slow process of re-writing the recursive DNS resolver. While MaraDNS has always been as secure as non-DNSSEC can be against Mr. Kaminsky's bug (DJB knew about the problem back in 1999 and I implemented his solution to randomize both the query ID and the source port back in 2001), I am wondering:

How hard is it to implement DNSSEC in my recursive cache? How many RFCs am I going to have to toil over to understand DNSSEC well enough to implement it? About how long will it take me to code MaraDNS to have full DNSSEC support?

I have a bad feeling that DNSSEC is a monster to implement and that we will not see many independent implementations of it; right now BIND and Unbound appear to be the only DNS servers to support it. DjbDNS doesn't support it, of course, and probably never will. My own MaraDNS and PowerDNS also don't support it.

What are your thoughts? Has a reasonable effort been made to make DNSSEC easy to implement?

Comment In this economy any IT job is a good job (Score 4, Informative) 538

In this economy, any IT job is a good job.

Of everyone who was in my circle of friends working in the IT and computer industry in the mid-to-late 1990s, the only people who have jobs today are in middle management. Not one non-manager I knew back then and know today is working today in the tech industry.

I became an ex-pat, teaching English, translating documents, and helping with the Windows machines in an accounting office in Mexico. I would like to return, but there are just no jobs stateside where I want to live right now.

One friend saved enough money to semi-retire; he, right now, is living with his family to minimize expenses and off of savings. He's not really sure he even wants to return to the industry; the last job he had a couple of years ago left him really burnt out.

Another friend lost his job at a video game company in the late 1990s. He never got hired in the tech industry again, and is currently living off of a military disability pension, paying his debts and planning on returning to college.

These are my luckier friends. Two friends, who have families to raise, both very recently lost jobs in the tech industry and have no idea when they will get work again. One is living off of savings and is really scared when he will get a job again. Another didn't have as much savings, had to leave the apartment he was leasing, and is currently shacked up with a buddy who lets him sleep in the extra bedroom in exchange for computer help; his wife and kids are living with their family.

I am sure either one of these guys would accept a job in Cleveland or Alabama or anywhere else where the company is willing to pay them enough to support their family.

It's a really scary time to work in the tech industry. If you have a job, and it pays enough to support your family, thank the lucky stars you're still working. Not everyone is as lucky as you right now.

Comment TextMaker 2006 these days (Score 1) 291

These days, I use a free (beer) word processor called TextMaker for this kind of thing; it's an office suite that also has a spreadsheet, not to mention a presentation thingy and scripting language if you, like I did, pay for the updated version. Just set up a table with a budget for every day in a month, note what I paid on that day, and the program automagically calculates and puts at the bottom of the table the total I have paid for the entire month, and the total money I have left over for extra unplanned expenses.

I have also used Gawk for this kind of thing, but TextMaker has a prettier output if I want to print it out and, yeah, a slicker interface for entering data than vi.

Comment Re:This will probably become RHEL6 (Score 1) 195

RHEL is in its death throes.

Oh, really?

Seriously, buyers who are giving RedHat serious money have asked for fewer releases with longer lifetime cycles. When 2014 begins, RHEL 5 and its derivatives will still be supported and is the only currently available Linux distribution that will be supported at that time.

If you want bleeding edge, you have Fedora. If you want tested, true, and stable, you have RedHat.

Comment Re:Too many releases! (Score 5, Insightful) 195

why does linux have so many release cycles

Because Fedora is a cutting-edge testing release that's done about twice a year. The RedHat Linux way is to take software that Microsoft would only make available to internal testers in Redmond, and make it available to the general public as "Fedora".

If you want something with fewer release cycles, your best bet is Red Hat Enterprise Linux (which every three years or so, takes a release of Fedora, declares it stable, renames it "RHEL", and updates that version of Fedora for seven years). If you're too cheap to buy RHEL, you can get CentOS, which is a free derivative of RHEL. CentOS 5.3 is the Linux equivalent of "CentOS 5, service pack 3" [1]

[1] Well, except that adding new drivers to older releases of CentOS is harder than it is to do with Microsoft Windows. What can I say, Linux isn't perfect.

Comment This will probably become RHEL6 (Score 4, Interesting) 195

This release of Fedora is the release that will probably be the basis for the next release of Red Hat Enterprise Linux (RHEL). This is a good thing, because I like using commercial software on Linux (read: I like using VMware Player to run virtual machines), and right now RHEL 5 does not run with the 2007-era hardware I have, being based on a version of Fedora from 2006.

Once this becomes RHEL, commercial ISVs (Independent Software Vendors) will start supporting the release and both the hardware I use and the commercial software I need to be productive (sorry guys, I find VirtualBox a lot more buggy and less intuitive to use than VMware) will be supported in a version of Linux that will have the stability I need.

Can anyone confirm that RHEL6 will be based on Fedora 11?

Comment Re:The Importance of Being Forgotten (Score 1) 136

The problem with Firefox is that the Gecko codebase is messy and prone to a lot of security problems. It is, if you will, the BIND 8 or Sendmail of the 2000s. In 2009 alone there have been eight critical security holes reported. Yes, Firefox patches these quickly, but having to update a program more than once a month to keep it secure is a real pain in the butt.

Firefox has a very short update lifecycle for a given update of Firefox; if you want to use an older release of Firefox (think enterprise desktops where any software update has to be approved; think live CD or embedded distributions), you have no choice but to place yourself at risk.

Modern HTML + CSS + ECMAscript is so complicated that we can't have someone come forward and write a browser that is security-aware. Safari isn't much better, since it needed two updates already this year, and Opera has had an update this year with a couple of security problems fixed.

So, yeah, to keep a modern browser secure requires running on the update treadmill. I hope HTML + CSS + ECMA stop being constantly updated, new web Acid tests are no longer made every couple of years, and the standards calm down so that browser developers don't have to rush to add new features to their browsers all the time, allowing browser developers to take the time to write secure code.

Comment Sounds like a feature request for Deadwood (Score 1) 264

You know, that's a good feature request for Deadwood, code I'm working on now that will eventually become the next-generation recursive DNS resolver for MaraDNS. Have a feature so that, if we get a given IP over DNS, make the reply a "notthere" reply (It's a bad idea to make it a NXDOMAIN).

MaraDNS is an open-source (BSD licensed) DNS server I've been working on for over eight years; right now I'm re-writing the recursive code. Currently, the rewrite of the recursive code is a tiny (32k) DNS forwarding (non-recursive) cache for both Linux and as a native Windows binary.

My goal is to have full recursion supported by the end of 2009.
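
The reply filtering described in the Deadwood comment above, sketched as an added example (not part of the original comment, and not MaraDNS or Deadwood code). It assumes "notthere" means a NOERROR reply with an empty answer section; the blocklist, sample packet and function names are constructed for illustration.

```python
import socket
import struct

BLOCKED = {"203.0.113.7"}  # constructed blocklist entry (TEST-NET-3 address)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends here
            return off + 2
        if n == 0:             # root label terminates the name
            return off + 1
        off += 1 + n

def answer_ips(msg):
    """Return (offset where the question section ends, IPv4 addresses in A answers)."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    q_end, ips = off, []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return q_end, ips

def filter_reply(msg, blocked=BLOCKED):
    """Pass the reply through unless an A answer carries a blocked IP."""
    q_end, ips = answer_ips(msg)
    if not blocked.intersection(ips):
        return msg
    flags = struct.unpack("!H", msg[2:4])[0]
    # Force QR=1 and RCODE=0 (NOERROR). NXDOMAIN (RCODE 3) would instead
    # assert that the whole name does not exist, for every record type.
    flags = (flags & 0xFFF0) | 0x8000
    # Same ID and QDCOUNT, zero ANCOUNT/NSCOUNT/ARCOUNT, question echoed back.
    return msg[:2] + struct.pack("!H", flags) + msg[4:6] + b"\x00" * 6 + msg[12:q_end]

def sample_reply(ip):
    """Constructed response: one question, one A answer using a name pointer."""
    q = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + q + rr
```

A production resolver would normally also place an SOA record in the authority section of the synthetic reply so that clients can cache the negative answer.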

Comment Re:First MD5 and now this (Score 1) 152

SHA-256 and SHA-512, Whirlpool and Tiger are all pretty thoroughly-reviewed with no weaknesses uncovered

Tiger actually is vulnerable to a "pseudo-near-collision" ref. No, I have no idea what a "pseudo-near-collision" is, but Tiger's vulnerable to it.

My favorite hash is RadioGatun, but I also like Keccak. I would like Skein, except there is no published variant of it that uses 32-bit words (Whirlpool [1] and Tiger have the same problem).

[1] Yes, you could make a Whirlpool variant with a 128-bit or even 256-bit hash using AES as the compression function, but I prefer to stick to published crypto, since I don't know how to make a truncated differential.

Comment Re:A rant (Score 1) 565

No network, no desktop. A minute and twenty seconds from entering name/password until the desktop appears because Nautilus is hanging for a whole minute. GDM does a similar but shorter hang every time the login appears.

OK, silly question: Why not remove GDM and Nautilus and replace it with XDM and KDE or some other desktop environment?

Another thought: If this is a DNS issue (I bet it is; you can find out if it is with strace), why not set up a DNS server on the localhost that does nothing but send some reply so these programs get the DNS reply they're waiting for. I have a tiny simple DNS server that might fit the bill if this is your issue.

Any reason we're not buying XP licenses and putting Windows XP on these computers?

Comment Re:I love Ubuntu... (Score 1, Informative) 871

You know, this is a common retort: "Windows is hard to install, you have to install drivers after installing the OS; Linux is so easy to install because the OS comes with all drivers"

What Linux advocates forget to mention is that it's really easy to install drivers after installing Windows. If you have the disks your hardware came with, it's as simple as "next, I accept, next, next, done".

Another minor detail advocates forget to mention is that, if a given Linux distribution doesn't have your drivers, you're SOL. Nor do advocates mention that each version of Linux has a different driver API/ABI (this is a deliberate decision done by kernel devs) so you can't, for example, use your Ubuntu drivers in Red Hat Enterprise Linux 5.

Linux advocates also forget to mention that the time needed to edit configuration files with arcane formats to get just one thing to work in Linux (such as, say, file and printer sharing in Samba) is far greater than the time needed to install all of the drivers to get a given Windows install to work.

Quite frankly, I would rather deal with the bother of downloading and installing whatever drivers an older version of Windows needs to work (I'm sticking with Windows XP for the foreseeable future) than being forced to install a new unstable version of Linux just so I can have drivers for my new computer.
