
Comment I build fiber (in my spare time) (Score 5, Interesting) 446

I can tell you much of the problem is about how to retrofit existing areas. New builds get fiber, but anything that existed before 2014 or so is a legacy build. I live in an area that was built in the late 90s and there's no hope of getting anything fast out here so I'm doing it myself. The costs are reasonable (about 30-50k/mile) but the majority of the issue is in permitting to go underground. (If you go on poles, it's actually just as expensive as underground in many cases due to annual fees on the poles, engineering studies, tree clearing fees, make-ready, etc. Plus then you need to own a bucket truck and other expenses).

The wholesale cost of the bandwidth is nothing, it's all about the cost to put the stuff in the ground and the permit process. Expect 30% of your costs (and 90% of build-time) to be constrained by engineering and permitting costs. The rest of that 30-50k USD/mile cost is the labor and materials needed. You need to put in a place every 2-3 homes you pass to deliver service. There are a lot of people doing this in rural areas to close the gap but most people have only heard of the incumbents so there's a market awareness problem. Many people that are WISPs (see WISPA.org) are now moving into the fiber world, but the capital costs are around 50-250k to get all the equipment you need for underground construction.

Rough costs if you care: 35c/ft for conduit, 7-10c/ft for fiber (once you get large counts like 96 count, it's closer to 1c/strand/foot) and $100-300 for a pedestal or hand-hole, plus splice trays, etc. $1/foot (linear) * $1/foot (depth) for your route if it's not complicated. Costs go up in urban environments very quickly if you have a lot of requirements or other utilities to dodge.

Comment Can anyone help fix my end-to-end encryption? (Score 1) 334

This is irritating as it upsets my plans for end-to-end Web encryption. By which I mean encryption of the data on the server so that the server has no access to it. The only things that are on the server are encrypted data blobs and a pile of random numbers.

By end-to-end Web I mean that you will be able to set up comment forums like slashdot, read email in a Web browser and everything else you are accustomed to doing on the Web but without any of the plaintext content being accessible to the server.

The technical basis for this scheme was worked out in the 1990s and then patented by a completely unrelated company which merely sat on the patent till it expired last year. It uses meta-cryptography, which is a property of the Diffie-Hellman schemes that if you add two private keys, the corresponding public key is the product of the public keys, etc. Matt Blaze, Torben Pedersen and others worked out how to apply these effects to achieve an effect they considered interesting but insufficient. My contribution is merely to show that the simple scheme is more than enough to do interesting things.

So now I need to work out how to hook into the browser. One possibility is to present the decryption module as a new compression scheme. It looks like a compression scheme in other respects. It just requires the host to have access to a private key capable of completing the decryption.

Any help would be appreciated: hallam@gmail.com

The project site is mathmesh.com but that is of the previous approach which has been superseded in the reference code but not yet documented.

[Oh and yes, I do know what I am doing sort of, I have probably considered the corner case you have just thought up. This has been in discussion for many years with serious protocol design people.]
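
The Diffie-Hellman property mentioned in the comment above (adding two private keys corresponds to multiplying their public keys), shown as an added example that is not part of the original comment or of the Mesh reference code. The toy group parameters and all function names are assumptions made for illustration: a decryption key is split into two shares, and an ElGamal-style ciphertext opens only when both partial results are combined.

```python
import secrets

# Toy group, constructed for illustration only (far too small for real use).
P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup generated by G
G = 4      # 4 = 2^2 is a quadratic residue, so it generates the order-Q subgroup

def keygen():
    """Return (private, public) with public = G^private mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def split_private(x):
    """Split x into two non-zero shares with x = x1 + x2 (mod Q)."""
    while True:
        x1 = secrets.randbelow(Q - 1) + 1
        x2 = (x - x1) % Q
        if x2 != 0:
            return x1, x2

def encrypt(pub, m):
    """ElGamal-style encryption of m (1 <= m < P) to the combined public key."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), (m * pow(pub, k, P)) % P

def partial(share, eph):
    """One share holder's contribution: eph^share mod P."""
    return pow(eph, share, P)

def combine_and_decrypt(partials, masked):
    """Multiply the partial results into the mask, then strip it off."""
    mask = 1
    for part in partials:
        mask = (mask * part) % P
    return (masked * pow(mask, -1, P)) % P

def demo(m=1234):
    x, y = keygen()
    x1, x2 = split_private(x)
    # Public keys of the shares multiply to the public key of the sum.
    product_matches = (pow(G, x1, P) * pow(G, x2, P)) % P == y
    eph, masked = encrypt(y, m)
    both = combine_and_decrypt([partial(x1, eph), partial(x2, eph)], masked)
    one_only = combine_and_decrypt([partial(x1, eph)], masked)
    return product_matches, both, one_only

if __name__ == "__main__":
    print(demo())
```
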

Comment Re:workarounds? (Score 1) 145

What you're asking for is what's known as an APEX CNAME. Some DNS providers provide this sort of faux support (I think Cloudflare and Route53 do this) via some wizardry. There is an active discussion in the DNSOP WG at the IETF about this. Come join the madness!

Comment Re:Just asking for a DDOS (Score 1) 145

This isn't related to that; there are features like EDNS cookies just like you have TCP cookies to help prevent DDoS and other things. It's fine if you don't upgrade, but what will happen is you may not work as the DNS industry is doing the same thing as IPv6 day and IPv6 launch and standing together saying "we are removing all the workarounds for non-standards compliant and buggy servers".

Comment Re:doh! (Score 2, Informative) 528

Obama didn't release his birth certificate for one very good reason, he is very clever and Trump is very stupid.

The fact is that the Republicans will always invent some crazy idiotic 'scandal' that they obsess about and endlessly throw up smoke. The birther conspiracy was mind numbingly ridiculous. It would require someone to go back in time to plant the birth notice in the papers. Or for some group of conspirators to go to an enormous amount of trouble in order to make a particular black kid president.

So rather than release the birth certificate and let the Republicans invent a new scandal, Obama held onto it and let them obsess about a scandal nobody else thought made the slightest sense, knowing that he could knock their house of cards down any time he chose. Which of course he did a week before the Bin Laden raid which was guaranteed to end the story.

George W. Bush opened torture chambers across the world and collected photographs for a sick sexual thrill. Yet nobody ever talks about that. None of the people complaining about Hilary ever complained about GWB refusing to comply with Congressional investigation or the deletion of 5 million emails.

So here is what is going to happen. Trump is going to go down to the biggest defeat since Carter and he is going to drag the rest of his party down with him. And afterwards there is going to be a new civil rights act that prohibits Republican voter suppression tactics and the gerrymandering that give them a 5% advantage in elections. And by the time it is all done the Republican party will have two choices, either boot the racist conspiracy theorists and Trumpists out or face two decades in the wilderness.

Comment Re:Punishes users and good advertisers (Score 1) 707

I gave up on TV years ago, and when I travel or am exposed to it in public, I'm reminded why. I'm not missing anything and most other things are coming OTT or I can just download. I'm mostly happy with my relationship with purchasing a tv season and getting it the next morning commercial free. The buggy devices could use some refinement, but to avoid the 90dB noise fest, I can live with it.

Comment Re:STARTTLS broken, like UUCP maps (Score 1) 129

My comment re: UUCP is having to manually configure for each site I want to distribute mail to. I'm not worried about STARTTLS stripping, I want to avoid building a full list I have to maintain manually. This is mostly a postfix issue (for me) that it's not aggressive enough in using the STARTTLS offered by the far-side.

Comment STARTTLS broken, like UUCP maps (Score 1) 129

I had someone contact me about my server -> gmail as I host a number of mailing lists and other technical resources. After much research it seems the only way to fix it is to hard code that gmail and other locations are to be encrypted vs the default opportunistic encryption of "if they offer it, try it".

There are a lot of things that should be addressed here to ensure data is properly encrypted, this is easy and a solvable problem but at least for postfix I had to enter some custom maps which the software should have solved for itself with the 'may' setting. I'm past the UUCP days, I don't want to maintain a map of who can do things and who can't. We need to solve this software not doing the right thing problem first.

Google

Google To Take 'Apple-Like' Control Over Nexus Phones (droid-life.com) 180

Soulskill writes: According to a (paywalled) report in The Information, Google CEO Sundar Pichai wants the company to take greater control over development of their Nexus smartphones. When producing Nexus phones, Google has always partnered with manufacturers, like Samsung, LG, and HTC, who actually built the devices. Rather than creating a true revenue stream, Google's main goal has been to provide a reference for what Android can be like without interference from carriers and manufacturers. (For example, many users are frustrated by Samsung's TouchWiz skin, as well as the bloatware resulting from deals with carriers.)

But now, Google appears to want more control. The report indicates Google wants to do a better job of competing throughout the market. They want to compete with Apple on the high end, but also seem concerned that manufacturers haven't put enough effort into quality budget phones. The article at Droid-Life argues, "We all know that Nexus phones will never be household items until Google puts some marketing dollars behind them. Will a top-to-bottom approach finally push them to do that?"

Comment Re:It's the population, duh! (Score 2) 63

I have to say it's this. 50% of the US population lives in the Eastern time zone. That means if you only have things on the east coast, you are most likely to cover everyone. Ask someone in a central state what their latency and network paths are, you end up going to Seattle, Chicago, Dallas, LA and sometimes the bay area to change networks. Not a lot of interconnection happens in the mountain states, and even markets like Phoenix while large don't quite have enough density to make sense.

Comment Re:Wny did they need the certificates? (Score 1) 95

Issuing for .test and .local are strictly prohibited by the CABForum EV requirements. They will soon be outlawed for DV under the basic requirements.

What seems to have happened is that instead of issuing all test certs for test.verisign.com as the procedure manual required, they had to modify the procedure when Symantec took over and they no longer had verisign.com.

So instead of doing what they should have done and using test.symantec.com or a test domain bought for the purpose, they typed the first name that entered their head.

Comment Re:Self Signed (Score 1) 95

Actually it doesn't. DANE certificates are not self-signed for a start, they are signed by the DNSSEC key for the zone.

The problem with DANE is that you swap the choice of multiple CAs for a monopoly run by ICANN, a shadowy corporation that charges a quarter million bucks for a TLD because that is what the market will bear. What do you think the price of DANE certification will rise to if it takes off?

ICANN is the Internet version of the NFL only with greater opportunities for peculation and enrichment.

Comment Re:Wny did they need the certificates? (Score 1) 95

Damn right they should. The CPS has a long section on the use of test hardware.

The problem is that all the original team that built VeriSign have been gone for years. A lot of us left before the sale of the PKI business to Symantec. The PKI/DNS merger was not a happy or successful partnership. The original point of the merger was to deploy DNSSEC. That effort was then sabotaged by folk in IETF and ICANN which has delayed the project by at least 10 and possibly 20 years. ATLAS was originally designed to support DNSSEC.

Unfortunately, in PKI terms what VeriSign was to IBM, Symantec is to Lenovo.

They apparently remember the ceremonies we designed but not the purpose. So they are going through the motions but not the substance.

One of the main criticisms I have heard is that we built the system too well. From 1995 up to 2010 it worked almost without any issues. So people decided that they didn't need things like proper revocation infrastructure. The only recent issue the 1995 design could not have coped with was DigiNotar which was a complete CA breach.

There are some developments on the horizon in the PKI world that will help add controls to mitigate some of the issues arising since. But those depend on cryptographic techniques that won't be practical for mass adoption till we get our next generation ECC crypto fully specified.
