Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?

Comment Re:who buys Sony any more? (Score 1) 284

It was news on slashdot before the firmware release:

Moral of the story might be:
Don't upgrade before reading.

It might be nice of Sony to supply a changelog before the update on the machine itself. They present an EULA to the user, maybe below is the changelog (but we all know nobody reads the EULA).

Comment Re:who buys Sony any more? (Score 1) 284

But you didn't have to upgrade to a version without Other OS option, at the cost of losing other options (online play).

But I installed Linux on it and tried to use is, unless you had some use for the Cell SPEs it was useless. No GPU access, slow disk I/O and less RAM than a decade old machine. If you were targetting Cell/SPE from Linux you wouldn't have upgraded. To my understanding current GPU it much nicer target. For me nothing of value was lost, though I didn't gain anything in return.

Comment Re:Open network? (Score 1) 505

There are a few options:
-take part in an "open" network that has some accountability (eg FON (good luck finding a functioning hotspot))
-only allow VPN connections (good luck filtering)
-tunnel your open network through TOR, you will not be implicated in any unlawful actions (slow but not my problem)

Comment Re:I deployed it at our ISP recursive servers (Score 1) 313

"Or how do you think the signature of com gets onto the public key of Magic?"

It doesn't. And you are confusing a web of trust with CA, it's like PGP. com. can only tell a dnssec user what it thinks the public KSK of is. That should have been communicated in a secure way to com. It is oneway trust between direct parent-child relations in the dns tree.

Comment Re:Dutch Innovate (Score 1) 313

Like I said, for the local market dnssec presence is huge, and last time I checked NLD is still part of the real world and it still has some influence on it (especially considering its size).

But .com has everything in place to do dnssec. So if an owner of a .com wants to get dnssec support, they should get a dutch dns provider, there are many that give the customer the option to activate dnssec.

Comment Re:I deployed it at our ISP recursive servers (Score 1) 313

But there are no CAs in DNSSEC. There are only public/private keypairs under control of the owner of the domain. has 3 pairs/signatures to check:

  • .
  • com.
  • tells the com. authority what it's public KSK is.
com. tells the root zone what it's public KSK is.
The public KSK of the root is known by all people/software that want to check dnssec signatures (the weak point since how do you securely distribute and update that one?).

Comment Re:Dutch Innovate (Score 1) 313

Math fail detected: 250*10^6 domains, 5*10^6 .nl, 10^6 .nl with dnssec. So atleast 0.4% of all domains are dnssec:
5/250/5 == 0.004 * 100% == 0.4%
.nl is in the 5 top of most used country TLDs. .nl is used for about 70% of the domains targetting the dutch market. So dnssec implementation is huge for the local market. And while it still might not be perfect, it is better than just plain DNS.

Comment Re:Dutch Innovate (Score 1) 313

No catch, just a discount per domain registered for dnssec (0.28 EUR/year). I have about 1k .nl domains, I spend a few days figuring out what dnssec was about, how to implement, test and maintain it. Activated it on the corporate domain, some personal and a couple of test domains and waited 2 months to see if there were problems (none). So now it is active for all domains saving us 420 EUR till the discount ends in 2014-06. For us it was not enough to cover the expense of my time, but this had to be implemented eventually, so better do it now while you still get some discount.

Comment Re:I deployed it at our ISP recursive servers (Score 1) 313

"its certificate system is just as broken as the SSL cert system is now"

Can you explain this? DNSSEC hasn't got much common with the SSL cert system. There is only 1 root authority, the weak point during a key change. Each domain/tld has their own (multiple) keys. tld and domains should regenerate the short Zone Signing Keys fairly often (a couple of weeks), while the bigger Key Signing Keys should be regenerated about once in a year. If a tld is compromised it only has to create a new KSK, individual domains aren't affected (IIRC). If an individual nameserver or domain is affected only that server of domain needs to regenerate a KSK.

Comment Re:Dutch Innovate (Score 2) 313

Why choose this instead of powerdnssec? I strongly suggest the dnssec training at (flash) to improve one's understanding of the dnssec protocol. And powerdns to implement it

BTW dnssec adoption is amongst the highest for .nl in absolute numbers of domains, simply because there is a bounty for every domain signed. If you have a few hundred of domains the costs to implement are lower than the discount given till mid 2014 == profit for implementing dnssec. And since powerdns does all the hard work automatically and dynamically in a transparant way (except importing the DS key in the tld)

Slashdot Top Deals

If you didn't have to work so hard, you'd have more time to be depressed.