
Comment Re:Can we please stop already? (Score 3) 124

Agreed, someone comes up with something new to solve a very specific issue, and all of a sudden someone's predicting how it will completely replace everything else in the next month.

Grow up.

Physical storage and relational databases aren't going anywhere anytime soon. In-memory this and non-relational that are all well and good for the specific problems they were designed for, but physically stored and relational data fits the needs of 90% of data storage and retrieval. I sure as HECK don't want my bank storing my financial data purely in memory.

So keep yelling to yourselves about how the sky is falling on traditional techniques. Meanwhile the rest of us have real work to do.

Comment Re:Hrmmm (Score 5, Insightful) 348

No, it's not particularly elegant. But on the other hand, split-horizon DNS is nothing new or magical either. Nor would I classify it as "abuse". The capability has been there since the early days of BIND.

In the DNS trade, we refer to it under the category of "stupid DNS tricks".

That said, it does have some significant advantages over other techniques.

#1, It's protocol-independent. Sure you can do intelligent redirects with HTTP, but not everything in the world is HTTP.
#2, Even with HTTP, in order for it to work, you have to now change the name of the server, and often the links to internal content. Your initial request to www.domain.com will now have to be redirected to hostx.domain.com or www.location.domain.com etc., and links on the pages to content servers will also have to be altered. This can be confusing to end-users, and may require additional SSL certs. It's also a code maintenance issue.
#2a, While the renaming seems trivial on first glance, it has HUGE implications for search engines, etc., since those "local" servers will get indexed instead of a generic name.
#2b, It also means that a calculation will have to be made by the web server deciding where to redirect you to, then the actual redirect, increasing load and latency. DNS solutions are "pre-computed" and thus do not have similar issues.
#2c, If you solve 2a by checking every request at every location, you make 2b much worse.
#3, It's simple.

Downsides:

#1, Third-party DNS recursive services throw it off. (There is a proposed RFC that would allow for such recursives to pass the originating network in the request)
#2, It makes DNSSEC a right royal PITA (Much more than it already is)

Comment Re:When can we have DNSSEC-derived TLS certs? (Score 1) 62

This is definitely theoretically possible. However, you're going to have to convince the major application developers to play along.

Though to be fair, it would only be the equivalent of the cheaper certs that only verify domain control for authority when issuing certs. The higher-level certs truly do involve a third-party verification of identity of the cert recipient.

Comment Re:More security in what way? (Score 1) 62

Sure, they could pressure the parent to supply bogus records. On the other hand, they always could have pressured them to change the NS records, which they would also have to do if they published bogus DS records.

So at absolute worst, no security was gained from the "government". It cannot be made worse, because any theoretical compromise by the governing agency was already possible, and much easier before.

Comment Re:More security in what way? (Score 4, Informative) 62

You really don't know what DNSSEC is, do you?

What DNSSEC does: DNSSEC provides a means for an end-user to determine the authenticity of the DNS data they receive by proving that only someone in control of the domain could have served the record.

What DNSSEC does not do: DNSSEC does not provide for the security of data being exchanged between systems.

With DNSSEC, each domain admin holds their own private keys. Nobody else should ever see them. Chain of authenticity is provided by each parent domain signing the delegation records provided by the child domain.

So, for the "government" to "exert control" over your domain, they would have to completely spoof every parent of your domain. This would affect not just your domain, but all domains in that TLD. Pretty sure if everyone in .com all broke at the same time, someone would notice. In short, this makes it harder for someone to take control of your DNS. If the "government" wanted it to be easier, they never would have allowed the root to be signed.

And let's face it, DNSSEC was not designed for you. DNSSEC is designed for businesses, banks and other large entities who are trying to protect their customers from being spoofed. It is just another tool like SSL. And, IMO, anyone who uses SSL certs should use DNSSEC. If you don't use SSL, it's highly unlikely you need DNSSEC.

But hey, if all you want to do is spew ridiculous conspiracy theories, never mind, rant on.
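An added example, not part of the original comment: the parent-to-child link of the chain described above, shown as the check a validator makes that a child zone's DNSKEY hashes to the DS record the parent publishes (RFC 4034, SHA-256 digest per RFC 4509). The key bytes, the zone name `example.com.` and the helper names are constructed for illustration; RRSIG signature verification is not covered.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, uncompressed labels."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> dict:
    """What the child hands to the parent: a SHA-256 (digest type 2) DS."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}

def ds_matches(owner: str, rdata: bytes, ds: dict) -> bool:
    """Validator-side check: does this DNSKEY hash to the parent's DS?"""
    return ds["digest_type"] == 2 and make_ds(owner, rdata) == ds

# Constructed sample data: these byte strings are not real keys.
CHILD_KSK = dnskey_rdata(257, 13, bytes(range(64)))
OTHER_KSK = dnskey_rdata(257, 13, bytes(range(1, 65)))
# The DS the parent zone publishes and signs with its own key.
PARENT_DS = make_ds("example.com.", CHILD_KSK)

if __name__ == "__main__":
    print("DS key tag:", PARENT_DS["key_tag"])
    print("child key accepted:", ds_matches("example.com.", CHILD_KSK, PARENT_DS))
    print("substituted key accepted:", ds_matches("example.com.", OTHER_KSK, PARENT_DS))
    print("same key, other zone:", ds_matches("example.net.", CHILD_KSK, PARENT_DS))
```

Because the owner name is part of the hashed input, a DS record is bound to one zone as well as one key, so a key that validates under one delegation does not validate under another.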

Comment Re:Intervals (Score 2, Interesting) 363

Reading "Of Mice and Men" is more important than reading "Girl with the Dragon Tattoo".

Why? Granted, I haven't read either of them.

I don't get the snobbishness that goes along with certain books/authors. Yeah, I read Gatsby, I thought it was boring as all get out. I much preferred the Táin Bó Cúailnge. Seriously, a bunch of English professors who've never lived in the real world declare some book as "important", and I'm supposed to care? Yes, I've read many of the "great works", but I read them because they interested me, not because they were important. Just as many of them, I've found to be navel-gazing, coma-inducing drivel. YMMV.

IMO, a book is only important if the person reading it got something out of it besides a headache, even if it was just a few hours of escapism.

Comment Re:ok but (Score 2, Interesting) 148

Agreed, I went through a couple of TI calcs before buying an HP. I've never had an HP break. That's not to say I haven't dropped them. My poor HP 11C is now over 25 years old, and has been dropped too many times to count. It's still my favorite calculator. My 48G has likewise seen some rough handling, it is also still running fine.

TIs are decent from a functionality point of view, but they are unable to take any kind of rough handling.

My wife used TIs in college, and went through a couple of them as well.
