
Comment Re:Can someone explain ZSK and KSK? (Score 1) 57

The KSK signs only DNSKEY records, and the ZSK signs all other relevant resource records in the zone. Your DNSSEC delegation comes from a DS record (a fingerprint of your KSK) which is included (and signed) in the delegating zone. The practical upshot of this is you can change your ZSK frequently without having to update the DS record upstream (thus contacting your delegator) every time you do so.

Math

The Math of a Fly's Eye May Prove Useful 90

cunniff writes "Wired Magazine points us to recent research that demonstrates an algorithm derived from the actual biological implementation of fly vision (PLoS paper here). Quoting the paper: 'Here we present a model with multiple levels of non-linear dynamic adaptive components based directly on the known or suspected responses of neurons within the visual motion pathway of the fly brain. By testing the model under realistic high-dynamic range conditions we show that the addition of these elements makes the motion detection model robust across a large variety of images, velocities and accelerations.' The researchers claim that 'The implementation of this new algorithm could provide a very useful and robust velocity estimator for artificial navigation systems.' Additionally, the paper describes the algorithm as extremely simple, capable of being implemented on very small and power-efficient processors. Best of all, the entire paper is public and hosted via a service that allows authenticated users to give feedback."

Comment Re:erm... (Score 1) 39

Well, you're half right.

DNSSEC's original form allowed for unrestricted zone walking via querying for non-existent domains and receiving an answer containing the RRs appearing just before and after the non-existent domain. This was a major stopping point for widespread implementation. RFC 5155 and NSEC3 address this by using hashes of domains instead of domains themselves.

As for the certificates, you do not need to buy a certificate from VeriSign to sign your DNS data. You generate your own keys and provide a key fingerprint to whoever is delegating your domain to you. Queriers can use that fingerprint to validate the DNSKEYs you present for their use in validating your signed records.
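
The KSK/DS relationship from the two comments above (the DS record is a fingerprint of the KSK, so rolling the ZSK needs no change upstream), as an added example that is not part of the original comments. It computes the DS digest and key tag the way RFC 4034 defines them and checks a DNSKEY set against the parent's DS. Assumptions: digest type 2 (SHA-256, from RFC 4509), algorithm number 8, and a constructed zone name and filler bytes in place of real public keys.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()

def keys_matching_ds(owner, dnskey_rrset, ds_hex, digest_type=2):
    """Return the DNSKEYs in the set whose digest equals the parent's DS."""
    return [k for k in dnskey_rrset
            if ds_digest(owner, k, digest_type) == ds_hex.lower()]

# Constructed sample data: the "public keys" are filler bytes, not real keys.
ZONE = "example.com."
KSK = dnskey_rdata(257, 8, b"constructed-ksk-public-key")   # 257 = SEP bit set
ZSK_OLD = dnskey_rdata(256, 8, b"constructed-zsk-a")
ZSK_NEW = dnskey_rdata(256, 8, b"constructed-zsk-b")
OTHER_KSK = dnskey_rdata(257, 8, b"constructed-other-ksk")

PARENT_DS = ds_digest(ZONE, KSK)  # what the delegating zone publishes and signs

def demo():
    before = keys_matching_ds(ZONE, [KSK, ZSK_OLD], PARENT_DS)
    after = keys_matching_ds(ZONE, [KSK, ZSK_NEW], PARENT_DS)        # ZSK rolled
    swapped = keys_matching_ds(ZONE, [OTHER_KSK, ZSK_NEW], PARENT_DS)  # KSK replaced
    return before == [KSK], after == [KSK], swapped == []

if __name__ == "__main__":
    print("key tag:", key_tag(KSK), "DS digest:", PARENT_DS)
    print("before roll / after ZSK roll / substituted KSK rejected:", demo())
```

The DS still matches after the ZSK is swapped because only the KSK's RDATA feeds the digest; a DNSKEY set carrying a different KSK yields no match until the parent publishes a new DS.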

Comment Re:DNSSEC overrated (Score 3, Informative) 91

Signed zone data is not reliant on x509 certificates; algorithms defined in RFC 4034 are RSA/MD5, Diffie-Hellman, DSA/SHA-1, Elliptic Curve, RSA/SHA-1, and room for ~245 future algorithms. There is no identity information stored in the keys used for DNSSEC, so you should be able to generate the keys yourself.

Comment Firefox Helpies (Score 2, Informative) 208

about:config

browser.identity.ssl_domain_display

Set it to 2 to see the Common Name of the cert in the address bar. Very helpful to see side-by-side with the URL. EV certs will still show the Organization and Country, but it makes non-EV certs a little more obvious.
