If you set up your own caching server and point it to the ISP-caching server, yes. But that would kinda defeat the point of using your own caching server. If you were doing it for your security.
Blame IE, it is what keeps the web moving forward
Do you have any idea how easy it is to get a domain? Pretty much the only thing they check is your credit card number. And I have my doubts they will do any checks before setup of DNSSEC.
I think this is where CACert has its advantage, it's about building real trust, people seeing people with real passports, etc.
I think this illustrates it even better:
"Because I see no point. Quite often, we don't even realize some random bug could have been a security issue."
"The issue is that I think it's then _misleading_ to mark that kind of commit specially, when I actually believe that it's in the minority.
If people think that they are safer for only applying (or upgrading to) certain patches that are marked as being security-specific, they are missing all the ones that weren't marked as such. Making them even _believe_ that the magic security marking is meaningful is simply a lie. It's not going to be.
So why would I add some marking that I most emphatically do not believe in myself, and think is just mostly security theater?"
No, Safari isn't open source, WebKit is open source, because it is based on KHTML.
7. The smile on your face - priceless
There is no real fix, other than changing the protocol in a backwards incompatible way. Port randomisation is a workaround, but it will give us some more years.
And that last part is just me guessing.
Not in this case, in this case seeing the source changes doesn't really help, it's more like a protocol-design-flaw. And the bugfix is just a workaround.
It was because of forethought of one man, DJB (Bernstein).
And where you got the IP-address for the whois (hint it uses several hosts for different TLD/regions).
That's why 'smart' people use /etc/hosts. That solves the problem of remembering and of the HTTP-host-header.
I'm sorry, but if you take your average Linux distribution, you will see this won't happen.
For a company with so many resources (read: money) they keep messing up in a big way.
Exactly, Vista doesn't have any useful features.
So you are saying they should start selling DirectX for Linux? ;-)
It's not a devil, it's a daemon.
I guess you mean Wubi in this case? ;-)
I think he means it's been running for a year without problems.
But I'm not a mind reader of course.
Totally agree.
I also don't want to get answers for things that don't exist, something they do or at least have done.
There is PowerDNS. I suggest you use that.
It has been known for years that it's less secure if you don't use proper randomization. Now it turns out, it's _really_ insecure. Duh.
Vendors that don't implement proper randomization are just lazy. Don't buy/download their software.
It has been known for years that it makes your DNS-implementation safer to use, they have been warned again and again. And now they needed a year to implement it.
In Dutch, SOA (DNS-record or service-oriented architectures) is actually the abbreviation of STD (sexually transmitted disease). That always cracks me up.
Did I say PowerDNS is faster too?
</commercial> ;-)
Who cares? PowerDNS together with the implementation in Juniper 'hardware' were the only other 2 implementations that were not vulnerable as far as I can see from the document (by skimming through it). Although a lot had 'status unknown'. For example OpenBSD's heavily (?) patched BIND.
I use PowerDNS, it has any feature you might want.
It runs on all the modern hardware. And a lot of operating systems.
OK, DNSSEC is the only feature it doesn't have complete support for.
But until someone creates a sane specification, I doubt we'll get sane implementations which means the cure is worse than the problem (complicated code means lots of security bugs).
Let me just say: DJB, Bert (PowerDNS) and Dan K. you are my DNS heroes. :-)