that hasn't made threats to wipe neighbors off the map, allowed criminals within its own population to overrun foreign embassies and supplied terrorist groups with financial support/weapons.
Just to be clear, are you talking about Iran or the US here?
Recall that it came out that Nixon was buying weapons in China and sending them through Russia to Afghani "freedom fighters". The same guys we call "insurgents" today. And that was 30 years ago. It didn't stop happening, they just cover it up better these days. Cept for Col. North who got caught.
Yeah right....ok, how many new countries have we annexed in the past couple of decades
Nicaragua, Panama, and in 03 the CIA tried to overthrow Chavez.
The US has 186 military bases in 150 countries. This for a country that had no army before WWII.
Go watch the documentary "Why we fight". It's a great eye opener on the American military culture. It's on youtube and archive.org.
"I like the fact that Britannica is trying to get into the "free dictionary" sphere, wiki may be good, but several independent (free) sources are always better than one!"
A more cynical view would have it that it's the articles you're allowed to create, not the time to publication, that will determine the winner.
What's wrong with the ones that were remastered in 2003-2005 allegedly from tapes stolen from Apple (records) ?
"Unless we are talking about an extremely popular app (Linux, Firefox), the first or second line of the summary should tell what the hell the app is!"
Eh, I dunno. I don't know the names of most of the Linux oriented stuff, but as a BSD guy if it says "Bordeaux" and "BSD" in the same line, I know what it is.
If you make it easier for non-BSD people to understand this stuff maybe the same courtesy could be paid for this so-called popular linux app thing as well. Fair is fair?
I don't even care if it's an ad. I actually want to read it (unlike the, say, Microsoft banner ads)
"8kW is a reasonable amount of power."
Only if you think nobody needs more than 640K.
My well pump surges to 3500 watts. If you're running the microwave and vacuum cleaner and God forbid a space heater is running in a room then that 8k just went away or tried to do its best, either way it was epic failure. Granted I have a large house.
They sell $7K whole home generators up here that run on gasoline. They have a Sabre engine that you can get out of a lawn tractor and a $500 generator head. You can diy this bit.
But if it were me I'd not use gas (natural or propane) or gasoline, I'd use a diesel generator. You have more fuel options then.
"I'm amazed that something this good emerged from regulatory agencies under the Bush Administration. I suspect that some staffers are thinking very hard about what happens to their career once government regulation again gets, as Obama puts it, "adult supervision"."
Ironically, the DoC was to provide "Adult Supervision" to ICANN as their overseers. Next up the food chain from the DoC is congress.
NTIA/DoC has people there that have been monitoring this for a long time and actually know the issues. However, they side, as Bushies, with TM owners, while playing the "good for the consumer" card. Remember that Trademarks are also to "protect consumers".
Keep in mind it was the USG that nixed .xxx on "moral grounds" in the only ever demonstration of a moral imperative trumping a technical DNS addition at the root level.
(Karl Rove had it done allegedly as a favour to the Southern Baptist convention).
So I find this part a little ironic.
"and hack up $75/year"
It was $100 for two years and $50 for renewal per year. 1/3 of that went into the NSF's "Intellectual infrastructure fund" that NSF staffer Don Mitchell (who started and ran this) wanted to "keep the IETF *process* (not the IETF per se) alive". This fund was pretty much stolen by Mike Roberts the first CEO of ICANN. It was his reward for clearing the way for the ICANN steamroller back a decade ago at its inception.
You all understand the institutional purpose of ICANN is to prevent the creation of any new tlds for their buddies in the intellectual property section of the legal departments of large corporations everywhere, right?
If you knew how many tens if not hundreds of millions of dollars had gone into blocking their seeing the light of day you might be quite shocked. So this news, of another delay, isn't exactly news.
When icann does something right, call me, that's news.
"Though I suppose if I were going to waste a nuke on Canada I would probably hit Vancouver and Halifax (and maybe Ottawa because of the dirty politicians, and perhaps Toronto, well just because it's Toronto, smug bastards...)"
Karma is a bitch. They won't be so smug when they lose a zero off the end of their house value and paycheck.
I used to live there, but moved far enough away to be safe but close enough to watch it burn.
I thought Novia made phones and the Scotia was the white one with the blue stripes.
"you mean it went from 1 person to 3 people?"
Exactly. Of course you don't hear from them cause they can't talk to the V4 network.
I guess this is the best spin they could put on the numbers they had. They certainly wouldn't want headlines like "growth in number of new V4 hosts still exceeds total number of V6 hosts by a large margin"
Shamir's algorithm is very clever. And cleverness is in short supply these days, especially in the dns.
I'm just thinking out loud here, but it seems to me if the source of authority field in the SOA statement were an IP and not a domain name, and each nameserver had a txt record with part of the zone maintainer signature of the whole zone that might work better than DNSSEC. Am I missing something here?
You'd have to change nameserver code but it's all gonna have to change anyway. And Bernstein said he's not gonna add something as stupid as DNSSEC to djbdns, which you'll note doesn't have the problem trying to be solved here in the first place.
Bind and the industry's insistence on superfluous A records is disgusting. I'm shocked there haven't been more problems because of it. Recall Kashpureff's hijacking of the internic was done this way and one of the conditions of his probation was he had to explain to Kosters how to fix it. Ignore out of bailiwick A records is still not well understood, and frankly made worse by the change to the structure of the DNS industry made by Commerce. It was bad enough when NSI had the wrong A record, but you could actually call them and get them to change it. Now each registrar can (and sometimes do) publish A records they shouldn't and the fun begins when two of them have different A records for the same name. It took a year to convince one of the top ten registrars' staff that this was actually a problem.
So don't feel bad if you don't get it. Most of the industry doesn't either.
In theory you need one A record in the entire DNS. It can kick start itself from there. It's actually been shown to me you can rebuild the entirety of DNS just from scanning web pages.
But for practical purposes you could get by with a very small number of A records in the legacy DNS. To be sure, things would be a bit slower, but "right" is better than "quick".
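The "ignore out of bailiwick A records" rule mentioned in the comment above, sketched as an added example; it is not part of the original comment and is not code from BIND or djbdns. The `RR` type, the function names and all sample records are constructed for illustration (documentation address ranges), and the second function flags the case the comment describes where two sources publish different A records for the same name.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # "NS" or "A"
    data: str    # NS target or IPv4 address

def labels(name):
    """Lowercase, drop the trailing dot, split into labels (root -> [])."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(name, zone):
    """True if name is the zone or below it, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_glue(server_zone, authority, additional):
    """Split additional-section A records into (accepted, rejected).

    A record is kept only if its owner is in bailiwick for the zone the
    answering server is authoritative for AND it is the target of an NS
    record in the same referral. Rejected entries carry the reason; those
    names have to be resolved independently instead of being cached.
    """
    ns_targets = {".".join(labels(rr.data)) for rr in authority if rr.rtype == "NS"}
    accepted, rejected = [], []
    for rr in additional:
        if rr.rtype != "A":
            continue
        owner = ".".join(labels(rr.name))
        if not in_bailiwick(owner, server_zone):
            rejected.append((rr, "out of bailiwick"))
        elif owner not in ns_targets:
            rejected.append((rr, "not a nameserver in this referral"))
        else:
            accepted.append(rr)
    return accepted, rejected

def conflicting_glue(sources):
    """Given {source: [RR]}, return names whose A record sets differ by source."""
    seen = defaultdict(dict)
    for source, records in sources.items():
        for rr in records:
            if rr.rtype == "A":
                key = ".".join(labels(rr.name))
                seen[key].setdefault(source, set()).add(rr.data)
    return {name: by_src for name, by_src in seen.items()
            if len({frozenset(a) for a in by_src.values()}) > 1}

# Constructed referral, as if returned by a server authoritative for "com".
AUTHORITY = [
    RR("example.com.", "NS", "ns1.example.com."),
    RR("example.com.", "NS", "ns2.example.net."),
]
ADDITIONAL = [
    RR("ns1.example.com.", "A", "192.0.2.53"),    # in bailiwick, is an NS target
    RR("ns2.example.net.", "A", "198.51.100.7"),  # "com" server vouching for "net"
    RR("www.example.org.", "A", "203.0.113.66"),  # unrelated name slipped in
    RR("mail.example.com.", "A", "203.0.113.25"), # in bailiwick but not a nameserver
]
# Constructed: two registrars publishing glue for the same host name.
REGISTRAR_GLUE = {
    "registrar-a": [RR("ns1.example.com.", "A", "192.0.2.53")],
    "registrar-b": [RR("NS1.example.com", "A", "192.0.2.99")],
}

if __name__ == "__main__":
    ok, bad = filter_glue("com", AUTHORITY, ADDITIONAL)
    for rr in ok:
        print("accept", rr.name, rr.data)
    for rr, why in bad:
        print("reject", rr.name, rr.data, "-", why)
    print("conflicts:", conflicting_glue(REGISTRAR_GLUE))
```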
"This is a case where you're right, everyone who has thought about it agrees that you're right, and that's still not the design decision that's going to be made."
"The Internet is about consensus, not truth. Never confuse the two." - Brian Reid (who funded BIND's development)
"A need exists for a set of (reasonably) persistent, unique, meaningful identifiers for services on the Internet, and in order to ensure this, you need a central registry."
Rubbish. As Bernstein pointed out a decade ago you could publish a cryptographically signed root zone via usenet.
You'd probably want some tool to check consistency and some tool to let you pick what tlds you want to support.
So you don't actually need a central registry. You might say you need a single DNS root zone but you'd be wrong there too. Some people may want only .com and .us. Others may want what's there now. Others may want what's there now plus some of the other 1000 tlds that have been in submarine mode for a decade.
While that may seem on the face of it, retarded, the cat was let out of the bag when people began spamblocking entire tlds from their universe (you need to primary the root for yourself, but this is trivial).
As for DNSSEC I agree with Bernstein's decade old comments. It's garbage and there are much better ways to do this. And as much as I'm loath to agree with Baptista, it does provide a false sense of security for a number of reasons (rogue employees being the one he mentioned, and Netsol's MS mistake is about all the proof you need).
"Is DNSSEC ready for prime time?"
Nope.
I note with relish Vint Cerf and Joe Baptista, who couldn't be more apart on DNS, agree that something other than DNSSEC should be used. This is probably the only thing they agree on. And they're quite right.
"Why the hell would I want to buy a bigger object with the same feature set?"
So you can read the screen? Is this a trick question?
What he said. I mean really. If anybody still thinks BIND zonefiles are a good idea they should bloody well be forced to write a program that parses them and good luck.
(Oh, btw, hi russ)
I realize there's an obligate duty for a car analogy here, but, so sorry. *
You'll have to settle for instruction sets. BIND files are now commonly bigger than most old programs, so what you have to write to get what you want to happen is important. BIND is like an old clunky assembler with bizarre and arcane properties. IBM 1130 or 360 maybe. DJB is like the pdp-11, it's elegant and simple. It's a joy, not a pain.
I don't mind writing software that outputs BIND files but I'm not sure it's even computationally possible to parse one of those pigs. They were never meant to do that, DJB was designed that way.
BIND was handy until the number of bugs went asymptotic, but it really should die now.
* not sorry
It's a weird article. I'm not exactly certain what information was actually conveyed or what Paul Mockapetris was actually saying and I know Paul. (scratches head).
People need to adopt DNSSEC. Yeah ok, whatever. A few people think this is giving too much power to verisign (again) and Dan Bernstein has other ideas and isn't fond of DNSSEC.
http://cr.yp.to/djbdns/forgery.html
"All you really need is a single source of trust. Right now we have 2: the root nameservers and the root SSL certificate authorities."
Well, but...
The "root servers" isn't one thing. It's 13 things. And the F server is actually a number of machines. Any one that gets compromised blows it for everything.
Another reason to run your own root zone, obtained from somebody who cryptographically signed it. Bernstein points out usenet would be a good mechanism for this.
A board? Oh, dear. No. It'd be a quagmire, a committee designed by a committee. icann did that, which is why it takes $62M to replace what used to be literally a $15K/yr part time contract.
Brian K. Reid. Everybody else is either too corrupt or too bizarre to actually do the job. Brian understands people, unlike most geek geniuses.
Nobody else can do as good a job in that role. Plus, never forget Sun was founded by the commission of a federal crime.
No, what should have been done a long time ago is to scrap X and use Sun's NeWS. They demo'd it in the 80s and it fixes a lot of problems in any X(/Y).
Oh well.
"If they were smart, they would disconnect their computers from the public internet. People can't access hardware they can't access."
They actually did this. The ARPA net split into the MILNET and the Internet. It wasn't actually that cut and dry, but you get the point. They wanted no part of "the network". They wanted "their network".
What's this stuff about changing rules though? Is that so the guys hacking them have a different set of rules to circumvent, is that the idea? Or so they believe these hackers will pay attention to new rules, it's just the dusty musty old rules they ignore?
Rubber bands age, harden and break. Nonetheless this is the way milspec drives are isolated.
Try using rubber muffler mounts from a 126 chassis Mercedes. Any dealer has them stupid cheap. You need two, just cut them in half. Use thick braided wire in loops to secure the frame to the rubber and rubber to the drive.
There. That cost your military 5 million dollars 20 years ago to learn that. Isn't it great what you can find on the net for free?
"but there is a reason the devil is sometimes portrayed as a lawyer."
Can we change that to Republican governor from Alaska instead then?
"Where the hell is ICANN at a time like this?"
That is nothing to do with ICANN's mandate, which is purely technical administration. You have a legal problem. Icann doesn't do anything about spam or ponies because they're not technical issues. Instead Icann focuses on, um trademark stuff which the government thinks is technical. Plus you're not rich enough for them to care about.
Now, as for this "we'll do good things with the money" crap. I ain't getting fooled again. The NSF directed NSI to retain 33% of all original domain names sales to put into an NSF "intellectual infrastructure" fund. "Intellectual infrastructure" was people and this money was for workshops, research grants and to, in the words of the man who made the fund, "keep the IETF *process* (not the ietf per se) pure".
Congress appropriated it and gave it to Mike Roberts when he initially captured ICANN, for his useless Internet2 backbone. Never mind companies all over the world paid into that fund.
Plus, if they want companies to be able to survive risk better, why are they taking 180K from them? How many companies are less risky cause they gave away 180K for nothing?
Now if it were me and I wanted to test a TLD I'd probably just tell you guys about it and by morning, if the server was still standing, I'm sure I'd have a pretty good idea what works and what doesn't.