* Posts by Brett

8 publicly visible posts • joined 25 Jun 2007

Sun banks future on multicore virtualization

Brett
Alert

@frank

VirtualBox is good for learning the basics about virtualisation on the desktop; it's not a datacentre VM solution though. XVM Server has potential, but it hasn't even hit beta yet, so it's a long way from being production ready. IMO, hypervisor production-ready VM solutions number 2 at the moment: VMware and Xen.

Brett

Caching bugs exposed in second biggest DNS server

Brett
Boffin

using tcp

Not really scalable when you have DNS servers serving multiple thousand queries of DNS servers per second. The speed isn't the issue; it's the overhead of setting up and maintaining those thousands of TCP sessions, if you are running an auth server, that is going to cause you headaches.

Brett (Wondering why Paris hasn't commented on this thread)

Kaminsky (finally) reveals gaping hole in internet

Brett

It's not really a fix is it?

No, the only real fix is DNSSEC, period.

Brett

Apple DNS patch doesn't patch Mac clients

Brett
Thumb Down

re: Nothing to do

Whether the client responds to external requests is irrelevant; by definition it must listen for answers to the queries it sends. If it does that and has a cache and doesn't randomize its ports, then it's vulnerable. This is why MS released patches for both the server and the client. That said, I'm not 100% sure there is a local cache on OS X clients, is there?

DNS lords expose netizens to 'poisoning'

Brett
Flame

oh

And I just realised, actually it's RFC 5155, not RFC 5255.

Brett

Brett
Flame

All too aware of dnssec and its shortcomings

James:

I am well aware of RFC 5255 and the problems it fixes, and am very well aware of how DNSSEC works (I deployed it on the European reverse tree). Hopefully, when there are some solid implementations of NSEC3, we will start to see more deployments; however, we still need support from ISPs, and there needs to be a cost benefit for them to do it.

Sara: You are right, the root operators are not/have not done anything with regard to DNSSEC in . However, don't blame them; the key and signing policies are political issues that need to come from ICANN. If you really want to see this happen, get involved with ICANN and push it through.

Brett

Brett
Flame

Mmmm

Well, firstly, the IETF have been and are doing something (DNSSEC); this protocol is ready to roll (and is being rolled in places), however it does need a push from a political (and marketing) point of view.

As for the zero cache, although this is a good idea in principle, if everybody were to ignore the TTLs on zones and there was no caching, we would have a helluva lot more traffic on an already very congested internet, so not really scalable.

The answer is, short term, to ensure the IDs are properly randomised, and, long term, to deploy DNSSEC.

Brett

ICANN goes to the Caribbean

Brett

dnssec deployment

Just a short comment, but there has also been extensive work by the RIPE NCC to deploy DNSSEC on the reverse DNS tree (in-addr.arpa).