S4E21: "Can You Dig It?"

Posted 2019-12-09 04:59
Modified 2019-12-09 21:46
Comments 0

We talk about DNS over HTTPS, DNSSEC, and a little bit of TSIG.

• Just the Tip
• Notes
• 15 Clams
• Errata
• Music

Just the Tip

• Paden talks about sleep.

Notes

Starts at 07m10s.

I was drinking chai tea. Paden was drinking Miller Lite. Jthan was drinking water (because he was at work).

• DNS over HTTPS
  • DoH is RFC 8484.
  • But it is not without controversy, and very vocal criticism from some information security professionals.
  • A better solution would be DNS over TLS assuming you even need that encryption in your risk model.
    • But browsers have no business shipping with preconfigured resolvers using a non-transparent protocol and not respecting the system’s DNS resolving configuration.
• DNSSEC (33m52s)
  • RFC 2535, RFC 4033, rfc 4034, rfc 4035, RFC 5155 (NSEC3), and probably others.
  • APNIC had a presentation on it, and
    • There’s also some good primers on it out there.
  • Along with DNSSEC, PowerDNS also supports TSIG via its API.

15 Clams

In this segment, Jthan shares with you a little slice of life. The title is a reference to this video. (2m16s in)

Starts at 48m50s.

Jthan went to the SC Conference and got a hard-on for Spack. I think it’s just asking for trouble. The overhead of just building a new package with different make flags using e.g. RPM SPEC files is negligible (cp and 10 seconds in vim) compared to adding a new “spack spec”. It’s a layer of complexity that adds more work that masquerades as making it easier as a band-aid to broken package distribution. It’s snake oil that pretends to be magic. Just fix your package distribution methods.

Errata

• I couldn’t find the emergency-booze-in-computer-case thing, but I found the inverse!
• DNS over TLS was accepted as an RFC! Yay!
• This is what Paden was talking about.

Music

Author r00t^2
Categories Season Four