xz53
No user record in our sample, but xz53 has activity below (stories or comments). Likely we have partial data — the full bulk-load will fill profiles in.
No user record in our sample, but xz53 has activity below (stories or comments). Likely we have partial data — the full bulk-load will fill profiles in.
PowerDNS got caught out too: https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6...
> ...requests up the tree That's right, it's not recursively working its way down from the root because it's a stub resolver.
RFC 8499: Stub resolver: A resolver that cannot perform all resolution itself. Stub resolvers generally depend on a recursive resolver to undertake the actual resolution function.
DNSSEC evaluates answers as being one of secure, insecure, or bogus. Secure means there's proof the answer is correct going all the way back to the root. Insecure means at some point there was a delegation that either…
> A validating stub resolver is effectively a recursive resolver proxying through another recursor. At the point where you're going to do that, you might as well just run a recursive server. Every iPhone on the planet…
In a nutshell, the vulnerability is stuffing a lot of broken signatures from different keys in a response so the validator wastes a bunch of time retrieving keys and then validating signatures that'll never validate.…
> The core problem with DNSSEC adoption has always been what happens when your ZSK/KSK expires, which it ought to for the same reason SSL certs expire. For most users there's really no reason for a ZSK/KSK split or…
> If you're not recursing, you're not really validating DNSSEC records. Nope, validating in stubs is a thing. systemd's resolved does it. Apple's high-level network frameworks do it if you ask as of a couple of years…
> Ever since enabling DNSSEC validation on my system, YouTube and every other Google product except basic searching is broken for me. Enabling DNSSEC wouldn't change resolution of those properties unless you somehow set…