nanog mailing list archives
Re: Question about DNS naming conventions
From: Jack Bates <jbates () paradoxnetworks net>
Date: Wed, 12 Feb 2025 21:53:45 -0600
On 2/12/2025 2:34 PM, William Herrin wrote:
> On Wed, Feb 12, 2025 at 9:58 AM Jack Bates <jbates () paradoxnetworks net> wrote:
>> The software has no concept of what the data is
>
> Which is why the software shouldn't be making a hard decision about appropriate cryptography. The users on the two ends, the folks who do know what the data is, should have the final say. The software should set sensible defaults and then let those users decide what to do about the large and growing gap of failure between the current default and the often still allowed unencrypted plain text.

Most users don't have any idea and would allow an attacker to compromise their bank connection if given the choice. The defaults are designed to protect the majority?

> That "curl https://enemieslist.com" returns a fault is not unreasonable. That "curl --insecure https://enemieslist.com" also fails reflects faulty thinking on the part of alleged security experts.

I suspect --insecure has special meaning and shouldn't be overloaded to include anything that is "insecure". However, curl depends on the underlying libraries, and I believe it was those libraries that are being compiled and installed with older stuff disabled. A quick search shows you have to do custom builds to enable on any current system.

> My personal pain point is out of band access to older servers. They're well past the manufacturer's maintenance so there are no more software updates. I can use nice modern VPN software to secure the channel between me and their LAN, but I have to maintain obsolete versions of web browsers and their dependent libraries along with obsolete versions of Java because the modern ones won't connect. I'd rather have less obsolete bug ridden software around, but the self-appointed security experts have stolen that choice from me.

In my experience, except for Java incompatibilities itself, you can usually tweak the configuration and exception rules to get Java to connect and accept older signed packages. Sometimes you have to retweak after an upgrade. Firefox appears to have quite a few options in about:config to enable older stuff and also supports exception lists for some things.
Of course, my experience is limited, and I may not be nearly as archaic as you.
Jack
