@dcz oh ok, that shortens all the hurdles significantly.
Maybe fedora decided they don't need a kernel on lxc/incus anyway
@dcz I hate booting from usb, all these hurdles with flashing a new iso on it, breaking into secure-mode bios with password I never remember as well as luks recovery key
@BreetzTootz true dat, Various Artists is my favourite band, OST is favourite band of my wife
@ondrej ok then I totally miss the point. You cannot do DNS adblock without hijacking DNS, but yes that shouldn't be each and every request (proxying dns and breaking normal recursion) instead only for blacklisted. But if you hijack everything and pretend to be AA for everything then RD should be totally irrelevant as everything is non-recursive. Is it what you are saying that it still requires RD even when pretending being AA?
@Menel @xmpp @singpolyma ok perhaps it's caching more aggressively than SOA TTL, I just set tlsa and checked - it was saying I should set tlsa, waited for ttl time, rechecked - still said I need to set tlsa. But today it's ok, shows green.
@ondrej I mean it's OK to return REFUSED to non recursive queries. It's not OK to do otherwise. Nothing to do with hijacking.
@ondrej Uhm, that's a default in unbound now, called cache snoop protection (REFUSE to rd=0)
@xmpp @singpolyma seems it does not follow cname? or it does not tell if domain is ok already?
@daniel So then simple minimal requirement:
Server must implement endpoint + unique for tlsv1.2 if it advertises PLUS and exporter + endpoint for tlsv1.3. Client may support either endpoint or unique for 1.2 and exporter or endpoint for 1.3 if it attempts to support PLUS
@daniel I went to add it to my domain just to realize with a big surprise I have already set it (don't remember that at all).
@daniel well yes, I'm aware about that problem, but I think the best we can do is just restrict that to rigid rules (1.2=cert+uniq, 1.3=cert+exporter) as otherwise you need to bring in signing and verification into stream feature negotiation which are usually working at different layers and not always can use each other's data.
@daniel I thought sasl-scram-plus is supported by majority client/server implementations?
@SwiftOnSecurity to hell with those vulnerabilities. I'm tired patching them, pulling the plug
@Zeb_Larson Yes we are all individuals, we are all different
The EU intends to add surveillance to end-to-end encrypted chats, including the use of AI powered scanners that should (generically) detect Child Sexual Abuse Material and grooming & report to Europol. Yesterday, I presented on this terrible proposal in a hearing of the Dutch parliament. Here is an English transcript of my very plain language explanation of how bad this all is: https://berthub.eu/articles/posts/client-side-scanning-dutch-parliament/ /cc @echo_pbreyer
@mntmn And how it behaves without? I mean is it just adding external noise filtering (eg you shouldn't worry about proper internal wiring) or internal (without it the screen is always unstable)?
@Sheril I disagree
@vanitasvitae @florida_ted this season at octoberfest I've been introduced into secret code of the secret dress code - the skirt knot coding