Hacker News: throw0101a's comments

Software patents suck. :/

Yup, software patents are terribly bad; we need to abolish them: https://endsoftwarepatents.org/

Yeah, I'm curious to see how this turns out, because I think part of the appeal of AV1 was how it's unencumbered by them.

One tool that can be used in a deployment hook which supports the API of several dozen DNS providers:

* https://github.com/dns-lexicon/dns-lexicon


The list of API integrations provided by the lego project looks quite impressive. https://go-acme.github.io/lego/dns/index.html

There's at least one ACME client that has this as an explicit feature:

> Get certificates for remote servers - The tokens used to provide validation of domain ownership, and the certificates themselves can be automatically copied to remote servers (via ssh, sftp or ftp for tokens). The script doesn't need to run on the server itself. This can be useful if you don't have access to run such scripts on the server itself, e.g. if it's a shared server.

* https://github.com/srvrco/getssl

It's written in Bash, so dependencies aren't too heavy.


> I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone.

Depending on your DNS provider, it may be possible to narrow the permissions to allow only updates of a particular record. Route53 as an example:

      {
         "Effect": "Allow",
         "Action": "route53:ChangeResourceRecordSets",
         "Resource": "arn:aws:route53:::hostedzone/<ZONE-ID>",
         "Condition": {
            "ForAllValues:StringEquals": {
               "route53:ChangeResourceRecordSetsNormalizedRecordNames": "_acme-challenge.<SUB>.<DOMAIN>.<TLD>"
            }
         }
      }
* https://github.com/acmesh-official/acme.sh/wiki/How-to-use-A...

BIND 9 example:

* https://dan.langille.org/2020/12/19/creating-a-very-specific...

You can also point the hostname that you wish to issue certs for to another (sub-)domain completely via a CNAME, and allow updates only for that other (sub-)domain:

* https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...

* https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...


Yes, I see that AWS Route53 can limit credential scope. That kind of thing helps a lot.

I've never heard of that CNAME approach for changing the validation domain. That looks like a viable solution since it requires a one-time setup on the main domain and ongoing access to the second (validation) domain.


> That looks like a viable solution since it requires a one-time setup on the main domain and ongoing access to the second (validation) domain.

At my last job we deployed a special sub-domain for that purpose (dnsauth.example.com) and manually created CNAMEs on our main (sub-)domains to point to it.

We then deployed a single (no-HA) externally exposed BIND server with a bunch of scripts that folks could connect to (we had deploy hook scripts for users/developers). Nowadays there are even purpose-built DNS servers for this purpose:

* https://github.com/acme-dns/acme-dns


My experience has been that CertBot doesn't play well with CNAME delegation, but it's probably very situational, like depending upon which DNS hosting provider plugin you're using.

My solution was to give up on CertBot and use dehydrated instead. This did require me to come up with a script to make the necessary API call to the DNS hosting, which dehydrated will then run as necessary.
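The hook mechanism described in the two comments above (a dedicated validation zone such as dnsauth.example.com that the real zones CNAME into, plus a script the ACME client runs to add and remove the TXT record) looks roughly like the following. This is an added example, not the commenter's script nor part of dehydrated itself; the zone, name server, TSIG key path, TTL, wait time and the `_acme-challenge.<host> -> <host>.<validation-zone>` alias convention are assumptions for illustration. The handler names and argument order (`deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE`, `clean_challenge ...`) are dehydrated's documented hook interface; record updates go through BIND's `nsupdate` with a TSIG key that is only permitted to update the validation zone, so a compromise of the host running the hook cannot alter the primary zone.

```shell
#!/usr/bin/env bash
# Added example: a dehydrated hook that writes the dns-01 TXT record into a
# separately delegated validation zone (the CNAME approach from the thread)
# using nsupdate + TSIG. Zone, server, key path and alias convention below are
# assumptions for illustration, not taken from the original comments.
set -eu

# Validation zone that every _acme-challenge.<host> CNAME points into, and the
# name server / TSIG key that may update *only* that zone.
: "${AUTH_ZONE:=dnsauth.example.com}"
: "${AUTH_SERVER:=ns1.dnsauth.example.com}"
: "${TSIG_KEYFILE:=/etc/dehydrated/dnsauth.key}"
: "${TTL:=60}"
: "${PROPAGATION_WAIT:=10}"

# Assumed CNAME convention (set up once in the real zone):
#   _acme-challenge.www.example.com. CNAME www.example.com.dnsauth.example.com.
# A wildcard request "*.example.com" validates at _acme-challenge.example.com,
# so the "*." prefix is stripped first.
alias_name() {
    local domain="${1#\*.}"
    printf '%s.%s.\n' "$domain" "$AUTH_ZONE"
}

# Build the nsupdate batch for add|delete of the TXT record. Kept separate from
# the network call so it can be inspected (or tested) without a live server.
build_nsupdate_batch() {
    local action="$1" domain="$2" token="$3"
    local name
    name="$(alias_name "$domain")"
    printf 'server %s\n' "$AUTH_SERVER"
    printf 'zone %s.\n' "$AUTH_ZONE"
    printf 'update %s %s %s IN TXT "%s"\n' "$action" "$name" "$TTL" "$token"
    printf 'send\n'
}

# Send the batch to the validation zone's primary, signed with the scoped key.
run_nsupdate() {
    nsupdate -k "$TSIG_KEYFILE" <<EOF
$(build_nsupdate_batch "$@")
EOF
}

# dehydrated invokes the hook as: hook.sh <handler> <args...>
main() {
    local handler="$1"; shift
    case "$handler" in
        deploy_challenge)
            # $1 = DOMAIN, $2 = TOKEN_FILENAME (http-01 only), $3 = TOKEN_VALUE
            run_nsupdate add "$1" "$3"
            # Give secondaries time to pick up the record before the CA queries.
            sleep "$PROPAGATION_WAIT"
            ;;
        clean_challenge)
            run_nsupdate delete "$1" "$3"
            ;;
        *)
            # deploy_cert, unchanged_cert, exit_hook, ...: nothing to do here,
            # but dehydrated expects the hook to exit 0 for every handler.
            ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Point dehydrated at it with `HOOK=/path/to/hook.sh` and `CHALLENGETYPE="dns-01"` in its config. Because the TXT record is written under the validation zone rather than the real one, the TSIG key (or, for a hosted provider, the API token) only ever needs update rights on dnsauth.example.com; the CNAME in the primary zone is the one-time setup the thread mentions.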


> My experience has been that CertBot doesn't play well with CNAME delegation […]

A CertBot ticket on the subject opened January 2026:

* https://github.com/certbot/certbot/issues/10555


> English on the other hand has so many exceptions (usually based on the origin of the word), that I still encounter words that I'll mispronounce at first.

English is not really one language, in a sense, given that it uses words from so many others: Anglo-Saxon, French, Latin, Greek, etc.



Also used in Italian and presumably in many other languages.

Like with any word, its use in colloquial form may vary from generation to generation, from subculture to subculture, etc.


A few years old now, but still worth checking out:

* https://en.wikipedia.org/wiki/The_High_Cost_of_Free_Parking


Grabar's book that I linked below is probably more accessible to most people, but Shoup is of course the OG.


For those unaware, this is the dialogue/caption in Tom Toro's 2012 New Yorker cartoon:

* https://www.newyorker.com/cartoon/a16995

* https://tomtoro.com/cartoons/

* https://condenaststore.com/featured/the-planet-got-destroyed...


> Maybe there's 3rd party code which SGI/HPE licensed?

IIRC, this was one of the complications of open sourcing Solaris back in the day.


Yep, I recall one of the big components being libc i18n


> It's incredible that about 80% of people in this thread seem to be commenting without having looked at the website.

Are you new to the Internet? This has been a thing since (at least) Slashdot. :)

