Hacker News | amiljkovic's comments

The Ars article mentions: “Even when HTTPS is in place, an attacker can still intercept domain look-up traffic and use DNS cache poisoning to corrupt tables stored by the target’s operating system.” Not sure, but I think this could then be further used for phishing.


DNSSEC prevents that if set up properly.


This is an on-path attacker. In end-user DNS configurations, attackers can simply disable DNSSEC; it's 1 bit in the DNS response header ("yeah, sure, I verified this for you, trust me").
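Added illustration for the point above (this is not part of any comment in the thread): the "1 bit" is the AD (Authenticated Data) flag in the 16-bit FLAGS word of the DNS message header, the same flag `dig` prints as `ad` in its `flags:` line. The Python below, written for this page, decodes that header, shows an on-path attacker setting AD on an unsigned answer by changing a single byte, and contrasts a stub that believes AD with one that sets CD in its query so it can validate RRSIGs itself. The response bytes are constructed here; no signature checking is implemented.

```python
import struct

# DNS message header (RFC 1035 §4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")

# Bit positions inside the 16-bit FLAGS word (RFC 1035; AD and CD per RFC 4035)
QR_BIT = 1 << 15   # message is a response
RD_BIT = 1 << 8    # recursion desired
RA_BIT = 1 << 7    # recursion available
AD_BIT = 1 << 5    # "authenticated data": the upstream resolver claims it validated
CD_BIT = 1 << 4    # "checking disabled": the client intends to validate itself


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header of a DNS message into named fields."""
    msg_id, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {
        "id": msg_id,
        "qr": bool(flags & QR_BIT),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & (1 << 10)),
        "tc": bool(flags & (1 << 9)),
        "rd": bool(flags & RD_BIT),
        "ra": bool(flags & RA_BIT),
        "ad": bool(flags & AD_BIT),
        "cd": bool(flags & CD_BIT),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def set_ad_bit(msg: bytes, value: bool) -> bytes:
    """Rewrite only the AD flag; every other byte of the message is untouched.

    This is all an on-path attacker has to do to make an unsigned, forged
    answer look "authenticated" to a stub that trusts the upstream's AD bit.
    """
    (flags,) = struct.unpack_from("!H", msg, 2)
    flags = (flags | AD_BIT) if value else (flags & ~AD_BIT & 0xFFFF)
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


def non_validating_stub_accepts_as_secure(msg: bytes) -> bool:
    """A stub resolver that does no validation of its own simply believes AD."""
    return parse_header(msg)["ad"]


def validating_stub_query_flags() -> int:
    """FLAGS a self-validating stub puts in its *query*: RD plus CD.

    CD asks the upstream not to validate (or filter) on the stub's behalf. The
    stub also sends an EDNS0 OPT record with DO=1 (not built here) so RRSIGs
    come back, checks those signatures itself, and ignores AD on the reply.
    """
    return RD_BIT | CD_BIT


def _question(name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Wire-encode one question entry (labels, QTYPE, QCLASS)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return labels + b"\x00" + struct.pack("!HH", qtype, qclass)


# Constructed sample: an ordinary, unsigned A response for example.com from a
# recursive resolver. FLAGS 0x8180 = QR, RD, RA set; AD and CD clear; RCODE 0.
SAMPLE_RESPONSE = (
    HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0)
    + _question("example.com")
    + b"\xc0\x0c"                         # answer name: pointer to the question name
    + struct.pack("!HHIH", 1, 1, 300, 4)  # type A, class IN, TTL 300, RDLENGTH 4
    + bytes([192, 0, 2, 1])               # 192.0.2.1 (documentation range)
)

if __name__ == "__main__":
    honest = parse_header(SAMPLE_RESPONSE)
    forged = set_ad_bit(SAMPLE_RESPONSE, True)
    print("upstream said AD:", honest["ad"])                                      # False
    print("after on-path flip, stub believes AD:",
          non_validating_stub_accepts_as_secure(forged))                         # True
    print("bytes changed by the attacker:",
          sum(a != b for a, b in zip(SAMPLE_RESPONSE, forged)))                  # 1
    print("validating stub query FLAGS: 0x%04x" % validating_stub_query_flags())  # 0x0110
```

The takeaway for a stub that only reads AD: the flag is set by whoever last touched the packet, so on an unauthenticated path (plain UDP/53 to a resolver the attacker sits in front of) it carries no information. A stub that validates locally needs the DNSKEY/DS chain from the root trust anchor down, which is why the rest of the thread turns into a discussion of running a validating cache on the host.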


No, modern resolvers like systemd-resolved actually check the DNSSEC signatures on the client.


To check the DNSSEC signatures on the client, you have to do a full recursive lookup. You've always been able to run your own DNS cache, if you want your host to operate independently of any upstream DNS server. But at that point, you're simply running your own DNS server.


It's not necessarily equivalent to a recursive lookup; you can ask a cache for all the answers because you already know the root keys a priori. But yes, it does follow the entire chain of trust, that's the entire point of DNSSEC: if you don't do that the whole exercise is utterly pointless.


It's explicitly not the point of DNSSEC, which has for most of its entire existence been designed to be run as a server-to-server protocol, with stub resolvers trusting their upstream DNS servers.

I agree with you, though. It's utterly pointless.


Not true: RFC 4035 says all security-aware resolvers SHOULD verify the signatures. It's far from pointless when actually implemented. Don't dismiss a whole protocol just because some historical implementations have been half-assed.


The RFC uses "security-aware" to set them apart from ordinary resolvers, which are what every mainstream resolver uses.


Can you link to a distro config that defaults to that?


No, it's experimental. But I run it on all my machines; the only time I've had a problem is when it caught a typo in a DS record.


Nobody has ever disputed that you could run a fully recursive cache on your workstation, only that any ordinary user ever does.

You can see at this point how hollow "DNSSEC" is as an answer to the problem of this thread.


It's not a full recursive lookup: you don't understand how DNSSEC works. I'm not replying to you any more.


I'm guessing I do. Anyways: no question that there are a variety of experimental setups in which you can address the problem of on-path attackers trivially disabling DNSSEC, freeing you up to work on the next, harder set of DNSSEC security and operational problems.


Ars is a very fitting name


Does it support kiosk mode or is it configurable to run “locked down” to a single page and full-screen?


This is an incomplete browser engine, suitable mostly for technical contributors. If you're looking for a solution for kiosks, there are good for-purpose products/projects. Examples include: OpenKiosk, Porteus Kiosk, SiteKiosk.


If servoshell doesn't, Tauri will; the Tauri project seemed open to collaborating with Servo as an alternative to OS-provided WebViews.


What is optics?


It's a term that has been adopted to sound more professional than "keeping up appearances" which is an age-old concept. It is about how things are/will be perceived by others, rather than the truth of the matter.


The emotional perception of the quality of you, the worker, in the eyes of the leadership who pays you. It is distinct from your true value and contributions. It is maximized by you optimizing the visibility of things that boost reputation and minimizing the visibility of embarrassing things.


Perception is reality. (For better or worse.)


Could have made a hole in the PCB the size of the chips, and flipped them so they take up less vertical space, which makes the card flatter. Not sure about the uSD card slot, but a solution for that might also be possible.


Yes, but then JLCPCB would not have assembled it for me. I would not want to assemble a few dozen of those by hand...


Web Application Firewall

