Is there anyone here using deSEC as their DNS provider?
What are your impressions?
#DNS #deSEC #Europe #DNSSec #hosting #providers #help #survey
AWS Lambda functions changed the link-local address for the internal resolver. For reasons.
Caused some of my CDS monitoring functions to fail. I've fixed it now and am in the process of adding some resilience. #dns #dnssec
https://kalfeher.com/analysis/cds-charts/
For many years (20+) I have worked with #DNS and considered myself an expert in this area. I have even had to work with #DNSSEC, which is not very widespread, but today I was surprised to learn that there is a CAA (Certification Authority Authorization) record type, which specifies which certificate authorities may issue #SSL certificates for a domain. This is done so that the domain owner can forbid individual CAs from issuing certificates, or allow only a single CA to do so.
First alpha release of PowerDNS Recursor 5.4.0
https://blog.powerdns.com/2025/12/16-first-alpha-release-of-powerdns-recursor-5.4.0
The domain registration and server services provider "Interneto vizija" has implemented DNSSEC support: if you use this provider's default DNS servers (ns*.serveriai.lt), you can enable the "DNSSEC apsauga" (DNSSEC protection) feature in the client area.
If you use other (non-IV) DNS servers, the DNSSEC public key will still have to be sent directly to the support team so that they submit it to the central registry manually.
Got around to enabling DNSSEC and CAA for funzies. Not surprised at the 2LD .com adoption sitting ~5%!
If Google, Microsoft, Akamai, Apple, Amazon all don't DNSSEC-sign.. I'm curious who is. And who by vertical (ISPs?), country (probably Germany), and NS (does using AWS, Cloudflare or UltraDNS make a difference in adoption?)
@sneufeind @publicvoit the idea with self-signed certs in combination with #dnssec sounds exciting and is robust in the sense of decentralization.
My concern with #letsencrypt is the potential for compromise given its widespread use and the resulting consequences...
@publicvoit You are right that it's so important to have encryption. Given the established ways of running https (with CAs), solutions like #LetsEncrypt were the most straightforward ones. It helped establish things like #ACME and shorter cert-lifetimes.
Too bad projects like #CACert failed to really establish.
I would have hoped rolling out self-signed certs with #DNSSEC validation would have been considered by browsers as an additional and viable solution completely avoiding CA-hierarchies.
I used the @internet_nl test suite to assess the institutional websites of public administrations (PA) and the results are embarrassing 😱
- Only 0.55% of domains are authenticated with #DNSSEC
- Only 1.67% of sites are reachable over #IPv6
- Only 12% of sites implement #HTTPS correctly
- Only 4.75% of e-mail domains adopt adequate phishing protection measures #DMARC #DKIM #SPF
- Heavy dependence on US ISPs, particularly for e-mail
https://www.fabriziotarizzo.org/documenti/analisi-siti-pa-2025/
RFC 9824: Compact Denial of Existence in DNSSEC
This #RFC allows a domain name to be both existent and non-existent at the same time. More precisely, it makes it possible to provide a cryptographic proof with #DNSSEC, proving that the name exists (when it does not exist) but does not have the requested data. This technique is particularly suited to the case of dynamic signing, but has the drawback of "lying".
By the way, the good thing is that that lousy #DNSSEC still isn't deactivated on my domain.
PowerDNS Authoritative Server 5.0.2 and 4.9.12 Released
https://blog.powerdns.com/2025/12/11/powerdns-authoritative-server-5.0.2-and-4.9.12-released
At DNS-OARC 45, after a stimulating pre-conference workshop, my colleague Peter Thomassen presented his updated draft on DNSSEC automation guidelines – that will maximize interoperability and minimize surprise. If that doesn’t sound like DNSSEC to your ears, go check it out!
https://www.youtube.com/watch?v=zQyrcVOf1MI
Since launching Cascade early October, we’ve been pumping out alpha releases of our #DNSSEC signer at a fairly high velocity.
We're now at alpha5 and decided to slow down releases for the time being, while we're working on a lot of parallel tasks that are dependent on one another.
We'll resurface in a few weeks with some big steps forward! You can stay up to date with our progress here:
PowerDNS Security Advisories 2025-07 and 2025-08
a.k.a. PowerDNS Recursor 5.1.9, 5.2.7 and 5.3.3 Released
https://blog.powerdns.com/2025/12/08/powerdns-security-advisories-2025-07-and-2025-08
I deployed #DNSSEC soon after 2016-08-23 18:34:01 CEST, when I had added support for it in my DNS management tool:
summary: Add support for DNSSEC.
It was fun playing with it, but now I have turned it off on my main domain. Why? Because while solving one issue _somewhat_, it adds another huge issue: the entire zone can disappear.
And no matter how careful I was, I too managed to make an error which brought my zone offline due to DNSSEC briefly. Luckily, monitoring caught that immediately.
#DNSSEC users, are you using a trusted validating resolver _right now_?
@nlnetlabs haha, yes the nsec3 chain pointing back to itself (as discussed recently), nice :-). #dnssec