home.social

#dnssec — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #dnssec, aggregated by home.social.

  1. I spent a few hours last week migrating my personal websites from AWS to @[email protected]. I'm very happy with it so far.

    Moving my static sites was pretty easy. The hardest part was dealing with
    #DNSSEC, which is a PITA to migrate between hosts. You do want to migrate your DNS, cause they have a PZ record type, so you don't have to use a CNAME to point to the CDN.

    I was able to map services directly:
    Route 53 -> Bunny DNS
    Cloudfront -> Bunny CDN
    S3 -> Bunny Storage

    bunny.net is a
    #CDN based out of Slovenia, so they're covered by GDPR and not part of USA's big tech industry. They're a small company, but their network is not small. They have 9 regions (where data is stored) and 119 edge locations (where data is cached) on the six continents.

    The hosting itself is pretty cheap. They have a 14 day trial that includes some trial bucks, but my personal sites didn't use enough resources to get charged a penny even. that is until I enabled a premium service, Bunny Optimizer. This service is about $10/mo and includes features to make your site even faster, like on request conversion of your images to webp format, and resizing/cropping/etc images based on querystring. It also compacts css/js/etc. It's worth it for my image-heavy site, but you can decide if it's worth it for your use case.

    What's next on my exodus from AWS?
    Bunny isn't a registrar, so I need to migrate my domain registrations off Route 53. This should be easy, but they don't expire till next year, so I'm in no hurry to transfer.
    Bunny has container hosting, but they don't have a service comparable to EC2. So, I need to migrate my VPSes (unrelated to websites) off AWS. They're prepaid with Savings Plans through December, so this is something to look at in the fall.

  2. I spent a few hours last week migrating my personal websites from AWS to @[email protected]. I'm very happy with it so far.

    Moving my static sites was pretty easy. The hardest part was dealing with
    #DNSSEC, which is a PITA to migrate between hosts. You do want to migrate your DNS, cause they have a PZ record type, so you don't have to use a CNAME to point to the CDN.

    I was able to map services directly:
    Route 53 -> Bunny DNS
    Cloudfront -> Bunny CDN
    S3 -> Bunny Storage

    bunny.net is a
    #CDN based out of Slovenia, so they're covered by GDPR and not part of USA's big tech industry. They're a small company, but their network is not small. They have 9 regions (where data is stored) and 119 edge locations (where data is cached) on the six continents.

    The hosting itself is pretty cheap. They have a 14 day trial that includes some trial bucks, but my personal sites didn't use enough resources to get charged a penny even. that is until I enabled a premium service, Bunny Optimizer. This service is about $10/mo and includes features to make your site even faster, like on request conversion of your images to webp format, and resizing/cropping/etc images based on querystring. It also compacts css/js/etc. It's worth it for my image-heavy site, but you can decide if it's worth it for your use case.

    What's next on my exodus from AWS?
    Bunny isn't a registrar, so I need to migrate my domain registrations off Route 53. This should be easy, but they don't expire till next year, so I'm in no hurry to transfer.
    Bunny has container hosting, but they don't have a service comparable to EC2. So, I need to migrate my VPSes (unrelated to websites) off AWS. They're prepaid with Savings Plans through December, so this is something to look at in the fall.

  3. I spent a few hours last week migrating my personal websites from AWS to @[email protected]. I'm very happy with it so far.

    Moving my static sites was pretty easy. The hardest part was dealing with
    #DNSSEC, which is a PITA to migrate between hosts. You do want to migrate your DNS, cause they have a PZ record type, so you don't have to use a CNAME to point to the CDN.

    I was able to map services directly:
    Route 53 -> Bunny DNS
    Cloudfront -> Bunny CDN
    S3 -> Bunny Storage

    bunny.net is a
    #CDN based out of Slovenia, so they're covered by GDPR and not part of USA's big tech industry. They're a small company, but their network is not small. They have 9 regions (where data is stored) and 119 edge locations (where data is cached) on the six continents.

    The hosting itself is pretty cheap. They have a 14 day trial that includes some trial bucks, but my personal sites didn't use enough resources to get charged a penny even. that is until I enabled a premium service, Bunny Optimizer. This service is about $10/mo and includes features to make your site even faster, like on request conversion of your images to webp format, and resizing/cropping/etc images based on querystring. It also compacts css/js/etc. It's worth it for my image-heavy site, but you can decide if it's worth it for your use case.

    What's next on my exodus from AWS?
    Bunny isn't a registrar, so I need to migrate my domain registrations off Route 53. This should be easy, but they don't expire till next year, so I'm in no hurry to transfer.
    Bunny has container hosting, but they don't have a service comparable to EC2. So, I need to migrate my VPSes (unrelated to websites) off AWS. They're prepaid with Savings Plans through December, so this is something to look at in the fall.

  4. PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server
    (aka PowerDNS Authoritative Server 4.9.15 & 5.0.5 released)

    blog.powerdns.com/2026/05/20/p

  5. PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server
    (aka PowerDNS Authoritative Server 4.9.15 & 5.0.5 released)

    blog.powerdns.com/2026/05/20/p

    #dns #dnssec

  6. PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server
    (aka PowerDNS Authoritative Server 4.9.15 & 5.0.5 released)

    blog.powerdns.com/2026/05/20/p

    #dns #dnssec

  7. PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server
    (aka PowerDNS Authoritative Server 4.9.15 & 5.0.5 released)

    blog.powerdns.com/2026/05/20/p

    #dns #dnssec

  8. PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server
    (aka PowerDNS Authoritative Server 4.9.15 & 5.0.5 released)

    blog.powerdns.com/2026/05/20/p

    #dns #dnssec

  9. 🚨 SECURITY RELEASE 🚨
    Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time.

    There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.

    Please read the release notes carefully and plan to upgrade.

    #DNS #DNSSEC #Mythos #LLM #OpenSource

    community.nlnetlabs.nl/t/unbou

  10. 🚨 SECURITY RELEASE 🚨
    Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time.

    There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.

    Please read the release notes carefully and plan to upgrade.

    #DNS #DNSSEC #Mythos #LLM #OpenSource

    community.nlnetlabs.nl/t/unbou

  11. 🚨 SECURITY RELEASE 🚨
    Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time.

    There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.

    Please read the release notes carefully and plan to upgrade.

    #DNS #DNSSEC #Mythos #LLM #OpenSource

    community.nlnetlabs.nl/t/unbou

  12. 🚨 SECURITY RELEASE 🚨
    Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time.

    There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.

    Please read the release notes carefully and plan to upgrade.

    #DNS #DNSSEC #Mythos #LLM #OpenSource

    community.nlnetlabs.nl/t/unbou

  13. 🚨 SECURITY RELEASE 🚨
    Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time.

    There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.

    Please read the release notes carefully and plan to upgrade.

    #DNS #DNSSEC #Mythos #LLM #OpenSource

    community.nlnetlabs.nl/t/unbou

  14. 🔥 CVE-2026-33278: Critical use-after-free in NLnet Labs Unbound (1.19.1 – 1.25.0). DNSSEC validator flaw can lead to DoS or RCE if attacker controls DNS zone. Patch: upgrade to 1.25.1. radar.offseq.com/threat/cve-20 #OffSeq #DNSSEC #Vuln #Infosec

  15. Ah. J’aime quand les problèmes se résolvent aussi facilement.

    J’ai désactivé l’option, puis l’ai réactivée. Et maintenant, c’est bon, j’ai pu renouveler le certificat Let’s Encrypt dans YunoHost.

    Oui, parce que c’est grâce à l’interface d’admin de YunoHost que j’ai su que c’était DNSSEC le problème. J’aurais jamais trouvé ça tout seul!

    #Infomaniak #DNS #DNSSEC
  16. Quelque chose me dit que ce status: REFUSED n’est pas une bonne nouvelle…

    #Infomaniak #DNS #DNSSEC
  17. Allons bon. J’ai donc désactivé l’option DNS Fast Anycast pour tous mes domaines chez Infomaniak (youpi, des économies). Du coup, j’en ai profité pour activer DNSSEC pour les quelques domaines chez qui ce n’était pas déjà fait (youpi, c’est gratos). Sauf que du coup, j’en ai un qui ne marche plus du tout.

    Alors, je précise tout de suite, moi, les histoires de DNS, je connais le principe, de loin, mais j’y connais pas grand-chose. Juste, là, je constate que l’activation a tout cassé. Et juste pour ce domaine-là, pas pour les autres, chez le même registraire.

    #Infomaniak #DNS #DNSSEC
  18. After showing the progress of our #DNSSEC signing solution Cascade at DNS-OARC last weekend, this week we are at #RustWeek, supporting the developer community that makes our new software possible.

    #DNS #OpenSource #rustlang

  19. After showing the progress of our #DNSSEC signing solution Cascade at DNS-OARC last weekend, this week we are at #RustWeek, supporting the developer community that makes our new software possible.

    #DNS #OpenSource #rustlang

  20. After showing the progress of our #DNSSEC signing solution Cascade at DNS-OARC last weekend, this week we are at #RustWeek, supporting the developer community that makes our new software possible.

    #DNS #OpenSource #rustlang

  21. After showing the progress of our #DNSSEC signing solution Cascade at DNS-OARC last weekend, this week we are at #RustWeek, supporting the developer community that makes our new software possible.

    #DNS #OpenSource #rustlang

  22. After showing the progress of our #DNSSEC signing solution Cascade at DNS-OARC last weekend, this week we are at #RustWeek, supporting the developer community that makes our new software possible.

    #DNS #OpenSource #rustlang

  23. Checkdomain ist auch geil. Beschreibt auf der Website, dass man doch DNSSEC nutzen soll, um seine Domain abzusichern.

    Ich finde das Feature aber in der Verwaltung nicht. Also Support angeschrieben.

    Support sagt: Jaaa das empfehlen wir schon, aaaaber ... eh ... wir bieten es nicht an.

    🤦‍♂️

    Wer hat sich das denn schon wieder ausgedacht ...

    #dnssec

  24. @bortzmeyer As the manager of the Cascade project, I feel it's important to provide some context and nuance to the terms "alpha”, “beta" and “production ready”. This applies especially to software that is intended to run in critical infrastructure, with possible grave consequences when there is a failure.

    While @nlnetlabs is building Cascade on 25 years of experience in DNS and software architecture, operators should not take our work for granted based on that.

    This is our plan.

    We have frozen the feature set Cascade has now, for the beta release. That means a DNSSEC signer with HSM support, IXFR in and out with TSIG, deterministic incremental signing, review hooks, and monitoring endpoints.

    We will mark this release as “beta” in the coming weeks, but read this as whatever you feel is appropriate given the context I gave. That being said: we will dogfood this release. Starting this summer, operators can put Cascade in their testing environments to put it through their wringers, so we can iron out bugs and fix corner cases.

    Over the coming months, our aim to have operators build the confidence to start deploying Cascade in production, with the expectation that we'll see real-world Cascade deployments towards the end of this year.

    #DNS #DNSSEC #OARC46 #LoveDNS @dnsoarc

  25. @bortzmeyer As the manager of the Cascade project, I feel it's important to provide some context and nuance to the terms "alpha”, “beta" and “production ready”. This applies especially to software that is intended to run in critical infrastructure, with possible grave consequences when there is a failure.

    While @nlnetlabs is building Cascade on 25 years of experience in DNS and software architecture, operators should not take our work for granted based on that.

    This is our plan.

    We have frozen the feature set Cascade has now, for the beta release. That means a DNSSEC signer with HSM support, IXFR in and out with TSIG, deterministic incremental signing, review hooks, and monitoring endpoints.

    We will mark this release as “beta” in the coming weeks, but read this as whatever you feel is appropriate given the context I gave. That being said: we will dogfood this release. Starting this summer, operators can put Cascade in their testing environments to put it through their wringers, so we can iron out bugs and fix corner cases.

    Over the coming months, our aim to have operators build the confidence to start deploying Cascade in production, with the expectation that we'll see real-world Cascade deployments towards the end of this year.

    #DNS #DNSSEC #OARC46 #LoveDNS @dnsoarc

  26. @bortzmeyer As the manager of the Cascade project, I feel it's important to provide some context and nuance to the terms "alpha”, “beta" and “production ready”. This applies especially to software that is intended to run in critical infrastructure, with possible grave consequences when there is a failure.

    While @nlnetlabs is building Cascade on 25 years of experience in DNS and software architecture, operators should not take our work for granted based on that.

    This is our plan.

    We have frozen the feature set Cascade has now, for the beta release. That means a DNSSEC signer with HSM support, IXFR in and out with TSIG, deterministic incremental signing, review hooks, and monitoring endpoints.

    We will mark this release as “beta” in the coming weeks, but read this as whatever you feel is appropriate given the context I gave. That being said: we will dogfood this release. Starting this summer, operators can put Cascade in their testing environments to put it through their wringers, so we can iron out bugs and fix corner cases.

    Over the coming months, our aim to have operators build the confidence to start deploying Cascade in production, with the expectation that we'll see real-world Cascade deployments towards the end of this year.

    @dnsoarc

  27. @bortzmeyer As the manager of the Cascade project, I feel it's important to provide some context and nuance to the terms "alpha”, “beta" and “production ready”. This applies especially to software that is intended to run in critical infrastructure, with possible grave consequences when there is a failure.

    While @nlnetlabs is building Cascade on 25 years of experience in DNS and software architecture, operators should not take our work for granted based on that.

    This is our plan.

    We have frozen the feature set Cascade has now, for the beta release. That means a DNSSEC signer with HSM support, IXFR in and out with TSIG, deterministic incremental signing, review hooks, and monitoring endpoints.

    We will mark this release as “beta” in the coming weeks, but read this as whatever you feel is appropriate given the context I gave. That being said: we will dogfood this release. Starting this summer, operators can put Cascade in their testing environments to put it through their wringers, so we can iron out bugs and fix corner cases.

    Over the coming months, our aim to have operators build the confidence to start deploying Cascade in production, with the expectation that we'll see real-world Cascade deployments towards the end of this year.

    #DNS #DNSSEC #OARC46 #LoveDNS @dnsoarc

  28. @bortzmeyer As the manager of the Cascade project, I feel it's important to provide some context and nuance to the terms "alpha”, “beta" and “production ready”. This applies especially to software that is intended to run in critical infrastructure, with possible grave consequences when there is a failure.

    While @nlnetlabs is building Cascade on 25 years of experience in DNS and software architecture, operators should not take our work for granted based on that.

    This is our plan.

    We have frozen the feature set Cascade has now, for the beta release. That means a DNSSEC signer with HSM support, IXFR in and out with TSIG, deterministic incremental signing, review hooks, and monitoring endpoints.

    We will mark this release as “beta” in the coming weeks, but read this as whatever you feel is appropriate given the context I gave. That being said: we will dogfood this release. Starting this summer, operators can put Cascade in their testing environments to put it through their wringers, so we can iron out bugs and fix corner cases.

    Over the coming months, our aim to have operators build the confidence to start deploying Cascade in production, with the expectation that we'll see real-world Cascade deployments towards the end of this year.

    #DNS #DNSSEC #OARC46 #LoveDNS @dnsoarc

  29. Peter Koch (DENIC) on the 5 may problem in .de.

    .de has almost 18 million domain names and is incrementally updated.

    Validation is done once it is already published.

    HSM were using different keys :-(

    #DNSSEC
    #OARC46

  30. "Cascade [#DNSSEC key manager and signer]: Beyond alpha" by Ximon Eighteen

    Written in Rust. Still alpha (beta was not released yet).

    Supported (among others) by the Sovereign Tech Agency.

    #OARC46

  31. @ximon18 @dnsoarc after his talk on stage, Ximon will be at the demo table in the lunch area, where he can show all the other tricks Cascade has learned since OARC 45 in Stockholm.

    Also, make sure to bring your zone files so you can for example see how fast parallel #DNSSEC signing by @bal4e really is. #DNS #LoveDNS #OpenSource

  32. @ximon18 @dnsoarc after his talk on stage, Ximon will be at the demo table in the lunch area, where he can show all the other tricks Cascade has learned since OARC 45 in Stockholm.

    Also, make sure to bring your zone files so you can for example see how fast parallel #DNSSEC signing by @bal4e really is. #DNS #LoveDNS #OpenSource

  33. @ximon18 @dnsoarc after his talk on stage, Ximon will be at the demo table in the lunch area, where he can show all the other tricks Cascade has learned since OARC 45 in Stockholm.

    Also, make sure to bring your zone files so you can for example see how fast parallel #DNSSEC signing by @bal4e really is. #DNS #LoveDNS #OpenSource

  34. @ximon18 @dnsoarc after his talk on stage, Ximon will be at the demo table in the lunch area, where he can show all the other tricks Cascade has learned since OARC 45 in Stockholm.

    Also, make sure to bring your zone files so you can for example see how fast parallel #DNSSEC signing by @bal4e really is. #DNS #LoveDNS #OpenSource