home.social

#dnssec — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #dnssec, aggregated by home.social.

  1. I spent a few hours last week migrating my personal websites from AWS to @[email protected]. I'm very happy with it so far.

    Moving my static sites was pretty easy. The hardest part was dealing with #DNSSEC, which is a PITA to migrate between hosts. You do want to migrate your DNS, cause they have a PZ record type, so you don't have to use a CNAME to point to the CDN.

    I was able to map services directly:
    Route 53 -> Bunny DNS
    Cloudfront -> Bunny CDN
    S3 -> Bunny Storage

    bunny.net is a #CDN based out of Slovenia, so they're covered by GDPR and not part of USA's big tech industry. They're a small company, but their network is not small. They have 9 regions (where data is stored) and 119 edge locations (where data is cached) on the six continents.

    The hosting itself is pretty cheap. They have a 14-day trial that includes some trial bucks, but my personal sites didn't use enough resources to get charged a penny, even. That is, until I enabled a premium service, Bunny Optimizer. This service is about $10/mo and includes features to make your site even faster, like on-request conversion of your images to webp format, and resizing/cropping/etc. of images based on the query string. It also compacts css/js/etc. It's worth it for my image-heavy site, but you can decide if it's worth it for your use case.

    What's next on my exodus from AWS?
    Bunny isn't a registrar, so I need to migrate my domain registrations off Route 53. This should be easy, but they don't expire till next year, so I'm in no hurry to transfer.
    Bunny has container hosting, but they don't have a service comparable to EC2. So, I need to migrate my VPSes (unrelated to websites) off AWS. They're prepaid with Savings Plans through December, so this is something to look at in the fall.

  4. PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server
    (aka PowerDNS Authoritative Server 4.9.15 & 5.0.5 released)

    blog.powerdns.com/2026/05/20/p

  9. 🚨 SECURITY RELEASE 🚨
    Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time.

    There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.

    Please read the release notes carefully and plan to upgrade.

    #DNS #DNSSEC #Mythos #LLM #OpenSource

    community.nlnetlabs.nl/t/unbou

  14. 🔥 CVE-2026-33278: Critical use-after-free in NLnet Labs Unbound (1.19.1 – 1.25.0). DNSSEC validator flaw can lead to DoS or RCE if attacker controls DNS zone. Patch: upgrade to 1.25.1. radar.offseq.com/threat/cve-20 #OffSeq #DNSSEC #Vuln #Infosec

  15. Ah. I love it when problems resolve themselves this easily.

    I disabled the option, then re-enabled it. And now it's fine, I was able to renew the Let's Encrypt certificate in YunoHost.

    Yes, because it's thanks to the YunoHost admin interface that I found out DNSSEC was the problem. I would never have found that on my own!

    #Infomaniak #DNS #DNSSEC

  16. Something tells me that this status: REFUSED is not good news…

    #Infomaniak #DNS #DNSSEC

  17. Well then. So I disabled the DNS Fast Anycast option for all my domains at Infomaniak (yay, savings). While I was at it, I enabled DNSSEC for the few domains where it wasn't already done (yay, it's free). Except that now one of them doesn't work at all anymore.

    Let me say right away: when it comes to DNS, I know the principle, from a distance, but I don't know much about it. I'm just observing that enabling it broke everything. And only for that domain, not for the others, at the same registrar.

    #Infomaniak #DNS #DNSSEC
  18. After showing the progress of our #DNSSEC signing solution Cascade at DNS-OARC last weekend, this week we are at #RustWeek, supporting the developer community that makes our new software possible.

    #DNS #OpenSource #rustlang

  23. Checkdomain is great too. Their website says you should use DNSSEC to secure your domain.

    But I can't find the feature anywhere in the management panel. So I wrote to support.

    Support says: Yeees, we do recommend it, buuut ... uh ... we don't offer it.

    🤦‍♂️

    Who came up with that one ...

    #dnssec

  24. New canary Unbound QUIC build is out. Runs on basically any platform @nlnetlabs Unbound supports. Distroless, and built using our hardened native and mighty 🦾 OpenSSL 3.6.2 + QUIC build environment! (github.com/madnuttah/openssl-b)

    Full DNSSEC support, QUIC/HTTP3 via ngtcp2/nghttp3... So much fun!

    cc @nlnetlabs 💚

    github.com/madnuttah/unbound-d

    hub.docker.com/r/madnuttah/unb

  25. Glad to see that Verisign plans ahead for a #DNSSEC algorithm rollover for the com. TLD. The plan is to discard algorithm 8 (RSA/SHA256) and instead deploy algorithm 13 (ECDSA/SHA-256). Great to see the largest TLD on planet earth moving towards algorithms with smaller key sizes.

    I checked my #pdns database of my public resolvers. To give a comparison for the size reduction (and the reduction of DNS R/A potential):

    com., signed with algorithm 8 returned close to 936 bytes of data.
    nl., signed with algorithm 13 returns 289 bytes of data.

    This is a reduction of ~70% of the response sizes for DNSSEC validation.

    The rollover is to be expected on or around December 07. More on it in their blog.

    #dns #tld #ddos

  26. 91% of malware uses DNS. Who protects it, and how, in Russia and worldwide

    The vast majority of malicious software uses the DNS protocol to communicate with command servers, exfiltrate data or redirect traffic. At the same time, almost 60% of organizations do not monitor DNS traffic on a regular basis. Meanwhile, DNS protection is a fairly large product domain in information security. The global DNS Security market is already valued at $1.6–2.0 billion and is growing 10–14% per year. We look at what is behind this technology, who is developing it abroad and in Russia, and what to expect from it in the coming years.

    habr.com/ru/articles/1014854/

    #DoH #DoT #threat_intelligence #sinkhole #NXDOMAIN #dns #dnssec #dnsтуннель #dns_по_https #dns_security

  27. Still at work: strong refusal to send #DMARC reports, to harden the firewalls (anti-#DDoS, filtering bots and attackers), to reboot servers after kernel patches (4 years without applying the update). Refusal of #DNSSEC. Refusal of Wireguard until recently. Refusal to diversify the ASes for our #MX and #NS (everything at a single operator). Refusal of #DoT/ #DoH/ #DoQ on our public resolver… getting a bit fed up 😫

  29. The 47-day certificate: faster treadmill, same broken foundation

    Managing TLS certificates has become pretty crazy: over the years, validity was cut down from several years to two years to one year to half a year now. In a few years it will be only a little more than one month, with the additional requirement to basically continuously prove domain control.

    (1/6)

    offerman.com/en/blog/the-47-da

    #TLS #PKI #LetsEncrypt #ACME #DANE #DNSSEC #InternetSecurity #rant #selfhosting

  34. The DENIC outage is awkward from a regulatory standpoint. Anyone who falls under #DORA now gets to update their third-party risk register and explain why this was not a modelled scenario.

    #denic is not a classic ICT third-party service provider: no contract, no selection, no exit path. A non-substitutable residual risk.

    "Our risk universe is finite, we don't model every TLD registry as a critical tier-1 dependency" is something the auditor certainly won't accept 😂

    #DNSSEC #NIS2