#dnssec — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #dnssec, aggregated by home.social.
-
DynIP – Dynamic DNS with RFC 2136, IPv6, DNSSEC, and BYOD
-
#Unbound 1.25.1 has been released ( #DNS / #DNSOverTLS / #DNSOverHTTPS / #DNSSEC / #NLnetLabs / #CVE / #SecurityVulnerability ) https://unbound.net/
-
I spent a few hours last week migrating my personal websites from AWS to @[email protected]. I'm very happy with it so far.
Moving my static sites was pretty easy. The hardest part was dealing with #DNSSEC, which is a PITA to migrate between hosts. You do want to migrate your DNS, cause they have a PZ record type, so you don't have to use a CNAME to point to the CDN.
I was able to map services directly:
Route 53 -> Bunny DNS
Cloudfront -> Bunny CDN
S3 -> Bunny Storage
bunny.net is a #CDN based out of Slovenia, so they're covered by GDPR and not part of USA's big tech industry. They're a small company, but their network is not small. They have 9 regions (where data is stored) and 119 edge locations (where data is cached) on the six continents.
The hosting itself is pretty cheap. They have a 14 day trial that includes some trial bucks, but my personal sites didn't use enough resources to get charged a penny even. That is, until I enabled a premium service, Bunny Optimizer. This service is about $10/mo and includes features to make your site even faster, like on request conversion of your images to webp format, and resizing/cropping/etc images based on querystring. It also compacts css/js/etc. It's worth it for my image-heavy site, but you can decide if it's worth it for your use case.
What's next on my exodus from AWS?
Bunny isn't a registrar, so I need to migrate my domain registrations off Route 53. This should be easy, but they don't expire till next year, so I'm in no hurry to transfer.
Bunny has container hosting, but they don't have a service comparable to EC2. So, I need to migrate my VPSes (unrelated to websites) off AWS. They're prepaid with Savings Plans through December, so this is something to look at in the fall. -
PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server
(aka PowerDNS Authoritative Server 4.9.15 & 5.0.5 released) -
And for additional background, watch this presentation at #RIPE92:
https://ripe92.ripe.net/programme/meeting-plan/sessions/76/T7NMB8/ #DNS #DNSSEC #Mythos #LLM #OpenSource -
For more context, read https://hachyderm.io/@alexband/116594865185375042 #DNS #DNSSEC #Mythos #LLM #OpenSource
-
🚨 SECURITY RELEASE 🚨
Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time. There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.
Please read the release notes carefully and plan to upgrade.
#DNS #DNSSEC #Mythos #LLM #OpenSource
https://community.nlnetlabs.nl/t/unbound-1-25-1-released/3392
-
🔥 CVE-2026-33278: Critical use-after-free in NLnet Labs Unbound (1.19.1 – 1.25.0). DNSSEC validator flaw can lead to DoS or RCE if attacker controls DNS zone. Patch: upgrade to 1.25.1. https://radar.offseq.com/threat/cve-2026-33278-cwe-416-use-after-free-in-nlnet-lab-c0de645d #OffSeq #DNSSEC #Vuln #Infosec
-
Ah. I love it when problems get solved this easily.
I disabled the option, then re-enabled it. And now it's fine, I was able to renew the Let's Encrypt certificate in YunoHost.
Yes, because it's thanks to the YunoHost admin interface that I found out DNSSEC was the problem. I would never have figured that out on my own!
#Infomaniak #DNS #DNSSEC -
-
Oh dear. So I disabled the DNS Fast Anycast option for all my domains at Infomaniak (yay, savings). While I was at it, I took the opportunity to enable DNSSEC for the few domains where it wasn't already done (yay, it's free). Except that as a result, I have one that no longer works at all.
So, let me say right away: when it comes to DNS stuff, I know the principle, from a distance, but I don't know much about it. I just notice that enabling it broke everything. And only for that domain, not for the others, at the same registrar.
#Infomaniak #DNS #DNSSEC -
Checkdomain is great, too. Their website says you should use DNSSEC to secure your domain.
But I can't find the feature in the management console. So I wrote to support.
Support says: Yeees, we do recommend it, buuut ... uh ... we don't offer it.
🤦♂️
Who came up with that one again ...
-
New canary Unbound QUIC build is out. Runs on basically any platform @nlnetlabs Unbound supports. Distroless, and built using our hardened native and mighty 🦾 OpenSSL 3.6.2 + QUIC build environment! (https://github.com/madnuttah/openssl-buildenv)
Full DNSSEC support, QUIC/HTTP3 via ngtcp2/nghttp3... So much fun!
cc @nlnetlabs 💚
https://github.com/madnuttah/unbound-docker
https://hub.docker.com/r/madnuttah/unbound
#DNS #DNSSEC #DoT #DoH #QUIC #HTTP3 #Unbound #FOSS #SelfHosting #Homelab #Privacy
-
Glad to see that Verisign plans ahead for a #DNSSEC algorithm rollover for the com. TLD. The plan is to discard algorithm 8 (RSA/SHA256) and instead deploy algorithm 13 (ECDSA/SHA-256). Great to see that the largest TLD of planet earth is moving towards algorithms with smaller key sizes.
I checked my #pdns database of my public resolvers. To give a comparison for the size reduction (and the reduction of DNS R/A potential):
com., signed with algorithm 8 returned close to 936 bytes of data.
nl., signed with algorithm 13 returns 289 bytes of data.
This is a reduction of ~70% of the response sizes for DNSSEC validation.
The rollover is to be expected on or around December 07. More on it in their blog.
-
91% of malware uses DNS. Who protects it, and with what, in Russia and worldwide
The overwhelming majority of malware uses the DNS protocol to communicate with command-and-control servers, exfiltrate data, or redirect traffic. Yet almost 60% of organizations do not monitor DNS traffic on a regular basis. Meanwhile, DNS protection is a fairly large product domain within information security. The global DNS Security market is already estimated at $1.6–2.0 billion and is growing 10–14% annually. We look at what is behind this technology, who is developing it abroad and in Russia, and what to expect from it in the coming years.
https://habr.com/ru/articles/1014854/
#DoH #DoT #threat_intelligence #sinkhole #NXDOMAIN #dns #dnssec #dnsтуннель #dns_по_https #dns_security
-
Still at work: fairly strong refusal to send #DMARC reports, to harden the firewalls (anti-#DDoS, filtering bots and attackers), to reboot servers after kernel patches (4 years without applying the update). Refusal of #DNSSEC. Refusal of Wireguard until recently. Refusal to diversify the ASes for our #MX and #NS (everything with one operator). Refusal of #DoT/ #DoH/ #DoQ on our public resolver… kind of fed up 😫
-
The 47-day certificate: faster treadmill, same broken foundation
Managing TLS certificates has become pretty crazy: Over the years validity was cut down from several years to two years to one year to half a year now. In a few years it will be only a little more than one month, with the additional requirement to basically continuously prove domain control.
(1/6)
https://offerman.com/en/blog/the-47-day-certificate-faster-treadmill-same-broken-foundation
#TLS #PKI #LetsEncrypt #ACME #DANE #DNSSEC #InternetSecurity #rant #selfhosting
-
The DENIC outage is unpleasant from a regulatory standpoint. Anyone who falls under #DORA now gets to update their third-party risk register and explain why this was not a modeled scenario.
#denic is not a classic ICT third-party service provider: no contract, no selection, no exit path. A non-substitutable residual risk.
"Our risk universe is finite, we don't model every TLD registry as a critical Tier-1 dependency" is surely not something the auditor will accept 😂