#dnssec — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #dnssec, aggregated by home.social.
-
DynIP – Dynamic DNS with RFC 2136, IPv6, DNSSEC, and BYOD
-
DynIP – Dynamic DNS with RFC 2136, IPv6, DNSSEC, and BYOD
-
DynIP – Dynamic DNS with RFC 2136, IPv6, DNSSEC, and BYOD
-
DynIP – Dynamic DNS with RFC 2136, IPv6, DNSSEC, and BYOD
-
DynIP – Dynamic DNS with RFC 2136, IPv6, DNSSEC, and BYOD
-
#Unbound 1.25.1 has been released ( #DNS / #DNSOverTLS / #DNSOverHTTPS / #DNSSEC / #NLnetLabs / #CVE / #SecurityVulnerability ) https://unbound.net/
-
I spent a few hours last week migrating my personal websites from AWS to @[email protected]. I'm very happy with it so far.
Moving my static sites was pretty easy. The hardest part was dealing with #DNSSEC, which is a PITA to migrate between hosts. You do want to migrate your DNS, cause they have a PZ record type, so you don't have to use a CNAME to point to the CDN.
I was able to map services directly:
Route 53 -> Bunny DNS
Cloudfront -> Bunny CDN
S3 -> Bunny Storage
bunny.net is a #CDN based out of Slovenia, so they're covered by GDPR and not part of USA's big tech industry. They're a small company, but their network is not small. They have 9 regions (where data is stored) and 119 edge locations (where data is cached) on the six continents.
The hosting itself is pretty cheap. They have a 14 day trial that includes some trial bucks, but my personal sites didn't use enough resources to get charged a penny even. that is until I enabled a premium service, Bunny Optimizer. This service is about $10/mo and includes features to make your site even faster, like on request conversion of your images to webp format, and resizing/cropping/etc images based on querystring. It also compacts css/js/etc. It's worth it for my image-heavy site, but you can decide if it's worth it for your use case.
What's next on my exodus from AWS?
Bunny isn't a registrar, so I need to migrate my domain registrations off Route 53. This should be easy, but they don't expire till next year, so I'm in no hurry to transfer.
Bunny has container hosting, but they don't have a service comparable to EC2. So, I need to migrate my VPSes (unrelated to websites) off AWS. They're prepaid with Savings Plans through December, so this is something to look at in the fall. -
I spent a few hours last week migrating my personal websites from AWS to @[email protected]. I'm very happy with it so far.
Moving my static sites was pretty easy. The hardest part was dealing with #DNSSEC, which is a PITA to migrate between hosts. You do want to migrate your DNS, cause they have a PZ record type, so you don't have to use a CNAME to point to the CDN.
I was able to map services directly:
Route 53 -> Bunny DNS
Cloudfront -> Bunny CDN
S3 -> Bunny Storage
bunny.net is a #CDN based out of Slovenia, so they're covered by GDPR and not part of USA's big tech industry. They're a small company, but their network is not small. They have 9 regions (where data is stored) and 119 edge locations (where data is cached) on the six continents.
The hosting itself is pretty cheap. They have a 14 day trial that includes some trial bucks, but my personal sites didn't use enough resources to get charged a penny even. that is until I enabled a premium service, Bunny Optimizer. This service is about $10/mo and includes features to make your site even faster, like on request conversion of your images to webp format, and resizing/cropping/etc images based on querystring. It also compacts css/js/etc. It's worth it for my image-heavy site, but you can decide if it's worth it for your use case.
What's next on my exodus from AWS?
Bunny isn't a registrar, so I need to migrate my domain registrations off Route 53. This should be easy, but they don't expire till next year, so I'm in no hurry to transfer.
Bunny has container hosting, but they don't have a service comparable to EC2. So, I need to migrate my VPSes (unrelated to websites) off AWS. They're prepaid with Savings Plans through December, so this is something to look at in the fall. -
I spent a few hours last week migrating my personal websites from AWS to @[email protected]. I'm very happy with it so far.
Moving my static sites was pretty easy. The hardest part was dealing with #DNSSEC, which is a PITA to migrate between hosts. You do want to migrate your DNS, cause they have a PZ record type, so you don't have to use a CNAME to point to the CDN.
I was able to map services directly:
Route 53 -> Bunny DNS
Cloudfront -> Bunny CDN
S3 -> Bunny Storage
bunny.net is a #CDN based out of Slovenia, so they're covered by GDPR and not part of USA's big tech industry. They're a small company, but their network is not small. They have 9 regions (where data is stored) and 119 edge locations (where data is cached) on the six continents.
The hosting itself is pretty cheap. They have a 14 day trial that includes some trial bucks, but my personal sites didn't use enough resources to get charged a penny even. that is until I enabled a premium service, Bunny Optimizer. This service is about $10/mo and includes features to make your site even faster, like on request conversion of your images to webp format, and resizing/cropping/etc images based on querystring. It also compacts css/js/etc. It's worth it for my image-heavy site, but you can decide if it's worth it for your use case.
What's next on my exodus from AWS?
Bunny isn't a registrar, so I need to migrate my domain registrations off Route 53. This should be easy, but they don't expire till next year, so I'm in no hurry to transfer.
Bunny has container hosting, but they don't have a service comparable to EC2. So, I need to migrate my VPSes (unrelated to websites) off AWS. They're prepaid with Savings Plans through December, so this is something to look at in the fall. -
PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server
(aka PowerDNS Authoritative Server 4.9.15 & 5.0.5 released) -
PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server
(aka PowerDNS Authoritative Server 4.9.15 & 5.0.5 released) -
PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server
(aka PowerDNS Authoritative Server 4.9.15 & 5.0.5 released) -
PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server
(aka PowerDNS Authoritative Server 4.9.15 & 5.0.5 released) -
And for additional background, watch this presentation at #RIPE92:
https://ripe92.ripe.net/programme/meeting-plan/sessions/76/T7NMB8/ #DNS #DNSSEC #Mythos #LLM #OpenSource -
And for additional background, watch this presentation at #RIPE92:
https://ripe92.ripe.net/programme/meeting-plan/sessions/76/T7NMB8/ #DNS #DNSSEC #Mythos #LLM #OpenSource -
And for additional background, watch this presentation at #RIPE92:
https://ripe92.ripe.net/programme/meeting-plan/sessions/76/T7NMB8/ #DNS #DNSSEC #Mythos #LLM #OpenSource -
And for additional background, watch this presentation at #RIPE92:
https://ripe92.ripe.net/programme/meeting-plan/sessions/76/T7NMB8/ #DNS #DNSSEC #Mythos #LLM #OpenSource -
And for additional background, watch this presentation at #RIPE92:
https://ripe92.ripe.net/programme/meeting-plan/sessions/76/T7NMB8/ #DNS #DNSSEC #Mythos #LLM #OpenSource -
For more context, read https://hachyderm.io/@alexband/116594865185375042 #DNS #DNSSEC #Mythos #LLM #OpenSource
-
For more context, read https://hachyderm.io/@alexband/116594865185375042 #DNS #DNSSEC #Mythos #LLM #OpenSource
-
For more context, read https://hachyderm.io/@alexband/116594865185375042 #DNS #DNSSEC #Mythos #LLM #OpenSource
-
For more context, read https://hachyderm.io/@alexband/116594865185375042 #DNS #DNSSEC #Mythos #LLM #OpenSource
-
For more context, read https://hachyderm.io/@alexband/116594865185375042 #DNS #DNSSEC #Mythos #LLM #OpenSource
-
🚨 SECURITY RELEASE 🚨
Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time.There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.
Please read the release notes carefully and plan to upgrade.
#DNS #DNSSEC #Mythos #LLM #OpenSource
https://community.nlnetlabs.nl/t/unbound-1-25-1-released/3392
-
🚨 SECURITY RELEASE 🚨
Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time.There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.
Please read the release notes carefully and plan to upgrade.
#DNS #DNSSEC #Mythos #LLM #OpenSource
https://community.nlnetlabs.nl/t/unbound-1-25-1-released/3392
-
🚨 SECURITY RELEASE 🚨
Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time.There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.
Please read the release notes carefully and plan to upgrade.
#DNS #DNSSEC #Mythos #LLM #OpenSource
https://community.nlnetlabs.nl/t/unbound-1-25-1-released/3392
-
🚨 SECURITY RELEASE 🚨
Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time.There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.
Please read the release notes carefully and plan to upgrade.
#DNS #DNSSEC #Mythos #LLM #OpenSource
https://community.nlnetlabs.nl/t/unbound-1-25-1-released/3392
-
🚨 SECURITY RELEASE 🚨
Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time.There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.
Please read the release notes carefully and plan to upgrade.
#DNS #DNSSEC #Mythos #LLM #OpenSource
https://community.nlnetlabs.nl/t/unbound-1-25-1-released/3392
-
🔥 CVE-2026-33278: Critical use-after-free in NLnet Labs Unbound (1.19.1 – 1.25.0). DNSSEC validator flaw can lead to DoS or RCE if attacker controls DNS zone. Patch: upgrade to 1.25.1. https://radar.offseq.com/threat/cve-2026-33278-cwe-416-use-after-free-in-nlnet-lab-c0de645d #OffSeq #DNSSEC #Vuln #Infosec
-
Ah. J’aime quand les problèmes se résolvent aussi facilement.
J’ai désactivé l’option, puis l’ai réactivée. Et maintenant, c’est bon, j’ai pu renouveler le certificat Let’s Encrypt dans YunoHost.
Oui, parce que c’est grâce à l’interface d’admin de YunoHost que j’ai su que c’était DNSSEC le problème. J’aurais jamais trouvé ça tout seul!
#Infomaniak #DNS #DNSSEC -
-
Allons bon. J’ai donc désactivé l’option DNS Fast Anycast pour tous mes domaines chez Infomaniak (youpi, des économies). Du coup, j’en ai profité pour activer DNSSEC pour les quelques domaines chez qui ce n’était pas déjà fait (youpi, c’est gratos). Sauf que du coup, j’en ai un qui ne marche plus du tout.
Alors, je précise tout de suite, moi, les histoires de DNS, je connais le principe, de loin, mais j’y connais pas grand-chose. Juste, là, je constate que l’activation a tout cassé. Et juste pour ce domaine-là, pas pour les autres, chez le même registraire.
#Infomaniak #DNS #DNSSEC -
Checkdomain ist auch geil. Beschreibt auf der Website, dass man doch DNSSEC nutzen soll, um seine Domain abzusichern.
Ich finde das Feature aber in der Verwaltung nicht. Also Support angeschrieben.
Support sagt: Jaaa das empfehlen wir schon, aaaaber ... eh ... wir bieten es nicht an.
🤦♂️
Wer hat sich das denn schon wieder ausgedacht ...
-
@bortzmeyer As the manager of the Cascade project, I feel it's important to provide some context and nuance to the terms "alpha”, “beta" and “production ready”. This applies especially to software that is intended to run in critical infrastructure, with possible grave consequences when there is a failure.
While @nlnetlabs is building Cascade on 25 years of experience in DNS and software architecture, operators should not take our work for granted based on that.
This is our plan.
We have frozen the feature set Cascade has now, for the beta release. That means a DNSSEC signer with HSM support, IXFR in and out with TSIG, deterministic incremental signing, review hooks, and monitoring endpoints.
We will mark this release as “beta” in the coming weeks, but read this as whatever you feel is appropriate given the context I gave. That being said: we will dogfood this release. Starting this summer, operators can put Cascade in their testing environments to put it through their wringers, so we can iron out bugs and fix corner cases.
Over the coming months, our aim to have operators build the confidence to start deploying Cascade in production, with the expectation that we'll see real-world Cascade deployments towards the end of this year.
-
@bortzmeyer As the manager of the Cascade project, I feel it's important to provide some context and nuance to the terms "alpha”, “beta" and “production ready”. This applies especially to software that is intended to run in critical infrastructure, with possible grave consequences when there is a failure.
While @nlnetlabs is building Cascade on 25 years of experience in DNS and software architecture, operators should not take our work for granted based on that.
This is our plan.
We have frozen the feature set Cascade has now, for the beta release. That means a DNSSEC signer with HSM support, IXFR in and out with TSIG, deterministic incremental signing, review hooks, and monitoring endpoints.
We will mark this release as “beta” in the coming weeks, but read this as whatever you feel is appropriate given the context I gave. That being said: we will dogfood this release. Starting this summer, operators can put Cascade in their testing environments to put it through their wringers, so we can iron out bugs and fix corner cases.
Over the coming months, our aim to have operators build the confidence to start deploying Cascade in production, with the expectation that we'll see real-world Cascade deployments towards the end of this year.
-
@bortzmeyer As the manager of the Cascade project, I feel it's important to provide some context and nuance to the terms "alpha”, “beta" and “production ready”. This applies especially to software that is intended to run in critical infrastructure, with possible grave consequences when there is a failure.
While @nlnetlabs is building Cascade on 25 years of experience in DNS and software architecture, operators should not take our work for granted based on that.
This is our plan.
We have frozen the feature set Cascade has now, for the beta release. That means a DNSSEC signer with HSM support, IXFR in and out with TSIG, deterministic incremental signing, review hooks, and monitoring endpoints.
We will mark this release as “beta” in the coming weeks, but read this as whatever you feel is appropriate given the context I gave. That being said: we will dogfood this release. Starting this summer, operators can put Cascade in their testing environments to put it through their wringers, so we can iron out bugs and fix corner cases.
Over the coming months, our aim to have operators build the confidence to start deploying Cascade in production, with the expectation that we'll see real-world Cascade deployments towards the end of this year.
-
@bortzmeyer As the manager of the Cascade project, I feel it's important to provide some context and nuance to the terms "alpha”, “beta" and “production ready”. This applies especially to software that is intended to run in critical infrastructure, with possible grave consequences when there is a failure.
While @nlnetlabs is building Cascade on 25 years of experience in DNS and software architecture, operators should not take our work for granted based on that.
This is our plan.
We have frozen the feature set Cascade has now, for the beta release. That means a DNSSEC signer with HSM support, IXFR in and out with TSIG, deterministic incremental signing, review hooks, and monitoring endpoints.
We will mark this release as “beta” in the coming weeks, but read this as whatever you feel is appropriate given the context I gave. That being said: we will dogfood this release. Starting this summer, operators can put Cascade in their testing environments to put it through their wringers, so we can iron out bugs and fix corner cases.
Over the coming months, our aim to have operators build the confidence to start deploying Cascade in production, with the expectation that we'll see real-world Cascade deployments towards the end of this year.
-
@bortzmeyer As the manager of the Cascade project, I feel it's important to provide some context and nuance to the terms "alpha”, “beta" and “production ready”. This applies especially to software that is intended to run in critical infrastructure, with possible grave consequences when there is a failure.
While @nlnetlabs is building Cascade on 25 years of experience in DNS and software architecture, operators should not take our work for granted based on that.
This is our plan.
We have frozen the feature set Cascade has now, for the beta release. That means a DNSSEC signer with HSM support, IXFR in and out with TSIG, deterministic incremental signing, review hooks, and monitoring endpoints.
We will mark this release as “beta” in the coming weeks, but read this as whatever you feel is appropriate given the context I gave. That being said: we will dogfood this release. Starting this summer, operators can put Cascade in their testing environments to put it through their wringers, so we can iron out bugs and fix corner cases.
Over the coming months, our aim to have operators build the confidence to start deploying Cascade in production, with the expectation that we'll see real-world Cascade deployments towards the end of this year.
-
Peter Koch (DENIC) on the 5 may problem in .de.
.de has almost 18 million domain names and is incrementally updated.
Validation is done once it is already published.
HSM were using different keys :-(
-
"Cascade [#DNSSEC key manager and signer]: Beyond alpha" by Ximon Eighteen
Written in Rust. Still alpha (beta was not released yet).
Supported (among others) by the Sovereign Tech Agency.
-
@ximon18 @dnsoarc after his talk on stage, Ximon will be at the demo table in the lunch area, where he can show all the other tricks Cascade has learned since OARC 45 in Stockholm.
Also, make sure to bring your zone files so you can for example see how fast parallel #DNSSEC signing by @bal4e really is. #DNS #LoveDNS #OpenSource
-
@ximon18 @dnsoarc after his talk on stage, Ximon will be at the demo table in the lunch area, where he can show all the other tricks Cascade has learned since OARC 45 in Stockholm.
Also, make sure to bring your zone files so you can for example see how fast parallel #DNSSEC signing by @bal4e really is. #DNS #LoveDNS #OpenSource
-
@ximon18 @dnsoarc after his talk on stage, Ximon will be at the demo table in the lunch area, where he can show all the other tricks Cascade has learned since OARC 45 in Stockholm.
Also, make sure to bring your zone files so you can for example see how fast parallel #DNSSEC signing by @bal4e really is. #DNS #LoveDNS #OpenSource
-
@ximon18 @dnsoarc after his talk on stage, Ximon will be at the demo table in the lunch area, where he can show all the other tricks Cascade has learned since OARC 45 in Stockholm.
Also, make sure to bring your zone files so you can for example see how fast parallel #DNSSEC signing by @bal4e really is. #DNS #LoveDNS #OpenSource