home.social

#dnssec — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #dnssec, aggregated by home.social.

  1. New canary Unbound QUIC build is out. Runs on basically any platform @nlnetlabs Unbound supports. Distroless, and built using our hardened native and mighty 🦾 OpenSSL 3.6.2 + QUIC build environment! (github.com/madnuttah/openssl-b)

    Full DNSSEC support, QUIC/HTTP3 via ngtcp2/nghttp3... So much fun!

    cc @nlnetlabs 💚

    github.com/madnuttah/unbound-d

    hub.docker.com/r/madnuttah/unb

    #DNS #DNSSEC #DoT #DoH #QUIC #HTTP3 #Unbound #FOSS #SelfHosting #Homelab #Privacy

  6. The DENIC outage is unpleasant from a regulatory standpoint. Anyone who falls under #DORA now gets to update their third-party risk register and explain why this was not a modeled scenario.

    #denic is not a classic ICT third-party service provider: no contract, no selection, no exit path. A non-substitutable residual risk.

    "Our risk universe is finite; we do not model every TLD registry as a critical tier-1 dependency" is certainly not something the auditor will accept 😂

    #DNSSEC #NIS2

  7. @alvar
    Do large providers l̶i̶k̶e̶ T̶e̶l̶e̶k̶o̶m̶ even still feel like doing #DNSSEC after the latest incident?

    Because their DNS resolvers do not validate DNSSEC at all, their customers were spared. The paradox: missing security protected against the outage.

    Hardly any ISP will voluntarily bring a single point of failure into its network that paralyzes support, for errors it did not cause itself. Ops stability probably (unfortunately) beats security incentives here.

    #CyberSecurity #Networking #DNS #SysAdmin #DE #DENIC #Internet

  8. Today is going to be an interesting day in support.

    ----------------------------

    DNSSEC disruption affecting .de domains

    Incident Status: Partial Service Disruption

    Components: DNS

    Services: DNS Nameservice

    May 5, 2026 23:28 CEST
    May 5, 2026 21:28 UTC

    INVESTIGATING

    Frankfurt am Main, 5 May 2026 – DENIC eG is currently experiencing a disruption in its DNS service for .de domains. As a result, all DNSSEC-signed .de domains are currently affected in their reachability.

    The root cause of the disruption has not yet been fully identified. DENIC’s technical teams are working intensively on analysis and on restoring stable operations as quickly as possible.

    Based on current information, users and operators of .de domains may experience impairments in domain resolution. Further updates will be provided as soon as reliable findings on the cause and recovery are available.

    DENIC asks all affected parties for their understanding.
    For further enquiries, DENIC can be contacted via the usual channels.

    #DNSSEC #DNS #DE #DOMAIN #DENIC #internet #störung #IT #OUTAGE

  9. So that you can keep checking the status

    /etc/hosts (or C:\Windows\System32\drivers\etc\hosts)

    54.192.35.4 status.denic.de

    status.denic.de/pages/incident

    should do the trick 😆

    #de #denic #dnssec

  10. Important Information:

    The “.de” domains currently do not resolve.
    DNSSEC seems f’cked up.
    “Denic” technicians are currently trying to solve this issue.

    See more on here: status.denic.de/


    #de #germany #deutschland #dns #dnssec #denic #incident

  11. #KRITIS sector #IT and #TK

    Ah, DENIC eG has botched #DNSSEC and many .de domains no longer work because of it...

    It's always DNS 😂

    That will presumably mean a report to the @bsi under NIS2 and KritisV 🧐

    dnsviz.net/d/chaoswelle.de/dns

  12. I am wondering right now whether common high-availability concepts take failure of the TLD into account

    #de #denic #dnssec

  13. This is probably the biggest internet disruption I have seen in the thirty years I have been using this Interweb thing.

    See you tomorrow ...

    #DNS #DE #DENIC #DNSSEC

    news.ycombinator.com/item?id=4

  14. We are monitoring a #DNSSEC-related issue with #DE ccTLD. The issue is not specific to Quad9. We will update once more information becomes available.

    You can subscribe for updates at: uptime.quad9.net/

    Our thoughts are with DENIC staff responding to this incident. #HugOps

    #DNS #infosec

  15. Wow, #DENIC has crashed the #DE domain zone with a bogus #dnssec signature. Causes #outtage of a lot of #DE domains due to signature error. Google DNS denies resolution because of bogus signature.

  16. The 47-day certificate: faster treadmill, same broken foundation

    Managing TLS certificates has become pretty crazy: Over the years validity was cut down from several years to two years to one year to half a year now. In a few years it will be only a little more than one month, with the additional requirement to basically continuously prove domain control.

    (1/6)

    offerman.com/en/blog/the-47-da

    #TLS #PKI #LetsEncrypt #ACME #DANE #DNSSEC #InternetSecurity #rant #selfhosting

  21. Numerous technical and security improvements on the infrastructure that supports mstdn.dk

    Bottom line: sikkerpånettet.dk/ now gives the site a 100% #security score. There are still improvements to be made (weirdly enough) - specifically I'm looking into supporting DANE for #TLS certificate signatures in #DNS.

    Now that's off the TODO-list :-)

    #mstdndk

  22. Still at work: fairly strong refusal to send #DMARC reports, to harden the firewalls (anti-#DDoS, filtering bots and attackers), to reboot servers after kernel patches (4 years without applying the update). Refusal of #DNSSEC. Refusal of Wireguard until recently. Refusal to diversify the ASes for our #MX and #NS (everything at one operator). Refusal of #DoT/ #DoH/ #DoQ on our public resolver… a bit fed up 😫

  24. Ideco NGFW Novum update: what changed in the architecture and why it matters

    In April 2026 we are releasing an update to Ideco NGFW Novum. This is a scheduled release that advances five areas: centralized management, DNS protection, remote access management, SD-WAN and clustering. Below we go through what exactly changed and which problems it solves.

    habr.com/ru/companies/ideco/ar

    #кластеризация #sdwan #ngfw #dnssec #dns #ztna #vpn #ips #waf

  25. On Tuesday, 7 April, the Global Internet Standards Testing Community (GISTC) held its 3rd online meeting, which was chaired by Alena Muravska from @ripencc.

    The GISTC brings together organisations from all over the world around #InternetStandards, the Internet.nl test tool and open-source code.

    Its goal is to enable knowledge exchange, coordination of efforts, and of course to collaboratively improve the adoption of modern internet standards like #IPv6, #DNSSEC, #DANE, #DMARC, and #RPKI.

    1/3

  26. Running #OpenBSD 7.8 ​:openbsd:​

    DNS:
    #nsd (3 Master Zones), #DNSSEC & #DANE (RFC6698) + #unbound
    Firewall:
    #pf with auto-fed tables (IPS-style), spambot-tarpitting & service rate limits.
    Mail:
    #smtpd (Multi-domain, RFC8461/MTA-STS) + #rspamd (DKIM) + #dovecot (IMAPS-only).
    Spam-Defense:
    #spamd with auto-SPF-walk (no more greylisting issues).
    Web:
    #relayd (TLS-Terminator, HSTS, CSP) + #httpd (NIP-05, Autoconfig, security.txt).
    Performance: Lightweight "Fail2Ban" via 1-liner shell script (No Python crap!).

    #Nostr Relay in Rust building...

    #SelfHosted #SysAdmin #Security #Privacy

  27. 91% of malware uses DNS. Who protects it and with what, in Russia and worldwide

    The overwhelming majority of malware uses the DNS protocol to communicate with command servers, exfiltrate data or redirect traffic. At the same time, almost 60% of organizations do not monitor DNS traffic on a regular basis. Meanwhile, DNS protection is a fairly large product domain in information security. The global DNS Security market is already valued at $1.6–2.0 billion and is growing by 10–14% annually. We look at what is behind this technology, who is developing it abroad and in Russia, and what to expect from it in the coming years.

    habr.com/ru/articles/1014854/

    #DoH #DoT #threat_intelligence #sinkhole #NXDOMAIN #dns #dnssec #dnsтуннель #dns_по_https #dns_security

  31. #bind 9.20 appears to handle the entire key rollover for #DNSSEC by itself, fully automagically. No more wild script orgies - I am seriously impressed.

  32. We need to simplify client certificates for IoT and MTLS. One way is to anchor client certs in DNS.
    The IETF DANCE working group needs more energy to complete our work. Want to join? Get on the mailing list now and help out!
    datatracker.ietf.org/group/dan

    #PKI #DNSsec #MTLS #IOT

  33. RE: infosec.exchange/@paulehoffman

    Side note: this is why things like "multi-perspective corroboration" for domain validation do not work.

    When every single packet to .ir nameservers and servers inside Iran passes through two (yes, 2!) gateways, then those controlling the gateways can acquire a valid domain validation certificate for any .ir domain or any server located in Iran.

    #x509 #dns #dnssec #certificate

  34. From the latest Linux Update newsletter: Marcin Gąstół looks at the Unbound DNS resolver, which offers comprehensive security and many other useful features
    linux-magazine.com/Issues/2025

  35. Did you know your DNS security could accidentally leak your entire subdomain structure? Enter DNSSEC with NSEC/NSEC3 records, which is great for ensuring integrity and authentication but can also be a sneaky way for attackers to ‘zone walk’ and enumerate your domains...

    Darrell Hall breaks it down in our latest blog post: pentestpartners.com/security-b

    What's covered:
    • How NSEC/NSEC3 can inadvertently expose DNS data
    • The difference between zone transfers and zone walking
    • How to crack NSEC3 records (and why you should care)
    • Real-world examples and mitigation strategies

    #DNSSEC #CyberSecurity #Infosec #DNS #NSEC #NSEC3 #ZoneWalking #ThreatIntel

  36. Does anyone have a contact at the Joint Research Centre (#JRC) [0] or My Email Communications Security Assessment (#MECSA) [1] (both from the #EU)?

    I find the tool great... if it would parse #SPF/#IPv6 correctly and actually check for #DNSSEC...

    I've tried emailing them, but no response :/

    Links:
    [0]: joint-research-centre.ec.europ
    [1]: mecsa.jrc.ec.europa.eu/

  37. Apparently, there is a #DNSSEC related issue on the #Liberia #ccTLD lr.. To quote: "All of the systems [...] have been shut down". Quite a hefty statement on the #DNSOARC mailing list. Haven't dug into it, but couldn't operators temporarily disable the DNSSEC validation?

    Curious if there will be any updates or a post-mortem.

    #DNS #TLD #infosec