PowerDNS<p>PowerDNS Authoritative Server 4.9.8 Released</p><p><a href="https://blog.powerdns.com/powerdns-authoritative-server-4.9.8" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.powerdns.com/powerdns-aut</span><span class="invisible">horitative-server-4.9.8</span></a></p><p><a href="https://fosstodon.org/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://fosstodon.org/tags/dnssec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dnssec</span></a></p>
toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.
Administered by:
Server stats:
258active users
toad.social: About · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.4.1
#dnssec
1 post · 1 participant · 1 post today
heise Security<p>Podcast "Passwort" Folge 37: DNSSEC, die DNS Security Extensions</p><p>DNS ist ein Grundpfeiler des Internets – umso wichtiger, dass die Namensauflösung verlässliche Daten liefert. Wie DNSSEC dabei hilft, erklärt ein kundiger Gast.</p><p><a href="https://www.heise.de/news/Podcast-Passwort-Folge-37-DNSSEC-die-DNS-Security-Extensions-10498530.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">heise.de/news/Podcast-Passwort</span><span class="invisible">-Folge-37-DNSSEC-die-DNS-Security-Extensions-10498530.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon</span></a></p><p><a href="https://social.heise.de/tags/Automatisierung" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Automatisierung</span></a> <a href="https://social.heise.de/tags/DANE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DANE</span></a> <a href="https://social.heise.de/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNS</span></a> <a href="https://social.heise.de/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNSSEC</span></a> <a href="https://social.heise.de/tags/IETF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IETF</span></a> <a href="https://social.heise.de/tags/IT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IT</span></a> <a href="https://social.heise.de/tags/PasswortPodcast" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswortPodcast</span></a> <a href="https://social.heise.de/tags/Podcast" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Podcast</span></a> <a href="https://social.heise.de/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://social.heise.de/tags/news" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>news</span></a></p>
PowerDNS<p>PowerDNS Recursor 5.1.7 and 5.2.5 Released</p><p><a href="https://blog.powerdns.com/powerdns-recursor-5.1.7-and-5.2.5-released" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.powerdns.com/powerdns-rec</span><span class="invisible">ursor-5.1.7-and-5.2.5-released</span></a></p><p><a href="https://fosstodon.org/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://fosstodon.org/tags/dnssec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dnssec</span></a></p>
tsk<p>Like little lightbulbs turning on over one's head...<br><a href="https://infosec.exchange/tags/dnssec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dnssec</span></a> <a href="https://infosec.exchange/tags/https" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>https</span></a> <a href="https://infosec.exchange/tags/tls" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tls</span></a> <a href="https://infosec.exchange/tags/pki" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pki</span></a></p><p><a href="https://www.theregister.com/2025/07/25/systems_approach_column_dns_security/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">theregister.com/2025/07/25/sys</span><span class="invisible">tems_approach_column_dns_security/</span></a></p>
The New Oil<p><a href="https://mastodon.thenewoil.org/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNS</span></a> security is important but <a href="https://mastodon.thenewoil.org/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNSSEC</span></a> may be a failed experiment</p><p><a href="https://www.theregister.com/2025/07/25/systems_approach_column_dns_security/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">theregister.com/2025/07/25/sys</span><span class="invisible">tems_approach_column_dns_security/</span></a></p><p><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
JP Mens<p>Via a mailing list, I get to see a very impressive-looking <a href="https://mastodon.social/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNSSEC</span></a> waterfall:</p><p><a href="https://dnsviz.net/d/time.nist.gov/aID54g/dnssec/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dnsviz.net/d/time.nist.gov/aID</span><span class="invisible">54g/dnssec/</span></a></p><p><a href="https://mastodon.social/tags/kaputt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>kaputt</span></a></p>
Loki the Cat<p>DNSSEC: officially the "worst performing technology" of internet protocols at 34% adoption after 28 years. Meanwhile HTTPS is living its best life at 96%. Sometimes being invisible isn't a superpower! 👻</p><p><a href="https://it.slashdot.org/story/25/07/25/1714202/dns-security-is-important-but-dnssec-may-be-a-failed-experiment" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">it.slashdot.org/story/25/07/25</span><span class="invisible">/1714202/dns-security-is-important-but-dnssec-may-be-a-failed-experiment</span></a></p><p><a href="https://toot.community/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNSSEC</span></a> <a href="https://toot.community/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNS</span></a> <a href="https://toot.community/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a></p>
rvstaveren<p>For what it is worth, earlier this month my private <a href="https://mastodon.online/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> zone was <a href="https://mastodon.online/tags/dnssec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dnssec</span></a> signed 20 years ago. </p><p>First with the perl based RIPE DISI tools, then I tried opendnssec in a way to complicated setup with a nsd/bind combo or bind with separate signed/unsigned views (can’t remember), then it became zkt to end up with running with bind’s dnssec-policy</p><p> What a ride</p>
PowerDNS<p>The all-rounder DNSdist 2.0 is here!</p><p><a href="https://blog.powerdns.com/the-all-rounder-dnsdist-2.0-is-here" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.powerdns.com/the-all-roun</span><span class="invisible">der-dnsdist-2.0-is-here</span></a></p><p><a href="https://fosstodon.org/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://fosstodon.org/tags/dnssec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dnssec</span></a></p>
PowerDNS<p>PowerDNS Security Advisory 2025-04<br>(aka PowerDNS Recursor 5.0.12, 5.1.6 and 5.2.4 released)</p><p><a href="https://blog.powerdns.com/powerdns-security-advisory-2025-04" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.powerdns.com/powerdns-sec</span><span class="invisible">urity-advisory-2025-04</span></a></p><p><a href="https://fosstodon.org/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://fosstodon.org/tags/dnssec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dnssec</span></a></p>
ChaCha20Poly1305<p>En France, voir en Europe, est-ce que vous seriez d’accord pour rendre obligatoire l’<a href="https://mastodon.libre-entreprise.com/tags/IPv6" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IPv6</span></a> et le <a href="https://mastodon.libre-entreprise.com/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNSSEC</span></a> (pour les opérateurs/registrars/zones/routeurs/smartphones/serveurs/services…). Merci de repartager.</p>
cynicalsecurity :cm_2:<p>Ha, some <a href="https://bsd.network/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNSSEC</span></a> gotcha for you people out there, especially if you are in RIPE.</p><p>It looks like several ISPs within RIPE have started using DNSSEC also on their in-addr.arpa and ip6.arpa zones! So, when they delegate to you, if your zone is not signed… it doesn't work _if the originating resolver specified the DNSSEC flag_.</p><p>So, what does it look like? You query from a machine which does not automatically request DNSSEC and everything works fine (assuming the intermediate resolver does not use DNSSEC), you query using, say, 9.9.9.9 (Quad9) and it doesn't work (i.e. your PTR records don't resolve).</p><p>This is even more obvious if you are being delegated a sub-/24 zone using the CNAME trick as the NS specified in the delegating zone are not going to be signed and the recursion fails mysteriously.</p><p>Anyway, dig +trace is your friend as are these three wonderful sites:</p><p>* <a href="https://bind9.readthedocs.io/en/stable/dnssec-guide.html#easy-start-guide-for-signing-authoritative-zones" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bind9.readthedocs.io/en/stable</span><span class="invisible">/dnssec-guide.html#easy-start-guide-for-signing-authoritative-zones</span></a><br>* <a href="https://dnssec-debugger.verisignlabs.com" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dnssec-debugger.verisignlabs.c</span><span class="invisible">om</span></a><br>* <a href="https://dnsviz.net" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="">dnsviz.net</span><span class="invisible"></span></a></p><p>:flan_hacker:</p>
Stéphane Bortzmeyer<p>Plus post-quantum crypto. in <a href="https://mastodon.gougere.fr/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNSSEC</span></a> : BIND, NSD, Unbound, etc.</p><p><a href="https://mastodon.gougere.fr/tags/IETF123" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IETF123</span></a></p>
ChaCha20Poly1305<p>For people using <a href="https://mastodon.libre-entreprise.com/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNSSEC</span></a> for their <a href="https://mastodon.libre-entreprise.com/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNS</span></a> zone, what do you use for signing ? Please re-share. For other choices, you can comment and you can ask me to check your domain name in private message.</p>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://oldbytes.space/@drscriptt" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>drscriptt</span></a></span> again: I'd see this as more error-prone than <a href="https://infosec.space/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNSSEC</span></a> and only hindering the transition from <a href="https://infosec.space/tags/IPv4" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IPv4</span></a> to <a href="https://infosec.space/tags/IPv6" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IPv6</span></a> if not bricking <em>proper <a href="https://infosec.space/tags/DualStack" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DualStack</span></a></em>…</p>
NLnet Labs<p>Pieces for our new <a href="https://social.nlnetlabs.nl/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNSSEC</span></a> signer Nameshed are falling into place at a steady rate. While Ximon is working on the KMIP/PKCS#11 interface for HSMs, Philip is working on the key manager and Arya just took the first step in the UI with the configuration mechanisms:<br><a href="https://github.com/NLnetLabs/nameshed/pull/13" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/NLnetLabs/nameshed/</span><span class="invisible">pull/13</span></a></p><p>Our goal is to have a proof-of-concept by the end of September, so we have something to talk about at DNS-OARC45 in October. <a href="https://social.nlnetlabs.nl/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNS</span></a> <a href="https://social.nlnetlabs.nl/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a> <a href="https://social.nlnetlabs.nl/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rustlang</span></a></p>
PowerDNS<p>PowerDNS Recursor 5.3.0-alpha2 Released</p><p><a href="https://blog.powerdns.com/powerdns-recursor-5.3.0-alpha2-released" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.powerdns.com/powerdns-rec</span><span class="invisible">ursor-5.3.0-alpha2-released</span></a></p><p><a href="https://fosstodon.org/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://fosstodon.org/tags/dnssec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dnssec</span></a></p>
NLnet Labs<p>We have a retired SafeNet Luna 4 <a href="https://social.nlnetlabs.nl/tags/HSM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HSM</span></a> in the office for testing our Nameshed HSM code, but we're having a bit of a hard time obtaining a PKCS#11 Linux library / SDK for it. </p><p>(Plan B would be someone giving us testing access to their Thales Luna) </p><p>Is there anyone who can help <span class="h-card" translate="no"><a href="https://fosstodon.org/@ximon18" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>ximon18</span></a></span> out? Sharing is caring. 💚 <a href="https://social.nlnetlabs.nl/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNS</span></a> <a href="https://social.nlnetlabs.nl/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNSSEC</span></a> <a href="https://social.nlnetlabs.nl/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a></p>
NLnet Labs<p>After putting our Nameshed HSM code through its paces with SoftHSM and YubiHSM, it's time to venture a little deeper into the woods. <a href="https://github.com/NLnetLabs/nameshed-hsm-relay" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/NLnetLabs/nameshed-</span><span class="invisible">hsm-relay</span></a> 🌛 <a href="https://social.nlnetlabs.nl/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNS</span></a> <a href="https://social.nlnetlabs.nl/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rustlang</span></a> <a href="https://social.nlnetlabs.nl/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNSSEC</span></a></p>
PowerDNS<p>First release candidate of PowerDNS DNSdist 2.0.0</p><p><a href="https://blog.powerdns.com/2025/07/08/first-release-candidate-of-powerdns-dnsdist-2.0.0" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.powerdns.com/2025/07/08/f</span><span class="invisible">irst-release-candidate-of-powerdns-dnsdist-2.0.0</span></a></p><p><a href="https://fosstodon.org/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://fosstodon.org/tags/dnssec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dnssec</span></a></p>
TrendingLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload