Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
mstdn.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A general-purpose Mastodon server with a 500 character limit. All languages are welcome.

Administered by:

Server stats:

16K
active users

mstdn.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.4

#dnssec

6 posts6 participants0 posts today
Continued thread
Public
Jan Schaumann

System Administration

Week 7, The Domain Name System, Part III

In this video, we try to wrap up our discussion of the Domain Name System by addressing the nature of the root nameservers, looking at various different resource record types, observing reverse lookups, and thinking about how we can have assurance of authenticity and integrity of the results returned to us via .

youtu.be/XDJEJFVNoko

youtu.be- YouTubeEnjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
#SysAdmin#DevOps#SRE
Public
JP Mens

I wrote about #OctoDNS recently (jpmens.net/2025/02/22/notes-to). At the tail end of that post I linked to DNScontrol which I shied away from because "JavaScript".

Later I read a piece by @tobru on how he uses it, slept on that a couple of nights, and that may be a solution to a problem. Here's a screenshot showing what it's capable of. Details might be upcoming in a blog post.

Here creating a zone and keys and #DNSSEC on #PowerDNS as well as #BIND zone master files.

screenshot depicting dnscontrol running and adding a zone to PowerDNS as well as a zone master file.
Public *
John Shaft

Have not pay much attention to the Compact Denial of Existence in #DNSSEC yet.

Should have : there are nice straws for the #DNSCamel. :3

Eg. A new optional EDNS0 header flag (CO - for "Compact Answers OK"). Would be the first one since DO.

datatracker.ietf.org/doc/draft

Logo of the IETF
IETF DatatrackerCompact Denial of Existence in DNSSECThis document describes a technique to generate a signed DNS response on demand for a non-existent name by claiming that the name exists but doesn't have any data for the queried record type. Such answers require only one minimally covering NSEC or NSEC3 record, allow online signing servers to minimize signing operations and response sizes, and prevent zone content disclosure. This document updates RFC 4034 and 4035.
Public *
Carlos Rodrigues 🪣

I don't usually post about work-related stuff, but here's something...

The state of DNSSEC on the wider Internet is sad, to say the least. Most large services don't sign their domains and most OSes can't do validation —
"systemd-resolved" can, but not by default.

It looks better regarding encryption at the OS level but, again, not by default.

Combining these two, not even 0.5% of queries are fully protected from tampering.

blog.cloudflare.com/new-dns-se 📜
radar.cloudflare.com/dns 📈

Two graphs from Cloudflare Radar. One shows the fraction of DNS queries (over time) from clients that announce themselves as being DNSSEC-aware (capable of validating answers signed with DNSSEC). The other shows the fraction of queries considered fully protected from tampering (where the domain is DNSSEC-signed, and the client is able to validate that, or deferred validation to 1.1.1.1 and used encryption instead). The former shows an average of 11% DNSSEC-awareness. The latter shows 0.3% protected from tampering.
#dns#dnssec
Public
Cloudflare Radar

In addition to global, location, and ASN-level DNS traffic trends on the new DNS page on Cloudflare Radar, we are also providing perspectives on protocol usage, query/response characteristics, and #DNSSEC usage.

Read the announcement blog post at blog.cloudflare.com/new-dns-se and check out the new page at radar.cloudflare.com/dns

The Cloudflare Blog · Some TXT about, and A PTR to, new DNS insights on Cloudflare RadarThe new Cloudflare Radar DNS page provides increased visibility into aggregate traffic and usage trends seen by our 1.1.1.1 resolver. In addition to global, location, and ASN traffic trends, we are also providing perspectives on protocol usage, query/response characteristics, and DNSSEC usage.
Public
SIDN

Vanuit de DNS-wereld klinkt nog weleens kritiek op DNSSEC, onder meer vanwege de complexiteit. We bespreken de belangrijkste kritiekpunten en laten zien dat DNSSEC probleemloos ingezet kan worden in grootschalige kritische toepassingen. sidn.nl/nieuws-en-blogs/geen-v
#DNSSEC #DNS #SIDN

Banner-insecure-internet
SIDN - Het bedrijf achter .nlGeen van grootste internetdiensten beveiligd met DNSSEC | Cybersecurity | SIDNVanuit de DNS-wereld klinkt nog weleens kritiek op DNSSEC. De belangrijkste punten zijn de complexiteit van het protocol, de slechte adoptie ervan door de markt en de veroudering van het ontwerp. In dit artikel bespreken we de belangrijkste kritiekpunten en laten we zien dat DNSSEC probleemloos ingezet kan worden in grootschalige kritische toepassingen.
Public
nan0

Does anyone has a contact to the Joint Research Centre (#JRC) [0] or My Email Communications Security Assessment (#MECSA) [1] (both from the #EU)?

I find the tool great... if it would parse #SPF/#IPv6 correctly und actually check for #DNSSEC...

I've tried emailing them, but no response :/

Links:
[0]: joint-research-centre.ec.europ
[1]: mecsa.jrc.ec.europa.eu/

EU Science Hub
EU Science HubEU Science Hub homepageThe EU Science Hub - the website of the Joint Research Centre (JRC), the European Commission's science and knowledge service, providing scientific evidence throughout the whole policy cycle.
ExploreLive feeds
About