social.dk-libre.fr is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
RFC 9824: Compact Denial of Existence in DNSSEC
This #RFC allows a domain name to be both existent and non-existent. More precisely, it allows a cryptographic proof to be provided with #DNSSEC, proving that the name exists (when in fact it does not) but has no data of the requested type. This technique is particularly well suited to dynamic (on-the-fly) signing, but has the drawback of "lying".
@gregr Hmmm, DNSviz https://dnsviz.net/d/hlaor.realtor/aTEk-A/dnssec/ and Zonemaster https://zonemaster.fr/en/result/4a67792402b3ec73 don't see a problem either. Should we accuse them of laxity?
RE: https://mastodns.net/@diffroot/115657783055191749
Mali going secure!
Third TLD to use #ed25519. Second one to publish its first DS directly with this algorithm.
\o/
(poke @camille )
Now that RFC 9905 has been published, it's time to check whether there are still TLDs using the deprecated algorithms 5 and 7.
$ dig +tcp @c.root-servers.net axfr . > root.zone
$ grep -P 'IN\tDS' root.zone | grep ' 5 ' | wc -l
0
$ grep -P 'IN\tDS' root.zone | grep ' 7 ' | awk '{ print $1}' | sort -u | idn2 -d
gd.
kpn.
la.
samsung.
삼성.
پاکستان.
ລາວ.
Aaaaand... Still seven domains using RSASHA1-NSEC3-SHA1
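The grep/awk/idn2 pipeline above, as an added offline example (not code from the post): it parses DS records from a zone excerpt, maps the algorithm numbers to their registry names so that RFC 9905's deprecated RSASHA1 (5) and RSASHA1-NSEC3-SHA1 (7) stand out, and decodes IDN labels the way `idn2 -d` does. The zone excerpt, key tags and digests are constructed for illustration and are not real root-zone data.

```python
"""Audit the DNSKEY algorithms referenced by DS records in a zone file.

Added example, not part of the post above: it re-implements the grep/awk/idn2
pipeline as an offline Python script and maps algorithm numbers to names so
that the algorithms deprecated by RFC 9905 (RSASHA1 = 5 and
RSASHA1-NSEC3-SHA1 = 7) stand out. The zone excerpt below is constructed for
illustration; the names, key tags and digests are not real root-zone data.
"""
from collections import defaultdict

# DNSKEY algorithm numbers from the IANA "DNS Security Algorithm Numbers" registry.
ALGORITHM_NAMES = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}
DEPRECATED_ALGORITHMS = {5, 7}  # deprecated by RFC 9905

# Constructed sample in the tab-separated presentation format dig uses for AXFR.
SAMPLE_ZONE = """\
example.\t86400\tIN\tDS\t12345 8 2 0123456789ABCDEF
example.\t86400\tIN\tDS\t12345 8 1 0123456789ABCDEF
example.\t172800\tIN\tNS\tns1.example.
legacy.\t86400\tIN\tDS\t23456 7 2 0123456789ABCDEF
legacy.\t86400\tIN\tDS\t23456 7 1 0123456789ABCDEF
older.\t86400\tIN\tDS\t34567 5 2 0123456789ABCDEF
xn--cg4bki.\t86400\tIN\tDS\t45678 7 2 0123456789ABCDEF
modern.\t86400\tIN\tDS\t56789 15 2 0123456789ABCDEF
"""


def parse_ds_records(zone_text):
    """Yield (owner, key_tag, algorithm, digest_type) for every DS record."""
    for line in zone_text.splitlines():
        fields = line.split()
        # owner ttl class type key_tag algorithm digest_type digest
        if len(fields) < 8 or fields[2] != "IN" or fields[3] != "DS":
            continue
        key_tag, algorithm, digest_type = (int(f) for f in fields[4:7])
        yield fields[0], key_tag, algorithm, digest_type


def to_unicode(owner):
    """Decode IDNA (xn--) labels to Unicode, like `idn2 -d` in the post."""
    labels = []
    for label in owner.rstrip(".").split("."):
        if label.lower().startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels) + "."


def algorithms_by_owner(zone_text):
    """Map each delegation to the set of DNSKEY algorithms its DS RRset references."""
    algs = defaultdict(set)
    for owner, _tag, algorithm, _digest_type in parse_ds_records(zone_text):
        algs[owner].add(algorithm)
    return dict(algs)


def deprecated_delegations(zone_text, deprecated=DEPRECATED_ALGORITHMS):
    """Sorted Unicode owner names whose DS RRset references a deprecated algorithm."""
    return sorted(
        to_unicode(owner)
        for owner, algs in algorithms_by_owner(zone_text).items()
        if algs & deprecated
    )


def report(zone_text):
    """One line per delegation, flagging deprecated algorithms."""
    lines = []
    for owner, algs in sorted(algorithms_by_owner(zone_text).items()):
        names = ", ".join(f"{a} ({ALGORITHM_NAMES.get(a, 'unassigned/unknown')})"
                          for a in sorted(algs))
        flag = "  <-- deprecated by RFC 9905" if algs & DEPRECATED_ALGORITHMS else ""
        lines.append(f"{to_unicode(owner):<16} {names}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ZONE))
```

Feed it the real root zone with `dig +tcp @c.root-servers.net axfr . > root.zone` and `report(open("root.zone").read())`; grouping by owner matters because a TLD in the middle of an algorithm rollover legitimately publishes DS records for two algorithms at once, and only the set tells you whether the old one is still in play.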
Ultimately I'd prefer a more decentralised system with a "n out of m" architecture. With more than one root key holder, geographically and politically distributed, where you (as user) can declare which root keys you trust. But that is a more complicated discussion for another time. Having one Ceremony Room and the respective amount of key holders that are NOT under US jurisdiction seems to be an achievable and justified goal, in my personal opinion
3/3
I very well remember the discussions on this question when DNSSEC was introduced back in the days. And while the current system has served us all well in the past years, this fundamental question remains. And now that we have a more complicated world, we should recognise that this is a centralised element that is under the sole jurisdiction of one country that has moved towards more exclusionary, maybe even discriminatory policies.
2/3
I hope there are some discussions on either moving one of the Ceremony Rooms (AKA Key Management Facilities) to another region/country or maybe add one more outside of the US. Having the responsibility for the DNSSEC root key material in one single country under more and more untrustworthy leadership looks like a risk to me that should be addressed. My personal preference would be a Ceremony Room on UN properties in Geneva.
1/3
https://technotes.seastrom.com/2025/11/23/passing-the-torch.html
Thanks to @jpmens we now have documentation for Cascade describing how to integrate with a Nitrokey NetHSM to store your DNSSEC keys.
Thanks a lot! 🧡
Today's reminder that, if you do #DNSSEC, it is not essential to have both a ZSK and a KSK. A single key is perfectly possible and safe. https://dnsviz.net/d/xn--potamochre-66a.fr/aQnuZg/dnssec/
I have already talked about #Cascade, software from @nlnetlabs currently in development, which automates a number of the tasks #DNSSEC requires, such as re-signing or key rollover. The project is moving fast, so let's look at a few new trials.
https://www.bortzmeyer.org/cascade-deux.html
Just before the weekend starts, we're happy to introduce Cascade 0.1.0-alpha3 'Rue des Cascades'. 🚏
This release of our stand-alone #DNSSEC signer primarily expands the documentation, but also fixes a few important bugs.
Our plan is to do one or two more alpha releases and then focus on the road ahead toward betas and production.
Once again, many thanks to everyone who provided feedback, in particular @jpmens, @bortzmeyer and @oli. 🧡
https://github.com/NLnetLabs/cascade/releases/tag/v0.1.0-alpha3
Unbound 1.24.1 is now available.
This security release fixes CVE-2025-11411.
Several multi-vendor cache poisoning vulnerabilities have been discovered in caching resolvers for non-DNSSEC protected data. Unbound is vulnerable in some of these cases, which could lead to domain hijacking.
Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies, mitigating the possible poison effect.
https://nlnetlabs.nl/news/2025/Oct/22/unbound-1.24.1-released/
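A simplified model of the kind of reply scrubbing the release note describes, as an added example: this is illustrative code, not Unbound's, and the poisoned reply it runs on is constructed. Records are (owner, type, rdata) tuples; "bailiwick" is the zone the queried server is authoritative for. An NS RRset in the authority section is kept only when it sits inside that bailiwick and is a real referral for the query name (its owner is the query name or an ancestor of it); address records survive only as glue for an NS target that survived.

```python
"""Scrub unsolicited NS RRsets and their glue from a DNS response.

Added example, not Unbound's code: a simplified model of the response
sanitisation described in the release note above. Records are (owner, type,
rdata) tuples, names are absolute with a trailing dot, and the response below
is constructed to show a poisoning attempt. "Bailiwick" is the zone the queried
server is authoritative for; anything it says about names outside that zone is
hearsay and must not enter the cache.
"""


def labels(name):
    """Lower-cased labels of an absolute name, without the empty root label."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def canonical(name):
    return ".".join(labels(name)) + "."


def is_subdomain(name, zone):
    """True when name equals zone or lies below it ("." is the parent of all)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def scrub_response(response, qname, bailiwick):
    """Return a copy of response with unsolicited NS RRsets and orphan glue removed.

    An authority-section NS RRset is solicited only when its owner is inside the
    bailiwick *and* is the query name or an ancestor of it (a real referral);
    a delegation for some other name is unsolicited and is dropped. Address
    records in the additional section survive only as glue for an NS target
    that survived, and only if they are inside the bailiwick themselves.
    """
    answer = [rr for rr in response.get("answer", [])
              if is_subdomain(rr[0], bailiwick)]

    authority = []
    for rr in response.get("authority", []):
        owner, rtype, _rdata = rr
        if not is_subdomain(owner, bailiwick):
            continue  # out of bailiwick: never trust it
        if rtype == "NS" and not is_subdomain(qname, owner):
            continue  # unsolicited delegation: the poison vector
        authority.append(rr)

    ns_targets = {canonical(rdata) for _o, rtype, rdata in answer + authority
                  if rtype == "NS"}

    additional = []
    for rr in response.get("additional", []):
        owner, rtype, _rdata = rr
        if not is_subdomain(owner, bailiwick):
            continue
        if rtype in ("A", "AAAA") and canonical(owner) not in ns_targets:
            continue  # address record that is glue for nothing we kept
        additional.append(rr)

    return {"answer": answer, "authority": authority, "additional": additional}


# Constructed reply from a server for example.com. to the query "www.example.com. A".
POISONED_REPLY = {
    "answer": [("www.example.com.", "A", "192.0.2.10")],
    "authority": [
        ("example.com.", "NS", "ns1.example.com."),           # legitimate
        ("example.net.", "NS", "ns.attacker.example."),       # out of bailiwick
        ("shop.example.com.", "NS", "ns.attacker.example."),  # in bailiwick, not asked for
    ],
    "additional": [
        ("ns1.example.com.", "A", "192.0.2.1"),               # glue for the kept NS
        ("ns.attacker.example.", "A", "203.0.113.66"),        # would hijack the names above
    ],
}


if __name__ == "__main__":
    clean = scrub_response(POISONED_REPLY, "www.example.com.", "example.com.")
    for section, rrs in clean.items():
        for rr in rrs:
            print(section, *rr)
```

The check is only needed for data a validator cannot verify: a DNSSEC-signed NS RRset planted out of bailiwick would fail signature validation anyway, which is why the advisory scopes the problem to non-DNSSEC protected data.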
🚀 Cascade v0.1.0-alpha2 'Cascader la Vertu' is now available!
Over the last week we diligently processed your feedback to fix bugs, clarify error messages, add commands, improve performance, expand documentation and much, much more.
Read the release notes for all the details!
Note that you cannot simply upgrade from alpha1, read the installation docs for details.
Many thanks to everyone who provided feedback, particularly @jpmens and @bortzmeyer. 🧡
https://github.com/NLnetLabs/cascade/releases/tag/v0.1.0-alpha2
Let us all pity together the new registrar (Bureau d'Enregistrement) for my domain names, whom I am bombarding with tickets.
The #DNS community is amazing because people like @bortzmeyer will take your alpha software, turn it inside out, blog about it in French and then give you meticulous feedback on your work.
As a result, a stand-out feature of Cascade—the Review Hooks—has now made it into the documentation using an example provided by Stéphane: using `validns` to validate the unsigned zone, and `dnssec-verify` to validate the signed zone.
https://cascade.docs.nlnetlabs.nl/en/latest/review-hooks.html
Docs with 🧡 by @themozzie
#DNSSEC #OpenSource
We're incredibly grateful for the feedback we're receiving on the first alpha release of Cascade. Please keep an eye on the issues that were created so far, and the milestone we set for the next release:
https://github.com/NLnetLabs/cascade/milestone/2
We are aiming for the end of this week for alpha2. Meanwhile, the documentation is growing every day.
Officially announced on 7 October, #Cascade is the successor to #OpenDNSSEC. This program automatically handles the repetitive operations #DNSSEC requires, such as re-signing or key rollover. First trials: https://www.bortzmeyer.org/cascade-debut.html
Because @jpmens is absolutely awesome, we now have Cascade documentation for integrating with the Smartcard-HSM.
https://cascade.docs.nlnetlabs.nl/en/latest/smartcard-hsm.html
In case you missed Verisign's presentation on Post-Quantum Diversity for #DNSSEC at #OARC45 yesterday, it mentions the use of Jannik Peters’ master's thesis for the University of Amsterdam.
Jannik has since joined NLnet Labs full-time and is both on the Cascade team *and* gave you support for AF_XDP sockets in NSD.
We feel so blessed to have so much bright young talent on the team now.
Cascade feedback is already rolling in!
https://github.com/NLnetLabs/cascade/issues
Thank you, this is what makes the DNS community great.
Live from DNS-OARC 45, happy Cascade launch day everyone! 🚀
There are now alpha packages available for Debian, Ubuntu, RHEL and derivatives.
If you can’t wait for Arya’s presentation and demo at 16:35 CEST, you can already try to follow our installation and quick start guide in the documentation.
https://cascade.docs.nlnetlabs.nl/
Who will be the first person to show the log output of a zone signed with Cascade — will it be @jpmens, @bortzmeyer or a surprise challenger?
For a start, the domain used for the hands-on exercises works. https://dnsviz.net/d/courbu.re/aN4hFw/dnssec/
One more straw on the #DNS camel's back! Yay! \o/
Compact Denial of Existence in #DNSSEC is finally published as RFC 9824
Introducing a new EDNS header flag: CO (Compact Answers OK). As it's the first time a new one is added, it will surely run smoothly with stupid middleboxes \o/
It additionally adds more traditional stuff: a new RR type (NXNAME) and a new EDE (Invalid Query Type).
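The mechanism behind both RFC 9824 posts on this page (the summary near the top and this one), as an added illustration that is not code from the RFC or from any signer. The authoritative side answers a negative query with a single NSEC whose owner is the query name itself and whose Next Domain Name is the name immediately following it in canonical order, so the record can be signed on the fly; the type bitmap is where the "lie" lives, and the NXNAME pseudo-type is what lets an RFC 9824-aware validator decode it. The CO flag is modelled as a boolean; the actual EDNS flag bit, the NXNAME type code and the EDE code number are not reproduced here, and the zone contents are constructed.

```python
"""Compact Denial of Existence (RFC 9824) on both sides, in miniature.

Added example, an illustration rather than code from the RFC or from any
signer. The authoritative side answers a negative query with one NSEC record
whose owner is the query name itself and whose Next Domain Name is the name
immediately following it in canonical order (the query name with a leading
\\000 label), so the record can be signed on the fly without walking the zone.
The type bitmap is where the "lie" lives: it asserts the name exists; the
NXNAME pseudo-type tells an RFC 9824-aware validator that it does not.
The CO (Compact Answers OK) EDNS flag is modelled as a boolean; the actual
flag bit, the NXNAME type code and the EDE code are not reproduced here.
The zone is constructed; RRSIG generation is omitted.
"""

# Constructed sample zone: owner -> set of RR types present at that name.
ZONE = {
    "example.": {"SOA", "NS", "DNSKEY"},
    "www.example.": {"A", "AAAA"},
    "a.b.example.": {"TXT"},      # makes b.example. an empty non-terminal (ENT)
}


def name_status(zone, qname):
    """'exists', 'ent' (name exists only as a parent of other names) or 'nxdomain'."""
    q = qname.lower()
    if q in zone:
        return "exists"
    if any(owner.endswith("." + q) for owner in zone):
        return "ent"
    return "nxdomain"


def next_closer_name(qname):
    """The name immediately after qname in canonical order: prepend a \\000 label."""
    return "\\000." + qname


def compact_answer(zone, qname, qtype, co_flag=False):
    """Authoritative side: (rcode, nsec) for a query that has no positive answer.

    nsec is (owner, next_name, type_bitmap). With CO set by the querier, the
    server may use the real NXDOMAIN rcode; otherwise it says NOERROR, because
    a legacy validator would reject NXDOMAIN paired with an NSEC whose owner is
    the query name itself.
    """
    if qtype == "NXNAME":
        # RFC 9824: NXNAME is a pseudo-type; such queries get the "Invalid Query Type" EDE.
        raise ValueError("NXNAME is a pseudo-type and cannot be queried")
    status = name_status(zone, qname)
    if status == "exists":
        types = zone[qname.lower()]
        if qtype in types:
            raise ValueError("positive answer, no denial needed")
        bitmap = sorted(types | {"NSEC", "RRSIG"})
    elif status == "ent":
        bitmap = ["NSEC", "RRSIG"]            # ENT signal: nothing else lives here
    else:
        bitmap = ["NSEC", "NXNAME", "RRSIG"]  # the name does not exist at all
    rcode = "NXDOMAIN" if (co_flag and status == "nxdomain") else "NOERROR"
    return rcode, (qname, next_closer_name(qname), bitmap)


def interpret(nsec, qname, qtype):
    """Validator side (after the RRSIG over nsec has been verified)."""
    owner, next_name, bitmap = nsec
    if owner.lower() != qname.lower() or next_name != next_closer_name(qname):
        return "not a compact denial for this name"
    if "NXNAME" in bitmap:
        return "NXDOMAIN"   # the lie decoded: the name does not exist
    if qtype in bitmap:
        return "bogus"      # bitmap claims the type is present, yet no data came
    return "NODATA"


if __name__ == "__main__":
    for q, t in (("nope.example.", "A"), ("www.example.", "MX"), ("b.example.", "A")):
        rcode, nsec = compact_answer(ZONE, q, t)
        print(q, t, rcode, nsec, "->", interpret(nsec, q, t))
```

The practical consequence for operators is the one the posts hint at: a resolver that does not know NXNAME will cache a NODATA answer, not NXDOMAIN, for a non-existent name, and anything downstream that keys off the NXDOMAIN rcode (monitoring, wildcard detection, some mail anti-abuse checks) sees the lie rather than the truth unless it sets CO.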
@bortzmeyer @benno @alexband We love your enthusiasm, but right now we're putting together all the components that make up Cascade. By the time @dnsoarc 45 comes around, we'll have a package for you that you can just run.
We've got the scaffolding for the installation documentation sitting in a Pull Request here: https://cascade-signer--41.org.readthedocs.build/en/41/installation.html
Tuesday, we dropped our report with insights from 16 top-level domain operators.
Yesterday, we launched Cascade — NLnet Labs’ Rust-built successor to OpenDNSSEC, shaped by what keeps TLDs up at night.
Today, we’re kicking off a series of ultrashort videos where @benno and @alexband break down what makes Cascade different.
First up: the #1 request from the community — observability, please.
We heard you.
🚨 Announcing Cascade — DNSSEC signing, rebuilt from the ground up.
With 25 years of #DNS experience, we set the standard with #DNSSEC signing that delivers under pressure.
Cascade is how we carry the legacy forward.
Explore Cascade at https://blog.nlnetlabs.nl/cascade/
Unbox with us.
Cascade debuts live October 7 @ @dnsoarc 45, Stockholm.
We’ll show you what’s under the hood — and why this changes everything.
A huge thanks to the DNS community for making Cascade possible!
#rustlang #OpenSource
Tomorrow we drop details on the DNSSEC signer we built.
Today, we're dropping the pretence.
Before we wrote a line of code, we asked 16 TLDs:
"What keeps you up at night?"
We expected shop talk.
We got meaningful discussions that taught us DNSSEC in 2025 isn’t just a tech issue.
It’s a control issue.
And the fear of losing it is real.
👉 Read the full report: https://blog.nlnetlabs.nl/dnssec-operations-in-2026-what-keeps-16-tlds-up-at-night/
#IETF Pecha-Kucha (funny talk) of Barbara Jantzen at the last meeting, about #DNSSEC. Next time you have a DNSSEC issue, watch the video. https://www.youtube.com/watch?v=7mQ5x7Jpj4I
(For my French-speaking followers: a good level of English is required.)
A #DNSSEC error I had never seen in the wild before. Discrepancy between the "original TTL" field of the signature and the real original TTL.
https://dnsviz.net/d/culture.gouv.fr/aLmmXA/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=
(Look hard, it happens only with one of the three NSEC3 records.)
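A checker for the class of error seen in that DNSViz output, as an added example that is not code from the post: RFC 4034 requires the TTL of an RRSIG RR to equal the TTL of the RRset it covers, and the RRSIG's Original TTL field to carry the TTL of that RRset as it stands in the authoritative zone (validators rebuild the canonical RRset from it before verifying the signature). The script parses presentation-format records and reports both kinds of mismatch; the NSEC3 records, hashes and signature material below are constructed placeholders.

```python
"""Check RRSIG TTL consistency in a zone: the error seen in the post above.

Added example, not from the post: RFC 4034 requires the TTL of an RRSIG RR to
equal the TTL of the RRset it covers, and the RRSIG's Original TTL field to
carry the TTL of that RRset as it stands in the authoritative zone (validators
use it to rebuild the canonical RRset before verifying the signature). This
script parses presentation-format records and reports both kinds of mismatch.
The NSEC3 records and signatures below are constructed; the hashed owner
names and signature material are placeholders.
"""
from collections import defaultdict

SAMPLE_RECORDS = """\
; constructed excerpt: three NSEC3 RRsets, one with a wrong Original TTL, one with a wrong RRSIG TTL
aaaa.example. 3600 IN NSEC3 1 0 0 - BBBB A RRSIG
aaaa.example. 3600 IN RRSIG NSEC3 13 2 3600 20251201000000 20251101000000 12345 example. c2lnMQ==
bbbb.example. 3600 IN NSEC3 1 0 0 - CCCC NS SOA RRSIG DNSKEY NSEC3PARAM
bbbb.example. 3600 IN RRSIG NSEC3 13 2 7200 20251201000000 20251101000000 12345 example. c2lnMg==
cccc.example. 3600 IN NSEC3 1 0 0 - AAAA A AAAA RRSIG
cccc.example. 1800 IN RRSIG NSEC3 13 2 3600 20251201000000 20251101000000 12345 example. c2lnMw==
"""


def parse_records(text):
    """Yield (owner, ttl, type, rdata_fields) for each non-comment line."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        yield owner.lower(), int(ttl), rtype, rdata


def find_ttl_discrepancies(text):
    """Return (owner, covered_type, problem, rrset_ttl, offending_value) tuples."""
    rrset_ttl = {}               # (owner, type) -> TTL of the covered RRset
    rrsigs = defaultdict(list)   # (owner, covered type) -> [(rrsig_ttl, original_ttl)]
    for owner, ttl, rtype, rdata in parse_records(text):
        if rtype == "RRSIG":
            # RRSIG RDATA: type covered, algorithm, labels, original TTL, expiration,
            # inception, key tag, signer name, signature (RFC 4034 section 3.1)
            covered, original_ttl = rdata[0], int(rdata[3])
            rrsigs[(owner, covered)].append((ttl, original_ttl))
        else:
            rrset_ttl[(owner, rtype)] = ttl  # RRs of one RRset share a TTL (RFC 2181)

    problems = []
    for key, sigs in rrsigs.items():
        if key not in rrset_ttl:
            problems.append((*key, "signature without covered RRset", None, None))
            continue
        ttl = rrset_ttl[key]
        for rrsig_ttl, original_ttl in sigs:
            if rrsig_ttl != ttl:
                problems.append((*key, "RRSIG TTL differs from RRset TTL", ttl, rrsig_ttl))
            if original_ttl != ttl:
                problems.append((*key, "Original TTL field differs from RRset TTL", ttl, original_ttl))
    return problems


if __name__ == "__main__":
    for owner, rtype, problem, expected, got in find_ttl_discrepancies(SAMPLE_RECORDS):
        print(f"{owner} {rtype}: {problem} (RRset TTL {expected}, got {got})")
```

Run it against data fetched from an authoritative server (or the zone file itself), not from a cache: a cache decrements the RRset and RRSIG TTLs together, which keeps the first check valid, but the Original TTL field never changes, so the second check would report every cached record.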
The industry loves to boast about “five nines” availability — 99.999%. That sounds impressive: just five minutes of downtime a year.
But #DNS isn’t like most industries. Read more about today’s TLD challenges in our blog post The Illusion of Five Nines. https://blog.nlnetlabs.nl/the-illusion-of-five-nines/
#nomDeDomaine Changing registrar (BE, Bureau d'Enregistrement): what does it involve in practice? A very detailed and very insightful account by a registrant who wants to escape Gandi's price increases https://shaarli.guiguishow.info/?hCft1w