social.dk-libre.fr is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
The case of the missing WALLET
What I make sound like an adventure story is not something I am making fun of; having a domain kaputted by something like this sucks big time.
https://lists.opendnssec.org/pipermail/opendnssec-user/2025-November/004796.html
The full story, by @bortzmeyer, in French at https://www.bortzmeyer.org/dnssec-panne-perso.html
My go-to example for a zone signed with a flags=256 CSK only, .co.uk, appears to be going ZSK/KSK as was whispered to me some weeks ago in https://jpmens.net/2025/05/19/migrating-bind9-auto-dnssec-to-dnssec-policy/
(Note to self: need bigger phone)
Today's reminder that, if you do #DNSSEC, it is not essential to have both a ZSK and a KSK. A single key is perfectly possible and safe. https://dnsviz.net/d/xn--potamochre-66a.fr/aQnuZg/dnssec/
I have already talked about #Cascade, software from @nlnetlabs currently under development, which automates a number of tasks required for #DNSSEC such as re-signing or key replacement. The project is moving fast, so let's look at some new tests.
https://www.bortzmeyer.org/cascade-deux.html
Looking forward to presenting @nlnetlabs’ research on TLD operations in the #DNSSEC and Security Workshop at #ICANN84, starting today at 13:15 hrs UTC.
Just before the weekend starts, we're happy to introduce Cascade 0.1.0-alpha3 'Rue des Cascades'. 🚏
This release of our stand-alone #DNSSEC signer primarily expands the documentation, but also fixes a few important bugs.
Our plan is to do one or two more alpha releases and then focus on the road ahead toward betas and production.
Once again, many thanks to everyone who provided feedback, in particular @jpmens, @bortzmeyer and @oli. 🧡
https://github.com/NLnetLabs/cascade/releases/tag/v0.1.0-alpha3
@bortzmeyer @jpmens @themozzie @terts @bal4e Our original plan was to gather all fixes and improvements we have merged in Cascade 0.1.0-alpha3 today, but we feel it better to first fully understand and resolve issue #252 before proceeding.
We intend to get Cascade to an alpha stage where it does all the basic operations correctly in a predictable manner. Then we'll pause the alphas, while we plan and execute the path towards beta and production releases.
#DNS #DNSSEC #ProductDevelopment #ProductManagement #rustlang #OpenSource
Unbound 1.24.1 is now available.
This security release fixes CVE-2025-11411.
Several multi-vendor cache poisoning vulnerabilities have been discovered in caching resolvers for non-DNSSEC protected data. Unbound is vulnerable for some of these cases that could lead to domain hijacking.
Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect.
https://nlnetlabs.nl/news/2025/Oct/22/unbound-1.24.1-released/
🚀 Cascade v0.1.0-alpha2 'Cascader la Vertu' is now available!
Over the last week we diligently processed your feedback to fix bugs, clarify error messages, add commands, improve performance, expand documentation and much, much more.
Read the release notes for all the details!
Note that you cannot simply upgrade from alpha1, read the installation docs for details.
Many thanks to everyone who provided feedback, particularly @jpmens and @bortzmeyer. 🧡
https://github.com/NLnetLabs/cascade/releases/tag/v0.1.0-alpha2
@bortzmeyer there's @lebureau_coop, who are spot-on for #DNSSEC. I didn't even have time to check that everything worked.
Let us all together pity my domain names' new registrar, whom I am swamping with lots of tickets.
The #DNS community is amazing because people like @bortzmeyer will take your alpha software, turn it inside out, blog about it in French and then give you meticulous feedback on your work.
As a result, a stand-out feature of Cascade—the Review Hooks—has now made it into the documentation using an example provided by Stéphane: using `validns` to validate the unsigned zone, and `dnssec-verify` to validate the signed zone.
https://cascade.docs.nlnetlabs.nl/en/latest/review-hooks.html
Docs with 🧡 by @themozzie
#DNSSEC #OpenSource
Thank you @paulehoffman and Fujiwara-san for RFC 9499 “DNS Terminology”.
I’ve used it as the basis for a glossary in the documentation of @nlnetlabs’ new DNSSEC signer, Cascade.
It's incredibly helpful when creating a comprehensive user guide to have all these terms available as a reference. 🙏
We're incredibly grateful for the feedback we're receiving on the first alpha release of Cascade. Please keep an eye on the issues that were created so far, and the milestone we set for the next release:
https://github.com/NLnetLabs/cascade/milestone/2
We're aiming for the end of this week for alpha2. Meanwhile, the documentation is growing every day.
@bortzmeyer @jpmens Your stance on compiling alphas and betas gets a lot of respect from the @nlnetlabs dev team!
With regards to the comments about Cascade waiting to display the DS record, this is not by design. We currently lack commands to get the DS (and DNSKEY, CDS, CDNSKEY) records out of keyset and show them to the user. We’ll add this in an upcoming release.
Here's what we have lined up so far, with more to come:
https://github.com/NLnetLabs/cascade/milestone/2
@bortzmeyer @jpmens Thanks a lot for sharing your experiences with Cascade.
We have a couple of questions. First is why you compiled the Rust code yourself, instead of using a Deb/RPM package. Is that a matter of preference or do you use a platform we don’t offer packages for?
Officially announced on October 7, #Cascade is the successor to #OpenDNSSEC. This program automatically manages the repetitive operations related to #DNSSEC such as re-signing or replacing a key. First tests: https://www.bortzmeyer.org/cascade-debut.html
Because @jpmens is absolutely awesome, we now have Cascade documentation for integrating with the Smartcard-HSM.
https://cascade.docs.nlnetlabs.nl/en/latest/smartcard-hsm.html
In case you missed Verisign's presentation on Post-Quantum Diversity for #DNSSEC at #OARC45 yesterday, it mentions the use of Jannik Peters’ master's thesis for the University of Amsterdam.
Jannik has since joined NLnet Labs full-time and is both on the Cascade team *and* gave you support for AF_XDP sockets in NSD.
We feel so blessed to have so much bright young talent on the team now.
Cascade feedback is already rolling in!
https://github.com/NLnetLabs/cascade/issues
Thank you, this is what makes the DNS community great.
Live from DNS-OARC 45, happy Cascade launch day everyone! 🚀
There are now alpha packages available for Debian, Ubuntu, RHEL and derivatives.
If you can’t wait for Arya’s presentation and demo at 16:35 CEST, you can already try to follow our installation and quick start guide in the documentation.
https://cascade.docs.nlnetlabs.nl/
Who will be the first person to show the log output of a zone signed with Cascade — will it be @jpmens, @bortzmeyer or a surprise challenger?
For a start, the domain used for the hands-on exercises works. https://dnsviz.net/d/courbu.re/aN4hFw/dnssec/
@beasts @onepict Thanks for joining the panel! These kinds of funds are an absolute life saver for the #OpenSource community.
Maintaining our existing #DNS product portfolio is relatively sustainable for a #NonProfit like ours, but doing something new to stay current and relevant, like we're now doing with our #DNSSEC signer Cascade, is incredibly difficult.
📢 One day to go before the webinar on the DNSSEC protocol
🤔 Want to know how to deploy DNSSEC and protect yourself against the hijacking of DNS responses?
📅 Thursday, September 25, from 14:00 to 15:00, join our free webinar organized by Afnic and presented by Stéphane Bortzmeyer, Michaël Timbert and Lotfi Benyelles.
🔗 To register: https://webikeo.fr/landing/protocole-dnssec-comment-le-deployer-et-prevenir-le-detournement-des-reponses-dns/14130
One more straw on the #DNS camel's back! Yay! \o/
Compact Denial of Existence in #DNSSEC is finally published as RFC 9824
Introducing a new EDNS header flag: CO (Compact Answers OK). As it's the first time a new one is added, it will surely run smoothly with stupid middleboxes \o/
It additionally adds more traditional stuff: a new RR (NXNAME) and a new EDE (Invalid Query Type)
@bortzmeyer @nlnetlabs @benno Maybe wait talking about it on TV until you can show a DNSViz result of a domain signed by Cascade? #RealSoonNow #DNS #DNSSEC
@bortzmeyer @nlnetlabs @benno @dnsoarc We'll do a live demo on stage at OARC45—what could possibly go wrong? 😉
So after that, we look forward to you running Cascade through its paces and giving us your honest feedback.
That should put us in a position to cross all the t's and dot all the i's before the first production release, towards the end of the year.
@bortzmeyer @benno @alexband We love your enthusiasm, but right now we're putting together all the components that make up Cascade. By the time @dnsoarc 45 comes around, we'll have a package for you that you can just run.
We've got the scaffolding for the installation documentation sitting in a Pull Request here: https://cascade-signer--41.org.readthedocs.build/en/41/installation.html
It seems that #dnsmasq silently enables "filterwin2k" when "dnssec" is enabled, which filters SRV and TLSA records. In short, I dropped dnsmasq for #DNS and replaced it with #unbound
#DNSSEC #DefectiveByDesign #BugAsAFeature CC @bortzmeyer @shaft
Tuesday, we dropped our report with insights from 16 top-level domain operators.
Yesterday, we launched Cascade — NLnet Labs’ Rust-built successor to OpenDNSSEC, shaped by what keeps TLDs up at night.
Today, we’re kicking off a series of ultrashort videos where @benno and @alexband break down what makes Cascade different.
First up: the #1 request from the community — observability, please.
We heard you.
🚨 Announcing Cascade — DNSSEC signing, rebuilt from the ground up.
With 25 years of #DNS experience, we set the standard with #DNSSEC signing that delivers under pressure.
Cascade is how we carry the legacy forward.
Explore Cascade at https://blog.nlnetlabs.nl/cascade/
Unbox with us.
Cascade debuts live October 7 @ @dnsoarc 45, Stockholm.
We’ll show you what’s under the hood — and why this changes everything.
A huge thanks to the DNS community for making Cascade possible!
#rustlang #OpenSource
Tomorrow we drop details on the DNSSEC signer we built.
Today, we're dropping the pretence.
Before we wrote a line of code, we asked 16 TLDs:
"What keeps you up at night?"
We expected shop talk.
We got meaningful discussions that taught us DNSSEC in 2025 isn’t just a tech issue.
It’s a control issue.
And the fear of losing it is real.
👉 Read the full report: https://blog.nlnetlabs.nl/dnssec-operations-in-2026-what-keeps-16-tlds-up-at-night/
#IETF Pecha-Kucha (funny talk) of Barbara Jantzen at the last meeting, about #DNSSEC. Next time you have a DNSSEC issue, watch the video. https://www.youtube.com/watch?v=7mQ5x7Jpj4I
(For my French-speaking followers: good level of English required.)
A #DNSSEC error I had never seen in the wild before. Discrepancy between the "original TTL" field of the signature and the real original TTL.
https://dnsviz.net/d/culture.gouv.fr/aLmmXA/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=
(Look hard, it happens only with one of the three NSEC3 records.)
The industry loves to boast about “five nines” availability — 99.999%. That sounds impressive: just five minutes of downtime a year.
But #DNS isn’t like most industries. Read more about today’s TLD challenges in our blog post The Illusion of Five Nines. https://blog.nlnetlabs.nl/the-illusion-of-five-nines/
🤔 How do you deploy DNSSEC and guard against the hijacking of DNS responses?
📅 Free webinar organized by Afnic on Thursday, September 25, with Stéphane Bortzmeyer, Michaël Timbert and Lotfi Benyelles, from 14:00 to 15:00.
➡️ All the information you need to register: https://webikeo.fr/landing/protocole-dnssec-comment-le-deployer-et-prevenir-le-detournement-des-reponses-dns/14130
For people using #DNSSEC for their #DNS zone, what do you use for signing? Please re-share. For other choices, you can comment and you can ask me to check your domain name in private message.
| RSA with SHA1 ⚠️ Weak! | 1 |
| RSA with SHA256 or SHA512 ✅ | 8 |
| ECDSA with SHA256 or SHA384 ✅✨ | 46 |
| ED25519 or ED448 ✅✨ | 22 |
Closed
I missed the info but Microsoft is deploying #DANE to many Outlook / Hotmail systems:
#nomDeDomaine Changing registrar (BE, Bureau d'Enregistrement): what does that involve in practice? A very detailed and very insightful account by a domain holder who wants to escape Gandi's price increases https://shaarli.guiguishow.info/?hCft1w