Ethiopia going secure \o/

https://mastodns.net/@diffroot/115233093697891326

#DNSSEC

One more straw on the #DNS camel's back! Yay! \o/

Compact Denial of Existence in #DNSSEC is finally published as RFC 9824

Introducing a new EDNS header flag: CO (Compact Answers OK). As it's the first time a new one is added, it will surely run smoothly with stupid middleboxes \o/

It additionnaly adds more traditionnal stuff: a new RR (NXNAME) and a new EDE (Invalid Query Type)

https://www.rfc-editor.org/info/rfc9824

@nor4 I'm sorry you feel that way nora. We don’t launch a new product very often, and we have a lot depending on the success of this endeavor.

Making our #NonProfit model sustainable is incredibly hard. Everything depends on the #DNS industry being aware of what we're doing, how and why.

We cannot afford solely developing and maintaining a new product and quietly wait for it to become financially self-sustaining. Our continued existence depends on it.

#OpenSource #Sustainability #DNSSEC

@mejofi @nor4 Let's make this a little more personal. Hi Joni! It's Alex from @nlnetlabs and I'm responsible for keeping the lights on. 👋

When NLnet Labs was founded in 1999, the foundation could be run on the bag of money Verizon gave NLnet, the first Dutch ISP with country wide coverage. This money, and two talented developers gave the world NSD authoritative #DNS server, and Unbound recursive resolver; two #OpenSource and liberally licensed projects we maintain to this day.

No marketing was needed, social media didn’t exist — good old word of mouth did the job. And if it didn’t, that was fine too. Talented developers like we're blessed to have can find a job anywhere.

It was only some 15 years later when NLnet Labs almost ran out of money that the internet community realised that they should play a part in our financial sustainablility, instead of doing an `apt install unbound` and resolve happily ever after.

Letting the product speak for itself isn’t enough to keep the lights on. We barely got away with it with Routinator, but that's only because we were the first with a well rounded solution for #RPKI.

With Cascade we're placing a product in an established #DNSSEC signing market, which includes people who are dependent on OpenDNSSEC, which we're EoL-ing. We also need to remind people that “free" in Open Source isn’t just the “as in speech” part.

Without marketing, finance, HR, legal, shareholders or a corporate sugar daddy I’m responsible for the livelihood of 16 people, 6 of which are working on Cascade. I’m betting everything on this. So yes, I turned the volume up to 11, and yes I post the same content to LinkedIn, and yes perhaps I should be fine tuning the messaging to each target audience. I'll put my comms team right on it! Oh, hang on...

I hope you enjoy the things we’ve been doing for the #DNS and #BGP community for the last 25 years. My goal is to make sure we can do this for at least another 25. I promise we'll do in-depth technical blog posts too, but right now the team is trying to make sure we can demo something at @dnsoarc in three weeks.

Please bear with us and stay tuned! 💚 #LoveDNS #rustlang

PowerDNS Security Advisory 2025-05 for DNSdist: Denial of service via crafted DoH exchange
(DNSdist 1.9.11 and 2.0.1 released)

https://blog.powerdns.com/2025/09/18/powerdns-security-advisory-2025-05-for-dnsdist-denial-of-service-via-crafted-doh-exchange

#dns #dnssec

#DNSSEC #key #askFedi #bind

@bortzmeyer @nlnetlabs @benno Maybe wait talking about it on TV until you can show a DNSViz result of a domain signed by Cascade? #RealSoonNow #DNS #DNSSEC

@bortzmeyer @nlnetlabs @benno @dnsoarc We'll do a live demo on stage at OARC45—what could possibly go wrong? 😉

So after that, we look forward to you running Cascade through its paces and give us your honest feedback.

That should put us in a position to cross all the t's and dot all the i's before the first production release, towards the end of the year.

#DNS #DNSSEC #rustlang #OpenSource #LoveDNS

@bortzmeyer @benno @alexband We love your enthusiasm, but right now we're putting together all the components that make up Cascade. By the time @dnsoarc 45 comes around, we'll have a package for you that you can just run.

We've got the scaffolding for the installation documentation sitting in a Pull Request here: https://cascade-signer--41.org.readthedocs.build/en/41/installation.html

#DNS #DNSSEC #LoveDNS

@Toch

Bureau d’enregistrement : @lebureau_coop https://lebureau.coop
À voir pour la possibilité de payer pour plusieurs années car c’est une prérogative du registre et pas du BE

Fournisseur DNS : #deSEC https://desec.io

#dns #dnssec

Il semblerait que #dnsmasq active « filterwin2k » silencieusement quand « dnssec » est activé, ce qui filtre les SRV et les TLSA. Bref j’ai viré dnsmasq pour le #DNS et l’ai remplacé par #unbound

#DNSSEC #DefectiveByDesign #BugAsAFeature CC @bortzmeyer @shaft

Tuesday, we dropped our report with insights from 16 top-level domain operators.

Yesterday, we launched Cascade — NLnet Labs’ Rust-built successor to OpenDNSSEC, shaped by what keeps TLDs up at night.

Today, we’re kicking off a series of ultrashort videos where @benno and @alexband break down what makes Cascade different.

First up: the #1 request from the community — observability, please.

We heard you.

🎥. https://youtu.be/CgmVjLv-fy4

#DNS #DNSSEC #OpenSource #Rust #rustlang

🚨 Announcing Cascade — DNSSEC signing, rebuilt from the ground up.

With 25 years of #DNS experience, we set the standard with #DNSSEC signing that delivers under pressure.
Cascade is how we carry the legacy forward.

Explore Cascade at https://blog.nlnetlabs.nl/cascade/

Unbox with us.
Cascade debuts live October 7 @ @dnsoarc 45, Stockholm.
We’ll show you what’s under the hood — and why this changes everything.

A huge thanks to the DNS community for making Cascade possible!
#rustlang #OpenSource

Tomorrow we drop details on the DNSSEC signer we built.
Today, we're dropping the pretence.

Before we wrote a line of code, we asked 16 TLDs:
"What keeps you up at night?"

We expected shop talk.
We got meaningful discussions that taught us DNSSEC in 2025 isn’t just a tech issue.
It’s a control issue.
And the fear of losing it is real.

👉 Read the full report: https://blog.nlnetlabs.nl/dnssec-operations-in-2026-what-keeps-16-tlds-up-at-night/

#DNS #DNSSEC #infosec #TLD #devops #OpenSource

I'm sure I'm being expected to quote this, so I will:

“With OpenDNSSEC, it was a black box. You had to dive into the code — and even then, we sometimes couldn’t figure it out.”

---

“We’ve stopped even trying to Dockerise it — too brittle.”

https://blog.nlnetlabs.nl/dnssec-operations-in-2026-what-keeps-16-tlds-up-at-night/

#dnssec

#IETF Pecha-Kucha (funny talk) of Barbara Jantzen at the last meeting, about #DNSSEC. Next time you have a DNSSEC issue, watch the video. https://www.youtube.com/watch?v=7mQ5x7Jpj4I

(For my French-speaking followers: good level of englsh required.)

A #DNSSEC error I had never seen in the wild before. Discrepancy between the "original TTL" field of the signature and the real original TTL.

https://dnsviz.net/d/culture.gouv.fr/aLmmXA/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=

(Look hard, it happens only with one of the three NSEC3 records.)

The industry loves to boast about “five nines” availability — 99.999%. That sounds impressive: just five minutes of downtime a year.

But #DNS isn’t like most industries. Read more about today’s TLD challenges in our blog post The Illusion of Five Nines. https://blog.nlnetlabs.nl/the-illusion-of-five-nines/

#DNSSEC #Resilience #Cascade #OpenSource

But I find strange that #DNSSEC is not mentioned when the author speaks about checking the content of the root zone.
ZONEMD, which is mentioned, works only if the client downloads the entire root zone, something that the typical resolver does not do.

#DNS

I've updated CDS tracking charts to show 360 days of aggregated trends. TBH the trend is pretty clear. CDS usage overall is going down and TLD zones are less correct over time. possibly related

#dns #dnssec #dnssecurity

https://kalfeher.com/analysis/cds-charts/

🤔 Comment déployer DNSSEC et se prévenir du détournement des réponses DNS ?

📅 Webinaire gratuit organisé par l'Afnic le jeudi 25 septembre avec Stéphane Bortzmeyer, Michaël Timbert et Lotfi Benyelles de 14h à 15h.

➡️ Toutes les infos pour vous inscrire : https://webikeo.fr/landing/protocole-dnssec-comment-le-deployer-et-prevenir-le-detournement-des-reponses-dns/14130

#DNSSEC #Webinaire #Formation #DNS

Alt...

Webinaire Protocole DNSSEC Comment le déployer et prévenir le détournement des réponses DNS ? Jeudi 25 septembre 14h-15h

En France, voir en Europe, est-ce que vous seriez d’accord pour rendre obligatoire l’#IPv6 et le #DNSSEC (pour les opérateurs/registrars/zones/routeurs/smartphones/serveurs/services…). Merci de repartager.

For people using #DNSSEC for their #DNS zone, what do you use for signing ? Please re-share. For other choices, you can comment and you can ask me to check your domain name in private message.

I missed the info but Microsoft is deploying #DANE to many Outlook / Hotmail systems:

https://framagit.org/-/snippets/7528

#DNSSEC #email

#nomDeDomaine Changer de BE (Bureau d'Enregistrement), cela implique quoi en pratique ? Un récit très détaillé et très bien vu d'un titulaire qui veut échapper aux augmentations de tarif de Gandi https://shaarli.guiguishow.info/?hCft1w

#DNS #DNSSEC #whois #RDAP