social.dk-libre.fr is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
PowerDNS Security Advisory 2026-01
(aka PowerDNS Recursor 5.1.10, 5.2.8 and 5.3.5 released)
https://blog.powerdns.com/2026/02/09/powerdns-security-advisory-2026-01
the Proposal for Root Zone KSK Algorithm Rollover has been released for public comment
https://www.icann.org/en/public-comment/proceeding/proposed-root-ksk-algorithm-rollover-03-02-2026
And this log can now be queried through #DNS https://mastodon.gougere.fr/@DNSresolver/115995045484678683
(and with #DNSSEC authentication)
Built with the excellent Go DNS library https://github.com/miekg/dns
For #DNSSEC, the domain crate can use different crypto backends such as the ring crate or the #OpenSSL bindings. (But there are more.)
There is now a command-line tool to query the DNS, dnsi. And a CLI tool to do misc. manipulations, dnst ("people are using the ldns library example programs in production"). And a key manager, keyset.
I wrote up something along these lines a few years ago using terminology from a presentation I had admired. Not specifically bound (pun!) to BIND9.
https://jpmens.net/2022/09/22/dnssec-signing-with-an-offline-ksk/
This article describes how to configure and operate BIND 9 with an offline KSK. Offline KSK was introduced in BIND 9.20.2, with support for KSK rollover in this mode added in 9.20.4
PowerDNS DNSdist 2.1.0-alpha1 Released
https://blog.powerdns.com/2026/01/29/powerdns-dnsdist-2.1.0-alpha1-released
First beta release of PowerDNS Recursor 5.4.0
https://blog.powerdns.com/2026/01/27/first-beta-release-of-powerdns-recursor-5.4.0 #dns #dnssec
PowerDNS Recursor 5.3.4 Released
https://blog.powerdns.com/2026/01/14/powerdns-recursor-5.3.4-released
First alpha release of PowerDNS Recursor 5.4.0
https://blog.powerdns.com/2025/12/16-first-alpha-release-of-powerdns-recursor-5.4.0
RFC 9824: Compact Denial of Existence in DNSSEC
This #RFC allows a domain name to be both existent and non-existent. More precisely, it makes it possible to provide a cryptographic proof with #DNSSEC, proving that the name exists (although it does not exist) but does not have the requested data. This technique is particularly suited to the case of dynamic signatures, but has the drawback of "lying".
PowerDNS Authoritative Server 5.0.2 and 4.9.12 Released
https://blog.powerdns.com/2025/12/11/powerdns-authoritative-server-5.0.2-and-4.9.12-released
PowerDNS Security Advisories 2025-07 and 2025-08
a.k.a PowerDNS Recursor 5.1.9, 5.2.7 and 5.3.3 Released
https://blog.powerdns.com/2025/12/08/powerdns-security-advisories-2025-07-and-2025-08
@gregr Hmmm, DNSviz https://dnsviz.net/d/hlaor.realtor/aTEk-A/dnssec/ and Zonemaster https://zonemaster.fr/en/result/4a67792402b3ec73 don't see any problem either. Should we accuse them of laxity?
RE: https://mastodns.net/@diffroot/115657783055191749
Mali going secure!
Third TLD to use #ed25519. Second one to publish its first DS directly with this algorithm.
\o/
(poke @camille )
PowerDNS DNSdist 2.0.2 Released
https://blog.powerdns.com/2025/12/02/powerdns-dnsdist-2.0.2-released
Now that RFC 9905 has been published it's time to check if there are still TLDs using the deprecated algorithms 5 and 7.
$ dig +tcp @\c.root-servers.net axfr . > root.zone
$ grep -P 'IN\tDS' root.zone | grep ' 5 ' | wc -l
0
$ grep -P 'IN\tDS' root.zone | grep ' 7 ' | awk '{ print $1}' | sort -u | idn2 -d
gd.
kpn.
la.
samsung.
삼성.
پاکستان.
ລາວ.
Aaaaand... Still seven domains using RSASHA1-NSEC3-SHA1
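An added example, not part of the post above: the same check done on the DS algorithm field rather than by grepping for ' 5 ' or ' 7 ', which also reports whether a name already publishes a DS with another algorithm. The sample zone lines and the names example-a. to example-d. are constructed; input is assumed to be in dig AXFR presentation format with TTL and class present on every line.

```shell
#!/bin/sh
# Added example: find owner names whose DS records use a SHA-1 based
# signing algorithm (5 = RSASHA1, 7 = RSASHA1-NSEC3-SHA1).

# Constructed sample in dig-style presentation format (not real root zone data).
# example-a. has key tag 7 but algorithm 8, so it must not be reported.
sample_zone() {
    printf '%s\t86400\tIN\tDS\t%s\n' \
        'example-a.' '7 8 2 AAAA' \
        'example-b.' '1111 7 2 BBBB' \
        'example-c.' '2222 7 1 CCCC' \
        'example-c.' '3333 13 2 DDDD' \
        'example-d.' '4444 5 2 EEEE'
    printf 'example-d.\t86400\tIN\tNS\tns.example-d.\n'
}

# Reads zone data from the files given as arguments, or from stdin.
# Fields: $1 owner, $2 TTL, $3 class, $4 type, $5 key tag, $6 algorithm.
# Prints "owner algorithm(s) status", sorted by owner:
#   sha1-only       every DS for the name uses algorithm 5 or 7
#   also-other-alg  the name also has a DS with a different algorithm
deprecated_ds() {
    awk '
        $3 == "IN" && $4 == "DS" {
            name = tolower($1)
            if ($6 == 5 || $6 == 7) {
                # record each deprecated algorithm once per owner name
                if (!seen[name, $6]++) old[name] = old[name] " " $6
            } else {
                other[name] = 1
            }
        }
        END {
            for (n in old) {
                status = (n in other) ? "also-other-alg" : "sha1-only"
                printf "%s%s %s\n", n, old[n], status
            }
        }' "$@" | sort
}

# Run against the constructed sample; for the real thing: deprecated_ds root.zone
sample_zone | deprecated_ds
```

The owner names come out as they appear in the zone, so IDN TLDs can still be piped through `idn2 -d` as in the post.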
Ultimately I'd prefer a more decentralised system with a "n out of m" architecture. With more than one root key holder, geographically and politically distributed, where you (as user) can declare which root keys you trust. But that is a more complicated discussion for another time. Having one Ceremony Room and the respective amount of key holders that are NOT under US jurisdiction seems to be an achievable and justified goal, in my personal opinion
3/3
I very well remember the discussions on this question when DNSSEC was introduced back in the days. And while the current system has served us all well in the past years, this fundamental question remains. And now that we have a more complicated world, we should recognise that this is a centralised element that is under the sole jurisdiction of one country that has moved towards more exclusionary, maybe even discriminatory policies.
2/3
I hope there are some discussions on either moving one of the Ceremony Rooms (AKA Key Management Facilities) to another region/country or maybe add one more outside of the US. Having the responsibility for the DNSSEC root key material in one single country under more and more untrustworthy leadership looks like a risk to me that should be addressed. My personal preference would be a Ceremony Room on UN properties in Geneva.
1/3
https://technotes.seastrom.com/2025/11/23/passing-the-torch.html
FOSDEM 2026 DNS Devroom Call For Presentations
https://blog.powerdns.com/2025/11/04/fosdem-2026-dns-devroom-call-for-presentations
Today's reminder that, if you do #DNSSEC, it is not essential to have both a ZSK and a KSK. A single key is perfectly possible and safe. https://dnsviz.net/d/xn--potamochre-66a.fr/aQnuZg/dnssec/
I have already talked about #Cascade, a piece of software from @nlnetlabs currently under development, which automates a number of tasks required for #DNSSEC such as re-signing or key replacement. The project is moving fast, so let's look at a few new tests.
https://www.bortzmeyer.org/cascade-deux.html
PowerDNS Security Advisory 2025-06
(aka PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1 released)
https://blog.powerdns.com/powerdns-security-advisory-2025-06-2025-10-22
Let us all pity together the new registrar (Bureau d'Enregistrement) of my domain names, whom I am swamping with lots of tickets.
#nomDeDomaine Changing registrar (BE, Bureau d'Enregistrement): what does that involve in practice? A very detailed and very well-observed account by a registrant who wants to escape Gandi's price increases https://shaarli.guiguishow.info/?hCft1w