Carsten Strotmann1h ago

And an update to the DNS-resolver checks script

https://github.com/cstrotm/dns-resolver-monitoring

#DNS #DNSSEC #monitoring

Carsten Strotmann2h ago

Update for the DNS (zone/authoritative) monitoring test suite

https://github.com/cstrotm/dns-monitoring-scripts

#dns #dnssec #monitoring

GitHub - cstrotm/dns-monitoring-scripts: Simple shell scripts for DNS and DNSSEC monitoring

Simple shell scripts for DNS and DNSSEC monitoring - cstrotm/dns-monitoring-scripts

GitHub
JP Mens2h ago

Ooh, I like that acronym: BYOK (bring your own key)

(Seen on the BIND9-users mailing list 🙂)

#dnssec

Andreas Taudte8h ago

RE: https://mastodon.social/@quad9dns/116211030194032280

An #NTA may reduce short term pain when a #DNSSEC signed zone is broken, but it also weakens validation consistency and can delay proper fixes. That's why @quad9dns wants to keep the use of Negative Trust Anchors to an absolute minimum and handle it with more transparency.

پویان Pouyan 1d ago

Ouch! @mailbox_org uses RSASHA1-NSEC3-SHA1 for #dnssec, which is not recommended for signing.

How do I know? unbound refuses to resolve it for me.

See also: https://dnsviz.net/d/mailbox.org/dnssec/

RFC 8624: Algorithm Implementation Requirements and Usage Guidance for DNSSEC

Stéphane Bortzmeyer1d ago
If we start to use Merkle trees for #DNSSEC signatures, as currently discussed at #IETF125, this would create a lot of new interesting blog posts and @dnsoarc meeting talks 😋
Show threadStéphane Bortzmeyer1d ago

So, previously on post-quantum #DNSSEC: not a lot of action. Standardized post-quantum cryptography algorithms like ML-DSA have keys and signatures which are way too long for the #DNS.

https://mastodon.gougere.fr/@DNSresolver/116241567126448201

TLS can deal with it (they run on TCP or QUIC) but we cannot, with UDP. No obvious solution.

#IETF125

DNS resolver bot (@[email protected])

@bortzmeyer Sorry, answer is 1828 characters, too large for Mastodon

Mastodon - Gougère Network
GripNews1d ago
🌗 即日起,憑證機構必須強制執行 DNSSEC 驗證
➤ 網路安全新標準:憑證機構強制驗證 DNSSEC 正式上路
https://www.grepular.com/Cert_Authorities_Check_for_DNSSEC_From_Today
隨著網際網路安全標準的演進,DNSSEC(域名系統安全擴充)迎來了重要的里程碑。從今日起,所有憑證機構(CA)在處理數位憑證申請時,若域名啟用 DNSSEC,CA 必須強制驗證其 DNS 記錄的完整性與正確性。作者以自身十四年來的 DNSSEC 實踐經驗為背景,強調此舉不僅能提升網路通訊的信任鏈,更呼籲網域擁有者檢視其註冊商是否支援 DNSSEC,透過簡單的設定即可大幅強化域名安全性。
+ 這是網路安全的一大進步。過去常擔心 DNS 劫持導致 CA 核發偽造憑證,強制驗證 DNSSEC 後,整個域名驗證的信任鏈將更加穩固。
+ 對於一般使用者來說,DNSSEC 設定確實有點門檻。希望能有更多域名註冊商像文中建議的那樣,提供「一鍵啟用」功能,降低推廣阻力。
#資訊安全 #DNSSEC #網路基礎設施
Cert Authorities Check for DNSSEC From Today

About 14 years ago I set up DNSSEC . I've been running it on all of my domains ever since, without issue. First using bind9 and then later using PowerDNS...

grepular.com
N-gated Hacker News1d ago
🔍 Oh joy, the cyber elite have finally discovered DNSSEC—only a decade too late! 🌐 Apparently, we've all been mindlessly trusting domain security without these omniscient cert authorities' divine intervention. 🙄 Bravo, tech wizards, for catching up to 2012! 🎩✨
https://www.grepular.com/Cert_Authorities_Check_for_DNSSEC_From_Today #DNSSEC #Cybersecurity #TechNews #Innovation #DomainSecurity #HackerNews #ngated
Cert Authorities Check for DNSSEC From Today

About 14 years ago I set up DNSSEC . I've been running it on all of my domains ever since, without issue. First using bind9 and then later using PowerDNS...

grepular.com
Hacker News1d ago

Cert Authorities Check for DNSSEC from Today

https://www.grepular.com/Cert_Authorities_Check_for_DNSSEC_From_Today

#HackerNews #CertAuthorities #DNSSec #CyberSecurity #TechNews #OnlineSafety

Cert Authorities Check for DNSSEC From Today

About 14 years ago I set up DNSSEC . I've been running it on all of my domains ever since, without issue. First using bind9 and then later using PowerDNS...

grepular.com