In #TSIG everything is yellow; now it continues with the 612 (double unit) towards Tübingen

Our #DNS `domain` crate for #rustlang is progressing in three parallel tracks: Ximon's #XFR Zone transfers with #TSIG is nearing completion, a proof of concept for query routing by Philip is ready for review so he can turn his attention to the #DNSSEC signing milestone, and Terts and Jannik have kicked off reimplementing the `ldns` tools and example programs in #Rust.

All development is #OpenSource and in the open; you can follow the progress and contribute: https://github.com/NLnetLabs/domain/pulls

When building a library, it's not just about providing features but getting the ergonomics right so that developers can take maximum advantage of the functionality provided. After several approaches, we're finally happy with #DNS Zone Transfers for our #OpenSource `domain` crate for #rustlang. #CodingInTheOpen #IXFR #AXFR #TSIG
https://github.com/NLnetLabs/domain/pull/375
XFR response processing by ximon18 · Pull Request #375 · NLnetLabs/domain

Based on code in the xfr branch which should be replaced by this code, in order to split PR #335 into several smaller PRs. Subsequent PRs will build on this to: Update zones based on the events ou...


Experiments in the home lab: dynamically updating records of a private DNS zone in OpenWRT

My home lab is connected to the internet through a router running OpenWRT firmware. While deploying a local ACME server, I realized that, regardless of the type of request validation used, ACME must find in DNS the fully qualified domain name of the server for which the certificate is requested. While pondering where I should host my private DNS zone, it dawned on me: "But we already have a DNS server at home in OpenWRT. Surely the records in its local zone can be updated remotely." TL;DR: In the end I had to install BIND

https://habr.com/ru/articles/826826/

#openwrt #arm64 #dns #bind #hotplug #RFC2136 #RFC2845 #TSIG #DDNS #selfhosted


Today was a good rest day. I upgraded the #Diaspora pod by building a new Docker image for it (and upgrading said image to the current #Debian). I got #pfsense to do #ddns to my #bind nameserver using #tsig, which allowed me to expose it on #ipv6. Lots of technology #winning!

We walked to the local Dairy Queen for a treat, but it closed early for Father’s Day, so we walked to the grocery store and got a treat there instead. Lovely.

Issue Let's Encrypt Certificates with TSIG Zone Updates against Knot

https://s3lph.me/issue-lets-encrypt-certificates-with-tsig-zone-updates-against-knot.html


To issue wildcard certificates, Let's Encrypt requires the use of the DNS validation method (see Certificate Policy §3.2.2). I'm running my own DNS nameserver using Knot DNS, which does not have e.g. a REST API for updating zones. However, Knot supports RFC 2136 zone updates, where a …

Hey #hivemind ... I need a #deadstupid #dns #application ... all it should do is to take unsigned zone xfer from whitelisted IPs, #sign them with a defined #TSIG and send them to another dns with zonexfer. It does not need to be able to do anything else. I'm thinking about including #powerdns for that task, but is there anything else simpler out there? (#windns does not support tsig for whatever reason, and I need something simple for a POC)

RFC 9103: DNS Zone Transfer over TLS

Traditionally, the transfer of a #DNS zone from the master server to its slaves is done in the clear. While authentication and integrity are protected, for example by #TSIG, a cleartext transfer provides no confidentiality. This RFC standardizes zone transfer over TLS, #XoT (zone transfer over TLS).

https://www.bortzmeyer.org/9103.html


RFC 8945: Secret Key Transaction Authentication for DNS (TSIG)

The #DNS has vulnerabilities in several places, notably spoofing risks that allow a false response to be slipped in place of the correct one. #TSIG, standardized in this RFC (which replaces RFC 2845), is a solution for verifying the integrity of the channel. TSIG is mostly used between master and slave DNS servers, to secure zone transfers.

https://www.bortzmeyer.org/8945.html


Revision of the #TSIG standard (following recent security bugs). #IETF100