A "low priority" perf tweak in go53 — our self-hosted, open-source DNSSEC authoritative DNS server — turned into an afternoon of test-case hell.

Swapped an RWMutex config read for an atomic.Pointer (lock-free immutable snapshots): ~1.9× faster serial, ~19× on 20 cores. Five-minute change → 180 lines across 20 test files, plus a hidden DNSSEC-signing data race it surfaced.

Every shortcut has a price.

https://tenforward.se/blog/a-small-performance-fix-that-turned-into-test-case-hell/

#DNS #DNSSEC #Golang #SelfHosted #OpenSource #SysAdmin #go53

A Small Performance Fix That Turned Into Test-Case Hell | Tenforward

go53 issue #45 was labelled 'Low' priority: stop taking a mutex every time we read the live config on the DNS hot path. The fix was a textbook lock-free swap. The cleanup it triggered across the test suite was the larger half of the work.

PowerDNS Authoritative Server 5.1.3 Released

This is the release of Authoritative Server 5.1.3

It's the silent changes... A #refactor of literally every moving part of https://github.com/madnuttah/unbound-docker took place!

Also implemented @renovatebot.com #renovate, @step_security #hardenrunners, #zizmor, #codeql & #Linting all the things.

CC @nlnetlabs 💚

#dns #dnssec #doq #quic #selfhosting #homelab #foss #opensource

GitHub - madnuttah/unbound-docker: 🛡️ This distroless Unbound Docker image is based on Alpine Linux with focus on security, privacy, performance and a small image size. And with Pi-hole in mind.
What are the odds I mess up #DNSSEC on my domain while setting up a multi-signer configuration per RFC 8901? I'd say not low 😬
Tootzonechanges

🇦🇱 al. : Going secure - Added new DS + 26319 13 2

MastoDNS

So, just for our roadmap planning: is anyone else interested in Catalog Zones support in Cascade, our #DNSSEC signer?

#DNS #OpenSource

https://github.com/NLnetLabs/cascade/issues/822

Support for Catalog Zones · Issue #822 · NLnetLabs/cascade

It would be nice if Cascade would support Catalog Zones (RFC 9432) for dynamically configuring and loading zones. Specifically, having Cascade act as a catalog consumer so it can automatically prov...

PowerDNS Security Advisory 2026-08 for PowerDNS Recursor
(aka PowerDNS Recursor 5.2.11, 5.3.8 and 5.4.3 released)

https://blog.powerdns.com/2026/06/25/powerdns-security-advisory-2026-08-for-powerdns-recursor

#dns #dnssec

PowerDNS Security Advisories 2026-08 for PowerDNS Recursor: Multiple Issues

Anyone here speak DNSSEC?

I have a fundamental problem understanding DNSSEC. Perhaps one of you can help me grasp the error (mine or the one in the protocol).

If I am an attacker that can manipulate your DNS traffic, why should I respond to DNSKEY queries?

If I can manipulate DNS, I can just leave out the signature. As long as there is no side channel for DNSKEY queries, and as long as the traffic can be manipulated, I can completely "disable" DNSSEC.

And I'm not yet speaking about the problem with only the DNS resolvers verifying the signatures (if they actually do it), instead of the clients. I'm thinking of something like HSTS, but for DNS queries...

Or do I have a fundamental error in understanding here?

#dnssec #dnskey #dns #infosec
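The post above asks why an on-path attacker cannot simply drop the signatures. As an added illustration (not part of any post here), a toy Go model of a validating resolver's decision: once the parent publishes a DS, the resolver requires a matching DNSKEY and verifiable RRSIGs, so a stripped or re-signed answer is bogus (SERVFAIL) rather than accepted, and only a parent-proven absence of DS lets unsigned data through. Ed25519 stands in for DNSSEC algorithm 15; the names, addresses and signed-data layout are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Response is a one-RRset answer as a resolver sees it plus the zone's DNSKEY
// (Ed25519 stands in for DNSSEC algorithm 15); RRSIG is empty when stripped in transit.
type Response struct {
	Name   string
	RData  []byte
	RRSIG  []byte
	DNSKEY ed25519.PublicKey
}

// dsDigest models a DS record: SHA-256 over the child's DNSKEY (digest type 2).
func dsDigest(k ed25519.PublicKey) []byte { s := sha256.Sum256(k); return s[:] }

// signedData is the byte string an RRSIG covers in this simplified model.
func signedData(name string, rdata []byte) []byte { return append([]byte(name+"|"), rdata...) }

// validate returns "secure", "insecure" or "bogus" (RFC 4033 terms). parentDS is nil when the
// parent publishes no DS; in real DNSSEC that absence is itself proven by a signed NSEC/NSEC3
// record from the parent, so an on-path attacker cannot fake "this zone is unsigned" either.
func validate(r Response, parentDS []byte) string {
	if parentDS == nil {
		return "insecure" // unsigned zone: an unsigned answer is what is expected
	}
	if r.DNSKEY == nil || !bytes.Equal(dsDigest(r.DNSKEY), parentDS) {
		return "bogus" // no DNSKEY, or not the key the parent vouches for
	}
	if !ed25519.Verify(r.DNSKEY, signedData(r.Name, r.RData), r.RRSIG) {
		return "bogus" // stripped or forged RRSIG: SERVFAIL, not silent acceptance
	}
	return "secure"
}

// scenarios replays the post's attack against a signed zone (constructed data).
func scenarios() map[string]string {
	pub, priv, _ := ed25519.GenerateKey(nil)
	ds, name, ip := dsDigest(pub), "www.example.", []byte{192, 0, 2, 1}
	genuine := Response{name, ip, ed25519.Sign(priv, signedData(name, ip)), pub}
	stripped := Response{name, ip, nil, pub} // attacker deleted the RRSIG
	evilPub, evilPriv, _ := ed25519.GenerateKey(nil)
	evilIP := []byte{198, 51, 100, 9} // attacker substitutes own key and address
	forged := Response{name, evilIP, ed25519.Sign(evilPriv, signedData(name, evilIP)), evilPub}
	return map[string]string{
		"genuine": validate(genuine, ds), "stripped": validate(stripped, ds),
		"forged": validate(forged, ds), "unsigned zone": validate(stripped, nil),
	}
}

func main() { fmt.Println(scenarios()) }
```

The real mechanism differs in details (RRSIG covers the canonical RRset with its own header, several keys and algorithms may be present) but the decision tree is the same: a DS in the parent removes the option of answering unsigned.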

PowerDNS DNSdist 1.9.15 and 2.0.7 Released (Security Release)

PowerDNS Security Advisory 2026-07 for PowerDNS Authoritative Server
(aka PowerDNS Authoritative Server 4.9.16, 5.0.6 and 5.1.2 released)

https://blog.powerdns.com/2026/06/25/powerdns-security-advisory-2026-07-for-powerdns-authoritative-server

#dns #dnssec

This is the release of Authoritative Server 5.1.2, 5.0.6 and 4.9.16 (security release).