otto@openbsd

@[email protected]
793 Followers
109 Following
213 Posts
OpenBSD greybeard who has created malloc(3) because your memory is precious.
dayjob="PowerDNS senior engineer"
githubhttps://github.com/omoerbeek
webhttps://www.drijf.net
Show threadotto@openbsd3d ago

@mnordhoff Bind moved to 50 in version 9.19: https://kb.isc.org/v1/docs/dnssec-signed-zones-best-practice-guidance-for-nsec3-iterations#changes-introduced-to-bind-from-919

Knot resolver also uses 50 since 6.0.6: https://www.knot-resolver.cz/documentation/master/NEWS.html#knot-resolver-6-0-6-2024-02-13

DNSSEC signed zones - best practice guidance relating to NSEC3 signing and validation

DNSSEC-signed zones offer protection against response spoofing to both DNSSEC-validating resolvers and authoritative DNS zone operators who choose to sign their published zones.

Show threadotto@openbsd4d ago
@mnordhoff Some validators will refuse to validate these NSEC3 records and they will go Insecure for results containing them. See https://www.rfc-editor.org/rfc/rfc9276.html#name-recommendation-for-validati
RFC 9276: Guidance for NSEC3 Parameter Settings

NSEC3 is a DNSSEC mechanism providing proof of nonexistence by asserting that there are no names that exist between two domain names within a zone. Unlike its counterpart NSEC, NSEC3 avoids directly disclosing the bounding domain name pairs. This document provides guidance on setting NSEC3 parameters based on recent operational deployment experience. This document updates RFC 5155 with guidance about selecting NSEC3 iteration and salt parameters.

otto@openbsd4d ago
Miod Vallat4d ago

How about a new #OpenBSD story for breakfast (if you're having breakfast now, that is)?

The first episode of the story of OpenBSD and Motorola 88000 processors can be read at http://miod.online.fr/software/openbsd/stories/m88k1.html. With pictures!

OpenBSD on Motorola 88000 processors

Show threadotto@openbsd4d ago
@JonaLendering ik ga vanavond helpen tellen. Hopelijk telt dat ook! 🙂
otto@openbsdMar 15
VeeMar 14
otto@openbsdMar 12
PowerDNSMar 12

PowerDNS DNSdist 2.1.0-beta2 Released

https://blog.powerdns.com/2026/03/12/powerdns-dnsdist-2.1.0-beta2-released

#dns #dnssec

PowerDNS DNSdist 2.1.0-beta2 Released

PowerDNS DNSdist 2.1.0-beta2 Released.

otto@openbsdMar 11
aeriqueMar 11

This is great.

https://www.moryan.com/an-open-letter-to-grammarly-and-other-plagiarists-thieves-and-slop-merchants/

otto@openbsdMar 9
PowerDNSMar 9

PowerDNS Recursor 5.4.0 Released

https://blog.powerdns.com/2026/03/09/powerdns-recursor-5.4.0-released

#dns #dnssec

PowerDNS Recursor 5.4.0 Released

We are proud to announce the release of PowerDNS Recursor 5.4.0

Show threadotto@openbsdMar 9
@mnordhoff at last a good use for a moon-based data center. Though we would need to adjust some defaults here and there, as 2.5s round trip time is stretching it.
Show threadotto@openbsdMar 6
@florian @mwl as for the timing of things: we'll burn that bridge when we get there