lingo.lol is one of the many independent Mastodon servers you can use to participate in the fediverse.
A place for linguists, philologists, and other lovers of languages.

#dnssec

Seb35:
My Firefox extension DNSSEC/DANE Padlock was just accepted:
https://addons.mozilla.org/en-US/firefox/addon/dnssec-dane-padlock/
It displays a small padlock or key when the website supports DNSSEC or DANE, which is quite rare but a sign of specific attention to security.
I’ve done a small list of websites to test: https://codeberg.org/Seb35/DNSSEC-DANE_Padlock/wiki/Examples-of-websites
If you want to participate in development, code and tickets are on https://codeberg.org/Seb35/DNSSEC-DANE
#Firefox #DNSSEC #DANE

Seb35:
My Firefox extension DNSSEC/DANE Padlock has just been accepted:
https://addons.mozilla.org/fr/firefox/addon/dnssec-dane-padlock/
It displays a small padlock or a key if the site supports DNSSEC or DANE, which is fairly rare but a sign of particular attention to security.
I’ve made a small list of sites to test: https://codeberg.org/Seb35/DNSSEC-DANE_Padlock/wiki/Examples-of-websites
If you want to take part in development, the code and tickets are on https://codeberg.org/Seb35/DNSSEC-DANE_Padlock
#Firefox #DNSSEC #DANE

PowerDNS:
The all-rounder DNSdist 2.0 is here!
https://blog.powerdns.com/the-all-rounder-dnsdist-2.0-is-here
#dns #dnssec

ChaCha20Poly1305:
For people using #DNSSEC for their #DNS zone, what do you use for signing? Please re-share. For other choices, you can comment and you can ask me to check your domain name in private message.

NLnet Labs:
We have a retired SafeNet Luna 4 #HSM in the office for testing our Nameshed HSM code, but we're having a bit of a hard time obtaining a PKCS#11 Linux library / SDK for it.
(Plan B would be someone giving us testing access to their Thales Luna)
Is there anyone who can help @ximon18 out? Sharing is caring. 💚 #DNS #DNSSEC #OpenSource

PowerDNS:
And we're also looking for a Go dev!
https://careers.open-xchange.com/job/The-Hague-Software-Developer-PowerDNS-%28Go%29-%28mfd%29/1163574455/
#dns #dnssec #getfedihired

NLnet Labs:
Question in relation to our #DNSSEC signing project Nameshed: does anyone have operational experiences with #KMIP for interfacing with HSMs, as an alternative to PKCS#11? We'd love to hear from you. — Boosts appreciated 💚 #DNS #OpenSource #rustlang

PowerDNS:
We're looking for a C++ dev!
https://careers.open-xchange.com/job/Software-Developer-PowerDNS-%28C%2B%2B%29-%28mfd%29/1162613555/
#dns #dnssec #GetFediHired

NLnet Labs:
Another milestone in making Nameshed, our new #DNSSEC solution, a reality: @ximon18 just merged a drop-in replacement for `ldns signzone` - with several improvements for good measure. #DNS #OpenSource #rustlang
https://github.com/NLnetLabs/dnst/pull/8

NLnet Labs:
Last week, @alexband introduced our new #DNSSEC signing solution ‘Nameshed’ at the #CENTRJamboree25. When we offer a production-grade Nameshed release later this year, this will coincide with the End-of-Life announcement of OpenDNSSEC. You can find the full presentation here: https://nlnetlabs.nl/downloads/presentations/Nameshed-CENTR-Jamboree-20250522.pdf #DNS #rustlang #OpenSource

Quad9DNS:
Quad9 Now Supports Ed25519 in 9.9.9.11
https://www.quad9.net/news/blog/quad9-now-supports-ed25519-in-9-9-9-11
#DNS #infosec #DNSSEC

Kal Feher:
@BleepingComputer it’s not a big deal bc the client will validate #dnssec and then check sigs on the update.
Right?

Anton:
Does anyone here have contacts in the IT department of aok.de? Yesterday they swapped the SSL certificate of their mx1.aok.de but overlooked the TLSA record for DANE...
https://dane.sys4.de/smtp/service.bw.aok.de
20:00: it works again! Thanks :)
#DANE #DNSSEC #TLS #aok

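The failure in the post above, a certificate rotated while the DANE TLSA record still describes the old one, is exactly what a TLSA consistency check in your monitoring catches before mail starts bouncing. The following Python is an added example, not code from the poster, from dane.sys4.de or from any project on this page. It implements the RFC 6698 matching rules (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512) over raw DER with only the standard library, and walks the certificate itself to find the SPKI. The certificates, keys and TLSA data are constructed inline for the demonstration; a deployed check would take the DER certificate from the server's TLS handshake and the TLSA RRset from a DNSSEC-validating resolver.

```python
"""Added example: verify that the certificate a server presents still matches its
published DANE TLSA record (RFC 6698 selector / matching-type rules), stdlib only.
Test inputs are constructed; in practice the DER cert comes from the TLS handshake
and the TLSA RRset from a DNSSEC-validating resolver."""
import hashlib
import hmac
from dataclasses import dataclass

# --- minimal DER encode/decode, just enough to walk an X.509 certificate ---
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf: bytes, pos: int) -> tuple[int, int, int]:
    """(tag, value_start, value_end) of the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def extract_spki(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo TLV. RFC 5280 tbsCertificate field order:
    [0] version (optional), serialNumber, signature, issuer, validity, subject, spki."""
    _, cert_vs, _ = der_read(cert_der, 0)             # Certificate SEQUENCE
    _, pos, tbs_ve = der_read(cert_der, cert_vs)      # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_ve:                               # collect (tag, tlv_start, tlv_end)
        tag, _, ve = der_read(cert_der, pos)
        fields.append((tag, pos, ve))
        pos = ve
    if fields[0][0] == 0xA0:                          # skip the explicit [0] version
        fields = fields[1:]
    _, s, e = fields[5]
    return cert_der[s:e]

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0/1 additionally require PKIX validation; 2/3 are DANE-only
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

    @classmethod
    def parse(cls, presentation: str) -> "TLSA":
        u, s, m, hexdata = presentation.split(None, 3)
        return cls(int(u), int(s), int(m), bytes.fromhex(hexdata))

    def present(self) -> str:
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"

def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown TLSA matching type {matching}")

def tlsa_matches(rec: TLSA, cert_der: bytes) -> bool:
    return hmac.compare_digest(association_data(cert_der, rec.selector, rec.matching), rec.data)

def tlsa_for(cert_der: bytes, usage: int = 3, selector: int = 1, matching: int = 1) -> TLSA:
    """Record to publish for this cert; '3 1 1' (DANE-EE, SPKI, SHA-256) is the usual choice."""
    return TLSA(usage, selector, matching, association_data(cert_der, selector, matching))

def check_rotation(published: list[str], served_cert_der: bytes) -> dict:
    """Does any published end-entity (usage 1/3) record still cover the served leaf cert?
    Usage 0/2 records pin an issuer and must be checked against the chain, not the leaf."""
    recs = [TLSA.parse(p) for p in published]
    hits = [r for r in recs if r.usage in (1, 3) and tlsa_matches(r, served_cert_der)]
    return {"ok": bool(hits), "matched": len(hits), "needed": tlsa_for(served_cert_der).present()}

# --- constructed test data: not real keys, not real certificates -----------
def ed25519_spki(raw_key: bytes) -> bytes:
    # SPKI with OID 1.3.101.112 (Ed25519); the key bytes are arbitrary here
    return der(0x30, der(0x30, der(0x06, bytes.fromhex("2b6570"))) + der(0x03, b"\x00" + raw_key))

def fake_cert(spki: bytes, serial: int) -> bytes:
    """Unsigned stand-in with the RFC 5280 field layout that extract_spki() expects."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + der(0x30, b"") * 4 + spki)   # signature, issuer, validity, subject left empty
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

OLD_CERT = fake_cert(ed25519_spki(bytes(range(32))), 1)        # cert the TLSA was generated for
NEW_CERT = fake_cert(ed25519_spki(bytes(range(32, 64))), 2)    # rotated cert, TLSA not updated
PUBLISHED = [tlsa_for(OLD_CERT).present()]

if __name__ == "__main__":
    for label, cert in (("before rotation", OLD_CERT), ("after rotation", NEW_CERT)):
        r = check_rotation(PUBLISHED, cert)
        print(f"{label}: ok={r['ok']} matched={r['matched']} publish: {r['needed']}")
```

The operational fix this check points at is the "current + next" pattern from RFC 7671: publish the TLSA record for the new key alongside the old one before the certificate swap, and retire the old record only after the TTL has expired. Run the check from outside the zone so it sees the same RRset and certificate the world does.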
Jan Schaumann:
"Nope: Strengthening Domain Authentication with Succinct Proofs"
https://nope-tools.org/nope.pdf
Basically:
domain owner #DNSSEC signs their name, then encodes a proof of that DNSSEC chain into a new domain name, stashes that in a SAN in the cert and wants the client to verify the proof against... the root ZSK? Which it fetches via DoH from Google DNS, but... doesn't verify?
Not sure I get it.
#realworldcrypto #dns

PowerDNS:
First alpha release of PowerDNS DNSdist 2.0.0
https://blog.powerdns.com/2025/03/18/first-alpha-release-of-powerdns-dnsdist-2.0.0 #dns #dnssec

Jan Schaumann:
System Administration
Week 7, The Domain Name System, Part III
In this video, we try to wrap up our discussion of the Domain Name System by addressing the nature of the root nameservers, looking at various different resource record types, observing reverse lookups, and thinking about how we can have assurance of authenticity and integrity of the #DNS results returned to us via #DNSSEC.
https://youtu.be/XDJEJFVNoko
#SysAdmin #DevOps #SRE

Christian:
🚨 Fixing the PKI Mess: CAA + Your Own CA via DNS 🚨
Right now, any CA can issue a certificate for your domain. Even if you set a CAA record (`issue "letsencrypt.org"`), it only controls *who* can issue, not what cert is valid. This is broken.
🔐 What if we could fix this using DNS?
#Introducing CAA+CA Fingerprint: Self-Sovereign Certificate Authority
Instead of just saying *which CA can issue*, you publish your own CA's fingerprint in DNS. If your CA issues a cert for `awesomecars.com`, browsers should validate it against the DNS-published CA key.
🔥 How It Works
You run your own CA (because why trust the cartel?). You then publish:
1️⃣ A CAA record specifying your own CA (with a fingerprint! 🔥)
2️⃣ A DNS record with your CA’s public key (like DKIM but for TLS!)
🔹 Example DNS Setup for `awesomecars.com`:
```
awesomecars.com. IN CAA 0 issue "pki.awesomecars.com; sha256=abcd1234..."
pki.awesomecars.com. IN CERT 6 0 0 (--BEGIN CERTIFICATE-- ....)
```
Now, only certs signed by your CA are valid for `awesomecars.com`, even if another CA is tricked into issuing a rogue cert. No more CA hijacking!
🚀 Why Is This Better Than the Current CA Model?
✅ Self-Sovereign Identity: If you own the domain, you should own its PKI.
✅ Prevents Rogue Certs: No government or rogue CA can fake a cert for your domain.
✅ Works Like DKIM for Email: Your CA’s public key is stored in DNSSEC-protected records, just like DKIM keys for email signing.
✅ No More External Trust Issues: You control your CA entirely, instead of relying on Google’s CA store.
✅ Perfect for Self-Hosting & Internal Networks: No need for external CA trust—your DNS is your trust model.
🔥 Why Isn’t This a Thing Already?
Big Tech hates this idea because it removes their control:
❌ Google wants Certificate Transparency (CT), where they control which certs are logged.
❌ Commercial CAs make $$$ selling certs. This kills their business.
❌ DNSSEC adoption is intentionally kept low by the same companies who don’t want this to succeed.
Browsers refuse to support TLSA for the same reason—they want centralized CA trust, not self-hosted PKI.
🔗 Who Needs to Implement This?
🚀 Self-hosters & Homelabs: Use this for your own infrastructure.
🚀 Email providers: Stop relying on public CAs!
🚀 Privacy-focused projects (Tor, Matrix, XMPP, Fediverse, etc.): A true decentralized PKI alternative.
🚀 Fediverse devs: Let’s push for DNS-based CA validation!
What do you think? Would you trust your own CA in DNS over some random commercial CA?
🔁 Boost this if you want a decentralized PKI revolution!
🔥 This keeps the focus on self-hosting your own CA, highlights the security flaws of current PKI, and calls out Big Tech’s resistance to decentralized trust.
#PKI #Security #DNSSEC #DANE #TLSA #CAA #SelfHosting #Fediverse #Privacy #Decentralization #dns #linux

F. Maury ⏚:
I'm available as a freelancer for... lots of things, actually 😅
I have a background as a #Python and #Go developer (7+ years). I have a #DevOps background (3 years). I have a background in systems and network architecture (12 years). I even have a background as a security auditor (2 years) and as a network security researcher with some crypto in it (5 years). I've also delivered a number of training courses, notably in IT security (#DNSSEC, identity and authentication, secure administration, web security, git, IPFS...)
I run a blog (https://broken-by-design.fr) and a podcast (https://pod.broken-by-design.fr).
I eat Terraform for breakfast; I've also published a provider to help with distributing secrets in infrastructures: https://registry.terraform.io/providers/X-Cli/ssh2vsock/latest
I love working on immutable technologies (notably Fedora CoreOS, but Flatcar has been flirting with me a lot recently); systemd is life.
So, if you haven't blocked me over that last statement, and you need a hand on your projects, come and let's talk!
Boosts are sweet 💗
#getfedihired #infosec #cybersecurite

Esk 🐌⚡💜:
today in #hachyderm infra: it turns out selecting a non-US DNS zone provider isn't that straightforward. :blobfoxconfused:
the dueling features right now are: flexibility in geo-based responses vs. DNSSEC.
geo-routing is supported usually in one of two ways:
- anycast points of presence in target regions that are loaded with geo-specific zones (dnsimple)
- some kind of scripting interface (bunny? anyone else?)
the folks that set up pops generally don't have them where we want them -- usually missing south america, africa, india, and asia other than tokyo/sydney.
the folks with the flexible scripting interfaces don't support DNSSEC.
we don't use DNSSEC today, but it seems like a generally good-ish thing -- I'm not 100% convinced, but I'm starting from a default position that we *should* enable it, and i'll want to convince myself the value there isn't there before deciding to not do it. up for thoughts/ideas!
current thoughts:
- dnsimple is just that: very simple, straightforward. they're also our current registrar. supports the pop-style geo routing, but no pops in sa, africa, limited asia pops
- bunnydns seems very neat. the scripting platform for dns responses seems *very* powerful. big downside: no dnssec. i don't know how they'd support dnssec with the dynamic nature of scripting.
- deSEC looks VERY clean, and is powered by #foss ❤️ . pops are a bit better than dnsimple, but still missing SA/africa/india and japan (which we use today). unfortunately, no geo-based responses that I can find. oh and it's also FREE (we'd donate tho)!
leaning toward bunnydns but need to think through consequences of not having dnssec available. likely will write a longer-form post with moar thinking.
anyway. this has been a rambly-post of inner-monologue thinking. happy hachyderming! :hachyderm:
#sre #devops #dns #dnssec

Stéphane Bortzmeyer:
"I don't understand why #DNSSEC is not yet the default for resolvers on Linux machines."
#FOSDEM