This is quite rare - the C root-servers are out of sync with the rest of the world by 3 days. Since that time there have been no changes in the root zone, except for DNSSEC signature updates. It appears all C instances (operated by #cogent) are serving an outdated zone. For now this has no operational impact, but that might change #DNSSEC
More details about the end of #IPv4 in state services: On 18th of December 2013 the Czech #government decided that every service provided by the Czech state has to be available on #IPv6 and be protected by #DNSSEC by 30th of June 2015. Yesterday a follow-up action was agreed on. On 6th of June 2032, IPv4 will be disabled on all services offered by the Czech Republic and they will be only available on IPv6 from that day on. Apart from that, every June starting from 2025, the Czech government will get a report on how the preparations are going.
Overall seems like a bold move, but I totally support it! It sends a message that #IPv4 is over and everybody should move to #IPv6 already. And even government - the definition of a conservative and bureaucratic institution - gets it. Then why shouldn't you embrace it 😉
I, humbly, consider myself pretty conversant in the basics of (modern and classical) cryptography and information security.
For most of my career, I've been mystified as to what problem #DNSSEC purports to solve.
Has there ever been a case of a DNS-based attack (spoofing, hijacking, transfer, DDoS, etc) that's been thwarted by DNSSEC? Or, in the reverse, has there been an attack that was successful that DNSSEC would have solved?
I don't know what it is, but the upsides of DNSSEC just haven't clicked in my brain.
We have new KSK for the root!
Today a mega ceremony was held where new HSMs were introduced and a new root key was generated in them. This key will be pre-published at the end of this year, and the rollover will be at the end of 2026. It'll be the third in the history of the DNS. The first was in 2010 and the second in 2017. #dns #dnssec
Coordinating and responsibly disclosing today’s two #DNSSEC #security vulnerabilities has been a huge coordination effort amongst researchers, #DNS implementers and early-access testing by our collective customers. It is a true testament to #OpenSource security and resilience. Our thanks go out to everyone involved! 💚🛡️💚 https://nlnetlabs.nl/projects/unbound/security-advisories/
Transport security: BSI certifies e-mail services under new guideline
The BSI has set up a new certification procedure for e-mail providers based on an updated Technical Guideline on transport security.
For those of us in the admittedly obscure world of #DNS security and #DNSSEC, this is very important as it marks a transition to elliptic curve algorithms…
… but for probably 99.9% of Internet users, this is serious “eyes glaze over” territory. 😃
I've released version 1.19.0-3 of my @nlnetlabs #unbound #docker image with updated build environments and unbound base to #alpinelinux 3.19.0. I have reduced two image layers by adding a separate build stage. The tags of the build environments got pinned for better #reproducibility, too.
I've made a new #workflow which is tagging and releasing #cd built images automatically too. I can't wait for @nlnetlabs to release a new #unbound version to watch the #magic. Or to watch it fail.
In my dev-env it works like a charm, though.
I don't want to seem arrogant but I guess this is one of the most feature-rich, secure and advanced images around. And always made with ❤️.
@shane_kerr @jpmens I just had the opposite train of thought: (aggressively) discard all cached entries when I know a zone has been updated (increased ZONEVERSION).
Maybe this could make the CDNs stop using dramatically low #DNS TTLs on all their records, just in case they might update their zone (or we could more comfortably use higher min-ttl values).
I also see some potential to limit outages caused by #DNSSEC bad practice.