Generating #DNSSEC signatures using the private keys from #RFC 9500 (a bunch of publicly known private keys, which is a strange concept 🤔): it works nicely. :3 The keytag for "testECCP256" is 56715 or 56716 (depending on whether it's a ZSK or a KSK).
Fortunately, I will most likely no longer be around, a little before 2106, when people will have to start tying their brains in knots with the RFC 1982 serial number arithmetic applied to the date fields of #DNSSEC signatures.
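The wrap the post above is dreading, as an added worked example (my code, not the poster's): RFC 4034 stores the RRSIG inception and expiration fields as 32-bit seconds since 1970, so they wrap at 2106-02-07 06:28:16 UTC, and RFC 4035 section 5.3.1 requires a validator to compare them with RFC 1982 serial number arithmetic rather than as plain integers. The dates, the two-hour validity window and the three "now" values below are constructed for the example.

```python
import calendar
import datetime

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS          # 2**32
SERIAL_HALF = 1 << (SERIAL_BITS - 1)   # 2**31


def sig_time_from_text(text: str) -> int:
    """RRSIG presentation-format time (YYYYMMDDHHmmSS, UTC) to its 32-bit wire value.

    RFC 4034 section 3.2: the wire field is seconds since 1970-01-01 00:00:00 UTC
    as an unsigned 32-bit number, so 2106-02-07 06:28:16 UTC wraps to 0.
    """
    dt = datetime.datetime.strptime(text, "%Y%m%d%H%M%S")
    return calendar.timegm(dt.timetuple()) % SERIAL_MOD


def serial_lt(a: int, b: int) -> bool:
    """a < b in RFC 1982 serial number arithmetic with SERIAL_BITS = 32.

    Returns False for both orders when the values are exactly 2**31 apart,
    where RFC 1982 leaves the comparison undefined.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


def serial_le(a: int, b: int) -> bool:
    return a % SERIAL_MOD == b % SERIAL_MOD or serial_lt(a, b)


def serial_add(s: int, n: int) -> int:
    """RFC 1982 addition: only 0 <= n < 2**31 is defined; the result wraps modulo 2**32."""
    if not 0 <= n < SERIAL_HALF:
        raise ValueError("RFC 1982 only defines adding 0 <= n < 2**31")
    return (s + n) % SERIAL_MOD


def rrsig_time_valid(inception: int, expiration: int, now: int) -> bool:
    """RFC 4035 section 5.3.1: inception <= now <= expiration, in serial arithmetic."""
    return serial_le(inception, now) and serial_le(now, expiration)


if __name__ == "__main__":
    # Constructed signature: inception one hour before the wrap, two hours of validity,
    # so the expiration field is numerically *smaller* than the inception field.
    inception = sig_time_from_text("21060207052816")   # 2**32 - 3600
    expiration = serial_add(inception, 2 * 3600)        # wraps to 3600
    print("inception", hex(inception), "expiration", hex(expiration))
    for now in (0xFFFFFFFF - 100, 100, 1 << 31):
        print("now", hex(now), "valid:", rrsig_time_valid(inception, expiration, now))
```

A naive `inception <= now <= expiration` on the raw 32-bit integers would reject every signature that straddles the 2106 boundary; serial arithmetic accepts the two "now" values inside the window and still rejects the one 2**31 away, which is the case RFC 1982 deliberately leaves undefined.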
About twenty years ago, @afnic had put a self-paced #DNS training course online, with a very "interactive CD-ROM" design typical of the late 90s / early 2000s :)
There's even some #DNSSEC in the advanced part: it's the era of the KEY, SIG and NXT records of first-generation DNSSEC
“This document simply moves the canonical list of algorithms from [RFC8624] to the IANA registry, and defines the registry policies for updating the registry. It does not change the status of any of the algorithms listed in [RFC8624];”
Now, in the table in section 3, column "#DNSSEC Signing", algorithms 5 & 7 are listed as "MUST NOT". They are "NOT RECOMMENDED" in RFC 8624 section 3.1. The recommendation for validation also changes (from "MUST" to "SHOULD NOT")
It is slightly different (for the better imo but still) :)
Analysis of existing CDS/CDNSKEY records in the wild. They are sometimes broken, sometimes in funny ways (authoritative name servers not returning the same CDS...)
Why would a domain in .com publish a CDS (.com does not handle CDS) and a broken one (does not match the keys)?
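An added example (my code, not from any of the posts above) tying together the key-tag remark in the RFC 9500 post and the CDS checks in the two analysis posts. It computes the RFC 4034 Appendix B key tag (which is why the same key gets a tag typically one higher as a KSK than as a ZSK: the SEP bit lives in the low flags byte, at an odd offset, and is added straight into the sum), derives DS/CDS RDATA per RFC 4034 section 5.1.4, and checks a set of per-server CDS answers for the two failure modes mentioned: authoritative servers disagreeing, and CDS records that match no DNSKEY in the zone. The owner name example.com., the server labels and the 8-byte "public key" are constructed placeholders (a real ECDSA P-256 DNSKEY carries 64 bytes of key); it does not query anything.

```python
import hashlib
import struct

# Constructed sample key material: NOT a real P-256 point, just 8 recognisable bytes.
SAMPLE_PUBKEY = bytes(range(1, 9))
# RFC 8078 "delete DS" signal, presented as "CDS 0 0 0 00".
DELETE_CDS = bytes(5)
# DS digest types accepted here: 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, as hashed into a DS."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags | protocol (always 3) | algorithm | public key (RFC 4034 2.1)."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # even offsets weigh 256, odd offsets weigh 1
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS (and CDS, RFC 7344) RDATA: key tag | algorithm | digest type | digest,
    with digest = hash(owner name wire form | DNSKEY RDATA) (RFC 4034 5.1.4)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return struct.pack("!HBB", key_tag(rdata), rdata[3], digest_type) + digest


def parse_ds(ds: bytes):
    tag, alg, dtype = struct.unpack("!HBB", ds[:4])
    return tag, alg, dtype, ds[4:]


def check_cds(owner: str, dnskeys: list, cds_by_server: dict) -> list:
    """Sanity-check a child's CDS publication.

    dnskeys: DNSKEY RDATA values published in the zone.
    cds_by_server: {server label: [CDS RDATA, ...]} as answered by each authoritative server.
    Returns a list of problem descriptions; an empty list means the CDS set looks usable.
    """
    problems = []
    answers = {srv: frozenset(rrs) for srv, rrs in cds_by_server.items()}
    if len(set(answers.values())) > 1:
        problems.append("authoritative servers disagree on the CDS RRset: " + ", ".join(sorted(answers)))
    expected = {make_ds(owner, rd, dt) for rd in dnskeys for dt in DIGESTS}
    for srv, rrs in sorted(cds_by_server.items()):
        for cds in rrs:
            if cds == DELETE_CDS:          # RFC 8078 delete request, nothing to match
                continue
            tag, alg, dtype, _ = parse_ds(cds)
            if dtype not in DIGESTS:
                problems.append(f"{srv}: CDS key tag {tag} uses unsupported digest type {dtype}")
            elif cds not in expected:
                problems.append(f"{srv}: CDS key tag {tag} alg {alg} digest type {dtype} matches no DNSKEY in the zone")
    return problems


if __name__ == "__main__":
    zsk = dnskey_rdata(256, 13, SAMPLE_PUBKEY)
    ksk = dnskey_rdata(257, 13, SAMPLE_PUBKEY)
    print("same key as ZSK:", key_tag(zsk), "as KSK:", key_tag(ksk))
    ds = make_ds("example.com.", ksk)
    broken = ds[:-1] + bytes([ds[-1] ^ 0xFF])   # constructed: last digest byte corrupted
    for p in check_cds("example.com.", [ksk, zsk],
                       {"ns1.example.net": [ds], "ns2.example.net": [broken]}):
        print(p)
```

In a real check the `dnskeys` and `cds_by_server` inputs come from querying each NS listed in the delegation separately (not through a resolver, which would hide the disagreement); SHA-1 DS records are reported as unsupported on purpose, since RFC 8624 does not allow publishing them.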
Listening to the #DNSSEC and Security Workshop at #ICANN79 - Kim Davies is currently giving an update about plans to rollover the #KSK (Key Signing Key) for DNSSEC.
Interesting to read about the dilemma of the hardware security module (HSM) vendor ceasing to make the HSMs that #ICANN was using...
To all who are hosting their own #dns #authoritative server with #dnssec - what do you use in 2024?
#Ed25519 or #ECDSA-P256 or still some #RSA algorithms? A shorter key length is a benefit, especially in DNS, but still not all resolvers may be able to support this in 2024?!
Now that is interesting: #Unbound reports a #DNSSEC-related #EDE, even with the CD flag set. We know there is a problem but still have the desired result. Nice :3
I've made a new #workflow which is tagging and releasing #cd built images automatically too. I can't wait for @nlnetlabs releasing a new #unbound version to watch the #magic. Or to watch it fail.
In my dev-env it works like a charm, though.
I don't want to seem arrogant but I guess this is one of the most feature-rich, secure and advanced images around. And always made with ❤️.
It's week 07 of my #SysAdmin class, high time we talk about the cause of (and solution to) all problems: the #DNS.
We look at the history of the DNS and how we used to copy giant hosts files around, trace DNS packets from resolvers to the root servers and the various authoritative NS using our good friend #tcpdump, talk about #TLDs, fetch the root zone from InterNIC to bootstrap our resolver, look at different RRs, reverse lookups, and touch upon #dnssec.