Incremental #DNSSEC signing for Cascade is coming along nicely, now also supporting NSEC3. #DNS #OpenSource #rustlang https://github.com/NLnetLabs/dnst/commit/0d3cc116f903a801653df0acdab8eaf448301a86
Which Prometheus metrics would you like to see in our #DNSSEC signer Cascade? #DNS #OpenSource https://community.nlnetlabs.nl/t/selecting-the-promtheus-metrics-exposed-by-cascade/70
For #DNSSEC, the domain crate can use different crypto backends such as the ring crate or the #OpenSSL bindings. (But there are more.)
There is now a command-line tool to query the DNS, dnsi. And a CLI tool to do misc. manipulations, dnst ("people are using the ldns library example programs in production"). And a key manager, keyset.
Are you doing something interesting with #DNS #security, #DNSSEC, routing security, or other forms of #Internet security that you would like to share with the wider (DNS-related) technical community?
If so, consider submitting a proposal for the "DNSSEC and Security Workshop" that will be held at ICANN 85 in Mumbai in March 2026.
Deadline is January 30. Note that you do NOT have to be in Mumbai (I will not be) - you can present remotely.
We're experimenting with incremental DNSSEC signing in ‘dnst signer’, to prepare for this functionality in Cascade.
Currently we can sign the changes in the .se zone between last Saturday and Sunday in 3 seconds. Loading the unsigned zone takes 6 seconds and writing out the new signed zone another 12 seconds.
For comparison, the non-incremental signer took ~35 seconds (vs 3s for incremental), even with parallelism.
Incremental signing will be part of the first Cascade production release. https://github.com/NLnetLabs/dnst/pull/148
Dear DNS operators, do you have any need for setting NSEC3 salt and iterations?
https://community.nlnetlabs.nl/t/any-need-for-setting-nsec3-salt-and-iterations/62
PowerDNS Recursor 5.3.4 Released
https://blog.powerdns.com/2026/01/14/powerdns-recursor-5.3.4-released
From an operator perspective, how would you like clustering of your #DNSSEC signing solution to work? #OpenSource #Community #DevOps
https://community.nlnetlabs.nl/t/some-thoughts-on-clustering/59
Thanks to @jpmens we now have documentation for Cascade describing how to integrate with a Nitrokey NetHSM to store your DNSSEC keys.
Thanks a lot! 🧡
RFC 9824: Compact Denial of Existence in DNSSEC
This #RFC allows a domain name to be both existing and non-existing at the same time. More precisely, it makes it possible to provide a cryptographic proof with #DNSSEC, proving that the name exists (when it does not) but does not have the requested data. This technique is particularly well suited to dynamic signing, but has the drawback of "lying".
Since launching Cascade early October, we’ve been pumping out alpha releases of our #DNSSEC signer at a fairly high velocity.
We're now at alpha5 and decided to slow down releases for the time being, while we're working on a lot of parallel tasks that are dependent on one another.
We'll resurface in a few weeks with some big steps forward! You can stay up to date with our progress here:
@gregr Hmmm, DNSviz https://dnsviz.net/d/hlaor.realtor/aTEk-A/dnssec/ and Zonemaster https://zonemaster.fr/en/result/4a67792402b3ec73 don't see a problem either. Should we accuse them of laxity?
Passing the Torch – My Last Root DNSSEC KSK Ceremony as Crypto Officer 4
https://technotes.seastrom.com/2025/11/23/passing-the-torch.html
#HackerNews #PassingTheTorch #DNSSEC #KSK #Ceremony #CryptoOfficer #InternetSecurity #Cybersecurity
We're excited to send you into the weekend with Cascade 0.1.0-alpha5 ‘Colline de la Croix’.
This release of our #DNSSEC signer prints information about keys and rollovers across all known zones. It will prioritize keys with the soonest rollover actions. It also changes how information is logged at runtime, which is a useful debugging aid.
As always, many thanks to everyone who provided us with feedback and bug reports. We love being on this journey with you! 🧡 #DNS
https://github.com/NLnetLabs/cascade/releases/tag/v0.1.0-alpha5