Suite of IETF specifications for securing certain kinds of information provided by DNS
In this episode of PING, APNIC's Chief Scientist, Geoff Huston, discusses the surprisingly vexed question of how to say 'no' in the DNS. This conversation follows a presentation by Shumon Huque at the recent DNS OARC meeting, who will be on PING in a future episode talking about another aspect of the DNS protocol. You would hope this is a simple, straightforward answer to a question, but as usual with the DNS, there are more complexities under the surface. The DNS must indicate whether the labels in the requested name do not exist, whether the specific record type is missing, or both. Sometimes, it needs to state both pieces of information, while other times, it only needs to state one. The problem is made worse by the constraints of signing answers with DNSSEC. There needs to be a way to say 'no' authoritatively, and minimize the risk of leaking any other information. NSEC3 records are designed to limit this exposure by making it harder to enumerate an entire zone. Instead of explicitly listing 'before' and 'after' labels in a signed response denying a label's existence, NSEC3 uses hashed values to obscure them. In contrast, the simpler NSEC model reveals adjacent labels, allowing an attacker to systematically map out all existing names — a serious risk for domain registries that depend on name confidentiality. This is documented in RFC 7129. Saying 'no' with authority also raises the question of where signing occurs — at the zone's centre (by the zone holder) or at the edge (by the zone server). These approaches lead to different solutions, each with its own costs and consequences. In this episode of PING, Geoff explores the differences between a non-standard, vendor-explored solution, and the emergence of a draft standard in how to say 'no' properly.
In this week's episode, we look at recent Microsoft Tech updates. By popular request, we're expanding the scope beyond just Azure to include Microsoft 365, Power Platform, and similar Microsoft platforms and capabilities. What's new? What's interesting? What's retiring? Also, Tobi asks Jussi an unexpected question.
(00:00) - Intro and catching up.
(03:50) - Show content starts.
Show links
- Azure Data Studio retirement
- DNSSEC in Azure DNS Public Zones
- Deepseek-R1 in Azure AI Foundry
Microsoft Sentinel:
- What's new in Microsoft Sentinel
- Announcing Public Preview: New STIX Objects in Microsoft Sentinel (Request access to STIX tables: https://forms.office.com/r/903VU5x3hz?origin=lprLink)
- Enable the data connector for Microsoft's threat intelligence
Find us on Bluesky:
- Tobias Zimmergren (@zimmergren.net) — Bluesky
- Jussi Roine • Microsoft MVP (@jussiroine.com) — Bluesky
- Give us feedback!
In this first episode of 2025, Alexander and Heini discuss news that we didn't get to late last year. Among the news are updates to Fabric, Azure Kubernetes Services and the public preview of DNSSEC! Hosted on Acast. See acast.com/privacy for more information.
In the last episode of PING for 2024, APNIC's Chief Scientist Geoff Huston discusses the shift from existing public-private key cryptography using the RSA and ECC algorithms to the world of 'Post Quantum Cryptography'. These new algorithms are designed to withstand potential attacks from large-scale quantum computers capable of implementing Shor's algorithm, a theoretical approach for using quantum computing to break the cryptographic keys of RSA and ECC. Standards agencies like NIST are pushing to develop algorithms that are both efficient on modern hardware and resistant to the potential threats posed by Shor's Algorithm in future quantum computers. This urgency stems from the need to ensure 'perfect forward secrecy' for sensitive data — meaning that information encrypted today remains secure and undecipherable even decades into the future. To date, maintaining security has been achieved by increasing the recommended key length as computing power improved under Moore's Law, with faster processors and greater parallelism. However, quantum computing operates differently and will be capable of breaking the encryption of current public-private key methods, regardless of the key length. Public-private keys are not used to encrypt entire messages or datasets. Instead, they encrypt a temporary 'ephemeral' key, which is then used by a symmetric algorithm to secure the data. Symmetric key algorithms (where the same key is used for encryption and decryption) are not vulnerable to Shor's Algorithm. However, if the symmetric key is exchanged using RSA or ECC — common in protocols like TLS and QUIC when parties lack a pre-established way to share keys — quantum computing could render the protection ineffective. A quantum computer could intercept and decrypt the symmetric key, compromising the entire communication.
Geoff raises concerns that while post-quantum cryptography is essential for managing risks in many online activities — especially for protecting highly sensitive or secret data — it might be misapplied to DNSSEC. In DNSSEC, public-private keys are not used to protect secrets but to ensure the accuracy of DNS data in real time. If there's no need to worry about someone decoding these keys 20 years from now, why invest significant effort in adapting DNSSEC for a post-quantum world? Instead, he questions whether simply using longer RSA or ECC keys and rotating key pairs more frequently might be a more practical approach. PING will return in early 2025. This is the last episode of PING for 2024; we hope you've enjoyed listening. The first episode of our new series is expected in late January 2025. In the meantime, catch up on all past episodes.
Discover how a ransomware attack nearly brought vodka titan Stoli to its knees, pushing the company to the brink of bankruptcy with a staggering $78 million debt. This episode promises a compelling exploration of the catastrophic impact on their ERP systems and the urgent need for a solid business resiliency plan. Join me, Sean Gerber, as we unravel the complexities of managing IT risks, the geopolitical challenges faced by companies like Stoli, and the critical importance of conveying these risks to senior leadership — especially when regulatory deadlines loom. On a technical front, we'll demystify the nuances between IPsec transport and tunnel modes, breaking down misconceptions and shining a light on potential vulnerabilities such as outdated TLS versions. Learn why HSTS and DNS over HTTPS might not be the silver bullets they appear to be, and how HTTPS, while robust, isn't immune to phishing threats. This episode is an essential guide for cybersecurity professionals keen on fortifying their defenses against the relentless and evolving threats in today's digital landscape. Tune in for a rich blend of analysis and insights that underscore the vital role of awareness and technical knowledge in safeguarding our digital world. Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
Two weeks ago was Microsoft Ignite, and as expected a huge amount of news was announced, from CoPilot updates to improvements in Server 2025 and Azure DNS. In this episode we take you through the most important news from the event.
CoPilot Agents: New CoPilot agents that improve your workflows in Microsoft 365. Link to introduction; More about the new agents
CoPilot Actions: New tools and agents to support IT teams. Link to blog post
Security CoPilot in Intune & Entra ID: Security Copilot now integrated into Intune and Entra ID. More about Intune; More about Entra ID
Server 2025 Hotpatch: Windows Server 2025 now gets hotpatch functionality. Read more about hotpatch
DNSSEC Support for Azure DNS: Secure DNS records with DNSSEC in Azure DNS. Link to documentation
Azure DNS Security Policy: Manage your DNS resources more securely with new security policies. Link to documentation
Azure Bastion Premium: New premium SKU for improved connectivity and security. Link to overview
Windows 365 Link: Transform devices into Cloud PCs with Windows 365 Link. More information
Azure Stack HCI is now called Azure Local: New name for Azure Stack HCI, now Azure Local. More information
Azure Backup Default Soft Delete: Improved protection with soft delete in Azure Backup. More about soft delete
This time on PING, Peter Thomassen from SSE and DEsec.io discusses his analysis of the failure modes of CDS and CDNSKEY records between parent and child in the DNS. These records are used to provide in-band signalling of the DS record, fundamental to the maintenance of a secure path from the trust anchor to the delegation through all the intermediate parent and grandparent domains. Many people use out-of-band methods to update this DS information, but the CDS and CDNSKEY records are designed to signal this critical information inside the DNS, avoiding many of the pitfalls of passing through a registry-registrar web service. The problem is, as Peter has discovered, the information across the various nameservers (denoted by the NS records in the DNS) of the child domain can get out of alignment, and the tests a parent zone needs to do when checking CDS and CDNSKEY information aren't sufficiently specified to pin down this risk. Peter performed a "meta analysis" inside a far larger cohort of DNS data captured by Florian Steurer and Tobias Fiebig at the Max Planck Institute and discovered a low but persisting error rate: a drift in the critical keying information between a zone's NS and the parent. Some of these related to transitional states in the DNS (such as when you move registry or DNS provider) but by no means all, and this has motivated Peter and his co-authors to look at improved recommendations for managing CDS/CDNSKEY data, to minimise the risk of inconsistency, and the consequent loss of a secure entry path to a domain name.
Microsoft Ignite is just around the corner but there are still plenty of updates coming from Microsoft prior to their big tech event. Listen and stay up to date with everything that is happening in the Microsoft Cloud.
Resources
@directorcia
Join my shared channel
CIAOPS merch store
Become a CIAOPS Patron
CIAOPS Blog
CIAOPS Brief
CIAOPSLabs
Support CIAOPS
Streamline collaboration with the new chat and channels experience in Microsoft Teams
How to manage false positives – Microsoft Defender for Office 365
Get started with false negative investigations in Microsoft Defender for Office 365
How to investigate email messages in Microsoft Defender for Office 365
How to use the Alert page – Microsoft Defender XDR
Defender XDR Monthly news – November 2024
How Microsoft Defender for Office 365 innovated to address QR code phishing attacks
Skill up to strengthen your organization's cybersecurity posture
Manage Microsoft Entra ID role assignments with Microsoft Entra ID Governance
Announcing General Availability of Inbound SMTP DANE with DNSSEC for Exchange Online
Coming in December: SC-5004: Defend against cyberthreats with Microsoft Defender XDR
What's new in Copilot Studio: November
New Copilot agents: Supercharge Microsoft 365 Copilot
A strategic approach to assessing your AI readiness
Supercharge productivity with Microsoft 365 Copilot
AI safety first: Protecting your business and empowering your people
Microsoft 365 Copilot — Small Business Guide to Set Up Copilot
Quick actions with Copilot now at your fingertips in OneNote
Stay focused in an action-packed meeting with Microsoft 365 Copilot in Teams
How to prepare for Windows 10 end of support by moving to Windows 11 today
Github Copilot updates
A year of innovation- and feedback-driven features in Microsoft Word
Updated management features roll out for Microsoft Intune Suite
Afterhours: Apple intelligence - catch up
In this episode we discuss the public preview of GitHub Copilot for Azure in VS Code. We also talk about the introduction of IPv6 in Exchange Online and new security defaults in Entra ID.
Public Preview of Azure Migrate: from VMware to Azure Stack HCI. Check out the public preview of Azure Migrate for moving workloads from VMware to Azure Stack HCI. Link to article
Azure Arc Jumpstart: A comprehensive platform to get started quickly with Azure Arc. Link to article
Update to security defaults in Entra ID: New security standards in Entra ID to better secure your environment. Link to article
Public Preview of GitHub Copilot for Azure in VS Code: Optimise your Azure workflows with GitHub Copilot in Visual Studio Code. Link to article
IPv6 in Exchange Online: Updates on the introduction of IPv6 for Exchange Online. Link to article
DANE (DNS-based Authentication of Named Entities): General availability of DANE with DNSSEC for inbound SMTP verification. Link to article
Azure introduces Terraform Export feature in Private Preview: A new feature for exporting Terraform resources in Azure, now in private preview. Link to article
AzAPI 2.0: Announcement of AzAPI 2.0 with improved API support for Azure resources. Link to article
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Critical RCE Vulnerability in Cyberpanel
https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
Spring WebFlux Vulnerability
https://access.redhat.com/security/cve/cve-2024-38821
https://spring.io/security/cve-2024-38821
Inbound SMTP DANE with DNSSEC for Exchange Online
https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-general-availability-of-inbound-smtp-dane-with-dnssec/ba-p/4281292
HeptaX: Unauthorized RDP Connections for Cyberespionage Operations
https://cyble.com/blog/heptax-unauthorized-rdp-connections-for-cyberespionage-operations/
Mattias Jadesköld and Erik Zalitis take a comprehensive look at the technical area of DNS. Yes, the duo have talked about DNS in other episodes, so this one contains updated thinking as of 2024. DNS has been attacked in waves over the years. How did these attacks work? And the perhaps most ambitious attempt, in 2008, how did that go? Did the so-called "Mirai botnet" succeed in taking down the internet? Could it be done today? What mechanisms protect DNS today? DNSSEC, anycast and geographically distributed servers are part of it. But what about the second layer? Why is it so sensitive? PS. If you think the cover image is a bit odd, it is Photoshop's AI-generated image when you ask for "DNS servers sometimes get attacked in Swedish forests", so don't blame any human for it.
In our "DNS Security" podcast, we delve into DNS's critical role in how the internet works, exploring its vulnerabilities and attacks like DNS spoofing, cache poisoning, and DDoS. We discuss DNSSEC and its components, including public and private keys, and examine practical solutions such as DNS and content filtering. The episode also highlights the advantages of cloud-based DNS services, like those offered by Cloudflare. Finally, we share best practices and resources for securing DNS infrastructure, addressing challenges like scalability and false positives. Join us for a concise yet comprehensive exploration of DNS security's complexities and solutions.
Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Work with Us: https://securit360.com
In this episode of PING, Joao Damas from APNIC Labs explores the mechanics of the Labs measurement system. Commencing over a decade ago, with an "actionscript" (better known as Flash) mechanism, backed by a static ISC BIND DNS configuration cycling through a namespace, the Labs advertising measurement system now samples over 15 million end users per day, using JavaScript and a hand-crafted DNS system which can synthesise DNS names on the fly and lead users to varying underlying Internet Protocol transport choices, packet sizes, DNS and DNSSEC parameters in general, along with a range of Internet routing related experiments. Joao explains how the system works, and the mixture of technologies used to achieve the goals. There's almost no end to the variety of Internet behaviour which the system can measure, as long as it's capable of being teased out of the user in a JavaScript-enabled advert backed by the DNS!
Being at the core of the Internet places the DNS under a lot of pressure. New forms of DNS abuse emerge each year, disputes over domain names persist, and all the while, the Internet just keeps getting bigger. Mikhail Anisimov from ICANN talks about the coordinated effort involved in meeting these challenges and shares his views on DNS in Central Asia.
As one of the organisations at the core of the Internet that works to coordinate the supply of Internet numbers and domain names, ICANN plays a vital role in helping to support and develop the DNS. Our guest Mikhail has been ICANN's Stakeholder Engagement Senior Manager for Eastern Europe and Central Asia since 2020, so we thought who better to talk to about DNS, DNSSEC, and its ongoing development in Central Asia.
Show notes:
02:18 - Wikipedia entry on DNS
03:30 - You can learn lots about ICANN on their website
04:10 - There's a list of all the root DNS servers and their operators on the IANA website. The RIPE NCC operates K-root.
05:12 - Statdns has this useful list of DNS related RFCs
08:40 - New gTLD program
09:10 - FAQ on the next round of the new gTLD
15:30 - The 8th Central Asian Internet Governance Forum took place on 21-22 June 2024.
15:51 - ICANN's Domain Name Security Threat Information Collection and Reporting (DNSTICR) project
16:02 - …and the broader Domain Abuse Activity Reporting (DAAR) project
19:07 - Calling Time on DNSSEC by Geoff Huston
22:19 - Dan Kaminsky in the Internet Hall of Fame
28:00 - ICANN page on DNSSEC
33:21 - The next Central Asia Peering and Interconnection Forum, CAPIF 3, takes place in Bishkek, Kyrgyzstan, from 24-25 September 2024.
40:42 - Read Chris Buckridge's Fragmentation: Still the Internet's Big Bad here on RIPE Labs.
In this episode of PING, Casper Schutijser and Ralph Koning from SIDN Labs in the Netherlands discuss their post-quantum testbed project. As mentioned in the previous PING episode about Post Quantum Cryptography (PQC) in DNSSEC with Peter Thomassen from SSE and Jason Goertzen from Sandbox AQ, it's vital we understand how this technology shift will affect real-world DNS systems in deployment. The SIDN Labs system has been designed to be a "one stop shop" for DNS operators to test configurations of DNSSEC for their domain management systems, with a complete virtualised environment to run inside. It's fully scriptable, so it can be modified to suit a number of different situations and potentially include builds of your own critical software components to include with the system under test. Read more about the testbed and PQC on the APNIC Blog and at SIDN Labs.
In this episode we discuss the major CrowdStrike outage of last week. We also talk about updates in Exchange and the new option to update CIS-hardened VM images via Azure Update Management.
CrowdStrike: CrowdStrike recently experienced a major outage. Read more about the incident details and how they were handled.
In his regular monthly spot on PING, APNIC's Chief Scientist Geoff Huston continues his examination of DNSSEC. In the first part of this two-part story, Geoff explored the problem space, with a review of the comparative failure of DNSSEC to be deployed by zone holders, and the lack of validation by resolvers. This is visible to APNIC Labs from carefully crafted DNS zones with validly and invalidly signed DNSSEC states, which are included in the Labs advertising method of user measurement. This second episode offers some hope for the future. It reviews the changes which could be made to the DNS protocol, or the use of existing aspects of DNS, to make DNSSEC safer to deploy. There is considerable benefit to having trust in names, especially as a "service" to Transport Layer Security (TLS), which is now ubiquitous worldwide on the web.
The Crowdstrike issue has been the dominant news item recently and I have some information as well as my own thoughts on this which I share. As always the news and updates from Microsoft continue and I share with you what I feel is most relevant including a number of handy videos on various Copilots, so listen along and enjoy. As always love to hear your thoughts and feedback.
Resources
@directorcia
Join my shared channel
CIAOPS merch store
Become a CIAOPS Patron
CIAOPS Blog
CIAOPS Brief
CIAOPSLabs
Support CIAOPS
Helping our customers through the CrowdStrike outage
Microsoft Bookings | Your Appointment Scheduling Solution
Announcing Public Preview of Inbound SMTP DANE with DNSSEC for Exchange Online
Guest sharing now available in Microsoft Loop
Make OT security a core part of your SOC strategy with Microsoft Defender XDR
Perfect your prompt with Copilot for Microsoft 365
Build a great prompt with Copilot for Microsoft 365
New Outlook for Windows | How to use Coaching by Copilot
Copilot Learning Hub: Your Gateway to Mastering Microsoft Copilot
Turn PDFs into editable documents in Word for iOS
Simplified Zero Trust security with the Microsoft Entra Suite and unified security operations platform, now generally available
How to secure access for your workforce with Microsoft Entra Suite
Microsoft Entra Internet Access Overview
Microsoft Security Service Edge now generally available
Introducing dynamic watermarking for Word, Excel, and PowerPoint
SharePoint roadmap pitstop: June 2024
What's New in Microsoft Teams | June 2024
Dealing with Unsatisfactory Responses
Promptbooks
File menu improvements in Word, Excel, and PowerPoint for the web
Oracle Quarterly Critical Patch Update
https://www.oracle.com/security-alerts/cpujul2024.html
Exchange Online Implementing Inbound SMTP DANE with DNSSEC
https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-public-preview-of-inbound-smtp-dane-with-dnssec-for/ba-p/4155257
VPN Port Shadowing Vulnerability
https://petsymposium.org/popets/2024/popets-2024-0070.pdf
This time on PING, Peter Thomassen from deSEC and Jason Goertzen from Sandbox AQ discuss their research project on post quantum cryptography in DNSSEC, funded by NLNet Labs. Post Quantum cryptography is a response to the risk that a future quantum computer will be able to implement Shor's Algorithm, a mechanism to uncover the private key in the RSA public-private key cryptographic mechanism, as well as Diffie-Hellman and Elliptic Curve methods. This would render all existing public-private based security useless, because with knowledge of the private key by a third party, the ability to sign uniquely over things is lost: DNSSEC doesn't depend on secrecy of messages but it does depend on RSA and elliptic curve signatures. We'd lose trust in the DNSSEC protections the private key provides. Post Quantum Cryptography (PQC) addresses this by implementing methods which are not exposed to the weakness that Shor's Algorithm can exploit. But the cost and complexity of these PQC methods rises. Peter and Jason have been exploring implementations of some of the NIST candidate post quantum algorithms, deployed into bind9 and PowerDNS code. They've been able to use the Atlas system to test how reliably the signed contents can be seen in the DNS and have confirmed that some aspects of packet size in the DNS, and new algorithms, will be a problem in deployment as things stand. As they note, it's too soon to move this work into the IETF DNS standards process, but there is continuing interest in researching the space, with other activity underway from SIDN which we'll also feature on PING.
In his regular monthly spot on PING, APNIC's Chief Scientist Geoff Huston discusses DNSSEC and its apparent failure to deploy at scale in the market after 30 years. Both in the state of signed zone uptake (the supply side) and in the low levels of verification seen by DNS client users (the consumption side), there is a strong signal that DNSSEC isn't making headway, compared to the uptake of TLS, which is now ubiquitous in connecting to websites. Geoff can see this by measurement of client DNSSEC use in the APNIC Labs measurement system, and from tests of the DNS behind the Tranco top website rankings. This is both a problem (the market failure of a trust model in the DNS is a pretty big deal!) and an opportunity (what can we do to make DNSSEC, or some replacement, viable?), which Geoff explores in the first of two parts. A classic "cliffhanger" conversation about the problem side of things will be followed in due course by a second episode which offers some hope for the future. In the meantime, here's the first part, discussing the scale of the problem.
New Zealand Energy Corporation shares updates on the company's operations, including the recent investment by Monumental Energy Corporation in DNSSEC on December 12th, 2023. Additionally, info on the successful completion of the first portion of a non-brokered private placement financing through convertible notes by Austral Gold Limited, a well-established gold producer.
Topics covered in this episode:
This week Kali Fencl, Tim Helming, and Taylor Wilkes-Pierce discuss China's involvement with I-Soon along with DNSSEC and the #KeyTrap vulnerability
POTUS has a TikTok account, why? Isn't that a problem (we just had congressional briefings on that exact issue.) How do we think about FUD in our marketing for cyber, and why should or shouldn't we use the data that we have in our GTM? There is a fundamental DNSSEC flaw in the internet, is it getting patched? And more on this one!
ENS partners with GoDaddy. EigenLayer opens its restaking window. Treasure releases the Treasure Chain litepaper. And Ethereum researchers propose paths to increasing the block gas limit. Sponsor: Harpie is an onchain security solution that protects your wallet from theft in real time. Harpie helps you detect and block suspicious transactions before they execute, safeguarding your assets from malicious attacks and scams. Try Harpie for free at harpie.io/ethdaily.
ENS deploys Gasless DNSSEC on mainnet. Swell introduces rswETH. API3 introduces OEV Network as a ZK-Rollup built on Polygon CDK. And Hey introduces dynamic embeds. Sponsor: Harpie is an onchain security solution that protects your wallet from theft in real time. Harpie helps you detect and block suspicious transactions before they execute, safeguarding your assets from malicious attacks and scams. Try Harpie for free at harpie.io/ethdaily.
In this episode of PING, APNIC's Chief Scientist Geoff Huston discusses the change in IP packet fragmentation behaviour adopted by IPv6, and the implications of a change in IETF “Normative Language” regarding use of IPv6 in the DNS. IPv4 arguably succeeds over so many variant underlying links and networks because it's highly adaptable to fragmentation in the path. IPv6 has a proscriptive requirement that only the end hosts fragment, which limits how intermediate systems can handle IPv6 data in flight. In the DNS, increasing complexity from things like DNSSEC means that DNS packet sizes are getting larger and larger, which risks invoking the IPv6 fragmentation behaviour in UDP. This has consequences for the reliability and timeliness of the DNS service. For this reason, a revision of the IETF normative language (the use of capitalised MUST, MAY, SHOULD and MUST NOT) directing how IPv6 integrates into the DNS service in deployment has risks. Geoff argues for a “first, do no harm” approach to this kind of IETF document. Read more about IPv6, fragmentation, the DNS and Geoff's measurements on the APNIC Blog and APNIC Labs.
It's that time of year! Neatvember! Adam joins us again to chat about all things omg.lol, Kentucky, and Passkeys! Neatvember! 00:00:00 Happy Neatvember everyone!
Introduction
In this episode, we'll be discussing domain name registrars. We'll talk about what they are, how they work, and how to choose the best one for your needs.
What is a domain name registrar?
A domain name registrar is a company that registers and sells domain names. When you buy a domain name from a registrar, you're essentially renting it for a certain amount of time. The registrar is responsible for keeping track of who owns the domain name and making sure that it's properly pointed to your website.
How do domain name registrars work?
When you buy a domain name from a registrar, they'll add your name and contact information to a database called the Domain Name System (DNS). The DNS is a big list of all the domain names in the world and their corresponding IP addresses. When someone types your domain name into their browser, their computer will query the DNS to find the IP address of your website.
How to choose the best domain name registrar for you
There are a few factors to consider when choosing a domain name registrar. These include:
Price: Domain name registrars typically charge different prices for domain names. It's important to compare prices before you buy a domain name.
Features: Different registrars offer different features, such as free domain privacy, email forwarding, and DNSSEC. Make sure to choose a registrar that offers the features you need.
Customer support: If you have any problems with your domain name, you'll need to contact the registrar's customer support team. Make sure to choose a registrar with a good reputation for customer support.
Popular domain name registrars
Here are some of the most popular domain name registrars:
Domain.com
Namecheap
Bluehost
Google Domains
GoDaddy
HostGator
Name.com
NameSilo
Dynadot
DreamHost
https://url.amit.so/bio
In this episode of PING, Verisign Fellow Duane Wessels discusses notable changes in the DNS root zone over the last 13 years. Duane joined Verisign in the early stages of DNSSEC deployment and has conducted measurements of DNS for many years, in his Measurement Factory days, and in DNS OARC as well as inside Verisign. The significant changes to the DNS root zone, and their implications for the root zone operators, are discussed: deploying DNSSEC, the first DNSSEC KSK key changes, the increase in packet sizes with RSA key length changes, and the future KSK and ZSK algorithm changes. Read more about DNS and DNSSEC on the APNIC Blog. Here are some articles from the blog which discuss the issues: The views expressed by the featured speakers are their own and do not necessarily reflect the views of APNIC.
In this episode of PING, APNIC's Chief Scientist Geoff Huston discusses DNSSEC and presents a case "for" and "against" deployment, in the context of complexity, fragility, and impact on the DNS process at large. DNSSEC is net beneficial, but it's by no means automatic to deploy it to protect a zone. For Geoff's continuing measurement of DNSSEC see https://stats.labs.apnic.net/dnssec for his daily updated measurements of DNSSEC validation. The views expressed by the featured speakers are their own and do not necessarily reflect the views of APNIC.
Howdy Data Center Therapy regulars and new “Therapy Clients” alike! On this episode, your hosts Matt “Release and Report” Yette and Matt “Reverse Lookup” Cozzolino break down email security for you, our listeners, with a little history, a little humor, and a little education around all those three, five and six letter acronyms. The Matts share their deep technical knowledge and experiences so that you can understand what those acronyms add, protocol-wise, to enhancing the integrity of the email system as a whole. During the course of this podcast, you'll get to hear about: The relationship of email to the ever growing threat of ransomware (“i.e. the malicious clicks”.) Technical protocols like DNSSEC, TXT, BIMI, DMARC, SPF and DKIM, and how those contribute to strengthening email security (while not breaking compatibility with the forty (40!)-year-old email protocol) How solutions like ProofPoint can easily add a strong layer of security to your own Office365 implementations After you've listened to the episode, if you're interested in the free IVOXY Email Integrity Assessment to check your own incoming and outgoing email security postures, please reach out to your local IVOXY representative, and if you don't have one, hit us up at podcasts@ivoxy.com. If you're an Office365 customer, the Consultants assisting you will include a Rapid Risk Report as stated earlier. We hope you enjoyed this episode, and if you did, please be sure to like, share and subscribe wherever quality podcasts like DCT are found. We appreciate it! Guard that front door (of email activity!), stay safe, and stay as secure as you can, listeners. Catch you on the next informative episode of Data Center Therapy!
MUST's crypto strategist takes over the key to the internet. At a ceremony on Thursday, crypto strategist Pia Gruvö took over one of the 14 keys that ensure the internet works securely. "It is truly an honour," says Pia Gruvö, crypto strategist at the Military Intelligence and Security Service, MUST. 14 people globally are appointed as guardians of the internet. They are key holders, or crypto officers as they are called, whose job is to maintain "the internet's phone book", the domain name system, DNS. The new crypto officer Pia Gruvö has a strong background in the Swedish Armed Forces: she started at FRA as a cryptographer back in 1988 and for the past two years has been crypto strategist for MUST and NCSA director (National Communications Security Authority). "It is truly an honour to be appointed crypto officer and to become part of this distinguished group," says Pia Gruvö in a statement. The DNS directory is a database that keeps track of where you end up when you type in a domain address, for example "di.se", by translating it into the computers' raw IP addresses, which consist of digits and dots. If someone were to gain access to this system, they could redirect the addresses, which would cause major problems such as manipulation of information and other security threats. There is therefore a security system, DNSSEC, which is protected with security keys. For the keys to remain secure, they are renewed regularly. Twice a year, Pia Gruvö will therefore travel to Culpeper outside Washington DC in the USA with her key and be escorted through various security zones in order to unlock her box. It contains a smart card which, together with the other crypto officers' cards, can be used to create new keys. Before Pia Gruvö, cyber security expert Anne-Marie Eklund Löwinder held the key for twelve years, but she is now retiring. #CarlNorberg #DeFria De Fria is a popular movement that works for democracy through an enlightened and aware population!
Support us: SWISH: 070 - 621 19 92 (recipient Sofia S) PATREON: https://patreon.com/defria_se WEBSITE: https://defria.se FACEBOOK: https://facebook.com/defria.se
APNIC's Chief Scientist, Geoff Huston, joins us again on the show, this time to discuss three related presentations by Google, ISC and Mozilla that caught his attention during the recent IETF 114 and DNS-OARC 38 meetings on securing the DNS against spoofing. DNS spoofing involves third parties intercepting and responding to queries for benign or malicious purposes; recent studies show that DNS spoofing has more than doubled since 2016. Google is protecting its DNS service against spoofing using multiple methods, including a combination of DNS cookies, randomizing the choice of name servers, stripping duplicate queries from the outbound queues, performing rate limiting and unilaterally probing for support of Authoritative DNS over TLS (ADoT); it projects that these measures will cover 99% of queries after the various rollouts are complete. While such results are impressive, Geoff and others argue that the widespread use of DNSSEC could do just as good a job, and with little impact on performance, as per ISC's and Mozilla's findings in their recent studies. Read more about DNS Spoofing and DNSSEC on the APNIC Blog. The views expressed by the featured speakers are their own and do not necessarily reflect the views of APNIC.
Amazon acquires iRobot, Zero-day defense tips, DNS security, and more! Amazon acquires iRobot. Amazon & IBM are moving quickly on Post-Quantum Cryptographic Algorithms. T-Mobile store owner made $25 million using stolen employee credentials. North Korea-backed hackers with a way to read your Gmail. Zero-Day defense: tips for defusing the threat. Josh Kuo: DNSSEC Nerd for InfoBlox and co-author of the "BIND DNSSEC Guide" & "DNS Security for Dummies" Hosts: Louis Maresca, Brian Chee, and Curt Franklin Guest: Josh Kuo Download or subscribe to this show at https://twit.tv/shows/this-week-in-enterprise-tech. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Sponsors: newrelic.com/enterprise Compiler - TWIET UserWay.org/twit
Geoff Huston joins us again for his monthly chat, this time to consider the contradictory theory of a resolverless DNS. Contradictory because the DNS is by its nature reliant on resolvers. We'll discuss the historical process of how DNS names are resolved and how content providers, through their open DNS services, have sought to optimise this process. This optimisation has led some, including Geoff, to consider 'server push' combined with DNSSEC, as a viable means to speed up the DNS, reduce privacy leakage and constrain the potential for failures. You can read more on the APNIC Blog https://blog.apnic.net/2022/05/17/the-path-to-resolverless-dns/ The views expressed by the featured speakers are their own and do not necessarily reflect the views of APNIC.
April weather over in Sweden - a couple of degrees and windy. Building a porch for my Dad. Last week I talked about DNS - and I have also mentioned my email project, even if I haven't done a deep dive into it yet. Related to both of these are SPF and DKIM. SPF - stands for Sender Policy Framework - this is a policy you can set that will hinder spammers and scammers from sending email as you. It is a short text string that you can add to the DNS for your domain. It has mainly three sections - the SPF version, the allowed IP ranges, and what should happen if there is no match. The IP ranges specify which mail servers are allowed to send email for the domain. That should only be your email provider's servers. The policy, or what should happen, can be anything from do nothing to block. The stricter you set these rules, the less spam will be sent impersonating your domain. This works by receiving email servers checking the SPF records before accepting an email - spam filters can also use this data and score unmatched records higher if block is not on. DKIM - stands for DomainKeys Identified Mail - it resembles SPF a lot but takes it a bit further. With this standard you also enter a text record into your DNS. This time it contains a bit more information - but the important part is a public key. This should be a key generated by the sender domain's email server(s). When sending email, the email server will sign the message using the private key, and the receiving email server can then use the key in the DNS to verify that it was sent by an approved sender. This is a bit more technical to set up than SPF and it also requires that the email server supports DKIM signing. DMARC - stands for Domain-based Message Authentication, Reporting and Conformance - this is the glue that ties it all together. In DMARC - again a DNS text record - a policy can be defined for what should happen when a message breaks the SPF policy or is missing or has a false DKIM signature.
This can tell the receiving email servers, as an example, to quarantine or block the message and also report back to a specific email address. I am using SPF and DKIM - I have not yet set up a DMARC policy - it is probably something I should do together with DNSSEC to improve my overall domain security. Are you using any of these techniques to stop spam and spoofing from your domain? The most common reason for not implementing SPF or DKIM is not knowing that it exists, or the belief that it will be hard and risk correct email being rejected. Domains with a good SPF and DKIM setup have a better chance to pass spam filters since they are specifically configured to not allow uncontrolled senders. Do the internet a service and set it up on your domains today. I hope you enjoyed today's episode of Martin Uncut.
Restoring a Tadpole SPARCbook 3, The FreeBSD Boot Process, Debugging an ioctl Problem on OpenBSD, Why my game PC runs FreeBSD and Kubuntu, DNSSEC, Badgers, and Orcs, Oh My, and more. NOTES This episode of BSDNow is brought to you by Tarsnap (https://www.tarsnap.com/bsdnow) and the BSDNow Patreon (https://www.patreon.com/bsdnow) Headlines Restoring a Tadpole SPARCbook 3 Part 1: Introduction (https://www.rs-online.com/designspark/restoring-a-tadpole-sparcbook-3-part-1-introduction) The FreeBSD Boot Process (https://klarasystems.com/articles/the-freebsd-boot-process/) News Roundup Debugging an ioctl Problem on OpenBSD (https://jcs.org/2022/02/16/ioctl) Why my game PC runs FreeBSD and Kubuntu (https://rubenerd.com/why-my-game-pc-also-runs-freebsd/) DNSSEC, Badgers, and Orcs, Oh My! (https://mwl.io/archives/14708) Beastie Bits • [LibreSSL 3.5.0 development branch released](https://undeadly.org/cgi?action=article;sid=20220301063844) • [OpenSSH updated to 8.9](https://undeadly.org/cgi?action=article;sid=20220301063428) • [Recent developments in OpenBSD, 2022-02-21 summary](https://undeadly.org/cgi?action=article;sid=20220221060700) Tarsnap This week's episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups. Feedback/Questions Jonathan - X-Wing and Tie Fighter (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/446/Jonathan%20-%20X-Wing%20and%20Tie%20Fighter.md) Joshontech - pool options (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/446/joshontech%20-%20pool%20options.md) Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv) ***
We recorded this months ago, and now it's finally up! Colm MacCárthaigh joined us to chat about all things TLS, S2N, MTLS, SSH, fuzzing, formal verification, implementing state machines, and of course, DNSSEC. Transcript: https://share.descript.com/view/tjrQu8wZKT0 Find us at: https://twitter.com/scwpod https://twitter.com/durumcrustulum https://twitter.com/tqbf https://twitter.com/davidcadrian
In our fifth episode, we are talking again to APNIC's Chief Scientist, Geoff Huston, regarding a recent presentation he sat in on at DNS OARC 36 about Slack's unfortunate 24-hour outage on 30 September 2021, where 1% of its users (almost 100,000 users) weren't able to access Slack, due to an issue with deploying its DNSSEC. We'll discuss two themes that Geoff has blogged about and discussed on this show this year: managing and securing the DNS is difficult but necessary, and the need for greater transparency in the industry when discussing things that have gone wrong, so that the community can learn from them to make sure they don't happen again. You can read Geoff's account of this presentation here: Notes from DNS-OARC 36 [ https://blog.apnic.net/2021/12/07/notes-from-dns-oarc-36/?utm_source=podcast&utm_medium=organic&utm_campaign=PING&utm_term=E5&utm_content=description] Also, here is a link to Slack's account of the situation that we refer to in the show: The Case of the Recursive Resolvers [https://slack.engineering/what-happened-during-slacks-dnssec-rollout/] The views expressed by the featured speakers are their own and do not necessarily reflect the views of APNIC.
Not the hero the internet deserves, but the one we need: it's Ryan Sleevi! We get into the weeds on becoming a certificate authority, auditing said authorities, DNSSEC, DANE, taking over country code top level domains, Luxembourg, X.509, ASN.1, CBOR, more JSON (!), ACME, Let's Encrypt, and more, on this extra lorge episode with the web PKI's Batman. Find us at: https://twitter.com/scwpod https://twitter.com/durumcrustulum https://twitter.com/tqbf https://twitter.com/davidcadrian
This week's Network Break discusses the jaw-dropping $3.5 billion purchase of Pluralsight; welcomes a new network OS to life, the universe, and everything; debates whether ICANN was cautious or tardy in implementing DNSSEC for gTLD name servers, catches up on the SolarWinds hack, and more tech conversation.