Rolling the root key
Have DNSSEC-validating recursive resolvers updated their Trust Anchor sets to include KSK-2024, and how can we measure whether this transition has been successfully adopted?
Tag: DNSSEC
Revocation of X.509 certificates
‘Revocation is broken’ is a catchphrase in the world of certificates and Certificate Authorities. Certification infrastructure may not have been designed for the Internet of today.
NIST updates its secure DNS deployment guide: What operators need to know
NIST’s updated DNS deployment guide treats DNS as a core security control, offering practical guidance on protective DNS, encryption, DNSSEC, and both authoritative and recursive operations to help operators strengthen resilience, visibility, and policy enforcement.
How to talk about the trust in your devices: An IRTF draft
A review of Michael Richardson’s IRTF draft, a taxonomy of operational security considerations for manufacturer installed keys and trust anchors.
Towards an industry best practice for DNSSEC automation
Guest Post: DNSSEC adoption, while steadily rising, is still low after 20 years. Why care about DNSSEC adoption anyway?
Three of the best: RPKI
The use of RPKI to secure Internet routing is increasingly standard practice. While there were many significant events in the region throughout 2025, readers maintained an interest in local, regional, and global RPKI stories throughout the year.
Edge cases in DNSSEC validation with multiple algorithms
Guest Post: Investigating transition requirements for PQC DNSSEC.
From OpenDNSSEC to Knot DNS
Guest Post: How to use Knot with HSMs, seamlessly transition from OpenDNSSEC, and switch to in-memory keys.
Signing the root in public: The foundations of trust
Inside the ceremony that safeguards global DNSSEC, and why community oversight still matters.
[Podcast] Downloading the root
Geoff Huston discusses the DNS root zone and how query load at the root could be reduced by using trusted local copies of the zone.