Paolo RedaelliHow (not) to configure your domainname [internet.nl]
2025-08-11 –, Cassiopeia Language: English
The most common configurations seen in scanning domain names with Internet.nl, e.g. those found in biannual governmental measurements.
This talk will explain how to configure modern security standards on your domain name with the help of the open source Internet.nl. It will show common misconfigurations in DNS and security headers. Teach you why you should probably want to avoid
www CNAME @, want to enable IPv6 and other observations from the biannual measurements of scanning more than 10.000 governmental host names in The Netherlands.After this talk you’ll know at least one DNS or security header improvement for your own or organization domain.
This presentation will touch:
– why enable DNSSEC (RFC 4033 and many more), some common failures (e.g. CNAME’s)
– why enable IPv6, not talking about ‘IPv4-mapped IPv6 address’ here, issues if you’re still not supporting IPv6 (almost 30 years after RFC 1883)
– why not CNAME to your apex domain (if you have an Mx record)
– why use Null MX (RFC 7505)
– why configuration SPF (RFC 7208) on all hostnames
– why there are more reasons to avoid CNAME’s
– why enable DANE (RFC 6698) and TLSRPT (RFC 8460) and why it’s superior to MTA-STA (RFC 8461), how to rotate DANE
– why monitoring matters
– why first doing ahttps://redirect before a domain redirect
– why a strict Content-Security-Policy (CSP v3) will save you
– why configuressl_reject_handshake(nginx only)
– why have an accessible security.txt (special allow rule if you have basic auth!) that contains at least one email address
– why start cookie names with__Host-or__Secure-(MDN)
How (not) to configure your domainname [internet.nl]
Pages: 1 2