PodParley PodParley
PodParley
How (not) to configure your domainname [internet.nl] (WHY2025) episode artwork

EPISODE · Aug 11, 2025 · 50 MIN

How (not) to configure your domainname [internet.nl] (WHY2025)

from Chaos Computer Club - recent audio-only feed · host Benjamin W. Broersma

The most common configurations seen in scanning domain names with [Internet.nl](https://internet.nl), e.g. those found in [biannual governmental measurements](https://www.forumstandaardisatie.nl/metingen/informatieveiligheidstandaarden). This talk will explain how to configure modern security standards on your domain name with the help of [the open source](https://github.com/internetstandards/Internet.nl/) [Internet.nl](https://internet.nl). It will show common misconfigurations in DNS and security headers. Teach you why you should probably want to avoid `www CNAME @`, want to enable IPv6 and other observations from the [biannual measurements](https://www.forumstandaardisatie.nl/metingen/informatieveiligheidstandaarden) of scanning more than 10.000 governmental host names in The Netherlands. After this talk you'll know at least one DNS or security header improvement for your own or organization domain. This presentation will touch: - why enable DNSSEC ([RFC 4033](https://datatracker.ietf.org/doc/html/rfc4033) and many more), some common failures (e.g. CNAME's) - why enable IPv6, not talking about 'IPv4-mapped IPv6 address' here, issues if you're still not supporting IPv6 (almost 30 years after [RFC 1883](https://datatracker.ietf.org/doc/html/rfc1883)) - why not CNAME to your apex domain (if you have an Mx record) - why use Null MX ([RFC 7505](https://datatracker.ietf.org/doc/html/rfc7505)) - why configuration SPF ([RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208)) on all hostnames - why there are more reasons to avoid CNAME's - why enable DANE ([RFC 6698](https://datatracker.ietf.org/doc/html/rfc6698)) and TLSRPT ([RFC 8460](https://datatracker.ietf.org/doc/html/rfc8460)) and why it's superior to MTA-STA ([RFC 8461](https://datatracker.ietf.org/doc/html/rfc8461)), how to rotate DANE - why monitoring matters - why first doing a `https://` redirect before a domain redirect - why a strict Content-Security-Policy ([CSP v3](https://www.w3.org/TR/CSP3/)) will save you - why configure `ssl_reject_handshake` (nginx only) - why have an accessible security.txt (special allow rule if you have basic auth!) that contains at least one email address - why start cookie names with `__Host-`or `__Secure-` ([MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#cookie-namecookie-value)) Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/XVET7C/

What this episode covers

The most common configurations seen in scanning domain names with [Internet.nl](https://internet.nl), e.g. those found in [biannual governmental measurements](https://www.forumstandaardisatie.nl/metingen/informatieveiligheidstandaarden). This talk will explain how to configure modern security standards on your domain name with the help of [the open source](https://github.com/internetstandards/Internet.nl/) [Internet.nl](https://internet.nl). It will show common misconfigurations in DNS and security headers. Teach you why you should probably want to avoid `www CNAME @`, want to enable IPv6 and other observations from the [biannual measurements](https://www.forumstandaardisatie.nl/metingen/informatieveiligheidstandaarden) of scanning more than 10.000 governmental host names in The Netherlands. After this talk you'll know at least one DNS or security header improvement for your own or organization domain. This presentation will touch: - why enable DNSSEC ([RFC 4033](https://datatracker.ietf.org/doc/html/rfc4033) and many more), some common failures (e.g. CNAME's) - why enable IPv6, not talking about 'IPv4-mapped IPv6 address' here, issues if you're still not supporting IPv6 (almost 30 years after [RFC 1883](https://datatracker.ietf.org/doc/html/rfc1883)) - why not CNAME to your apex domain (if you have an Mx record) - why use Null MX ([RFC 7505](https://datatracker.ietf.org/doc/html/rfc7505)) - why configuration SPF ([RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208)) on all hostnames - why there are more reasons to avoid CNAME's - why enable DANE ([RFC 6698](https://datatracker.ietf.org/doc/html/rfc6698)) and TLSRPT ([RFC 8460](https://datatracker.ietf.org/doc/html/rfc8460)) and why it's superior to MTA-STA ([RFC 8461](https://datatracker.ietf.org/doc/html/rfc8461)), how to rotate DANE - why monitoring matters - why first doing a `https://` redirect before a domain redirect - why a strict Content-Security-Policy ([CSP v3](https://www.w3.org/TR/CSP3/)) will save you - why configure `ssl_reject_handshake` (nginx only) - why have an accessible security.txt (special allow rule if you have basic auth!) that contains at least one email address - why start cookie names with `__Host-`or `__Secure-` ([MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#cookie-namecookie-value)) Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/XVET7C/

NOW PLAYING

How (not) to configure your domainname [internet.nl] (WHY2025)

0:00 50:16

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Share this episode

Similar Episodes

I'm ok

Mar 26, 2026 ·1m

🚨SUNO Flips on Artist - Creators, this matters. 🎵🤖

Feb 8, 2026 ·4m

Mastering AI & Prompting

Jan 30, 2026 ·6m

REMIX: Why we over-shop and compulsively acquire, and how to stop, with Dr Jan Eppingstall

Jan 9, 2026 ·61m

REMIX: OCD and hoarding disorder with Jenna Overbaugh

Jan 2, 2026 ·47m

REMIX: Therapy and hoarding disorder - what are the options? With Dr Jan Eppingstall

Dec 26, 2025 ·78m

Similar Podcasts

Breaking News Show | eTurboNews Juergen Thomas Steinmetz News is relevant to the global travel and tourism industry, human rights and global issues.Breaking news when it happens and only from the source. That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. HOMELAND HOMELAND The Church is a body not a building. It's the bride of Jesus Christ! Jesus is coming back for a mature bride. That means it's time for the church of Jesus Christ to move from milk to meat. This is the hour of maturity!HOMELAND is an announcement that the church is being set free. Only the church has the ability to transform the world. The kingdom's of this world will become the kingdoms of our Lord and Savior!All of creation has been waiting for this moment! Sons and daughters of God are rising up and taking their seat! LIGHTS, CAMERA, SMILE! Creatives Club Media Lights, Camera, Smile, is a podcast for anyone with a dream to share something with the world, out of the overflow of themselves - be it their mind, their heart, their personalities, and much more. Each of us are alive in this moment in time, with an innate ability to have ideas and create various things to benefit both ourselves and the people around us for a reason, and here, you will find the encouragement, the inspiration, and the motivation to do just that. Hosted by Cicily, founder of Creatives Club, she dives into various topics surrounding creativity and business. Exploring entrepreneurship for creatives in a corporate reality, sharing tips and tricks in a media centered company, answering questions regarding what a creative actually is are just a few of the things discussed on this podcast. Be encouraged to create for yourself as Cicily gets vulnerable by pivoting the camera to herself for the first time.To submit questions for Cicily to answer, or have her address certain t

Frequently Asked Questions

How long is this episode of Chaos Computer Club - recent audio-only feed?

This episode is 50 minutes long.

When was this Chaos Computer Club - recent audio-only feed episode published?

This episode was published on August 11, 2025.

What is this episode about?

The most common configurations seen in scanning domain names with [Internet.nl](https://internet.nl), e.g. those found in [biannual governmental measurements](https://www.forumstandaardisatie.nl/metingen/informatieveiligheidstandaarden). This talk...

Can I download this Chaos Computer Club - recent audio-only feed episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!