Fränz Friederes
@fraenz.frieder.es
Solo Software Engineer at wierk.lu building a SaaS for DMARC monitoring dmarced.eu, deciphering Enigma cryptograms, and chasing sneaker drops, he/him 🏳️‍🌈
When correctness and trust matter, leaning on well-established libraries is usually the better choice, even if that means stepping outside the usual stack.

As a bonus, picking up a new language again turns out to be a very welcome detour.

#BuildInPublic #DNS #Rust
January 15, 2026 at 10:16 AM
My main takeaway is that reimplementing core Internet protocols in high-level languages can be interesting and educational, but often leads to unreliable results.
January 15, 2026 at 10:16 AM
This gives me parallel batch queries, fresh results, DNSSEC validation, support for legacy SPF records, and accurate TTL metadata, all without reimplementing low-level DNS behavior myself.
January 15, 2026 at 10:16 AM
I step back and explore an alternative. After spending a few hours learning Rust and its approach to memory management, I wrote my first code wrapping libunbound, a widely used DNS resolver. It is clear that this solution would not have been as approachable without AI support.
January 15, 2026 at 10:16 AM
The tree walk gets confused by zone delegation.

What I expect to be a four-hour fix turns into a much deeper problem and several weeks of work. It becomes clear that this is not just a flawed implementation. The underlying model is wrong.
January 15, 2026 at 10:16 AM
That leads me to implement a DNS tree walk in Node.js.

Initially, the solution looks promising. Then a single DNS query changes everything. My algorithm reports a record as absent when it clearly exists.
January 15, 2026 at 10:16 AM
For setup guidance and alerts, I rely on DNS records and metadata that have not been cached, so I can observe changes as they actually happen.

Node.js’ native DNS APIs seem sufficient at first. To get fresh answers, however, I need to identify the closest DNS server myself.
January 15, 2026 at 10:16 AM
I see why, it's introducing the leaking issue. On the other hand, I don't want to introduce passwords in the first place. To me, 2FA would only be applicable to magic link auth which kind of breaks the multi factor idea with "two things I have." Also, it's more the user needs to learn.
October 15, 2025 at 11:37 PM
Thanks for the hint about the spec mention! I would never have thought they would recommend a hack like providing "plausible imaginary values" as credential ids for mitigation.

What do you mean by distinct auth flow? Do you consider non-res keys 2fa-only?
October 15, 2025 at 11:15 PM
How do we solve this securely, without introducing #WebAuthn in a way that weakens the login flow?

Would love to hear how others are approaching this problem.
October 15, 2025 at 12:04 PM
If we return credential IDs based on an email address, we leak whether an account exists for that email.

That’s introducing an account-enumeration risk when implementing a new authentication method that is supposed to strengthen security. Many providers seem to accept it.
October 15, 2025 at 12:04 PM
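An added example, not code from these posts or from any project they mention: one way to avoid the enumeration leak described above is to answer every email with the same response shape, returning stable decoy credential IDs when no account exists (the "plausible imaginary values" idea raised in the replies). The HMAC derivation, the function names, the secret and the in-memory store are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed demo values: a real service loads the secret from a secret
// store and the credential IDs from its database.
const SERVER_SECRET = Buffer.from('constructed-demo-secret');
const REAL_ID = crypto.createHash('sha256')
  .update('constructed credential for alice').digest('base64url');
const credentialStore = new Map([['alice@example.com', [REAL_ID]]]);

const normalize = (email) => email.trim().toLowerCase();

// Decoy IDs are derived from the email with a keyed MAC, so the same unknown
// email always yields the same IDs (random values would change per request
// and give the decoy away), and nobody without the secret can recompute them.
function decoyCredentialIds(email, count = 1, byteLength = 32) {
  const ids = [];
  for (let i = 0; i < count; i++) {
    const mac = crypto.createHmac('sha256', SERVER_SECRET)
      .update(`${normalize(email)}\u0000${i}`)
      .digest();
    ids.push(mac.subarray(0, byteLength).toString('base64url'));
  }
  return ids;
}

// Builds the allowCredentials list for a login attempt. Known and unknown
// emails take the same code path and produce the same structure.
function allowCredentialsFor(email) {
  const real = credentialStore.get(normalize(email));
  const ids = real && real.length > 0 ? real : decoyCredentialIds(email);
  return ids.map((id) => ({ type: 'public-key', id }));
}
```

Decoys only hold up if their count and length match what real accounts typically return, and if response timing does not differ between the two branches.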
One open question: How should we handle non-residential credentials (like security keys) in a passwordless login flow?

These credentials need a credential ID created during setup. But to fetch that ID, we first need to identify the user e.g. by email.
October 15, 2025 at 12:04 PM
Actually, I was also rooting for a DNS issue rather than a cyber attack 👀
July 25, 2025 at 8:23 PM
Serverless doesn’t mean no servers. It means no servers I need to manage.

It shifts responsibility to experts, so I can focus on what I do best: building the product.

#BuildInPublic #Serverless
July 14, 2025 at 5:48 PM
Serverless (for me, AWS Lambda) lets me draw a clear boundary: Code is my responsibility. The OS, hardware, and network security? Amazon’s.

It’s not a shortcut, it’s a conscious tradeoff.
July 14, 2025 at 5:48 PM
As a solo dev, I can’t stay on top of every CVE, kernel patch, or OS-level exploit. Owning the full stack means signing up for a 24/7 job in security and ops, on top of product, support, and everything else.
July 14, 2025 at 5:48 PM
This is Rocky a.k.a. Klenge Miiss
July 11, 2025 at 6:32 PM
Hosting an Enigma simulator for over a decade now, it felt natural to put a portion of @cryptii.com’s ad revenue toward a brick in Pamela’s name: Brick B2:64 on the Codebreakers’ Wall.

Find out more about Pamela Downing and Bletchley Park here: www.bletchleypark.org.uk/roll-of-hon...
Roll of Honour
Find a Veteran by searching the Bletchley Park Roll of Honour, which lists all those believed to have worked in signals intelligence during World War Two.
www.bletchleypark.org.uk
July 11, 2025 at 2:31 PM
Like many at Bletchley, her contributions went unrecognised for decades.

I first came across Pamela’s name earlier this year, while asking which names were still missing from the Codebreakers’ Wall at Bletchley Park.
July 11, 2025 at 2:31 PM
She worked in the “Netz” room, handling raw Enigma signals, and later as a Modified Typex operator decoding messages using keys discovered by the Bombe, a unique electro-mechanical cryptanalysis machine.
July 11, 2025 at 2:31 PM