[dns-operations] .FI going insecure for two weeks (!)

Shumon Huque shuque at gmail.com
Tue Dec 17 20:51:35 UTC 2024 

We probably need to know some more details about what exactly is changing.
Do we have any contacts at .FI that can provide them?

If they are not changing platforms and simply moving to a new algorithm,
then yes, they should be able to do a regular algorithm rollover.

If they are also moving to a new provider/platform as part of the algorithm
change, then the situation may be more complicated. They'd need to do
an algorithm rollover and a multi-signer transition to not break the
validation
chain (with present protocol rules) -- and the involved parties would need
to
support the features needed to do that.

Shumon.

On Tue, Dec 17, 2024 at 3:16 PM Steve Crocker <steve at shinkuro.com> wrote:

> Why are they not doing a regular rollover so there is NO break in the
> verification chain?
>
> Steve
>
>
> On Tue, Dec 17, 2024 at 3:10 PM Paul Wouters <paul at nohats.ca> wrote:
>
>>
>> .fi customers got a note with:
>>
>>         Traficom changes the DNSSEC implementation used for .fi domain
>> names by
>>         changing the .FI signature algorithm. This change makes the
>> domain name
>>         system (DNS) more reliable and ensures the continued
>> compatibility of
>>         the DNSSEC implementation. Because of the change, .FI DS records
>> will
>>         be removed from the root zone. This will break the verification
>> chain,
>>         and DNSSEC will not be available to .fi domain names
>> approximately from
>>         17 April 2025 to 30 April 2025.
>>
>> If anyone has some influence there and could perhaps convince them
>> to reduce "weeks" to "hours", I think that would be a very healthy
>> improvement of their process.
>>
>> Paul
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>
>
>
> --
> Sent by a Verified
> [image: Sent by a Verified sender]
> <https://wallet.unumid.co/authenticate?referralCode=tcp16fM4W47y>
> sender
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20241217/27792fa5/attachment.html>

More information about the dns-operations mailing list