[dns-operations] .FI going insecure for two weeks (!)

Peter Thomassen peter at desec.io
Tue Dec 17 21:03:30 UTC 2024


Hi Shumon,

On 12/17/24 21:51, Shumon Huque wrote:
> We probably need to know some more details about what exactly is changing.
> Do we have any contacts at .FI that can provide them?

According to a statement sent to their registrars, they are moving from algorithm 8 to 13.

I agree a contact would be useful.

> If they are also moving to a new provider/platform as part of the algorithm
> change, then the situation may be more complicated. They'd need to do
> an algorithm rollover and a multi-signer transition

I don't think that is the case.

It's true that changing the algorithm at the same time as a platform change might not be easy. However, if both platform and algorithm are changing, there's no need to change them at the same time.

When done separately, it seems one can first move to the new platform (if needed, using an additional RSA key). As both algorithms are MUST implement, the new platform is then expected to support both algorithm 8 and 13 for a subsequent algorithm rollover.

Best,
Peter

-- 
https://desec.io/
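
An added example, not part of the original message or of any .FI plan: it checks the RFC 4035 section 2.2 algorithm-completeness rule at each step of an algorithm 8 to 13 rollover in the conservative order of RFC 6781 section 4.1.4. The zone states, the `check`/`report` helpers and the counter-examples are constructed for illustration.

```python
# Added example: states are constructed sample data, not the .fi zone's records.
OLD, NEW = 8, 13  # IANA DNSSEC algorithm numbers: RSASHA256, ECDSAP256SHA256

def check(ds, dnskey, rrsig):
    """Return rule violations for one published zone state.

    ds     -- algorithms in the parent's DS RRset
    dnskey -- algorithms in the apex DNSKEY RRset
    rrsig  -- algorithms with which every RRset (DNSKEY included) is signed
    """
    if not ds:
        return ["insecure: no DS at parent, answers are not validated"]
    out = []
    # A DS is only usable if a DNSKEY of the same algorithm is published.
    out += [f"DS algorithm {a} has no DNSKEY" for a in sorted(ds - dnskey)]
    # RFC 4035 section 2.2: every RRset must carry an RRSIG for each
    # algorithm present in the apex DNSKEY RRset.
    out += [f"DNSKEY algorithm {a} does not sign every RRset"
            for a in sorted(dnskey - rrsig)]
    return out

# Conservative order from RFC 6781 section 4.1.4, applied to 8 -> 13.
# Caches are not modelled; each step assumes the previous one has expired
# from resolver caches before the next is published.
CONSERVATIVE = [
    ("initial",        {OLD}, {OLD},      {OLD}),
    ("new RRSIGs",     {OLD}, {OLD},      {OLD, NEW}),
    ("new DNSKEY",     {OLD}, {OLD, NEW}, {OLD, NEW}),
    ("new DS",         {NEW}, {OLD, NEW}, {OLD, NEW}),
    ("DNSKEY removal", {NEW}, {NEW},      {OLD, NEW}),
    ("RRSIGs removal", {NEW}, {NEW},      {NEW}),
]
# Constructed counter-examples: key published before its signatures exist,
# DS switched before the new key is published, and the DS withdrawn.
BROKEN = [
    ("DNSKEY before RRSIGs", {OLD}, {OLD, NEW}, {OLD}),
    ("DS before DNSKEY",     {NEW}, {OLD},      {OLD, NEW}),
    ("DS withdrawn",         set(), {OLD},      {OLD}),
]

def report(steps):
    return {name: check(ds, dnskey, rrsig) for name, ds, dnskey, rrsig in steps}

if __name__ == "__main__":
    for name, problems in {**report(CONSERVATIVE), **report(BROKEN)}.items():
        print(f"{name:22} {'ok' if not problems else '; '.join(problems)}")
```

Every conservative step passes with a DS in place throughout, while the out-of-order states are flagged and the withdrawn-DS state is reported as insecure.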

