[dns-operations] .FI going insecure for two weeks (!)
Shumon Huque
shuque at gmail.com
Tue Dec 17 21:13:52 UTC 2024
On Tue, Dec 17, 2024 at 4:03 PM Peter Thomassen <peter at desec.io> wrote:
> Hi Shumon,
>
> On 12/17/24 21:51, Shumon Huque wrote:
> > We probably need to know some more details about what exactly is
> > changing.
> > Do we have any contacts at .FI that can provide them?
>
> According to a statement sent to their registrars, they are moving from
> algorithm 8 to 13.
>
Thanks!
> I agree a contact would be useful.
>
> > If they are also moving to a new provider/platform as part of the
> > algorithm
> > change, then the situation may be more complicated. They'd need to do
> > an algorithm rollover and a multi-signer transition
>
> I don't think that is the case.
>
> It's true that changing the algorithm at the same time as a platform
> change might not be easy. However, if both platform and algorithm are
> changing, there's no need to change them at the same time.
>
Agreed, that's why I was asking for more details! :)
> When done separately, it seems one can first move to the new platform (if
> needed, using an additional RSA key). As both algorithms are MUST
> implement, the new platform is then expected to support both algorithm 8
> and 13 for a subsequent algorithm rollover.
>
Yup, but moving to the new platform using the same algorithm
non-disruptively still requires some specific features to be supported
(multi-signer ZSK import - I assume that's what you mean by "additional RSA
key") and it's possible these features may be lacking in some platforms.
You could deploy a totally new keypair at the new party without cross
sharing, but that introduces intermittent validation failures and possible
complete failures for resolvers that don't robustly retry queries.
Shumon
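As an added illustration (not code from the thread or from the .FI operator), here is a small checker for the algorithm-rollover invariant that the "intermittent validation failures" above come from, walked through a conservative 8-to-13 roll; the RRset names are constructed, and only the algorithm numbers come from the thread.

```python
"""Checker for the DNSSEC algorithm-rollover invariant the thread worries
about (RFC 4035 section 2.2, RFC 6840 section 5.11): every algorithm in the
parent's DS RRset must appear in the apex DNSKEY RRset, and every RRset in the
zone must carry an RRSIG by at least one key of each DNSKEY algorithm.
Added example with constructed data; not the .FI operator's procedure."""
from dataclasses import dataclass

RSASHA256, ECDSAP256SHA256 = 8, 13   # the two algorithms named in the thread

@dataclass
class ZoneState:
    ds_algs: set        # algorithms present in the parent's DS RRset
    dnskey_algs: set    # algorithms present in the apex DNSKEY RRset
    rrsig_algs: dict    # RRset name -> set of algorithms that signed it

def rollover_problems(z: ZoneState) -> list:
    """Violations a conservative validator would treat as bogus; an empty
    list means the zone validates with old and new algorithms both present."""
    problems = []
    for alg in sorted(z.ds_algs - z.dnskey_algs):
        problems.append(f"DS for algorithm {alg} but no DNSKEY with it")
    for name, signed_by in z.rrsig_algs.items():
        for alg in sorted(z.dnskey_algs - signed_by):
            problems.append(f"{name} has no RRSIG by algorithm {alg}")
    return problems

def security_status(z: ZoneState) -> str:
    """'insecure' when the DS is withdrawn (the subject line's scenario),
    'bogus-risk' when the invariant is violated, otherwise 'secure'."""
    if not z.ds_algs:
        return "insecure"
    return "bogus-risk" if rollover_problems(z) else "secure"

def conservative_rollover(old: int, new: int) -> list:
    """Single-signer roll from `old` to `new` that keeps a DS published at
    every stage. TTL waits between stages are not modelled here."""
    rrsets = ["fi. DNSKEY", "fi. SOA", "example.fi. NS"]  # constructed names
    def state(ds, keys):
        return ZoneState(set(ds), set(keys), {n: set(keys) for n in rrsets})
    return [("steady state", state({old}, {old})),
            ("add new keys, sign with both", state({old}, {old, new})),
            ("replace DS", state({new}, {old, new})),
            ("remove old keys and RRSIGs", state({new}, {new}))]

if __name__ == "__main__":
    for stage, z in conservative_rollover(RSASHA256, ECDSAP256SHA256):
        print(f"{stage:30s} {security_status(z)}")
    rushed = ZoneState({ECDSAP256SHA256}, {RSASHA256}, {"fi. SOA": {RSASHA256}})
    print("DS swapped before signing with 13:", rollover_problems(rushed))
```

Every stage of the conservative roll reports "secure", while the rushed state (DS already pointing at 13 but the zone still signed only with 8) is flagged, which is the mixed view some resolvers would see if keys are deployed without cross-sharing.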