[dns-operations] .FI going insecure for two weeks (!)
Merike Kaeo
merike at doubleshotsecurity.com
Tue Dec 17 21:01:04 UTC 2024
I reached out to someone in Finland who may have added insights and connections to Traficom. I encourage others to do so as well who have connections.
Would be useful to hear added details from Traficom.

- merike

On Dec 17, 2024, at 12:51 PM, Shumon Huque <shuque at gmail.com> wrote:

We probably need to know some more details about what exactly is changing.
Do we have any contacts at .FI that can provide them?

If they are not changing platforms and simply moving to a new algorithm,
then yes, they should be able to do a regular algorithm rollover.

If they are also moving to a new provider/platform as part of the algorithm
change, then the situation may be more complicated. They'd need to do
an algorithm rollover and a multi-signer transition to not break the validation
chain (with present protocol rules) -- and the involved parties would need to
support the features needed to do that.

Shumon.

On Tue, Dec 17, 2024 at 3:16 PM Steve Crocker <steve at shinkuro.com> wrote:
> Why are they not doing a regular rollover so there is NO break in the verification chain?
>
> Steve
>
>
> On Tue, Dec 17, 2024 at 3:10 PM Paul Wouters <paul at nohats.ca> wrote:
>>
>> .fi customers got a note with:
>>
>> Traficom changes the DNSSEC implementation used for .fi domain names by
>> changing the .FI signature algorithm. This change makes the domain name
>> system (DNS) more reliable and ensures the continued compatibility of
>> the DNSSEC implementation. Because of the change, .FI DS records will
>> be removed from the root zone. This will break the verification chain,
>> and DNSSEC will not be available to .fi domain names approximately from
>> 17 April 2025 to 30 April 2025.
>>
>> If anyone has some influence there and could perhaps convince them
>> to reduce "weeks" to "hours", I think that would be a very healthy
>> improvement of their process.
>>
>> Paul
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
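
Added example, not part of the thread and not Traficom's procedure: a simplified Python model that compares the regular algorithm rollover discussed above with removing the DS, checking at each stage what a validator concludes. The stage order is assumed from the conservative algorithm rollover in RFC 6781; the key tags, the algorithm numbers 8 and 13, and the middle steps of the DS-removal plan are constructed for illustration.

```python
# Added example: simplified model of a DNSSEC algorithm rollover.
# Key tags and algorithm numbers (8, 13) are constructed sample values.
from collections import namedtuple

# ds / dnskey: sets of (key_tag, algorithm); sigs: algorithms signing the zone
Stage = namedtuple("Stage", "name ds dnskey sigs")

def validator_view(s):
    """Status a validating resolver assigns to the delegation."""
    if not s.ds:
        return "insecure"   # no DS in the parent: zone is treated as unsigned
    if any(k in s.dnskey and k[1] in s.sigs for k in s.ds):
        return "secure"     # one DS -> DNSKEY -> RRSIG path is enough
    return "bogus"          # DS published but no usable path: answers fail

def signer_rule_ok(s):
    """Each DS algorithm has a DNSKEY; each DNSKEY algorithm signs the zone."""
    key_algs = {alg for _, alg in s.dnskey}
    return {alg for _, alg in s.ds} <= key_algs <= s.sigs

OLD, NEW = (1111, 8), (2222, 13)

# Stage order assumed from the conservative rollover in RFC 6781.
ROLLOVER = [
    Stage("initial",            {OLD}, {OLD},      {8}),
    Stage("add new RRSIGs",     {OLD}, {OLD},      {8, 13}),
    Stage("add new DNSKEY",     {OLD}, {OLD, NEW}, {8, 13}),
    Stage("swap DS",            {NEW}, {OLD, NEW}, {8, 13}),
    Stage("remove old DNSKEY",  {NEW}, {NEW},      {8, 13}),
    Stage("remove old RRSIGs",  {NEW}, {NEW},      {13}),
]
# DS removal as in the customer note; the middle steps are an assumption.
GO_INSECURE = [
    Stage("initial",            {OLD}, {OLD},      {8}),
    Stage("DS removed",         set(), {OLD},      {8}),
    Stage("keys changed",       set(), {NEW},      {13}),
    Stage("DS re-added",        {NEW}, {NEW},      {13}),
]
# Hypothetical mistake: DS swapped before the new key is published.
DS_TOO_EARLY = [Stage("swap DS first", {NEW}, {OLD}, {8})]

def run(plan):
    """Return (stage name, validator status, signer rule satisfied) per stage."""
    return [(s.name, validator_view(s), signer_rule_ok(s)) for s in plan]

if __name__ == "__main__":
    for plan in (ROLLOVER, GO_INSECURE, DS_TOO_EARLY):
        for row in run(plan):
            print(row)
```

The model ignores resolver caches and TTL waits between stages, and it does not cover the multi-signer transition needed when the provider also changes.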