[dns-operations] .FI going insecure for two weeks (!)
Shumon Huque
shuque at gmail.com
Tue Dec 17 22:11:48 UTC 2024
On Tue, Dec 17, 2024 at 3:55 PM Joe Abley <jabley at strandkip.nl> wrote:
>
> I agree that it is very possible to roll algorithms safely, without going
> insecure, and that this has been demonstrated successfully many times.
> However, going insecure is also a perfectly valid way to do an algorithm
> change, as far as DNSSEC is concerned.
>
Love you Joe, but I have to quibble with this stance a bit. In my view,
going insecure seems valid only because there is a prevailing perception
that nothing critically depends on DNSSEC (your observation of DANE
notwithstanding). That's something I hope will change in the future (both
the perception and the reality). The parties involved in the recent GOV TLD
provider+algorithm transition went to great pains to ensure that they did
not go insecure. I hope that other TLDs will follow suit.
My more detailed arguments against going insecure can be found in this
short presentation:
https://static.sched.com/hosted_files/icann79/4b/2.4%20Huque%20-%20DoNotGoInsecure-v3.pdf
Shumon.