[dns-operations] .FI going insecure for two weeks (!)
cstamas+dns at cstamas.hu
cstamas+dns at cstamas.hu
Tue Dec 17 22:51:07 UTC 2024
hi,
My understanding is that they are using a signer that does not make algorithm rollovers easy. They are going for what seems to be less risky for them.
Regards,
Tamás
Dec 17, 2024 21:17:33 Steve Crocker <steve at shinkuro.com>:
> Why are they not doing a regular rollover so there is NO break in the verification chain?
>
> Steve
>
>
> On Tue, Dec 17, 2024 at 3:10 PM Paul Wouters <paul at nohats.ca> wrote:
>>
>> .fi customers got a note with:
>>
>> Traficom changes the DNSSEC implementation used for .fi domain names by
>> changing the .FI signature algorithm. This change makes the domain name
>> system (DNS) more reliable and ensures the continued compatibility of
>> the DNSSEC implementation. Because of the change, .FI DS records will
>> be removed from the root zone. This will break the verification chain,
>> and DNSSEC will not be available to .fi domain names approximately from
>> 17 April 2025 to 30 April 2025.
>>
>> If anyone has some influence there and could perhaps convince them
>> to reduce "weeks" to "hours", I think that would be a very healthy
>> improvement of their process.
>>
>> Paul
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
>
> --
> [Image][Sent by a Verified sender][https://unum-id-email-extension-assets.s3.us-west-2.amazonaws.com/Badges/Verified+Badge+200px.png][https://wallet.unumid.co/authenticate?referralCode=tcp16fM4W47y]
More information about the dns-operations
mailing list