[dns-operations] .FI going insecure for two weeks (!)
Joe Abley
jabley at strandkip.nl
Tue Dec 17 22:54:28 UTC 2024
Hi Shumon,
On 18 Dec 2024, at 11:12, Shumon Huque <shuque at gmail.com> wrote:
> Love you Joe, but I have to quibble with this stance a bit. In my view, going insecure seems valid only because there is a prevailing perception that nothing critically depends on DNSSEC (your observation of DANE notwithstanding).
Love you too, sweetie. I agree that prevailing perceptions can be a problem, but that cuts both ways. Verifiably insecure responses are just as non-bogus as verifiably secure ones. The question of what is reasonable here is not a matter of protocol, it's a matter of expectations between the zone operator and its relying parties.
> That's something I hope will change in the future (both the perception and the reality). The parties involved in the recent GOV TLD provider+algorithm transition went to great pains to ensure that they did not go insecure. I hope that other TLDs will follow suit.
Christian did a nice presentation about that at a somewhat-recent DNS-OARC meeting. That one had the additional excitement of a multi-provider transition period that mixed NSEC and NSEC3 negative responses, and together Cloudflare and Verisign managed the transition very elegantly.
So I am definitely not saying it can't be done and I'm not making an argument for going insecure, I'm just saying going insecure can be a legitimate option. In some cases it might be the most stable option. Again, not commenting on the specific circumstances here.
Joe
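The distinction Joe draws between "verifiably insecure" and "bogus" is the one a validating resolver makes under RFC 4035 section 4.3, and the operational risk in going insecure is ordering and cache timing rather than the end state. The following is an added example, not code from the thread or from any of the operators mentioned: a simplified model of a validator that classifies answers for a child zone as secure, insecure or bogus, plus a resolver-side DS cache, used to replay the "remove DS, then stop signing" sequence. Key matching is reduced to key-tag set intersection, NSEC/NSEC3 hashing is ignored, negative answers are cached for the same TTL as the DS RRset, and the key tag, TTLs and timeline are constructed values.

```python
"""
Simplified model of DNSSEC validation outcomes for a delegation that is
"going insecure". Added example for illustration; this is not a resolver
implementation. Simplifications (all assumptions of this example):
  - a key "matches" a DS when the key tags intersect
  - authenticated denial of DS is a boolean, not an NSEC/NSEC3 proof
  - a cached "no DS" answer expires with the same TTL as a cached DS RRset
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set, Tuple


class Status(Enum):
    SECURE = "secure"      # chain of trust intact, signatures verified
    INSECURE = "insecure"  # authenticated proof that the chain ends above
    BOGUS = "bogus"        # chain expected but cannot be verified (SERVFAIL)


@dataclass
class ParentDelegation:
    ds_key_tags: Set[int]        # key tags currently published as DS
    ds_ttl: int                  # TTL of the DS RRset (and, here, of denial)
    denial_signed: bool = True   # parent can prove "no DS" with signed NSEC/NSEC3


@dataclass
class ChildZone:
    signing_key_tags: Set[int]   # key tags in RRSIGs over the child's data;
                                 # empty means the zone is unsigned


def validate(ds_seen: Optional[Set[int]], child: ChildZone) -> Status:
    """Classify an answer from the child, given the DS set the validator holds
    for the delegation. ds_seen is None when the validator could obtain neither
    an authenticated DS RRset nor an authenticated denial of one."""
    if ds_seen is None:
        return Status.BOGUS
    if not ds_seen:
        # Proven absence of DS: the chain of trust ends here, so everything
        # below is insecure whether or not the child happens to be signed.
        return Status.INSECURE
    if child.signing_key_tags & ds_seen:
        return Status.SECURE
    # Parent says "this zone is signed with one of these keys" but the child
    # data is unsigned or signed with something else.
    return Status.BOGUS


@dataclass
class ResolverCache:
    """Caches the DS (or the authenticated 'no DS') for one delegation."""
    ds: Optional[Set[int]] = None
    expires_at: int = -1

    def lookup_ds(self, now: int, parent: ParentDelegation) -> Optional[Set[int]]:
        if self.ds is not None and now < self.expires_at:
            return self.ds                      # still serving from cache
        if parent.ds_key_tags:
            self.ds = set(parent.ds_key_tags)
        elif parent.denial_signed:
            self.ds = set()                     # authenticated "no DS"
        else:
            return None                         # denial cannot be verified
        self.expires_at = now + parent.ds_ttl
        return self.ds


def going_insecure_timeline(ds_ttl: int, wait: int) -> List[Tuple[int, Status]]:
    """Operator withdraws the DS at t=1 and drops signatures at t=1+wait.
    A resolver that validated the zone at t=0 (caching the DS) queries right
    after each step. Returns (time, status) pairs, constructed timeline."""
    parent = ParentDelegation(ds_key_tags={12345}, ds_ttl=ds_ttl)
    child = ChildZone(signing_key_tags={12345})
    cache = ResolverCache()
    seen: List[Tuple[int, Status]] = []

    seen.append((0, validate(cache.lookup_ds(0, parent), child)))

    parent.ds_key_tags = set()               # t=1: DS removed at the parent
    seen.append((1, validate(cache.lookup_ds(1, parent), child)))

    t = 1 + wait                             # t=1+wait: child stops signing
    child.signing_key_tags = set()
    seen.append((t, validate(cache.lookup_ds(t, parent), child)))
    return seen


if __name__ == "__main__":
    for wait in (60, 3600):
        print(f"stop signing {wait}s after DS removal (DS TTL 3600):")
        for t, status in going_insecure_timeline(3600, wait):
            print(f"  t={t:>5}  {status.value}")
```

With a 3600 second DS TTL, dropping signatures 60 seconds after the DS is withdrawn leaves resolvers that cached the DS before the change holding a chain of trust the child no longer satisfies, and they return bogus until that cache entry expires; waiting a full DS TTL before unsigning takes the same resolvers straight from secure to insecure. That ordering and wait is the check to build into any go-insecure plan, and the model also shows the reverse mistake (unsigning while the DS is still published) is bogus from the first query.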