[dns-operations] .FI going insecure for two weeks (!)
Shumon Huque
shuque at gmail.com
Fri Dec 20 04:17:40 UTC 2024
On Wed, Dec 18, 2024 at 3:07 AM Peter Thomassen <peter at desec.io> wrote:
>
> Multi-signer capabilities on both systems are only needed if one can't
> import the old system's signatures into the new one (e.g., when
> online-signing), or if one wants to make zone changes during the transition.
>
And yet, those are both critical features for many folks. It would
certainly rule out many zones I operate - that use dynamic signing, and
that are highly volatile (hundreds of updates per minute and where we
cannot suspend updates for any period of time).
Our protocol mechanisms should be able to address all possible use cases
deployed in the field, not a subset.
Even if we limit this particular discussion to TLDs, there are now TLDs
that do online signing (GOV was already mentioned).
Shumon.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20241219/061e1747/attachment.html>
More information about the dns-operations
mailing list