[dns-operations] .FI going insecure for two weeks (!)
Bill Woodcock
woody at pch.net
Fri Dec 20 07:49:09 UTC 2024
> On Dec 20, 2024, at 05:17, Shumon Huque <shuque at gmail.com> wrote:
>> On Wed, Dec 18, 2024 at 3:07 AM Peter Thomassen <peter at desec.io> wrote:
>> Multi-signer capabilities on both systems are only needed if one can't import the old system's signatures into the new one (e.g., when online-signing), or if one wants to make zone changes during the transition.
>
> And yet, those are both critical features for many folks. It would certainly rule out many zones I operate - that use dynamic signing, and that are highly volatile (hundreds of updates per minute and where we cannot suspend updates for any period of time).
> Our protocol mechanisms should be able to address all possible use cases deployed in the field, not a subset.
I agree with Shumon. These are both common use-cases, particularly the latter, and multi-signer mechanisms must accommodate them if they’re to be relevant.
-Bill
Please consider the environment before using AI to process this email.
More information about the dns-operations
mailing list