[dns-operations] .FI going insecure for two weeks (!)
Arnold Dechamps
arnold at adechamps.net
Wed May 21 13:14:24 UTC 2025
Hello Everyone,
I did not have the opportunity to monitor this during the transition. I see that they transitioned to algo 13 though. Did they went insecure in the end? Is there somewhere I could see what happened in the past with their dnssec?
Kind regards,
Arnold Dechamps
> On 17 Dec 2024, at 22:54, Joe Abley <jabley at strandkip.nl> wrote:
>
> Hi Shumon,
>
>> On 18 Dec 2024, at 11:12, Shumon Huque <shuque at gmail.com> wrote:
>>
>> Love you Joe, but I have to quibble with this stance a bit. In my view, going insecure seems valid only because there is a prevailing perception that nothing critically depends on DNSSEC (your observation of DANE notwithstanding).
>
> Love you too, sweetie. I agree that prevailing perceptions can be a problem, but that cuts both ways. Verifiably insecure reaponses are just as non-bogus as verifiably secure ones. The question of what is reasonable here is not a matter of protocol, it's a matter of expectations between the zone operator and its relying parties.
>
>> That's something I hope will change in the future (both the perception and the reality). The parties involved in the recent GOV TLD provider+algorithm transition went to great pains to ensure that they did not go in
>> secure. I hope that other TLDs will follow suit.
>
> Christian did a nice presentation about that at a somewhat-recent DNS-OARC meeting. That one had the additional excitement of a multi-provider transition period that mixed NSEC and NSEC3 negative reaponses, and together Cloudflare and Verisign managed the transition very elegantly.
>
> So I am definitely not saying it can't be done and I'm not making an argument for going insecure, I'm just saying going insecure can be a legitimate option. In some cases it might be the most stable option. Again, not commenting on the specific circumstances here.
>
>
> Joe
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
More information about the dns-operations
mailing list