[dns-operations] .FI going insecure for two weeks (!)

Arnold Dechamps arnold at adechamps.net
Wed May 21 13:14:24 UTC 2025


Hello Everyone,

I did not have the opportunity to monitor this during the transition. I see that they transitioned to algo 13 though. Did they went insecure in the end? Is there somewhere I could see what happened in the past with their dnssec?

Kind regards,

Arnold Dechamps

> On 17 Dec 2024, at 22:54, Joe Abley <jabley at strandkip.nl> wrote:
> 
> Hi Shumon,
> 
>> On 18 Dec 2024, at 11:12, Shumon Huque <shuque at gmail.com> wrote:
>> 
>> Love you Joe, but I have to quibble with this stance a bit. In my view, going insecure seems valid only because there is a prevailing perception that nothing critically depends on DNSSEC (your observation of DANE notwithstanding).
> 
> Love you too, sweetie. I agree that prevailing perceptions can be a problem, but that cuts both ways. Verifiably insecure reaponses are just as non-bogus as verifiably secure ones. The question of what is reasonable here is not a matter of protocol, it's a matter of expectations between the zone operator and its relying parties.
> 
>> That's something I hope will change in the future (both the perception and the reality). The parties involved in the recent GOV TLD provider+algorithm transition went to great pains to ensure that they did not go in
>> secure. I hope that other TLDs will follow suit.
> 
> Christian did a nice presentation about that at a somewhat-recent DNS-OARC meeting. That one had the additional excitement of a multi-provider transition period that mixed NSEC and NSEC3 negative reaponses, and together Cloudflare and Verisign managed the transition very elegantly.
> 
> So I am definitely not saying it can't be done and I'm not making an argument for going insecure, I'm just saying going insecure can be a legitimate option. In some cases it might be the most stable option. Again, not commenting on the specific circumstances here.
> 
> 
> Joe
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations



More information about the dns-operations mailing list