[dns-operations] .FI going insecure for two weeks (!)
Steve Crocker
steve at shinkuro.com
Thu May 22 22:53:14 UTC 2025
We're expecting to have a presentation on their transition at the upcoming
DNSSEC and Security Workshop during the ICANN meeting in Prague next
month. The workshop is Monday afternoon, 9 June. Registration for the
ICANN meeting is required, but it's free. The workshop will be online as
well as in person.
The agenda and the individual presentations will be posted online a little
bit ahead of the meeting. There should be time available for questions.
Steve
On Thu, May 22, 2025 at 6:45 PM Arnold Dechamps via dns-operations <
dns-operations at dns-oarc.net> wrote:
>
>
>
> ---------- Forwarded message ----------
> From: Arnold Dechamps <arnold at adechamps.net>
> To: Joe Abley <jabley at strandkip.nl>
> Cc: Shumon Huque <shuque at gmail.com>, dns-operations at dns-oarc.net
> Bcc:
> Date: Wed, 21 May 2025 15:14:24 +0200
> Subject: Re: [dns-operations] .FI going insecure for two weeks (!)
> Hello Everyone,
>
> I did not have the opportunity to monitor this during the transition. I
> see that they transitioned to algo 13 though. Did they go insecure in the
> end? Is there somewhere I could see what happened in the past with their
> DNSSEC?
>
> Kind regards,
>
> Arnold Dechamps
>
> > On 17 Dec 2024, at 22:54, Joe Abley <jabley at strandkip.nl> wrote:
> >
> > Hi Shumon,
> >
> >> On 18 Dec 2024, at 11:12, Shumon Huque <shuque at gmail.com> wrote:
> >>
> >> Love you Joe, but I have to quibble with this stance a bit. In my view,
> going insecure seems valid only because there is a prevailing perception
> that nothing critically depends on DNSSEC (your observation of DANE
> notwithstanding).
> >
> > Love you too, sweetie. I agree that prevailing perceptions can be a
> problem, but that cuts both ways. Verifiably insecure responses are just as
> non-bogus as verifiably secure ones. The question of what is reasonable
> here is not a matter of protocol, it's a matter of expectations between the
> zone operator and its relying parties.
> >
> >> That's something I hope will change in the future (both the perception
> and the reality). The parties involved in the recent GOV TLD
> provider+algorithm transition went to great pains to ensure that they did
> not go insecure. I hope that other TLDs will follow suit.
> >
> > Christian did a nice presentation about that at a somewhat-recent
> DNS-OARC meeting. That one had the additional excitement of a
> multi-provider transition period that mixed NSEC and NSEC3 negative
> responses, and together Cloudflare and Verisign managed the transition very
> elegantly.
> >
> > So I am definitely not saying it can't be done and I'm not making an
> argument for going insecure, I'm just saying going insecure can be a
> legitimate option. In some cases it might be the most stable option. Again,
> not commenting on the specific circumstances here.
> >
> >
> > Joe
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
>
>
>