[dns-operations] .FI going insecure for two weeks (!)

Frederico A C Neves fneves at registro.br
Fri May 23 10:43:18 UTC 2025 

On Wed, May 21, 2025 at 03:14:24PM +0200, Arnold Dechamps via dns-operations wrote:
> Date: Wed, 21 May 2025 15:14:24 +0200
> From: Arnold Dechamps <arnold at adechamps.net>
> To: Joe Abley <jabley at strandkip.nl>
> Cc: Shumon Huque <shuque at gmail.com>, dns-operations at dns-oarc.net
> Subject: Re: [dns-operations] .FI going insecure for two weeks (!)
> 
> Hello Everyone,
> 
> I did not have the opportunity to monitor this during the transition. I see that they transitioned to algo 13 though. Did they went insecure in the end? Is there somewhere I could see what happened in the past with their dnssec?
> 

 From what is recorded at dnsviz with a ~1 day granularity, yes.

20250417-193258 UTC - Last alg #8
https://dnsviz.net/d/fi/aAFXag/dnssec/

20250418-204723 UTC - First insecure
https://dnsviz.net/d/fi/aAK6Ww/dnssec/

20250419-100553 UTC - Last insecure
https://dnsviz.net/d/fi/aAN1gQ/dnssec/

20250420-075539 UTC - First alg #13
https://dnsviz.net/d/fi/aASoew/dnssec/

> Kind regards,
> 
> Arnold Dechamps

[]s
Fred

> 
> > On 17 Dec 2024, at 22:54, Joe Abley <jabley at strandkip.nl> wrote:
> > 
> > Hi Shumon,
> > 
> >> On 18 Dec 2024, at 11:12, Shumon Huque <shuque at gmail.com> wrote:
> >> 
> >> Love you Joe, but I have to quibble with this stance a bit. In my view, going insecure seems valid only because there is a prevailing perception that nothing critically depends on DNSSEC (your observation of DANE notwithstanding).
> > 
> > Love you too, sweetie. I agree that prevailing perceptions can be a problem, but that cuts both ways. Verifiably insecure reaponses are just as non-bogus as verifiably secure ones. The question of what is reasonable here is not a matter of protocol, it's a matter of expectations between the zone operator and its relying parties.
> > 
> >> That's something I hope will change in the future (both the perception and the reality). The parties involved in the recent GOV TLD provider+algorithm transition went to great pains to ensure that they did not go in
> >> secure. I hope that other TLDs will follow suit.
> > 
> > Christian did a nice presentation about that at a somewhat-recent DNS-OARC meeting. That one had the additional excitement of a multi-provider transition period that mixed NSEC and NSEC3 negative reaponses, and together Cloudflare and Verisign managed the transition very elegantly.
> > 
> > So I am definitely not saying it can't be done and I'm not making an argument for going insecure, I'm just saying going insecure can be a legitimate option. In some cases it might be the most stable option. Again, not commenting on the specific circumstances here.
> > 
> > 
> > Joe

More information about the dns-operations mailing list