<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"></div><div dir="ltr">I am not convinced "regular" is a sensible word to use, here. </div><div dir="ltr"><br></div><div dir="ltr">I agree that it is very possible to roll algorithms safely, without going insecure, and that this has been demonstrated successfully many times. However, going insecure is also a perfectly valid way to do an algorithm change, as far as DNSSEC is concerned. </div><div dir="ltr"><br></div><div dir="ltr">The interesting thing here for me is whether there are indeed downstream consequences of this choice. I hear Peter saying that they are hosting records related to DANE. This is different from DANE being used or being important to end users. </div><div dir="ltr"><br></div><div dir="ltr">Data would speak more loudly than assumption here, I think. </div><div dir="ltr"><br><blockquote type="cite">On 18 Dec 2024, at 09:41, Steve Crocker <steve@shinkuro.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:arial,sans-serif;font-size:small;color:#000000">Why are they not doing a regular rollover so there is NO break in the verification chain?</div><div class="gmail_default" style="font-family:arial,sans-serif;font-size:small;color:#000000"><br></div><div class="gmail_default" style="font-family:arial,sans-serif;font-size:small;color:#000000">Steve</div><div class="gmail_default" style="font-family:arial,sans-serif;font-size:small;color:#000000"><br></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Tue, Dec 17, 2024 at 3:10 PM Paul Wouters <<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
.fi customers got a note with:<br>
<br>
Traficom changes the DNSSEC implementation used for .fi domain names by<br>
changing the .FI signature algorithm. This change makes the domain name<br>
system (DNS) more reliable and ensures the continued compatibility of<br>
the DNSSEC implementation. Because of the change, .FI DS records will<br>
be removed from the root zone. This will break the verification chain,<br>
and DNSSEC will not be available to .fi domain names approximately from<br>
17 April 2025 to 30 April 2025.<br>
<br>
If anyone has some influence there and could perhaps convince them<br>
to reduce "weeks" to "hours", I think that would be a very healthy<br>
improvement of their process.<br>
<br>
Paul<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div><div><br clear="all"></div><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div style="display:none">Sent by a Verified</div>
<div style="display:block">
<a href="https://wallet.unumid.co/authenticate?referralCode=tcp16fM4W47y" target="_blank">
<img width="100" height="24.4" src="https://unum-id-email-extension-assets.s3.us-west-2.amazonaws.com/Badges/Verified+Badge+200px.png" alt="Sent by a Verified sender" data-unique-identifier="">
</a>
</div>
<div style="display:none">sender</div></div>
<span>_______________________________________________</span><br><span>dns-operations mailing list</span><br><span>dns-operations@lists.dns-oarc.net</span><br><span>https://lists.dns-oarc.net/mailman/listinfo/dns-operations</span><br></div></blockquote></body></html>