<div dir="auto">We're expecting to have a presentation on their transition at the upcoming DNSSEC and Security Workshop during the ICANN meeting in Prague next month. The workshop is Monday afternoon, 9 June. Registration for the ICANN meeting is required, but it's free. The workshop will be online as well as in person.</div><div dir="auto"><br></div><div dir="auto">The agenda and the individual presentations will be posted online a little bit ahead of the meeting. There should be time available for questions.</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">Steve<br clear="all"><br clear="all"><div dir="auto"><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div style="display:none">Sent by a Verified</div>
<div style="display:block"><br></div>
<div style="display:none">sender</div></div></div></div></div><div><br></div><div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Thu, May 22, 2025 at 6:45 PM Arnold Dechamps via dns-operations <<a href="mailto:dns-operations@dns-oarc.net">dns-operations@dns-oarc.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br><br><br>---------- Forwarded message ----------<br>From: Arnold Dechamps <<a href="mailto:arnold@adechamps.net" target="_blank">arnold@adechamps.net</a>><br>To: Joe Abley <<a href="mailto:jabley@strandkip.nl" target="_blank">jabley@strandkip.nl</a>><br>Cc: Shumon Huque <<a href="mailto:shuque@gmail.com" target="_blank">shuque@gmail.com</a>>, <a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a><br>Bcc: <br>Date: Wed, 21 May 2025 15:14:24 +0200<br>Subject: Re: [dns-operations] .FI going insecure for two weeks (!)<br>Hello Everyone,<br>
<br>
I did not have the opportunity to monitor this during the transition. I see that they transitioned to algo 13 though. Did they went insecure in the end? Is there somewhere I could see what happened in the past with their dnssec?<br>
<br>
Kind regards,<br>
<br>
Arnold Dechamps<br>
<br>
> On 17 Dec 2024, at 22:54, Joe Abley <<a href="mailto:jabley@strandkip.nl" target="_blank">jabley@strandkip.nl</a>> wrote:<br>
> <br>
> Hi Shumon,<br>
> <br>
>> On 18 Dec 2024, at 11:12, Shumon Huque <<a href="mailto:shuque@gmail.com" target="_blank">shuque@gmail.com</a>> wrote:<br>
>> <br>
>> Love you Joe, but I have to quibble with this stance a bit. In my view, going insecure seems valid only because there is a prevailing perception that nothing critically depends on DNSSEC (your observation of DANE notwithstanding).<br>
> <br>
> Love you too, sweetie. I agree that prevailing perceptions can be a problem, but that cuts both ways. Verifiably insecure reaponses are just as non-bogus as verifiably secure ones. The question of what is reasonable here is not a matter of protocol, it's a matter of expectations between the zone operator and its relying parties.<br>
> <br>
>> That's something I hope will change in the future (both the perception and the reality). The parties involved in the recent GOV TLD provider+algorithm transition went to great pains to ensure that they did not go in<br>
>> secure. I hope that other TLDs will follow suit.<br>
> <br>
> Christian did a nice presentation about that at a somewhat-recent DNS-OARC meeting. That one had the additional excitement of a multi-provider transition period that mixed NSEC and NSEC3 negative reaponses, and together Cloudflare and Verisign managed the transition very elegantly.<br>
> <br>
> So I am definitely not saying it can't be done and I'm not making an argument for going insecure, I'm just saying going insecure can be a legitimate option. In some cases it might be the most stable option. Again, not commenting on the specific circumstances here.<br>
> <br>
> <br>
> Joe<br>
> _______________________________________________<br>
> dns-operations mailing list<br>
> <a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
<br>
<br><br><br>---------- Forwarded message ----------<br>From: Arnold Dechamps via dns-operations <<a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a>><br>To: Joe Abley <<a href="mailto:jabley@strandkip.nl" target="_blank">jabley@strandkip.nl</a>><br>Cc: <a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a><br>Bcc: <br>Date: Wed, 21 May 2025 15:14:24 +0200<br>Subject: Re: [dns-operations] .FI going insecure for two weeks (!)<br>_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div></div>