--- Begin Message ---
Hello Everyone,
I did not have the opportunity to monitor this during the transition. I see
that they transitioned to algo 13 though. Did they go insecure in the end? Is
there somewhere I could see what happened in the past with their DNSSEC?
Kind regards,
Arnold Dechamps
> On 17 Dec 2024, at 22:54, Joe Abley <[email protected]> wrote:
>
> Hi Shumon,
>
>> On 18 Dec 2024, at 11:12, Shumon Huque <[email protected]> wrote:
>>
>> Love you Joe, but I have to quibble with this stance a bit. In my view,
>> going insecure seems valid only because there is a prevailing perception
>> that nothing critically depends on DNSSEC (your observation of DANE
>> notwithstanding).
>
> Love you too, sweetie. I agree that prevailing perceptions can be a problem,
> but that cuts both ways. Verifiably insecure responses are just as non-bogus
> as verifiably secure ones. The question of what is reasonable here is not a
> matter of protocol, it's a matter of expectations between the zone operator
> and its relying parties.
>
>> That's something I hope will change in the future (both the perception and
>> the reality). The parties involved in the recent GOV TLD provider+algorithm
>> transition went to great pains to ensure that they did not go insecure. I
>> hope that other TLDs will follow suit.
>
> Christian did a nice presentation about that at a somewhat-recent DNS-OARC
> meeting. That one had the additional excitement of a multi-provider
> transition period that mixed NSEC and NSEC3 negative responses, and together
> Cloudflare and Verisign managed the transition very elegantly.
>
> So I am definitely not saying it can't be done and I'm not making an argument
> for going insecure, I'm just saying going insecure can be a legitimate
> option. In some cases it might be the most stable option. Again, not
> commenting on the specific circumstances here.
>
>
> Joe
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--- End Message ---