--- Begin Message ---
On Wed, May 21, 2025 at 03:14:24PM +0200, Arnold Dechamps via dns-operations 
wrote:
> Date: Wed, 21 May 2025 15:14:24 +0200
> From: Arnold Dechamps <[email protected]>
> To: Joe Abley <[email protected]>
> Cc: Shumon Huque <[email protected]>, [email protected]
> Subject: Re: [dns-operations] .FI going insecure for two weeks (!)
> 
> Hello Everyone,
> 
> I did not have the opportunity to monitor this during the transition. I see 
> that they transitioned to algo 13 though. Did they go insecure in the end? 
> Is there somewhere I could see what happened in the past with their dnssec?
> 

From what is recorded at dnsviz with a ~1 day granularity, yes.

20250417-193258 UTC - Last alg #8
https://dnsviz.net/d/fi/aAFXag/dnssec/

20250418-204723 UTC - First insecure
https://dnsviz.net/d/fi/aAK6Ww/dnssec/

20250419-100553 UTC - Last insecure
https://dnsviz.net/d/fi/aAN1gQ/dnssec/

20250420-075539 UTC - First alg #13
https://dnsviz.net/d/fi/aASoew/dnssec/

> Kind regards,
> 
> Arnold Dechamps

[]s
Fred

> 
> > On 17 Dec 2024, at 22:54, Joe Abley <[email protected]> wrote:
> > 
> > Hi Shumon,
> > 
> >> On 18 Dec 2024, at 11:12, Shumon Huque <[email protected]> wrote:
> >> 
> >> Love you Joe, but I have to quibble with this stance a bit. In my view, 
> >> going insecure seems valid only because there is a prevailing perception 
> >> that nothing critically depends on DNSSEC (your observation of DANE 
> >> notwithstanding).
> > 
> > Love you too, sweetie. I agree that prevailing perceptions can be a 
> > problem, but that cuts both ways. Verifiably insecure responses are just as 
> > non-bogus as verifiably secure ones. The question of what is reasonable 
> > here is not a matter of protocol, it's a matter of expectations between the 
> > zone operator and its relying parties.
> > 
> >> That's something I hope will change in the future (both the perception and 
> >> the reality). The parties involved in the recent GOV TLD 
> >> provider+algorithm transition went to great pains to ensure that they did 
> >> not go insecure. I hope that other TLDs will follow suit.
> > 
> > Christian did a nice presentation about that at a somewhat-recent DNS-OARC 
> > meeting. That one had the additional excitement of a multi-provider 
> > transition period that mixed NSEC and NSEC3 negative responses, and 
> > together Cloudflare and Verisign managed the transition very elegantly.
> > 
> > So I am definitely not saying it can't be done and I'm not making an 
> > argument for going insecure, I'm just saying going insecure can be a 
> > legitimate option. In some cases it might be the most stable option. Again, 
> > not commenting on the specific circumstances here.
> > 
> > 
> > Joe

--- End Message ---
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
