On Tue, Dec 17, 2024 at 3:55 PM Joe Abley <[email protected]> wrote:
> I agree that it is very possible to roll algorithms safely, without going
> insecure, and that this has been demonstrated successfully many times.
> However, going insecure is also a perfectly valid way to do an algorithm
> change, as far as DNSSEC is concerned.
>

Love you Joe, but I have to quibble with this stance a bit.

In my view, going insecure seems valid only because there is a prevailing perception that nothing critically depends on DNSSEC (your observation of DANE notwithstanding). That's something I hope will change in the future (both the perception and the reality).

The parties involved in the recent GOV TLD provider+algorithm transition went to great pains to ensure that they did not go insecure. I hope that other TLDs will follow suit.

My more detailed arguments against going insecure can be found in this short presentation:
https://static.sched.com/hosted_files/icann79/4b/2.4%20Huque%20-%20DoNotGoInsecure-v3.pdf

Shumon.
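As an added illustration of the "roll without going insecure" point above (this is not code from the thread, the cited presentation, or any DNS software), the following Python models what a validator sees at each step of an algorithm rollover: the DS algorithms at the parent, the DNSKEY algorithms in the zone, and the RRSIG algorithms on each RRset. It classifies each step as secure, insecure (no DS at the parent), or at risk of bogus answers for strict validators, using the conservative ordering of RFC 6781 section 4.1.4 and the "every DNSKEY algorithm signs every RRset" rule of RFC 4035 section 2.2. Algorithm numbers 8 and 13 as the old/new pair, the three RRsets, and the three rollover sequences are all constructed for the example; TTL waits between steps are deliberately not modelled.

```python
"""Invariant checker for a DNSSEC algorithm rollover that never goes insecure.

Added example: models the zone state visible to a validator and checks each
rollover step against RFC 6781 4.1.4 (conservative ordering) and RFC 4035 2.2
(every DNSKEY algorithm must sign every RRset). Algorithms 8 and 13 are the
constructed old/new pair; propagation (TTL) waits are out of scope.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneState:
    name: str
    ds_algs: frozenset      # algorithms of the DS records published at the parent
    dnskey_algs: frozenset  # algorithms present in the zone's DNSKEY RRset
    rrsig_algs: dict        # RRset name -> frozenset of algorithms that signed it


def classify(state: ZoneState) -> str:
    """Return 'insecure', 'bogus-risk' or 'secure' for one published state."""
    # No DS at the parent: validators treat the zone as unsigned ("going insecure").
    if not state.ds_algs:
        return "insecure"
    dnskey_sigs = state.rrsig_algs.get("DNSKEY", frozenset())
    # Rule 1: each DS algorithm must match a DNSKEY of that algorithm, and the
    # DNSKEY RRset must carry an RRSIG of that algorithm (chain of trust).
    for alg in state.ds_algs:
        if alg not in state.dnskey_algs or alg not in dnskey_sigs:
            return "bogus-risk"
    # Rule 2 (RFC 4035 2.2): every algorithm in the DNSKEY RRset signs every
    # RRset, so a validator supporting only one of them still validates.
    for algs in state.rrsig_algs.values():
        if not state.dnskey_algs <= algs:
            return "bogus-risk"
    return "secure"


def _state(name, ds, keys, sigs):
    # Constructed zone with three RRsets: apex DNSKEY, apex SOA, one host record.
    rrsets = {"DNSKEY": frozenset(sigs), "SOA": frozenset(sigs), "www A": frozenset(sigs)}
    return ZoneState(name, frozenset(ds), frozenset(keys), rrsets)


def conservative_rollover(old=8, new=13):
    """RFC 6781 4.1.4 ordering: new RRSIGs, then new DNSKEY, then swap DS,
    then retire the old DNSKEY, then the old RRSIGs. Returns [(step, verdict)]."""
    steps = [
        _state("initial",           [old],      [old],      [old]),
        _state("add new RRSIGs",    [old],      [old],      [old, new]),
        _state("add new DNSKEY",    [old],      [old, new], [old, new]),
        _state("add new DS",        [old, new], [old, new], [old, new]),
        _state("remove old DS",     [new],      [old, new], [old, new]),
        _state("remove old DNSKEY", [new],      [new],      [old, new]),
        _state("remove old RRSIGs", [new],      [new],      [new]),
    ]
    return [(s.name, classify(s)) for s in steps]


def go_insecure_rollover(old=8, new=13):
    """The 'go insecure' shortcut: pull the DS, re-key, publish a new DS."""
    steps = [
        _state("initial",        [old], [old], [old]),
        _state("remove DS",      [],    [old], [old]),
        _state("replace key",    [],    [new], [new]),
        _state("publish new DS", [new], [new], [new]),
    ]
    return [(s.name, classify(s)) for s in steps]


def hasty_rollover(old=8, new=13):
    """Publishing the new DNSKEY before the new RRSIGs exist breaks RFC 4035 2.2."""
    steps = [
        _state("initial",         [old], [old],      [old]),
        _state("add DNSKEY only", [old], [old, new], [old]),
    ]
    return [(s.name, classify(s)) for s in steps]


if __name__ == "__main__":
    for label, run in (("conservative", conservative_rollover()),
                       ("go-insecure", go_insecure_rollover()),
                       ("hasty", hasty_rollover())):
        print(label)
        for step, verdict in run:
            print(f"  {step:<18} {verdict}")
```

Running it shows the conservative sequence staying "secure" at every step, the shortcut passing through two "insecure" states in which a validator accepts unsigned answers for the zone, and the hasty sequence producing a "bogus-risk" state that a strict validator would reject. The same `classify` check can be pointed at a live zone by filling a `ZoneState` from the parent's DS set and the zone's DNSKEY and RRSIG records before each rollover step is published.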
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
