We're expecting to have a presentation on their transition at the upcoming DNSSEC and Security Workshop during the ICANN meeting in Prague next month. The workshop is Monday afternoon, 9 June. Registration for the ICANN meeting is required, but it's free. The workshop will be online as well as in person.
The agenda and the individual presentations will be posted online a little bit ahead of the meeting. There should be time available for questions. Steve Sent by a Verified sender On Thu, May 22, 2025 at 6:45 PM Arnold Dechamps via dns-operations < [email protected]> wrote: > > > > ---------- Forwarded message ---------- > From: Arnold Dechamps <[email protected]> > To: Joe Abley <[email protected]> > Cc: Shumon Huque <[email protected]>, [email protected] > Bcc: > Date: Wed, 21 May 2025 15:14:24 +0200 > Subject: Re: [dns-operations] .FI going insecure for two weeks (!) > Hello Everyone, > > I did not have the opportunity to monitor this during the transition. I > see that they transitioned to algo 13 though. Did they went insecure in the > end? Is there somewhere I could see what happened in the past with their > dnssec? > > Kind regards, > > Arnold Dechamps > > > On 17 Dec 2024, at 22:54, Joe Abley <[email protected]> wrote: > > > > Hi Shumon, > > > >> On 18 Dec 2024, at 11:12, Shumon Huque <[email protected]> wrote: > >> > >> Love you Joe, but I have to quibble with this stance a bit. In my view, > going insecure seems valid only because there is a prevailing perception > that nothing critically depends on DNSSEC (your observation of DANE > notwithstanding). > > > > Love you too, sweetie. I agree that prevailing perceptions can be a > problem, but that cuts both ways. Verifiably insecure reaponses are just as > non-bogus as verifiably secure ones. The question of what is reasonable > here is not a matter of protocol, it's a matter of expectations between the > zone operator and its relying parties. > > > >> That's something I hope will change in the future (both the perception > and the reality). The parties involved in the recent GOV TLD > provider+algorithm transition went to great pains to ensure that they did > not go in > >> secure. I hope that other TLDs will follow suit. > > > > Christian did a nice presentation about that at a somewhat-recent > DNS-OARC meeting. That one had the additional excitement of a > multi-provider transition period that mixed NSEC and NSEC3 negative > reaponses, and together Cloudflare and Verisign managed the transition very > elegantly. > > > > So I am definitely not saying it can't be done and I'm not making an > argument for going insecure, I'm just saying going insecure can be a > legitimate option. In some cases it might be the most stable option. Again, > not commenting on the specific circumstances here. > > > > > > Joe > > _______________________________________________ > > dns-operations mailing list > > [email protected] > > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > > > > > ---------- Forwarded message ---------- > From: Arnold Dechamps via dns-operations <[email protected]> > To: Joe Abley <[email protected]> > Cc: [email protected] > Bcc: > Date: Wed, 21 May 2025 15:14:24 +0200 > Subject: Re: [dns-operations] .FI going insecure for two weeks (!) > _______________________________________________ > dns-operations mailing list > [email protected] > https://lists.dns-oarc.net/mailman/listinfo/dns-operations >
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
