I am not convinced "regular" is a sensible word to use here.
I agree that it is very possible to roll algorithms safely, without going insecure, and that this has been demonstrated successfully many times. However, going insecure is also a perfectly valid way to do an algorithm change, as far as DNSSEC is concerned.
The interesting thing here for me is whether there are indeed downstream consequences of this choice. I hear Peter saying that they are hosting records related to DANE. This is different from DANE being used or being important to end users.
Data would speak more loudly than assumption here, I think.

On 18 Dec 2024, at 09:41, Steve Crocker <st...@shinkuro.com> wrote:
Why are they not doing a regular rollover so there is NO break in the verification chain?
Steve
.fi customers got a note with:
Traficom changes the DNSSEC implementation used for .fi domain names by
changing the .FI signature algorithm. This change makes the domain name
system (DNS) more reliable and ensures the continued compatibility of
the DNSSEC implementation. Because of the change, .FI DS records will
be removed from the root zone. This will break the verification chain,
and DNSSEC will not be available to .fi domain names approximately from
17 April 2025 to 30 April 2025.
If anyone has some influence there and could perhaps convince them
to reduce "weeks" to "hours", I think that would be a very healthy
improvement of their process.
Paul
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
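The thread contrasts two ways of changing a zone's signing algorithm: a conservative rollover that keeps the chain of trust intact throughout (new-algorithm keys and signatures published first, DS swapped after the old data has expired from caches, old keys removed last), and the approach in the .fi notice, where the DS is pulled from the root zone and the zone is unsigned for a period. The model below is an added example written for this page, not code from anyone in the thread or from Traficom. It replays constructed, simplified timelines of both approaches, plus a careless variant that swaps the DS at the same moment the new keys appear, and checks every step and every adjacent pair of steps (a validator may hold a cached DS from one step and zone data from the next, or the reverse). The algorithm numbers 8 and 13 are the IANA identifiers for RSASHA256 and ECDSAP256SHA256; the step names and TTL-free step granularity are assumptions of the model.

```python
"""Model a DNSSEC algorithm rollover and look for gaps in the chain of trust.

Added example, not code from the dns-operations thread. Zone state is reduced to
three sets of algorithm numbers: what the parent publishes in DS, what the child
publishes in DNSKEY, and which algorithms have RRSIGs over the child's RRsets.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    name: str
    ds_algs: frozenset      # algorithms in the parent's DS RRset
    dnskey_algs: frozenset  # algorithms in the child's DNSKEY RRset
    rrsig_algs: frozenset   # algorithms whose RRSIGs cover the child's RRsets


def validator_status(ds_algs, dnskey_algs, rrsig_algs):
    """Outcome for a validator holding this DS RRset and this zone content.

    'insecure': no DS at the parent, so the child is treated as unsigned.
    'secure':   at least one DS algorithm has a matching DNSKEY and RRSIGs
                (RFC 6840 section 5.11 lets validators accept any one path).
    'bogus':    a DS exists but no algorithm path validates; answers are dropped.
    """
    if not ds_algs:
        return "insecure"
    if ds_algs & dnskey_algs & rrsig_algs:
        return "secure"
    return "bogus"


def signer_compliant(ds_algs, dnskey_algs, rrsig_algs):
    """RFC 6840 section 5.11: the signer must publish a DNSKEY and RRSIGs for
    every algorithm that appears in the DS RRset."""
    return ds_algs <= (dnskey_algs & rrsig_algs)


def audit(timeline):
    """Return (description, status) for each step and for each adjacent pair of
    steps, because parent DS records and child zone data are cached
    independently: a resolver may combine a stale DS with fresh zone data or a
    fresh DS with stale zone data."""
    findings = []
    for i, s in enumerate(timeline):
        findings.append((s.name, validator_status(s.ds_algs, s.dnskey_algs, s.rrsig_algs)))
        if not signer_compliant(s.ds_algs, s.dnskey_algs, s.rrsig_algs):
            findings.append((f"{s.name}: DS lists an algorithm with no DNSKEY/RRSIG", "noncompliant"))
        if i + 1 < len(timeline):
            n = timeline[i + 1]
            findings.append((f"cached DS from '{s.name}', zone from '{n.name}'",
                             validator_status(s.ds_algs, n.dnskey_algs, n.rrsig_algs)))
            findings.append((f"DS from '{n.name}', cached zone from '{s.name}'",
                             validator_status(n.ds_algs, s.dnskey_algs, s.rrsig_algs)))
    return findings


def chain_broken(timeline):
    """Descriptions of every observation point where validation is not 'secure'."""
    return [desc for desc, status in audit(timeline) if status != "secure"]


A8, A13 = frozenset({8}), frozenset({13})
BOTH, NONE = frozenset({8, 13}), frozenset()

# Constructed timelines (assumed step names; each step is separated by at
# least the largest relevant TTL so the previous step has expired from caches).
CONSERVATIVE = [
    Step("start: alg 8 only", A8, A8, A8),
    Step("publish alg 13 keys and signatures", A8, BOTH, BOTH),
    Step("swap DS to alg 13", A13, BOTH, BOTH),
    Step("remove alg 8 keys and signatures", A13, A13, A13),
]
GO_INSECURE = [
    Step("start: alg 8 only", A8, A8, A8),
    Step("DS removed from parent", NONE, A8, A8),
    Step("zone re-signed with alg 13", NONE, A13, A13),
    Step("DS for alg 13 published", A13, A13, A13),
]
HASTY = [
    Step("start: alg 8 only", A8, A8, A8),
    Step("swap DS and publish alg 13 in one step", A13, BOTH, BOTH),
    Step("remove alg 8 keys and signatures", A13, A13, A13),
]

if __name__ == "__main__":
    for label, tl in (("conservative", CONSERVATIVE), ("go insecure", GO_INSECURE), ("hasty", HASTY)):
        print(f"{label}:")
        for desc, status in audit(tl):
            print(f"  {status:12s} {desc}")
```

The conservative timeline never leaves "secure" at any observation point. The go-insecure timeline shows why the notice talks about a window of several days: every point where the parent has no DS reports "insecure", and the length of that window is set by how long the parent takes to remove and republish the DS. The hasty variant is the case Steve's question guards against: with the DS swapped before the new keys have propagated, a resolver holding the new DS and cached old-algorithm zone data reports "bogus", which is a hard failure rather than a fallback to unsigned.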