Traficom changes the DNSSEC implementation used for .fi domain names by changing the .FI signature algorithm. Because of the change, .FI DS records will be removed from the root zone AND this will break the verification chain, and DNSSEC will not be available to .fi domain names approximately from 17 April 2025 to 30 April 2025. The exact start and end dates depend on the measures taken by IANA, which maintains the internet root zone.
The change applies to all .fi domain names that use DNSSEC.
During the implementation of the change, domain names will function as usual, but resolver name servers will not perform DNSSEC validation on .fi domain names. When new .fi DS records are added to the root zone after the change, DNSSEC validation will be automatically activated.
The change does not require domain name registrars or name server administrators to take any measures.
All domain name DS records will remain in use and they can be administered even when .FI DS records are not in the root zone.
During the process, the .FI signature algorithm will be updated from the current RSASHA256 algorithm to ECDSAP256SHA256. As a result, certain responses will more likely fit in a UDP packet instead of a TCP packet, which will significantly improve name server performance.
If your domain name uses DNSSEC, here is what to do:
While Traficom implements the changes, DNSSEC validation will not be performed during the time specified above. The domain name registrar will see to all the necessary measures to administer DS records in the service provided by Traficom.
In certain rare cases, it may be possible that an information system relies on the DNSSEC chain of trust. Traficom is not aware of any such systems. If they do exist, the system administrators are responsible for considering how the algorithm change may affect service performance.
DNSSEC is a key part of the overall security of .fi domain names and the internet in Finland. Traficom recommends that you use DNSSEC with all the .fi domain names you administer or use.
Posted on
Jan 09, 2025 - 15:23 UTC