- I don't see why [DNS timeouts] it can't be long lived, but even normal TTLs would get amortized over a lot of connections. Right now with certs it is a 5 message affair which cannot get better. But that is why one of $BROWSERVENDORS doing an experiment would be helpful.
There are use-cases where a five-second DNS TTL is important. And they're not amortized over multiple connections from *one* user, but rather affect *many* users. Imagine an e-commerce site connected to two CDNs that needs to switch.
The worst case is that it devolves into what we already have: 5 messages assuming NS records are cached normally.

Another approach using current infrastructure would be for the client to cache the certs and hand the server the cert fingerprint(s) in the ClientHello, and the server sends down the chosen cert's fingerprint instead of the cert, which could get it back to 3 messages too. That would require hacking on TLS though (assuming that somebody hasn't already thought of this). That has the upside that it's the server that chooses whether it wants to use the cached version or not, too.
Mike
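As an added example (not code from the thread), here is a Python model of the cached-certificate handshake Mike sketches: the client lists fingerprints of certs it already holds in its ClientHello, the server answers with either a fingerprint alone or the full cert, and the client checks the claimed fingerprint before acting on either. The message types, SHA-256 as the fingerprint and the sample certificate bytes are assumptions; the same idea has since been standardized as the TLS Cached Information extension (RFC 7924).

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
SAMPLE_CERT_A, SAMPLE_CERT_B = b"CONSTRUCTED-CERT-A", b"CONSTRUCTED-CERT-B"

def fingerprint(cert_der: bytes) -> bytes:
    return hashlib.sha256(cert_der).digest()  # collision-resistant selector only

@dataclass
class ClientHello:
    cached_fingerprints: List[bytes]  # certs the client already holds

@dataclass
class ServerReply:
    fingerprint: bytes       # which cert the server chose
    cert: Optional[bytes]    # None means "use your cached copy"

class Server:
    def __init__(self, honor_cache: bool = True) -> None:
        self.honor_cache = honor_cache  # the server decides whether to use the cache
    def reply(self, hello: ClientHello, chosen: bytes) -> ServerReply:
        fp = fingerprint(chosen)
        if self.honor_cache and fp in hello.cached_fingerprints:
            return ServerReply(fp, None)      # cache hit: omit the cert
        return ServerReply(fp, chosen)        # miss, or server opted out: full cert

class Client:
    def __init__(self) -> None:
        self.cache: Dict[bytes, bytes] = {}
    def hello(self) -> ClientHello:
        return ClientHello(list(self.cache))
    def accept(self, reply: ServerReply) -> Optional[bytes]:
        """Cert the client will go on to validate, or None if the reply is inconsistent."""
        if reply.cert is None:
            return self.cache.get(reply.fingerprint)  # None: fingerprint we never cached
        if fingerprint(reply.cert) != reply.fingerprint:
            return None  # full cert does not hash to what the server claimed
        self.cache[reply.fingerprint] = reply.cert
        return reply.cert

def exchange(client: Client, server: Server, chosen: bytes) -> Tuple[Optional[bytes], bool]:
    """One handshake: (cert the client will validate, was the full cert sent?)."""
    reply = server.reply(client.hello(), chosen)
    return client.accept(reply), reply.cert is not None
```

The fingerprint only selects which cached cert to use; the client still runs normal chain validation on it and must verify the handshake signature against that cert's key, otherwise a cache reference is no stronger than a bare cert. Note also that the fingerprint list in the ClientHello reveals which sites the client has visited, so a real deployment needs to weigh that against the saved round trip.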