On Sun, Apr 11, 2021 at 05:23:03PM +0000, Salz, Rich wrote:

> * I don't see why [DNS timeouts] it can't be long lived, but even normal
> TTLs would get amortized over a lot of connections. Right now with certs
> it is a 5 message affair which cannot get better. But that is why one of
> $BROWSERVENDORS doing an experiment would be helpful.
>
> > There are use-cases where a five-second DNS TTL is important. And
> > they're not amortized over multiple connections from *one* user, but
> > rather affect *many* users. Imagine an e-commerce site connected to
> > two CDNs who needs to switch.

Not for DANE though. If you want long-lived TLSA RRs + the ability to
quickly change keys, then use TLSA RRs to "certify" an intermediate PKIX
CA.
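The suggestion at the end of the message above (publish a long-lived TLSA record that pins an intermediate CA rather than the server's own key) is the difference between a DANE-TA record (usage 2) and a DANE-EE record (usage 3). The script below is an added example, not code from this thread or from any DANE implementation; it walks the DER of a certificate to pull out the SubjectPublicKeyInfo, builds the TLSA RDATA for both usages, and then shows that rotating the leaf key invalidates the usage-3 record while the usage-2 record keeps matching. The certificates are constructed placeholders with the RFC 5280 field layout but dummy signatures, the record name `_443._tcp.www.example.com` is illustrative, and the matcher deliberately does not do path validation (a real DANE-TA check must still verify that the leaf chains to the pinned CA).

```python
import hashlib

# --- Minimal DER helpers (example code; assume single-byte tags, as X.509 uses) ---

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_seq(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def der_read(buf: bytes, off: int):
    """Return (tag, body_start, end) for the TLV that starts at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nlen = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + nlen], "big"), 2 + nlen
    start = off + hdr
    return tag, start, start + length

def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate (RFC 5280) and return the SubjectPublicKeyInfo TLV."""
    _, tbs_off, _ = der_read(cert_der, 0)          # Certificate SEQUENCE
    _, off, _ = der_read(cert_der, tbs_off)        # tbsCertificate SEQUENCE
    tag, _, end = der_read(cert_der, off)
    if tag == 0xA0:                                # optional explicit [0] version
        off = end
    for _ in range(5):                             # serialNumber, signature, issuer, validity, subject
        _, _, off = der_read(cert_der, off)
    tag, _, end = der_read(cert_der, off)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return cert_der[off:end]

# --- TLSA (RFC 6698) --------------------------------------------------------

def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Presentation-format RDATA: '<usage> <selector> <matching-type> <hex>'."""
    data = cert_der if selector == 0 else extract_spki(cert_der)  # 0 = full cert, 1 = SPKI
    if mtype == 0:
        assoc = data
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {assoc.hex()}"

def tlsa_match(rdata: str, chain: list):
    """Index of the presented cert the record matches, or None.
    Usages 1/3 (PKIX-EE/DANE-EE) must match the end-entity cert chain[0];
    usages 0/2 (PKIX-TA/DANE-TA) may match any presented cert, after which the
    leaf must still be path-validated to it. That validation is NOT done here."""
    usage, selector, mtype, _ = rdata.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    candidates = [0] if usage in (1, 3) else range(len(chain))
    for i in candidates:
        if tlsa_rdata(chain[i], usage, selector, mtype) == rdata:
            return i
    return None

# --- Constructed placeholder certificates (X.509 layout, dummy signatures) ---

OID_ECDSA_SHA256 = b"\x2a\x86\x48\xce\x3d\x04\x03\x02"

def fake_spki(point: bytes) -> bytes:
    alg = der_seq(der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"),      # id-ecPublicKey
                  der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x03\x01\x07"))  # prime256v1
    return der_seq(alg, der_tlv(0x03, b"\x00" + point))

def fake_name(cn: str) -> bytes:
    return der_seq(der_tlv(0x31, der_seq(der_tlv(0x06, b"\x55\x04\x03"), der_tlv(0x0C, cn.encode()))))

def fake_cert(subject: str, issuer: str, spki: bytes) -> bytes:
    tbs = der_seq(
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),                       # [0] version v3
        der_tlv(0x02, b"\x01"),                                      # serialNumber
        der_seq(der_tlv(0x06, OID_ECDSA_SHA256)),                    # signature AlgorithmIdentifier
        fake_name(issuer),
        der_seq(der_tlv(0x17, b"210411000000Z"), der_tlv(0x17, b"310411000000Z")),  # validity
        fake_name(subject),
        spki,
    )
    sig = der_tlv(0x03, b"\x00" * 17)                                # placeholder BIT STRING, not a real signature
    return der_seq(tbs, der_seq(der_tlv(0x06, OID_ECDSA_SHA256)), sig)

CA_SPKI = fake_spki(b"\x04" + bytes(range(64)))           # constructed key material
LEAF1_SPKI = fake_spki(b"\x04" + bytes(range(64, 128)))
LEAF2_SPKI = fake_spki(b"\x04" + bytes(range(128, 192)))
CA_CERT = fake_cert("Example Intermediate CA", "Example Root", CA_SPKI)
LEAF_V1 = fake_cert("www.example.com", "Example Intermediate CA", LEAF1_SPKI)
LEAF_V2 = fake_cert("www.example.com", "Example Intermediate CA", LEAF2_SPKI)  # leaf after a key rotation

if __name__ == "__main__":
    ta_rr = tlsa_rdata(CA_CERT, 2, 1, 1)   # pins the intermediate CA's SPKI; survives leaf rotation
    ee_rr = tlsa_rdata(LEAF_V1, 3, 1, 1)   # pins one leaf key; must be republished on every rotation
    print("_443._tcp.www.example.com. IN TLSA", ta_rr)
    print("before rotation:", tlsa_match(ta_rr, [LEAF_V1, CA_CERT]), tlsa_match(ee_rr, [LEAF_V1, CA_CERT]))
    print("after rotation: ", tlsa_match(ta_rr, [LEAF_V2, CA_CERT]), tlsa_match(ee_rr, [LEAF_V2, CA_CERT]))
```

The point of the usage-2 record is exactly the one made in the reply: the DNS data is a function of the CA's public key only, so it can carry a long TTL while the server's own certificate and key change underneath it as often as the operator likes. The cost is that the client must validate the presented chain up to that pinned CA, which the matcher above leaves out.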