> Imagine an e-commerce site connected to
> two CDNs who needs to switch.

> Not for DANE though. If you want long-lived TLSA RRs + the ability to quickly change keys, then use TLSA RRs to "certify" an intermediate PKIX CA.

I don't understand. Suppose www.ecomm.com, a big e-commerce site (or www.kingdom.com, a government-run broadcasting company, many examples work), uses cdn1 and cdn2 in some specific order and www.ecomm.com is CNAME'd to cdn1. Suppose they want to switch from cdn1 to cdn2 for some reason. How does www.ecomm.com switch their DNSSEC records quickly enough? I'm sure I am missing something.