On Sun, Apr 11, 2021 at 10:18:39PM +0000, Salz, Rich wrote:
> > Imagine an e-commerce site connected to
> > two CDNs who needs to switch.
>
> > Not for DANE though. If you want long-lived TLSA RRs + the ability to
> > quickly change keys, then use TLSA RRs to "certify" an intermediate PKIX
> > CA.
>
> I don't understand. Suppose www.ecomm.com, a big e-commerce site (or
> www.kingdom.com, a government-run broadcasting company, many examples
> work), uses cdn1 and cdn2 in some specific order and www.ecomm.com is
> CNAME'd to cdn1. Suppose they want to switch from cdn1 to cdn2 for some
> reason.
>
> How does www.ecomm.com switch their DNSSEC records quickly enough? I'm
> sure I am missing something.

You publish TLSA RRs for the new one and after the switch you delete the
ones for the old one. You can have more than one TLSA RR in a TLSA RRset.
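The rollover described in the reply, as an added illustration that is not part of the thread: the TLSA RRset at `_443._tcp.www.ecomm.com` goes through three phases (old only, old+new, new only), and a client that accepts any matching record in the RRset is satisfied by either CDN's intermediate CA while both records are published. The CA certificate bytes, the SPKI bytes and the record parameters (DANE-TA(2), SPKI(1), SHA2-256(1)) are constructed assumptions, and the chain-building part of real DANE-TA validation is left out.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    """One TLSA record (RFC 6698): usage, selector, matching type, data."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

# Constructed stand-ins for the DER of each CDN's intermediate CA and its SPKI.
CDN1_CA_DER, CDN1_CA_SPKI = b"constructed: cdn1 intermediate CA", b"constructed: cdn1 SPKI"
CDN2_CA_DER, CDN2_CA_SPKI = b"constructed: cdn2 intermediate CA", b"constructed: cdn2 SPKI"

def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the bytes a TLSA record is compared against, per selector and matching type."""
    raw = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {mtype}")

def dane_ta_record(cert_der: bytes, spki_der: bytes) -> TLSA:
    """DANE-TA(2) SPKI(1) SHA2-256(1): pins the intermediate CA, not the leaf cert."""
    return TLSA(2, 1, 1, association_data(1, 1, cert_der, spki_der))

def rrset_accepts(rrset: frozenset, cert_der: bytes, spki_der: bytes) -> bool:
    """True if any record in the RRset matches this CA. (Real DANE-TA validation
    additionally requires the server's presented chain to lead to this CA.)"""
    return any(r.data == association_data(r.selector, r.mtype, cert_der, spki_der) for r in rrset)

def rollover_phases() -> dict:
    """RRsets published at _443._tcp.www.ecomm.com during a cdn1 -> cdn2 switch."""
    old = dane_ta_record(CDN1_CA_DER, CDN1_CA_SPKI)
    new = dane_ta_record(CDN2_CA_DER, CDN2_CA_SPKI)
    return {
        "before": frozenset({old}),       # only cdn1 is acceptable
        "during": frozenset({old, new}),  # both published; flip the CNAME while this is live
        "after":  frozenset({new}),       # cdn1 record deleted once the old RRset's TTL has expired
    }

def presentation(owner: str, rrset: frozenset) -> list:
    """Zone-file presentation of an RRset, for pasting into the DNSSEC-signed zone."""
    return sorted(f"{owner} IN TLSA {r.usage} {r.selector} {r.mtype} {r.data.hex()}" for r in rrset)

if __name__ == "__main__":
    for phase, rrset in rollover_phases().items():
        print(phase, *presentation("_443._tcp.www.ecomm.com.", rrset), sep="\n  ")
```

The "during" RRset has to stay published, and the zone re-signed, for at least the old RRset's TTL before the cdn1 record is dropped, otherwise resolvers still caching the old RRset would reject cdn2's chain.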