On Sun, Apr 11, 2021 at 11:00 PM Nico Williams <nico@xxxxxxxxxxxxxxxx> wrote:
On Mon, Apr 12, 2021 at 01:54:23AM +0000, Salz, Rich wrote:
> > You publish TLSA RRs for the new one and after the switch you delete the
> ones for the old one. You can have more than one TLSA RR in a TLSA
> RRset.
>
> Thanks for the explanation. I don't know enough DNSSEC to know if
> that's actually deployable, but okay
You can tune down TTLs before the change, etc.
Perhaps there is room for a certificate extension that says "invalidate
cached TLSA RRs cached before this $timestamp" (the timestamp might even
be the certificate's notBefore). Then there would be no need to tune
down TTLs.
Formula One autosport provides a model for what is and is not possible.
If you want to achieve the very highest level of performance it is necessary to abandon the traditional engineering approach by which systems are broken down into independent components and either consider different decompositions that yield better performance or to abandon the compartmentalization entirely and optimize across multiple concerns at once. Thus the engine block is not merely the container for the pistons and bearings, it is a structural member for the vehicle, a part of the aerodynamic systems, etc. etc.
If you start with the assumption that you want to encrypt the client-resolver lookup for privacy then you are going to be making a breaking change there. Once a breaking change is proposed, we should seek to absolutely maximize the value we get in return.
Omnibroker was a proposal that would have allowed the entire trust path to be cached along with the DNS discovery data. Combine DNS resolution with SRV/TXT policy publication, with SCVP delegated path discovery and apply DNSSEC to the ensemble and for the cost of a single IP round trip to the omnibroker and you can receive the network endpoint, the TLS credential path in order so all the RP needs to do is to check the workings, and a shared secret to encrypt the initial TLS handshake.
One round trip would save you many.
