> one may as well delegate the TLSA record management to the CDN:
Sure, if you're never going to switch CDN's.
Many big customers switch CDN's and will not delegate because, well, they need to switch.
There is a whole industry and providers around switching CDN's in real time. Web-search "Cdn switch" will find them, for example.
> But any sort of TLSA RR on the customer side, while the cert rollover
are managed by the CDN is too fragile. The TLSA RRs should properly
be published by the CDN as above.
Sure, if there's one CDN.
> If indeed sub-minute migration from one CDN to another is required, then
the TTL for the _443._tcp.[...] CNAME would need to be sub-minute. Is
such a short cutover time really a requirement?
If millions of dollars of commerce are happening per minute, then yes. Or the head of state dies and the official news source is overloaded.
