Re: Quic: the elephant in the room

On 4/12/21 5:57 AM, Salz, Rich wrote:
>> one may as well delegate the TLSA record management to the CDN:
> Sure, if you're never going to switch CDNs.
>
> Many big customers switch CDNs and will not delegate because, well, they need to switch.
>
> There is a whole industry and providers around switching CDNs in real time.  Web-search "Cdn switch" will find them, for example.
>
>> But any sort of TLSA RR on the customer side, while the cert rollover
>> are managed by the CDN is too fragile.  The TLSA RRs should properly
>> be published by the CDN as above.
>
> Sure, if there's one CDN.
>
>> If indeed sub-minute migration from one CDN to another is required, then
>> the TTL for the _443._tcp.[...] CNAME would need to be sub-minute.  Is
>> such a short cutover time really a requirement?
>
> If millions of dollars of commerce are happening per minute, then yes.  Or the head of state dies and the official news source is overloaded.

So the whole world needs to revolve around somebody's corner case. But this is all rather pointless: short TTL DNS devolves into the certificate case's message count. For normal TTL records, it would usually be a 3-way handshake. Also: certificates are not going to be deprecated; if they work better, keep using them. It's really that simple.

Mike
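As an added illustration of the cutover problem in the quoted exchange (this is example code written for this archive page, not code from the thread or from any of its participants): the model below is a toy caching resolver over constructed zone data. The names `cdn-a.net` and `cdn-b.net`, the documentation-range IPs, the TTLs and the TLSA rdata strings are all made up. It shows that when the customer's zone holds only CNAMEs pointing into the CDN (one on the address path and one at `_443._tcp`), a resolver that was warm before the switch can spend a window connecting to one CDN while pinning the other CDN's TLSA record, and that this window is bounded by the customer-side CNAME TTLs and by how far apart the two CNAMEs were cached, not by the CDN's own TLSA TTL.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record; the owner name is the key of the dict it lives in."""
    rtype: str
    rdata: str
    ttl: int


# Records each CDN publishes under its own names (constructed sample data). Nothing
# here changes during a switch, so these TTLs play no role in the cutover. The TLSA
# rdata is a placeholder "3 1 1 <tag>" string, not a real SHA-256 of a real key.
CDN_ZONES: Dict[str, RR] = {
    "www.example.com.cdn-a.net": RR("A", "192.0.2.10", 60),
    "_443._tcp.www.example.com.cdn-a.net": RR("TLSA", "3 1 1 aaaa", 3600),
    "www.example.com.cdn-b.net": RR("A", "198.51.100.20", 60),
    "_443._tcp.www.example.com.cdn-b.net": RR("TLSA", "3 1 1 bbbb", 3600),
}

# The TLSA association each CDN edge can actually satisfy in its TLS handshake.
SERVED_CERT: Dict[str, str] = {"192.0.2.10": "3 1 1 aaaa", "198.51.100.20": "3 1 1 bbbb"}

Authority = Callable[[str], RR]


def customer_zone(cdn: str, a_ttl: int, tlsa_ttl: int) -> Dict[str, RR]:
    """The customer's zone: two CNAMEs into the chosen CDN and nothing else."""
    return {
        "www.example.com": RR("CNAME", f"www.example.com.{cdn}.net", a_ttl),
        "_443._tcp.www.example.com": RR("CNAME", f"_443._tcp.www.example.com.{cdn}.net", tlsa_ttl),
    }


def authority_at(t: int, switch_at: int, a_ttl: int, tlsa_ttl: int) -> Authority:
    """Authoritative view at time t: the customer CNAMEs flip from cdn-a to cdn-b at switch_at."""
    cust = customer_zone("cdn-a" if t < switch_at else "cdn-b", a_ttl, tlsa_ttl)

    def lookup(name: str) -> RR:
        return cust[name] if name in cust else CDN_ZONES[name]

    return lookup


class CachingResolver:
    """Minimal recursive resolver: each answer is cached until fetch time + TTL.
    Every name here carries exactly one record type, so the cache is keyed by name."""

    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[RR, int]] = {}

    def resolve(self, name: str, auth: Authority, now: int) -> RR:
        rr, expiry = self.cache.get(name, (None, -1))
        if rr is None or expiry <= now:
            rr = auth(name)
            self.cache[name] = (rr, now + rr.ttl)
        if rr.rtype == "CNAME":
            # Follow the chain; each hop is cached on its own TTL.
            return self.resolve(rr.rdata, auth, now)
        return rr


def dane_ok(resolver: CachingResolver, auth: Authority, now: int) -> bool:
    """Does the address we would connect to present a cert matching the TLSA we would pin?"""
    addr = resolver.resolve("www.example.com", auth, now)
    tlsa = resolver.resolve("_443._tcp.www.example.com", auth, now)
    return SERVED_CERT[addr.rdata] == tlsa.rdata


def failure_window(a_ttl: int, tlsa_ttl: int, prime_a_at: int = 0, prime_tlsa_at: int = 0,
                   switch_at: int = 10, horizon: int = 600) -> List[int]:
    """Seconds in [switch_at, horizon) at which a resolver that cached the address-path CNAME
    at prime_a_at and the _443._tcp CNAME at prime_tlsa_at (both before the switch) fails
    DANE validation against the CDN edge it would actually connect to."""
    r = CachingResolver()
    r.resolve("www.example.com", authority_at(prime_a_at, switch_at, a_ttl, tlsa_ttl), prime_a_at)
    r.resolve("_443._tcp.www.example.com", authority_at(prime_tlsa_at, switch_at, a_ttl, tlsa_ttl), prime_tlsa_at)
    return [t for t in range(switch_at, horizon)
            if not dane_ok(r, authority_at(t, switch_at, a_ttl, tlsa_ttl), t)]


if __name__ == "__main__":
    for a_ttl, tlsa_ttl, pa, pt in [(300, 30, 0, 0), (30, 30, 0, 0), (30, 30, 0, 9), (3600, 30, 0, 0)]:
        w = failure_window(a_ttl, tlsa_ttl, pa, pt)
        span = f"{w[0]}..{w[-1]}s" if w else "none"
        print(f"A-path CNAME TTL {a_ttl:>4}, _443._tcp CNAME TTL {tlsa_ttl:>4}: failing {span} ({len(w)} s)")
```

Run as a script to print the failing windows for a few TTL combinations. With both CNAMEs at 30 s and cached at the same instant there is no window at all, but a resolver that cached the two CNAMEs nine seconds apart still fails for nine seconds, so the exposure is up to max(a_ttl, tlsa_ttl) and bringing it under a minute means exactly the sub-minute CNAME TTLs the quoted text mentions.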