On 4/12/21 3:36 AM, Andrew McConachie wrote:
> When looking at how one might implement DANE for HTTPS/TLS I don’t see
> any reason to handle these things sequentially. You don’t have to
> change TLS, you just have to do things asynchronously. Query for TLSA
> RRs at the same time as sending the TLS ClientHello, and kill the
> connection setup when/if DANE validation fails. On the off chance that
> the DNS actually takes longer than TLS, maybe delay sending data via
> TLS until DNS responds. But I bet this almost never happens.

Correct. Better: you can do the TLSA request at the same time as the
A/AAAA request speculatively. Plus if you've ever had a TLSA record for
that domain, you know it's pretty likely you'll get a fresh one even if
the last one is expired, so the speculation is minimal.
Mike
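
An added example (not code from either poster) that simulates the ordering discussed above with Python asyncio: the TLSA query is fired speculatively alongside the A/AAAA query when the name has had a TLSA record before, the TLS handshake starts as soon as an address is known, application data is held back only if the TLSA answer is still outstanding, and the connection is dropped if no record matches. The resolver, handshake and SPKI bytes are constructed stand-ins; the matcher only handles TLSA usage 3, selector 1, matching type 1.

```python
import asyncio
import hashlib

# Constructed sample data (not from the thread): a stand-in for the server's
# SubjectPublicKeyInfo and TLSA records using usage 3 (DANE-EE), selector 1
# (SPKI), matching type 1 (SHA-256), as 4-tuples (usage, selector, mtype, hex).
PEER_SPKI = b"constructed-example-subject-public-key-info"
TLSA_GOOD = (3, 1, 1, hashlib.sha256(PEER_SPKI).hexdigest())
TLSA_BAD = (3, 1, 1, "00" * 32)


def tlsa_matches(record, spki):
    """DANE-EE/SPKI/SHA-256 check only; other parameter combinations are rejected."""
    usage, selector, mtype, data = record
    if (usage, selector, mtype) != (3, 1, 1):
        raise ValueError("example supports only TLSA 3 1 1")
    return hashlib.sha256(spki).hexdigest() == data.lower()


async def fake_dns(answer, delay):
    await asyncio.sleep(delay)          # stands in for a resolver round trip
    return answer


async def fake_tls_handshake(spki, delay):
    await asyncio.sleep(delay)          # stands in for ClientHello ... Finished
    return spki                         # the SPKI the server presented


async def connect(tlsa_records, addr_delay, tlsa_delay, tls_delay, seen_tlsa_before):
    """Return (outcome, waited_for_tlsa) for one simulated connection."""
    addr_task = asyncio.create_task(fake_dns("192.0.2.1", addr_delay))
    tlsa_task = None
    if seen_tlsa_before:                # speculate: send TLSA alongside A/AAAA
        tlsa_task = asyncio.create_task(fake_dns(tlsa_records, tlsa_delay))
    await addr_task
    if tlsa_task is None:               # no history: TLSA goes out with the ClientHello
        tlsa_task = asyncio.create_task(fake_dns(tlsa_records, tlsa_delay))
    spki = await fake_tls_handshake(PEER_SPKI, tls_delay)
    waited = not tlsa_task.done()       # the "DNS slower than TLS" case: hold app data
    records = await tlsa_task
    if not records:
        return ("no-dane", waited)      # no TLSA published: non-DANE policy applies
    if not any(tlsa_matches(r, spki) for r in records):
        return ("aborted", waited)      # kill the connection before any data is sent
    return ("sent", waited)


def run(tlsa_records, addr_delay, tlsa_delay, tls_delay, seen_tlsa_before):
    """Synchronous wrapper so the simulation can be driven from plain code."""
    return asyncio.run(connect(tlsa_records, addr_delay, tlsa_delay, tls_delay, seen_tlsa_before))
```

With the same delays, `run([TLSA_GOOD], 0.05, 0.10, 0.08, True)` finishes the handshake with the TLSA answer already in hand, while `seen_tlsa_before=False` has to hold application data until the late TLSA reply arrives.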