On Mon, Apr 12, 2021 at 12:57:21PM +0000, Salz, Rich wrote:

> > one may as well delegate the TLSA record management to the CDN:
>
> Sure, if you're never going to switch CDNs.

No, to *each* CDN. Each one can publish the appropriate TLSA RRs for its
service.

> There is a whole industry and providers around switching CDNs in real
> time. Web-search "CDN switch" will find them, for example.

What do you mean by "in real-time"?

> > But any sort of TLSA RR on the customer side, while the cert rollovers
> > are managed by the CDN, is too fragile. The TLSA RRs should properly
> > be published by the CDN as above.
>
> Sure, if there's one CDN.

It also works for multiple CDNs, provided they don't keep switching back and
forth, or provided some modest set of trust anchors is known to cover them all.

> > If indeed sub-minute migration from one CDN to another is required, then
> > the TTL for the _443._tcp.[...] CNAME would need to be sub-minute. Is
> > such a short cutover time really a requirement?
>
> If millions of dollars of commerce are happening per minute, then yes.
> Or the head of state dies and the official news source is overloaded.

And do they keep switching back and forth, or is a one-time switch stable for
some days or longer?

--
    Viktor.
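The zone layout the thread is arguing about, as an added illustration that is not part of the original message: the customer zone holds only a short-TTL CNAME for the TLSA name, each CDN zone publishes the TLSA RRs for the certificates it actually operates, and a DANE-TA record is shown for the case where one trust anchor covers every CDN in use. All names (example.com, cdn1.example.net, cdn2.example.net) and the hash fields are constructed placeholders.

```zone
; --- example.com : customer zone (constructed) ---
$ORIGIN example.com.
; The customer publishes no TLSA data of its own, only the delegation.
; The TTL on the _443._tcp CNAME bounds how long cached resolvers keep
; pointing DANE clients at the old CDN after a switch, so a sub-minute
; cutover requires a sub-minute TTL here (and on the www CNAME).
www             30  IN CNAME  www.example.com.cdn1.example.net.
_443._tcp.www   30  IN CNAME  _443._tcp.www.example.com.cdn1.example.net.
; Moving to CDN 2 changes only the two CNAME targets above; the TLSA
; data for each CDN lives in that CDN's zone and never has to move.

; --- cdn1.example.net : CDN 1 zone (constructed) ---
$ORIGIN cdn1.example.net.
; The CDN controls certificate rollover, so it controls the TLSA RRs.
; DANE-EE(3) / SPKI(1) / SHA-256(1) records for the current and the
; next key let it roll keys without touching the customer zone.
_443._tcp.www.example.com 3600 IN TLSA 3 1 1 <sha256-of-current-spki-PLACEHOLDER>
_443._tcp.www.example.com 3600 IN TLSA 3 1 1 <sha256-of-next-spki-PLACEHOLDER>

; --- cdn2.example.net : CDN 2 zone (constructed) ---
$ORIGIN cdn2.example.net.
; Same pattern, independent key material; becomes live only when the
; customer's CNAMEs are repointed here.
_443._tcp.www.example.com 3600 IN TLSA 3 1 1 <sha256-of-cdn2-current-spki-PLACEHOLDER>
_443._tcp.www.example.com 3600 IN TLSA 3 1 1 <sha256-of-cdn2-next-spki-PLACEHOLDER>

; --- alternative for rapid back-and-forth switching (constructed) ---
; If every CDN in use obtains certificates from one known CA, the
; customer can instead publish a DANE-TA(2) record for that CA's SPKI
; directly (no CNAME). Any CDN's certificate chaining to that CA then
; validates, at the cost of trusting that CA for the whole name.
$ORIGIN example.com.
_443._tcp.www 3600 IN TLSA 2 1 1 <sha256-of-shared-CA-spki-PLACEHOLDER>
```

Whichever layout is used, the zone data must be DNSSEC-signed for DANE clients to act on it, and the CDN-side TLSA RRs should be published before the CNAME is repointed so that a client following the new CNAME never finds an empty or stale TLSA RRset.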