Re: Quic: the elephant in the room

On Mon, Apr 12, 2021 at 04:20:47PM +0000, Salz, Rich wrote:

> >   What do you mean by "in real-time"?
> 
> I don't know what those other products consider, but I know five seconds happens.

In that case one may need short TTLs for the CNAMEs from the customer's
zone to the CDN zone, though this trades worse performance (higher
average latency) all the time, for faster cutover in rare situations.
One should weigh the tradeoffs with care.

> > And do they keep switching back and forth, or is a one time switch
> > stable for some days or longer?
> 
> I've seen both short-term shifts (an hour or two), and long-term
> shifts (measured in days).

That does not sound like rapid back and forth (same ~5s timescale).
The new TTL for the retargeted temporary CDN can be shorter than
default.

> I am sorry I cannot provide specifics, naming our customers for example.

No worries, I wasn't asking for anything nearly that specific.

Bottom line, if DANE/TLSA were adopted for HTTPS, it can be made to work
also with CDNs as described in this thread.

I would in fact recommend DNAME rather than CNAME in this case, because
it in one swoop aliases a subtree of the DNS to the CDN, which includes
both the address records and the TLSA records:

    www.example.com. IN DNAME www.somecdn.example.

The main limitation is that this only works for "leaf" names,
redirecting the zone apex is a separate problem, for which we're
inventing "HTTPS" records, ... and in the meantime some folks
are violating specs and publishing zone-apex CNAMEs, ...

--
    Viktor.
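
The DNAME aliasing sketched in the message above, worked through as an
added example (this is not code from the message, the thread, or any
IETF document). It implements DNAME substitution as specified in RFC 6672
section 2.2 over a small in-memory zone, then resolves the TLSA name for
port 443 through it. The CDN name www.somecdn.example is taken from the
message; the second CDN name (www.othercdn.example), the addresses and the
TLSA digests are constructed stand-ins, and `lookup` is a toy resolver,
not a DNSSEC-validating one. One caveat worth checking before relying on
this: DNAME rewrites only names strictly below its owner, so the owner
name www.example.com itself is not redirected and its own A/AAAA records
still have to be provided some other way; only the subtree (including
`_443._tcp.www.example.com`) follows the DNAME.

```python
"""Added example: DNAME substitution (RFC 6672 section 2.2) over a
constructed, in-memory zone. Shows that one DNAME below www.example.com
carries the _443._tcp TLSA name to the CDN, that retargeting the CDN is a
one-record change, and that the DNAME owner itself is not rewritten.
All names except www.example.com / www.somecdn.example, all addresses
and all digests are constructed for illustration."""

from typing import Dict, List, Optional, Tuple

Records = Dict[str, List[Tuple[str, str]]]


def _labels(name: str) -> List[str]:
    """Lower-case, strip the trailing dot, split into labels ("" -> [])."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def _canon(name: str) -> str:
    """Canonical presentation form: lower-case, absolute, trailing dot."""
    return ".".join(_labels(name)) + "."


def dname_substitute(qname: str, owner: str, target: str) -> Optional[str]:
    """Name synthesized by DNAME <owner> -> <target> for qname, or None when
    the DNAME does not apply. Only names strictly below the owner are
    rewritten; the owner name itself is left alone (RFC 6672 s.2.2)."""
    q, o, t = _labels(qname), _labels(owner), _labels(target)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    synthesized = ".".join(q[:len(q) - len(o)] + t) + "."
    # Presentation length + 1 approximates the wire length; a result over
    # 255 octets is a YXDOMAIN error, not a valid name (RFC 6672 s.2.2).
    if len(synthesized) + 1 > 255:
        raise ValueError("YXDOMAIN: synthesized name exceeds 255 octets")
    return synthesized


def lookup(zones: Records, qname: str, rtype: str,
           _chain: Optional[List[str]] = None) -> Tuple[List[str], List[str]]:
    """Toy resolver: exact owner match first; otherwise walk the ancestors
    of qname (closest first) looking for a DNAME, synthesize the new name
    and re-query there. Returns (rdata list, chain of names consulted)."""
    qname = _canon(qname)
    chain = (_chain or []) + [qname]
    if len(chain) > 8:
        raise RuntimeError("DNAME chain too long")
    rdata = [rd for rt, rd in zones.get(qname, []) if rt == rtype]
    if rdata:
        return rdata, chain
    labels = _labels(qname)
    # Ancestors only (labels[i + 1:]): a DNAME at qname does not redirect qname.
    for i in range(len(labels)):
        ancestor = ".".join(labels[i + 1:]) + "."
        for rt, target in zones.get(ancestor, []):
            if rt == "DNAME":
                return lookup(zones, dname_substitute(qname, ancestor, target),
                              rtype, chain)
    return [], chain


def retarget(zones: Records, owner: str, new_target: str) -> Records:
    """Cut over to another CDN by replacing the single DNAME; every name
    below the owner (TLSA included) follows, subject to the DNAME's TTL."""
    owner = _canon(owner)
    updated = dict(zones)
    updated[owner] = [("DNAME", _canon(new_target)) if rt == "DNAME" else (rt, rd)
                      for rt, rd in zones.get(owner, [])]
    return updated


# Constructed sample data for the zones involved (not real records).
SOMECDN_DIGEST = "ab" * 32   # stand-in for a SHA-256 digest of somecdn's key
OTHERCDN_DIGEST = "cd" * 32  # stand-in for a SHA-256 digest of othercdn's key

ZONES: Records = {
    # Customer zone: one record hands the subtree below www to the CDN.
    "www.example.com.": [("DNAME", "www.somecdn.example.")],
    # CDN zones: addresses and TLSA records are managed by each CDN.
    "www.somecdn.example.": [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")],
    "_443._tcp.www.somecdn.example.": [("TLSA", "3 1 1 " + SOMECDN_DIGEST)],
    "www.othercdn.example.": [("A", "198.51.100.20")],
    "_443._tcp.www.othercdn.example.": [("TLSA", "3 1 1 " + OTHERCDN_DIGEST)],
}

if __name__ == "__main__":
    print(lookup(ZONES, "_443._tcp.www.example.com.", "TLSA"))
    print(lookup(ZONES, "www.example.com.", "A"))   # owner not rewritten: no A
    moved = retarget(ZONES, "www.example.com.", "www.othercdn.example.")
    print(lookup(moved, "_443._tcp.www.example.com.", "TLSA"))
```

Run as-is, the first lookup returns the somecdn TLSA record via the chain
`_443._tcp.www.example.com.` to `_443._tcp.www.somecdn.example.`, the
second returns nothing (the DNAME owner is not itself aliased), and after
`retarget` the same TLSA query lands in the othercdn zone with no change
to any record other than the DNAME.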