On 8/19/14, 11:59 AM, James Cloos wrote:
>> Also one needs TLSA lookups which should only follow the address
>> lookups because the TLSA lookup should not be made when the address
>> records are not secure.
>
> The TLSA lookup does not need to wait until the status of the address
> lookup is known. The address status affects whether one should care
> about and use the TLSA, not whether one can check for it.

I think that's a more precise way to put it. Thus I propose the
following revised text:

   Developers of application clients that depend on DANE-SRV often would
   like to prepare as quickly as possible for making a connection to the
   intended service, thus reducing the wait time for end users. To make
   this possible, a DNS library might perform the SRV queries, address
   queries, and TLSA queries in parallel (although the TLSA records are
   not usable if the address records are not secure, performing the TLSA
   queries in parallel is not harmful from a security perspective).

Peter
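
Added example (not part of the original message or of the draft): a Python sketch of the behaviour the revised text describes, where address and TLSA queries for each SRV target are issued concurrently and the TLSA answer is dropped afterwards if the address answer was not secure. The stub resolver, zone data, and names are constructed; the `_port._tcp.target` TLSA owner name and the extra gating on the SRV and TLSA answers' own status are assumptions of this example.

```python
import asyncio

# Constructed answers: (owner, type) -> (rdata list, DNSSEC-validated?). Not real DNS data.
ZONE = {
    ("_xmpp-client._tcp.example.com", "SRV"): ([("a.example.net", 5222), ("b.example.org", 5222)], True),
    ("a.example.net", "A"): (["192.0.2.10"], True),
    ("_5222._tcp.a.example.net", "TLSA"): (["3 1 1 (constructed digest)"], True),
    ("b.example.org", "A"): (["198.51.100.20"], False),  # address answer is not secure
    ("_5222._tcp.b.example.org", "TLSA"): (["3 1 1 (constructed digest)"], True),
}

class StubResolver:
    """Hypothetical stand-in for a validating resolver; logs query start and end."""
    def __init__(self):
        self.events = []

    async def query(self, owner, rtype):
        self.events.append(("start", rtype, owner))
        await asyncio.sleep(0)  # yield control, as a real network lookup would
        self.events.append(("done", rtype, owner))
        return ZONE.get((owner, rtype), ([], False))

async def resolve_target(resolver, target, port, srv_secure):
    # Address and TLSA queries are issued together; neither waits for the other.
    (addrs, addr_secure), (tlsa, tlsa_secure) = await asyncio.gather(
        resolver.query(target, "A"),
        resolver.query(f"_{port}._tcp.{target}", "TLSA"),
    )
    # The security decision is made only here: TLSA data fetched alongside an
    # insecure address answer is discarded and never reaches the TLS layer.
    # Requiring srv_secure and tlsa_secure as well is this example's assumption.
    usable = tlsa if (srv_secure and addr_secure and tlsa_secure) else []
    return {"target": target, "port": port, "addresses": addrs, "tlsa": usable}

async def prepare(resolver, service):
    # The TLSA owner name depends on the SRV target and port, so SRV goes first.
    targets, srv_secure = await resolver.query(service, "SRV")
    return await asyncio.gather(*(resolve_target(resolver, t, p, srv_secure) for t, p in targets))

def run(service="_xmpp-client._tcp.example.com"):
    resolver = StubResolver()
    results = asyncio.run(prepare(resolver, service))
    return results, resolver.events

if __name__ == "__main__":
    for r in run()[0]:
        print(r["target"], r["addresses"], "DANE" if r["tlsa"] else "no usable TLSA")
```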