On Tue, Jul 28, 2015 at 06:59:17PM -0500, Nico Williams wrote:
> > Another method of reducing the chain size we are considering is client side
> > caching of RR sets and server side omission of the same.
>
> Sure, you can omit keys and signatures nearer to the root.
Only if a client with a slightly warm cache can tell the server
a list of ancestor domains (of the server domain) for which it
already possesses, in its cache, validated DS/DNSKEY records.
But this carries some risk, as a .com server A can insert into a
client's cache valid, but somewhat stale keys for .com, which can't
validate the response from .com server B (signed with fresher
keys). In all likelihood, such optimization is too difficult to
get right, and should be avoided.
The only optimization is when a client already has recent TLSA
records for the server, and just avoids asking for the extension
entirely. That gets most of the benefit, with least complexity.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
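The failure mode described in the message above, as an added illustration that is not part of the thread and not code from any DANE or DNSSEC implementation: a client validates a full chain from server A and caches the .com DNSKEY set, then hints to server B that it already holds .com; B omits that link, and because .com has since rolled its key, the cached (still valid, but stale) key cannot verify B's chain. The same response validates once B sends the full chain. The key ids, zone names and TLSA data are constructed, and HMAC stands in for DNSKEY/RRSIG so the model runs offline; `need_chain` is the simpler optimisation the message endorses, skipping the extension while cached TLSA records are still fresh.

```python
import hashlib
import hmac
import json

# Constructed toy key material: key id -> secret.  Real DNSKEYs are asymmetric;
# HMAC stands in for RRSIG generation/verification so the example runs offline.
KEYS = {
    "root-k1": b"root-secret-1",
    "com-k1": b"com-secret-1",          # .com key in use when server A answered
    "com-k2": b"com-secret-2",          # .com key after a roll, used in server B's chain
    "example-k1": b"example-secret-1",
}


def sign(key_id, data):
    """Toy RRSIG: HMAC over the RRset bytes under the named key."""
    return hmac.new(KEYS[key_id], data, hashlib.sha256).hexdigest()


def verify(key_id, data, sig):
    return hmac.compare_digest(sign(key_id, data), sig)


def ds_digest(key_id):
    """Toy DS: digest of the child key's public identity."""
    return hashlib.sha256(key_id.encode()).hexdigest()


def zone_record(zone, dnskeys, parent_signer):
    """One link of the chain: the zone's DS RRset (signed by a parent key) plus its DNSKEY RRset."""
    ds = sorted(ds_digest(k) for k in dnskeys)
    ds_data = json.dumps([zone, ds]).encode()
    return {"zone": zone, "dnskey": list(dnskeys), "ds": ds,
            "ds_signer": parent_signer, "ds_sig": sign(parent_signer, ds_data)}


def build_chain(zones, client_has=()):
    """Server side: send (name, record) pairs, omitting zones the client says it holds."""
    return [(z["zone"], None if z["zone"] in client_has else z) for z in zones]


def validate(chain, tlsa, cache, trust_anchor="root-k1"):
    """Client side: walk the chain from the trust anchor, caching validated DNSKEY sets."""
    parent_keys = {trust_anchor}
    for zone, rec in chain:
        if rec is None:
            # Server omitted this zone; we can only use what we validated earlier.
            if zone not in cache:
                return False
            parent_keys = set(cache[zone])
            continue
        ds_data = json.dumps([zone, rec["ds"]]).encode()
        if rec["ds_signer"] not in parent_keys or not verify(rec["ds_signer"], ds_data, rec["ds_sig"]):
            return False
        if any(ds_digest(k) not in rec["ds"] for k in rec["dnskey"]):
            return False
        parent_keys = set(rec["dnskey"])
        cache[zone] = set(parent_keys)
    return tlsa["signer"] in parent_keys and verify(tlsa["signer"], tlsa["data"], tlsa["sig"])


def tlsa_record(data, signer):
    return {"data": data, "signer": signer, "sig": sign(signer, data)}


# Constructed TLSA RRset for the illustration.
TLSA = tlsa_record(b"_25._tcp.mail.example.com. TLSA 3 1 1 <pin>", "example-k1")


def scenario():
    """Returns (full chain from A ok, hinted chain from B ok, full chain from B ok)."""
    chain_a = [zone_record("com", ["com-k1"], "root-k1"),
               zone_record("example.com", ["example-k1"], "com-k1")]
    chain_b = [zone_record("com", ["com-k2"], "root-k1"),            # .com has rolled its key
               zone_record("example.com", ["example-k1"], "com-k2")]
    cache = {}
    full_from_a = validate(build_chain(chain_a), TLSA, cache)
    # Client hints the ancestor zones it holds; B omits them, and the stale
    # cached .com key cannot verify the DS RRset B signed with the new key.
    hints = [z for z in ("com",) if z in cache]
    hinted_from_b = validate(build_chain(chain_b, client_has=hints), TLSA, dict(cache))
    full_from_b = validate(build_chain(chain_b), TLSA, dict(cache))
    return full_from_a, hinted_from_b, full_from_b


def need_chain(tlsa_cache, name, now):
    """The optimisation the mail endorses: skip the extension while cached TLSA is still fresh."""
    entry = tlsa_cache.get(name)
    return entry is None or entry["expires"] <= now


if __name__ == "__main__":
    print(scenario())   # (True, False, True)
```

The stale key in the cache is genuinely valid, so nothing in the client's state looks wrong until the omitted link is needed against a chain signed by the rolled key; a real client would have to fall back to re-requesting the full chain, which is the complexity the message argues is not worth it.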