----- Original Message ----- > > > ----- Original Message ----- > > 60 seconds is still a large enough window for some users to be > > affected by DNS changes, right? We're just looking for a reason why > > fxa might be more affected than our other properties, and "it's the > > only service with such frequent DNS changes" seems like a decent one. > > No matter how small you set a window, there will always be someone in it :-) > > Combine that with the fact that there are always resolvers in between clients > and our nameservers that can and will mess with things and can have their > own ideas about TTLs. It is less common these days but it still happens. > > Do we have a page that explains the pinning we do?
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning/SiteOperators > Maybe for IP changes we need we different strategy? Like keeping the old IP > alive for a longer time? Or pin to multiple IPs during changes? Pinning doesn't have anything to do with IPs directly. It's just a way to assert that the site uses certificates issued by root CA X. If DNS is pointing to the wrong IP, then there are bigger problems. At this point we could either 1) Broaden the pinset (only makes sense if we think it is incorrect), or 2) Turn it on and wait for bugs to flow in. 3) Continue waiting an unbounded amount of time for SSL error reporting to be finished to diagnose the problem further. I don't think 1) makes sense. Thanks, Monica _______________________________________________ Dev-fxacct mailing list [email protected] https://mail.mozilla.org/listinfo/dev-fxacct
