Paul Wouters <[email protected]> wrote:
> On Wed, 3 Oct 2012, Tony Finch wrote:
>
> > In order for DANE not to harm performance, a client needs to be able to
> > fetch and validate the TLSA RRset during the time it takes to connect to
> > the remote server and receive its certificate (a DNS lookup and two round
> > trips, for the TCP handshake and half the TLS handshake).
>
> Uhm that would be the wrong way of doing it. You fire requests for the
> A/AAAA and TLSA records at the same time. There is no point waiting on
> the A/AAAA record before requesting the TLSA record.

Yes I included the address lookup in the time budget. You can start
setting up the connection when you have the answer to the A / AAAA queries
and abort if validation subsequently fails.

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
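
The ordering discussed in this thread, as an added sketch that is not code from either poster: the TLSA query and the address query start together, the connection starts as soon as the address arrives, and the client aborts if TLSA validation or matching fails. The network is simulated with sleeps; all function names, the delays, the SPKI bytes and the choice of a `3 1 1` TLSA record are assumptions made for the example.

```python
import asyncio, hashlib

# Constructed sample data: not a real key and not a real zone.
SERVER_SPKI = b"constructed-subject-public-key-info"
GOOD_TLSA = (3, 1, 1, hashlib.sha256(SERVER_SPKI).digest())  # DANE-EE, SPKI, SHA-256

async def lookup_address(delay):
    await asyncio.sleep(delay)              # simulated A/AAAA query
    return "192.0.2.1"                      # documentation address

async def lookup_tlsa(delay, rrset, dnssec_ok):
    await asyncio.sleep(delay)              # simulated TLSA query plus DNSSEC validation
    if not dnssec_ok:
        raise ValueError("TLSA RRset failed DNSSEC validation")
    return rrset

async def handshake_until_cert(addr, rtt):
    await asyncio.sleep(2 * rtt)            # TCP handshake + half the TLS handshake
    return SERVER_SPKI                      # what the server's certificate carries

def tlsa_matches(rrset, spki):
    digest = hashlib.sha256(spki).digest()
    return any((u, s, m, d) == (3, 1, 1, digest) for (u, s, m, d) in rrset)

async def dane_connect(addr_delay, tlsa_delay, rtt, rrset, dnssec_ok=True):
    loop = asyncio.get_running_loop()
    start = loop.time()
    # Fire the TLSA query first so it is in flight while the address resolves.
    tlsa_task = asyncio.create_task(lookup_tlsa(tlsa_delay, rrset, dnssec_ok))
    addr = await lookup_address(addr_delay)
    # Start connecting as soon as the address is known; do not wait for TLSA.
    conn_task = asyncio.create_task(handshake_until_cert(addr, rtt))
    try:
        records = await tlsa_task
    except ValueError:
        conn_task.cancel()                  # validation failed: abort the connection
        return ("aborted", loop.time() - start)
    spki = await conn_task
    # No application data is sent unless the certificate matches the TLSA RRset.
    status = "ok" if tlsa_matches(records, spki) else "aborted"
    return (status, loop.time() - start)

def run(**kwargs):
    return asyncio.run(dane_connect(**kwargs))
```

With these simulated delays the elapsed time is roughly the larger of (address lookup + two round trips) and (TLSA lookup + validation), rather than their sum.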
