On 28 May 2015, at 1:25, Wessels, Duane wrote:
>> On May 27, 2015, at 10:32 AM, Joe Abley <[email protected]> wrote:
>>
>> It's not obvious that this is a problem for anybody, though; it's not like
>> you'd expect to see a TLSA RRSet in there.
>
> Isn't this truly a problem because if my cache is cold (for the zone in
> question) my recursive name server could send it a query for
> "_443._tcp.www.example.accountant. TLSA" (to keep picking on them) which
> would then just timeout?

Oh, that's true. I'm not sure how likely it is that the cache would be cold, though, given that a client looking for a TLSA has probably already just looked for an A/AAAA/MX. But point taken.

Joe
