On Fri, Dec 14, 2018 at 4:38 PM Jon Reed <[email protected]> wrote:

>
> On Fri, 14 Dec 2018, Warren Kumari wrote:
>
> > > On the call, someone (Wes?) proposed an alternative such as
> > > records in the reverse zones.   That would be a huge win for
> > > us, since we have a small finite set of nameserver IPs, and easily
> > > control our reverse zones (as, I would imagine, do other
> > > large providers).  I wasn't in Bangkok, so I'm not sure if there
> > > were any specific implementation proposals kicked around,
> > > but I'd like to start talking about what that would look like.
> > > Something TLSA-ish at the reverse name for the nameserver
> > > IP?   There's obviously some overhead with the recursive having to
> > > look up reverse names for NS IPs, but large TTL values
> > > could help with that.
> >
> > One of the stated reasons for browsers not doing DANE / TLSA was having
> > to wait for the TLSA record to come back before you can
> > connect.
> > "Ah! Fine..", says I, "Just do these in parallel -- you will get back
> > the TLSA record at about the same time as the A or AAAA. You
> > could even be smart and start making the TCP connection if you happen to
> > get back the A first. There, I fixed it for you...[0]".
>
> Well, TLSA was just an example.


.... yes, and it was for me too :-)


>  My point was that a signalling method
> based on the nameserver IPs (however it is implemented) would be far
> preferable for larger operators like us (and is no less onerous for zone
> owners/registrants who are also operators).  I don't think we want to be
> in the position of requiring each of our customers to opt-in to this for
> each of their (thousands) of zones.   We want to be able to turn this on
> in bulk, the same we'd support any new protocol feature.
>

Yup - fully understand and agree; I just didn't want us to jump to
something like "parallel queries solves the latency concern" without this
background / checking - it might end up being the right answer (or, even
better, something like this coupled with multiple responses, where you
query for NS, and get back both NS and NEW (if available) as an additional
record).

W



>
> -Jon



-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
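The two ideas traded above, a "TLSA-ish" record published under the reverse name of each nameserver IP and parallel A/AAAA/signal lookups to hide the extra round trip, can be sketched offline. The following is an added example written for this archive page; it is not code from the thread, from Jon, from Warren, or from any IETF draft. It assumes a `_dns` owner label for the signalling record (the thread never names one) and uses constructed latencies and addresses. It shows a caveat the thread only hints at: when the signal lives under the reverse name, the recursive cannot issue that lookup until it knows the IP, so it runs in parallel with the address lookups only when glue is already in hand.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumed label for the hypothetical per-nameserver signalling record.
# The thread does not define one; this is a placeholder for the example.
SIGNAL_LABEL = "_dns"


def reverse_name(ip: str) -> str:
    """Reverse-DNS owner name (with trailing dot) for an IPv4 or IPv6 address.

    ipaddress does the octet/nibble reversal, so 192.0.2.53 becomes
    53.2.0.192.in-addr.arpa and an IPv6 address becomes its 32-nibble ip6.arpa form.
    """
    return ipaddress.ip_address(ip).reverse_pointer + "."


def signal_name(ns_ip: str) -> str:
    """Owner name where the operator (not each zone owner) would publish the
    TLSA-ish signal for one nameserver address: <label>.<reverse name>."""
    return f"{SIGNAL_LABEL}.{reverse_name(ns_ip)}"


def simulate_lookup(
    ns_name: str,
    glue_ips: List[str],
    answers: Dict[str, List[str]],
    rtt_ms: Dict[str, int],
) -> Tuple[List[Tuple[int, str]], int]:
    """Event-ordered model of a recursive resolving one NS name; no network I/O.

    A and AAAA for ns_name are sent at t=0 in parallel.  The signalling lookup
    for an address can start only once that address is known: at t=0 if it was
    supplied as glue, otherwise when the A/AAAA answer carrying it arrives.
    Returns (sorted timeline, time at which everything has answered).
    """
    timeline: List[Tuple[int, str]] = []
    known: Dict[str, int] = {ip: 0 for ip in glue_ips}  # ip -> time first known
    finish = 0

    for rrtype in ("A", "AAAA"):
        arrive = rtt_ms[rrtype]
        timeline.append((arrive, f"{rrtype} {ns_name} answered"))
        finish = max(finish, arrive)
        for ip in answers.get(rrtype, []):
            known.setdefault(ip, arrive)

    for ip, start in known.items():
        done = start + rtt_ms["signal"]
        timeline.append((done, f"{signal_name(ip)} answered (sent at {start} ms)"))
        finish = max(finish, done)

    timeline.sort()
    return timeline, finish


if __name__ == "__main__":
    # Constructed sample: one NS with a v4 and a v6 address, constructed RTTs.
    answers = {"A": ["192.0.2.53"], "AAAA": ["2001:db8::53"]}
    rtts = {"A": 20, "AAAA": 25, "signal": 30}
    for label, glue in (("no glue", []), ("with glue", list(answers["A"] + answers["AAAA"]))):
        events, total = simulate_lookup("ns1.example.net", glue, answers, rtts)
        print(f"--- {label}: complete at {total} ms")
        for t, what in events:
            print(f"{t:4d} ms  {what}")
```

With glue present the signalling lookups leave at t=0 alongside the address queries and the whole resolution completes at the slowest single RTT; without glue they are serialized behind the A/AAAA answers, which is exactly the overhead Jon's "large TTL values" remark is meant to amortize.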
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy