On Fri, 14 Dec 2018, Warren Kumari wrote:
> One of the stated reasons for browsers not doing DANE / TLSA was having to wait for the TLSA record to come back before you can connect.
>
> "Ah! Fine..", says I, "Just do these in parallel -- you will get back the TLSA record at about the same time as the A or AAAA. You could even be smart and start making the TCP connection if you happen to get back the A first. There, I fixed it for you...[0]".
>
> Turns out this doesn't (or, at least, didn't) work -- yes, ~1/2 the time the TLSA record will come in first, and ~1/2 the time it will be second -- but, when it is second:
>
> A: you often don't know if it will ever show up
>
> and
>
> B: sometimes it is really really second / your query got lost and you need to ask again, after a suitable backoff..
We fixed that with tls-dnssec-chain :P
I'll leave it up to others to wonder why and how this did not move forward, and
is now going via ISE.
Sorry for the side-track of this discussion.
Paul
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
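An added illustration of the scheme Warren describes and of its failure mode. This is example code written for this page, not code from either mail, from any browser, or from the tls-dnssec-chain work. It races the A and TLSA lookups, records whether the TCP connect could start before the TLSA answer arrived, and bounds the wait for a straggling TLSA reply with a retry-and-backoff policy. The resolver is a scripted stand-in that replays dropped queries deterministically; the hostname, address, TLSA text and all timeouts are constructed for the demo. The point it makes beyond the text: a timeout after the last retry leaves the client unable to tell "no TLSA record" from "reply lost", which is exactly why the handshake cannot be validated without the answer, whereas an authenticated empty answer is a usable result.

```python
"""Race A/TLSA lookups, start TCP on the first address, bound the TLSA wait.

Toy asyncio simulation with no network. Answers are scripted so that the
cases from the thread (TLSA first, TLSA reply lost once, TLSA never answered,
authenticated 'no TLSA') replay deterministically."""
import asyncio
from dataclasses import dataclass, field

LOST = None  # scripted outcome: this attempt's query or reply is dropped


@dataclass
class ScriptedResolver:
    """Constructed stand-in for a DNS resolver (not a real library).

    script[(qname, qtype)] holds one outcome per attempt: (delay_s, answer)
    or LOST. Attempts past the end of the list reuse the last outcome."""
    script: dict
    attempts: dict = field(default_factory=dict)

    async def query(self, qname, qtype):
        key = (qname, qtype)
        n = self.attempts.get(key, 0)
        self.attempts[key] = n + 1
        outcomes = self.script[key]
        outcome = outcomes[min(n, len(outcomes) - 1)]
        if outcome is LOST:
            await asyncio.Event().wait()  # never answered; caller must time out
        delay, answer = outcome
        await asyncio.sleep(delay)
        return answer


async def query_with_backoff(resolver, qname, qtype, timeout, max_tries, base_backoff):
    """Re-ask after each timeout, doubling the pause between attempts.

    Returns the answer (an authenticated empty list is a valid answer), or
    None when we gave up and therefore do NOT know whether the record exists."""
    for attempt in range(max_tries):
        try:
            return await asyncio.wait_for(resolver.query(qname, qtype), timeout)
        except asyncio.TimeoutError:
            await asyncio.sleep(base_backoff * (2 ** attempt))
    return None


async def connect_dane(resolver, host, port=443, timeout=0.05, max_tries=3, base_backoff=0.01):
    """Issue A and TLSA in parallel; report how the race played out."""
    tlsa_name = f"_{port}._tcp.{host}"
    a_task = asyncio.create_task(
        query_with_backoff(resolver, host, "A", timeout, max_tries, base_backoff))
    tlsa_task = asyncio.create_task(
        query_with_backoff(resolver, tlsa_name, "TLSA", timeout, max_tries, base_backoff))

    addrs = await a_task
    if not addrs:  # gave up or no address: nothing to connect to
        tlsa_task.cancel()
        await asyncio.gather(tlsa_task, return_exceptions=True)
        return {"state": "no-address", "tcp_started_before_tlsa": False,
                "tlsa_attempts": resolver.attempts.get((tlsa_name, "TLSA"), 0)}

    # An address is in hand, so the TCP handshake could start now (simulated).
    tcp_before_tlsa = not tlsa_task.done()

    tlsa = await tlsa_task  # the TLS handshake cannot be validated before this
    if tlsa is None:
        state = "tlsa-unknown"    # reply lost every time: cannot tell DANE-less from lost
    elif tlsa:
        state = "tlsa-available"  # DANE validation of the server cert can proceed
    else:
        state = "no-tlsa"         # authenticated denial: PKIX-only is the right answer
    return {"state": state, "tcp_started_before_tlsa": tcp_before_tlsa,
            "tlsa_attempts": resolver.attempts[(tlsa_name, "TLSA")]}


# Constructed scenario data (not real names, addresses or records).
HOST = "www.example.test"
TLSA_NAME = f"_443._tcp.{HOST}"
ADDR = ["192.0.2.10"]
TLSA_RR = ["3 1 1 <placeholder SPKI hash>"]

SCENARIO_TLSA_FIRST = {(HOST, "A"): [(0.01, ADDR)], (TLSA_NAME, "TLSA"): [(0.001, TLSA_RR)]}
SCENARIO_TLSA_LOST_ONCE = {(HOST, "A"): [(0.001, ADDR)], (TLSA_NAME, "TLSA"): [LOST, (0.001, TLSA_RR)]}
SCENARIO_TLSA_ALWAYS_LOST = {(HOST, "A"): [(0.001, ADDR)], (TLSA_NAME, "TLSA"): [LOST]}
SCENARIO_NO_TLSA = {(HOST, "A"): [(0.001, ADDR)], (TLSA_NAME, "TLSA"): [(0.001, [])]}


def run_scenario(script):
    """Run one scripted race to completion and return its summary dict."""
    return asyncio.run(connect_dane(ScriptedResolver(script), HOST))


if __name__ == "__main__":
    for name, script in [("tlsa first", SCENARIO_TLSA_FIRST),
                         ("tlsa lost once", SCENARIO_TLSA_LOST_ONCE),
                         ("tlsa always lost", SCENARIO_TLSA_ALWAYS_LOST),
                         ("authenticated no tlsa", SCENARIO_NO_TLSA)]:
        print(f"{name:>22}: {run_scenario(script)}")
```

The timeouts are shortened to milliseconds so the four cases replay quickly; a real client would use its resolver's retransmit timer. Note that the "always lost" case burns every retry plus every backoff interval before the client learns nothing, which is the latency cost the browser objection was about.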