On Thu, 28 May 2020, Ben Schwartz wrote:
> Using tls-dnssec-chain would save a roundtrip. So would putting an SPKI pin along with "ns0.nohats.ca" in the DS record. I think both are reasonable optimizations, and should be optional*.
You suggest a hack on top of a hack, to save 1 RTT for a record that should have a TTL of 4h to 2d (based on parent/child TTL of NS records). This would be on resolvers that presumably resolve many domains, with multiple on the same nameserver. So policies for "how long to keep the DoT connection idle/open" will affect performance a lot more than this 1 RTT.
> *: To be precise, I think publishing an SPKI pin should be optional, but using it (if present) should be mandatory, so that an authoritative server can include a pin if it can't resolve its own name, as Petr described.
I think this issue requires more discussion...

Paul

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
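The pin under discussion is an SPKI pin: a hash over the DER-encoded SubjectPublicKeyInfo of the authoritative server's TLS key, which a resolver compares against a published value before trusting the DoT connection. The following is an added illustration, not code from the thread or from any of the participants: it computes an RFC 7469 style pin (base64 of SHA-256 over the SPKI DER) for an Ed25519 key and applies the policy Ben describes in his footnote (publishing a pin is optional, honouring a published pin is mandatory). The thread does not define how a pin would be carried in a DS record, so no record encoding is assumed here; the key bytes and published pins are constructed sample data.

```python
import base64
import hashlib
import hmac
from typing import List, Optional

# DER prefix of a SubjectPublicKeyInfo for an Ed25519 public key (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 } BIT STRING (0 unused bits) <32 key bytes> }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki_der(raw_public_key: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public key must be exactly 32 bytes")
    return ED25519_SPKI_PREFIX + raw_public_key


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(spki_der: bytes, published_pin: str) -> bool:
    """Constant-time comparison of the server's pin against one published pin."""
    return hmac.compare_digest(spki_pin(spki_der), published_pin)


def accept_server_key(spki_der: bytes, published_pins: Optional[List[str]]) -> bool:
    """Policy modelled on the footnote in the thread (an assumption, not a spec):
    if no pin is published the resolver falls through to whatever other
    validation it performs (modelled here as accepting the key); if one or
    more pins are published, the presented key MUST match one of them."""
    if not published_pins:
        return True
    return any(pin_matches(spki_der, p) for p in published_pins)


if __name__ == "__main__":
    # Constructed sample keys; real Ed25519 public keys are opaque 32-byte values.
    server_key = ed25519_spki_der(bytes(range(32)))
    other_key = ed25519_spki_der(bytes(range(1, 33)))
    published = [spki_pin(server_key)]  # pin the operator would publish

    print("pin for server key:", published[0])
    print("no pin published, accept:", accept_server_key(server_key, None))
    print("matching pin published, accept:", accept_server_key(server_key, published))
    print("mismatching key, accept:", accept_server_key(other_key, published))
```

Note that the policy is what makes the pin useful for the case Ben raises (a server that cannot resolve its own name): a resolver that treats a published pin as optional could be downgraded by an on-path attacker who simply presents a different key, so once a pin is present it has to be enforced.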
