Paul Hoffman <[email protected]> wrote: > On 2 Nov 2017, at 8:04, Bob Harold wrote: > > > I generally agree with you, but wonder if there is a performance penalty to > > searching every possible path before failing. Is that a reasonable concern? > > These are reasonable questions, ones that were actively discussed in the PKIX > world 20+ years ago. The consensus conclusion was that any performance penalty > was worth the consistency of answers, since the relying part (the stub > resolver in our case) had no control over the order of evaluation.
It's worth noting that the PKIX chain of trust is a directed graph whereas the DNS is a tree, and trees are a lot easier to follow. (No loops etc.) Tony. -- f.anthony.n.finch <[email protected]> http://dotat.at/ - I xn--zr8h punycode Fitzroy: Cyclonic 4 or 5, increasing 6 at times. Slight or moderate. Rain or thundery showers. Good, occasionally poor. _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
