Vernon Schryver <[email protected]> wrote:
> > That's a good point, except I can only go with "somewhat useful".

Try www.apple.com which is a typically pathological akamaized site:

    www.apple.com.                  1756    IN  CNAME  www.isg-apple.com.akadns.net.
    www.isg-apple.com.akadns.net.   16      IN  CNAME  www.apple.com.edgekey.net.
    www.apple.com.edgekey.net.      21557   IN  CNAME  e3191.c.akamaiedge.net.
    e3191.c.akamaiedge.net.         20      IN  A      2.19.157.15

Which is four round trips and 38 queries, for A and AAAA and all the DNSKEY and DS RRsets - it would only need 22 queries if the client knows where the zone cuts are, but to find that out requires extra round trips.

The actual amount of data to validate this CNAME chain (if it were signed) is about 9KB. If you gather the data with separate queries then it'll be more like 20KB because of all the negative responses for missing zone cuts. So if you have a 1 Mbit/s downlink with 50 ms latency that's getting on for half a second delay, about twice as long as if you could get the whole chain in one (TCP) request.

In order for DANE not to harm performance, a client needs to be able to fetch and validate the TLSA RRset during the time it takes to connect to the remote server and receive its certificate (a DNS lookup and two round trips, for the TCP handshake and half the TLS handshake).

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
