On Wed, 3 Oct 2012, Tony Finch wrote:
> In order for DANE not to harm performance, a client needs to be able to fetch and validate the TLSA RRset during the time it takes to connect to the remote server and receive its certificate (a DNS lookup and two round trips, for the TCP handshake and half the TLS handshake).

Uhm that would be the wrong way of doing it. You fire requests for the A/AAAA and TLSA records at the same time. There is no point waiting on the A/AAAA record before requesting the TLSA record.

Paul
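Added example, not part of either message: a small asyncio model of the two query orderings discussed above, showing where a client would block on the TLSA answer. The resolver stub `fake_query`, the helper names, and all latencies are constructed assumptions; no network traffic is sent.

```python
import asyncio

# Constructed latencies in seconds (assumptions, not measurements).
ADDR_LOOKUP = 0.20   # A/AAAA answer
TLSA_LOOKUP = 0.20   # TLSA answer, including DNSSEC validation
RTT = 0.05           # one round trip to the TLS server

def tlsa_owner(host, port=443, proto="tcp"):
    # RFC 6698 section 3: the TLSA RRset lives at _port._proto.host
    return f"_{port}._{proto}.{host.rstrip('.')}."

async def fake_query(name, rtype, delay, log):
    # Hypothetical stub resolver: records send/answer events and sleeps.
    log.append(("send", rtype))
    await asyncio.sleep(delay)
    log.append(("answer", rtype))
    return (name, rtype)

async def connect(host, parallel, log):
    loop = asyncio.get_running_loop()

    def start_tlsa():
        query = fake_query(tlsa_owner(host), "TLSA", TLSA_LOOKUP, log)
        return asyncio.create_task(query)

    # Parallel: the TLSA query goes out together with the address query.
    tlsa = start_tlsa() if parallel else None
    await fake_query(host, "A", ADDR_LOOKUP, log)
    if tlsa is None:
        # Serial: the TLSA query is only sent once the address is known.
        tlsa = start_tlsa()
    # TCP handshake plus ClientHello -> Certificate: two round trips.
    await asyncio.sleep(2 * RTT)
    log.append(("cert", "TLS"))
    waited_from = loop.time()
    await tlsa  # the only point where DANE can hold up the handshake
    log.append(("validated", "TLS"))
    return loop.time() - waited_from  # seconds stalled waiting for TLSA

def run(parallel, host="www.example.com"):
    log = []
    stall = asyncio.run(connect(host, parallel, log))
    return log, stall

if __name__ == "__main__":
    for mode in (True, False):
        events, stall = run(mode)
        print("parallel" if mode else "serial", f"stall={stall:.3f}s", events)
```

With these numbers the parallel client already holds the TLSA RRset when the certificate arrives, while the serial client stalls for roughly TLSA_LOOKUP minus two round trips.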
