Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> On 2 Nov 2017, at 8:04, Bob Harold wrote:
>
> > I generally agree with you, but wonder if there is a performance penalty to
> > searching every possible path before failing.  Is that a reasonable concern?
>
> These are reasonable questions, ones that were actively discussed in the PKIX
> world 20+ years ago. The consensus conclusion was that any performance penalty
> was worth the consistency of answers, since the relying party (the stub
> resolver in our case) had no control over the order of evaluation.

It's worth noting that the PKIX chain of trust is a directed graph whereas
the DNS is a tree, and trees are a lot easier to follow. (No loops etc.)

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fitzroy: Cyclonic 4 or 5, increasing 6 at times. Slight or moderate. Rain or
thundery showers. Good, occasionally poor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop