> On Mar 5, 2018, at 4:32 AM, Willem Toorop <wil...@nlnetlabs.nl> wrote:
>
>> Therefore, any long-term caching of a destination's support for the extension
>> should require server opt-in, and must have a maximum duration.
>
> How do you (all) feel about using the expiry date on the RRSIG for the
> TLSA to be used for this purpose?
I don't think the expiry date is adequate for this purpose. To reduce the scope for replay attacks, my domain has 14 day RRSIG lifetimes, and automated re-signing happens as records age, so they are often as close as ~4 days away from expiration when re-signed. And yet, if I were to deploy a web server that implements this extension, I'd want to commit to DANE for a considerably longer time.

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
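Added illustration of the point made above (not part of the thread, and not anyone's production code): read the expiration out of a TLSA RRSIG in RFC 4034 presentation format and compute the commitment a client would get if it cached "this host does DANE" only until that signature expires, then model the 14-day-lifetime / re-sign-at-about-4-days schedule described in the reply. The RRSIG line, owner name and key tag are constructed.

```python
"""Added example: DANE commitment bounded by TLSA RRSIG expiry.
The RRSIG below is constructed, not real zone data."""
from datetime import datetime, timedelta, timezone

# Constructed RRSIG, RFC 4034 presentation format. RDATA after "RRSIG":
# type_covered alg labels orig_ttl expiration inception keytag signer sig
CONSTRUCTED_RRSIG = (
    "_443._tcp.www.example.net. 3600 IN RRSIG TLSA 13 5 3600 "
    "20180319043200 20180305043200 12345 example.net. "
    "c29tZWJhc2U2NHNpZ25hdHVyZQ=="
)
_TS = "%Y%m%d%H%M%S"   # RRSIG timestamps are YYYYMMDDHHmmSS in UTC


def parse_rrsig_times(rr: str):
    """Return (inception, expiration) as aware UTC datetimes."""
    fields = rr.split()
    if "RRSIG" not in fields:
        raise ValueError("not an RRSIG record")
    i = fields.index("RRSIG")
    expiration, inception = fields[i + 5], fields[i + 6]
    return (datetime.strptime(inception, _TS).replace(tzinfo=timezone.utc),
            datetime.strptime(expiration, _TS).replace(tzinfo=timezone.utc))


def pin_lifetime_from_rrsig(rr: str, now: datetime) -> timedelta:
    """Remaining signature validity at `now`: the longest a client could
    cache DANE support if the RRSIG expiry were the cap."""
    inception, expiration = parse_rrsig_times(rr)
    if not inception <= now < expiration:
        return timedelta(0)            # not valid now: nothing to cache
    return expiration - now


def simulate_resign_schedule(lifetime_days, resign_below_days, start, days):
    """Model the schedule from the reply: signatures live `lifetime_days`,
    re-signed once fewer than `resign_below_days` remain. Returns the
    (min, max) remaining validity a client sampling once a day observes."""
    exp = start + timedelta(days=lifetime_days)
    seen = []
    for d in range(days):
        now = start + timedelta(days=d)
        if exp - now < timedelta(days=resign_below_days):
            exp = now + timedelta(days=lifetime_days)     # automated re-sign
        seen.append(exp - now)
    return min(seen), max(seen)
```

With the 14-day / 4-day schedule the observed commitment never exceeds 14 days and drops to about 4 days just before each re-signing, so the RRSIG expiry bounds a DANE pin to days, not the longer period a server operator may actually want to commit to.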