On Thu, Jul 19, 2018 at 12:16:18PM -0400, Viktor Dukhovni wrote:
> On Wed, Jul 18, 2018 at 10:23:49PM -0500, Nico Williams wrote:
> > > At yesterday's WG meeting, Sam Weiler suggested that the pinning
> > > information could be conveyed via the DNS. That way you would not need new
> > > holes/fields in the TLS extension. Paul said it doesn't work. But Willem
> > > Toorop and I discussed it after the meeting, and think that it does.
> >
> > I agree that it _could_ be done with a DNS RR. However, that has two
> > negative effects: 1) it will bloat the extension's payload more than the
> > two bytes we're asking for, 2) it complicates deployment / the
> > operator's life.
>
> In any realistic deployment, the publisher of the TLSA records is
> the *same* entity that provisions the certificate chain; anything
> else is operationally untenable.
To make it short, the problem is that with A RRs the customer has to update TLSA RRs to match the hosting site's, and has to do this on a timely basis. That can certainly be arranged, but I agree that at least initially, and until this is generally automated, that will indeed be a problem. But I'm not too concerned because it is just a matter of automation.

My issues with a new DNS RR for specification of pinning remain.

Nico

-- 
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls