On Fri, 21 Feb 2014, Nicholas Weaver wrote:
The only disadvantage is that on the server side you need to get this data fairly frequently, since the timeout may be fast (first expiring RRSIG on the chain of validation from . to the DANE record), which means the very rarely updating certificate store model common to web servers isn't appropriate, but that's no real big deal.
Huh? If I put a 9999999 RRSIG timeout on my TLSA signature, once you have fetched it, it is pretty irrelevant that somewhere upstream an RRSIG expired. Are you suggesting resolvers should throw away chains of DNS from the cache once a single RRSIG expires?

Paul

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
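The two posters are talking about different clocks: the cache lifetime of an already-validated TLSA RRset versus the moment at which a fresh validation from the root would start to fail. The following added example (not code from either poster or from any DANE implementation) makes both computable. It applies the RFC 4035 section 5.3.3 rule for a validated RRset, which caps the cached TTL at the minimum of the RRset TTL, the RRSIG TTL, the RRSIG Original TTL field, and the seconds remaining until Signature Expiration, and separately reports the earliest RRSIG expiration anywhere along the chain, which is the deadline a server operator who re-fetches the whole chain would care about. The chain, the zone names and the expiration times are constructed sample values, not data from the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SignedRRset:
    """One link in a DNSSEC validation chain with the fields RFC 4035 5.3.3 uses."""
    name: str
    rrtype: str
    ttl: int               # TTL of the RRset as received, seconds
    rrsig_ttl: int         # TTL of the RRSIG RR itself, seconds
    original_ttl: int      # RRSIG "Original TTL" field, seconds
    expiration: datetime   # RRSIG Signature Expiration, UTC


def validated_ttl(rrset: SignedRRset, now: datetime) -> int:
    """Cache lifetime a validating resolver may give this RRset (RFC 4035 5.3.3).

    The cap only depends on this RRset's own RRSIG: once validated and cached,
    the expiry of a DNSKEY or DS higher up the chain does not shorten it.
    """
    remaining = int((rrset.expiration - now).total_seconds())
    return max(0, min(rrset.ttl, rrset.rrsig_ttl, rrset.original_ttl, remaining))


def earliest_chain_expiration(chain: list[SignedRRset]) -> SignedRRset:
    """The link whose RRSIG expires first: a from-scratch validation fails after it."""
    return min(chain, key=lambda r: r.expiration)


def chain_revalidation_window(chain: list[SignedRRset], now: datetime) -> int:
    """Seconds until a fresh validation from the root would no longer succeed."""
    first = earliest_chain_expiration(chain)
    return max(0, int((first.expiration - now).total_seconds()))


def build_example_chain(now: datetime) -> list[SignedRRset]:
    """Constructed sample chain from . down to a TLSA record (hypothetical names)."""
    day = 24 * 3600
    return [
        SignedRRset(".", "DNSKEY", 172800, 172800, 172800, now + timedelta(days=7)),
        SignedRRset("example.", "DS", 86400, 86400, 86400, now + timedelta(days=3)),
        SignedRRset("example.", "DNSKEY", 3600, 3600, 3600, now + timedelta(days=2)),
        SignedRRset("zone.example.", "DS", 86400, 86400, 86400, now + timedelta(days=5)),
        # The zone operator's "9999999 second" signature on the TLSA RRset.
        SignedRRset("_443._tcp.www.zone.example.", "TLSA", 3600, 3600, 3600,
                    now + timedelta(seconds=9_999_999)),
    ]


if __name__ == "__main__":
    now = datetime(2014, 2, 21, 12, 0, tzinfo=timezone.utc)
    chain = build_example_chain(now)
    tlsa = chain[-1]
    print("cached TLSA TTL after validation:", validated_ttl(tlsa, now), "s")
    weakest = earliest_chain_expiration(chain)
    print("first expiring RRSIG:", weakest.name, weakest.rrtype, weakest.expiration)
    print("seconds until a fresh chain validation fails:",
          chain_revalidation_window(chain, now))
```

With these constructed values the validated TLSA RRset is cached for its full 3600 seconds regardless of the upstream keys, while a client that had nothing cached would only be able to rebuild the chain for another two days, after which the zone's DNSKEY RRSIG needs to have been re-signed and re-published. The example generalizes the thread's single case to any chain length.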
