[dns-operations] getting DNSSEC trust chains, was Re: Massive DNS poisoning attacks in Brazil

Paul Wouters paul at cypherpunks.ca
Wed Oct 3 17:50:09 UTC 2012


On Wed, 3 Oct 2012, Tony Finch wrote:

> In order for DANE not to harm performance, a client needs to be able to
> fetch and validate the TLSA RRset during the time it takes to connect to
> the remote server and receive its certificate (a DNS lookup and two round
> trips, for the TCP handshake and half the TLS handshake).

Uhm, that would be the wrong way of doing it. You fire requests for the
A/AAAA and TLSA records at the same time. There is no point waiting on
the A/AAAA record before requesting the TLSA record.

Paul
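
The lookup pattern described above, as an added example that is not part of Paul's post or any DANE implementation: the A, AAAA and TLSA queries are issued concurrently, and the returned TLSA record is then matched against the server's certificate. The resolver is replaced by a constructed in-memory zone with per-record latencies, and the certificate, SPKI bytes and host name are constructed stand-ins; the `_443._tcp.<host>` owner name and the usage/selector/matching-type fields follow RFC 6698.

```python
import asyncio
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE (match the end-entity cert itself); 0-2 also need PKIX validation
    selector: int  # 0 = full DER certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512 of the selected data
    data: bytes


def tlsa_owner(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset for a TLS service (RFC 6698 section 3)."""
    return f"_{port}._{proto}.{host}."


# Constructed stand-ins for the remote server's certificate; not real DER.
FAKE_CERT_DER = b"constructed-certificate-der"
FAKE_SPKI = b"constructed-subject-public-key-info"

# Constructed zone: (simulated resolver latency in seconds, answer RRset).
FAKE_ZONE = {
    "www.example.com./A": (0.05, ["192.0.2.10"]),
    "www.example.com./AAAA": (0.05, ["2001:db8::10"]),
    "_443._tcp.www.example.com./TLSA": (0.08, [TLSA(3, 1, 1, hashlib.sha256(FAKE_SPKI).digest())]),
}


async def query(name: str, rtype: str):
    delay, answer = FAKE_ZONE[f"{name}/{rtype}"]
    await asyncio.sleep(delay)  # stands in for the network round trip
    return answer


async def lookup_for_tls(host: str, port: int = 443):
    """Fire A, AAAA and TLSA at once; the TLSA query never waits on the address answers."""
    a, aaaa, tlsa = await asyncio.gather(
        query(f"{host}.", "A"), query(f"{host}.", "AAAA"), query(tlsa_owner(host, port), "TLSA")
    )
    return a + aaaa, tlsa


def resolve(host: str, port: int = 443):
    return asyncio.run(lookup_for_tls(host, port))


def cert_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Check the presented certificate against one TLSA record (usage-specific PKIX checks omitted)."""
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return selected == rr.data
    digest = {1: hashlib.sha256, 2: hashlib.sha512}.get(rr.mtype)
    return digest is not None and digest(selected).digest() == rr.data
```

With the zone above the three answers arrive after the slowest single query (0.08 s) rather than the 0.18 s a serialised A, then AAAA, then TLSA sequence would take.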


