[dns-operations] getting DNSSEC trust chains, was Re: Massive DNS poisoning attacks in Brazil

Tony Finch dot at dotat.at
Wed Oct 3 17:58:23 UTC 2012


Paul Wouters <paul at cypherpunks.ca> wrote:
> On Wed, 3 Oct 2012, Tony Finch wrote:
>
> > In order for DANE not to harm performance, a client needs to be able to
> > fetch and validate the TLSA RRset during the time it takes to connect to
> > the remote server and receive its certificate (a DNS lookup and two round
> > trips, for the TCP handshake and half the TLS handshake).
>
> Uhm that would be the wrong way of doing it. You fire requests for the
> A/AAAA and TLSA records at the same time. There is no point waiting on
> the A/AAAA record before requesting the TLSA record.

Yes, I included the address lookup in the time budget. You can start
setting up the connection when you have the answer to the A / AAAA
queries and abort if validation subsequently fails.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
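The flow Tony describes, as an added Python example that is not code from this thread: the address and TLSA queries are fired together, the connection starts as soon as the addresses arrive, and it is dropped if the TLSA RRset is not DNSSEC-validated or does not match the presented certificate (RFC 6698 matching for the DANE-EE usage). The resolver and connector coroutines, the Conn class and the certificate bytes are constructed stand-ins.

```python
import asyncio
import hashlib
from dataclasses import dataclass

@dataclass
class TLSA:
    usage: int      # RFC 6698 certificate usage; only 3 (DANE-EE) handled below
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Match one TLSA record against the presented end-entity certificate.
    Usages 0-2 need chain or PKIX checks that are out of scope here."""
    if rec.usage != 3:
        return False
    target = cert_der if rec.selector == 0 else spki_der
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}.get(rec.mtype)
    return digest is not None and digest(target) == rec.data

@dataclass
class Conn:                      # constructed stand-in for a TLS connection
    cert_der: bytes
    spki_der: bytes
    closed: bool = False
    def close(self): self.closed = True

async def connect_with_dane(name, port, resolve_addrs, resolve_tlsa, tcp_connect):
    """resolve_addrs(name) -> [ip]; resolve_tlsa(qname) -> (dnssec_ok, [TLSA]);
    tcp_connect(ip, port) -> Conn. All three are injected coroutines (assumed)."""
    addr_task = asyncio.create_task(resolve_addrs(name))
    tlsa_task = asyncio.create_task(resolve_tlsa(f"_{port}._tcp.{name}"))
    addrs = await addr_task                    # TLSA query still in flight
    conn = await tcp_connect(addrs[0], port)   # start TCP/TLS without waiting for TLSA
    secure, rrset = await tlsa_task
    if not secure or not any(tlsa_matches(r, conn.cert_der, conn.spki_der) for r in rrset):
        conn.close()                           # abort: unvalidated or mismatching TLSA
        return None
    return conn

def demo(tamper: bool = False, secure: bool = True):
    """Run the flow against constructed stubs; returns the Conn or None on abort."""
    cert, spki = b"constructed-cert-der", b"constructed-spki-der"
    assoc = hashlib.sha256(b"other-cert" if tamper else cert).digest()
    async def addrs(name): await asyncio.sleep(0.01); return ["192.0.2.1"]
    async def tlsa(qname): await asyncio.sleep(0.02); return (secure, [TLSA(3, 0, 1, assoc)])
    async def connect(ip, port): return Conn(cert, spki)
    return asyncio.run(connect_with_dane("example.com", 443, addrs, tlsa, connect))
```

The stubs delay the TLSA answer longer than the address answer so the connect genuinely overlaps the outstanding lookup, which is the performance point of the thread.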