[dns-operations] Lack of tlsa support

Joe Abley jabley at hopcount.ca
Thu May 28 09:28:54 UTC 2015



On 28 May 2015, at 1:25, Wessels, Duane wrote:

>> On May 27, 2015, at 10:32 AM, Joe Abley <jabley at hopcount.ca> wrote:
>>
>> It's not obvious that this is a problem for anybody, though; it's not like you'd expect to see a TLSA RRSet in there.
>
> Isn't this truly a problem because if my cache is cold (for the zone in question) my recursive name server
> could send it a query for "_443._tcp.www.example.accountant. TLSA" (to keep picking on them) which would then
> just time out?

Oh, that's true. I'm not sure how likely it is that the cache would be cold, though, given that a client looking for a TLSA has probably already just looked for an A/AAAA/MX. But point taken.


Joe
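An added example, not from the thread: a small standard-library Python probe that builds the TLSA query Duane describes, sends it to an authoritative server, and reports whether the server answers NODATA (the expected result for a zone with no TLSA records), returns another RCODE, or simply times out. The server address is a command-line argument, and the sample reply used below is constructed, not captured.

```python
import socket
import struct
import sys

TLSA = 52  # RR type number for TLSA (RFC 6698)


def build_query(qname: str, qtype: int = TLSA, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query in wire format (RD set, no EDNS)."""
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def classify_response(resp: bytes) -> str:
    """Classify a raw DNS response by RCODE and answer count."""
    if len(resp) < 12:
        return "MALFORMED"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    if rcode == 0:
        # NOERROR with an empty answer section is the healthy "NODATA" reply
        return "ANSWER" if ancount else "NODATA"
    return {3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}.get(rcode, f"RCODE{rcode}")


def probe(qname: str, server: str, timeout: float = 2.0) -> str:
    """Send one UDP TLSA query; a server that drops unknown types yields TIMEOUT."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    return classify_response(data)


# Constructed sample: a NOERROR/NODATA reply (QR, RD, RA set, RCODE 0) that
# echoes the question from the thread and carries no answer records.
SAMPLE_NODATA = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + \
    build_query("_443._tcp.www.example.accountant.")[12:]

if __name__ == "__main__":
    # usage: python probe.py <authoritative-server-ip> [qname]
    name = sys.argv[2] if len(sys.argv) > 2 else "_443._tcp.www.example.accountant."
    print(name, "->", probe(name, sys.argv[1]))
```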