Re: Quic: the elephant in the room

Viktor Dukhovni <> Mon, 12 April 2021 03:38 UTC

Date: Sun, 11 Apr 2021 23:38:09 -0400
From: Viktor Dukhovni <>
To: IETF Discussion Mailing List <>
Subject: Re: Quic: the elephant in the room

On Sun, Apr 11, 2021 at 10:18:39PM +0000, Salz, Rich wrote:

> > I don't understand.  Suppose, a big e-commerce site
> > (or, a government-run broadcasting company, many
> > examples work), uses cdn1 and cdn2 in some specific order and
> > is CNAME'd to cdn1. Suppose they want to switch from
> > cdn1 to cdn2 for some reason.
> > 
> > How does www.ecomm.comm switch their DNSSEC records quickly enough?
> > I'm sure I am missing something.
> You publish TLSA RRs for the new one and after the switch you delete the
> ones for the old one.  You can have more than one TLSA RR in a TLSA
> RRset.

I often see CNAMEs used with CDNs:

    IN CNAME www.somecdn.example.

one may as well delegate the TLSA record management to the CDN:

    IN CNAME _443._tcp.www.somecdn.example.

since the CDN in any case manages the certificate deployment, ...
Therefore, when it is time to switch CDNs:

    IN CNAME www.someothercdn.example.
    IN CNAME _443._tcp.www.someothercdn.example.

If both providers are known to use the same intermediate CA (say Let's
Encrypt), then the TLSA RRSet can be published on the customer side,
and will survive certificate rollovers so long as the intermediate CA
key is not replaced (as it was recently for Let's Encrypt X3 -> R3).

But any sort of TLSA RR on the customer side, while the cert rollovers
are managed by the CDN, is too fragile.  The TLSA RRs should properly
be published by the CDN as above.

If indeed sub-minute migration from one CDN to another is required, then
the TTL for the _443._tcp.[...] CNAME would need to be sub-minute.  Is
such a short cutover time really a requirement?
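The delegation pattern discussed in this message, as an added worked example that is not part of the thread and not code from any CDN or DNS project: a toy zone in which the customer's `_443._tcp` name is a CNAME to the CDN's TLSA RRset, a resolver-style lookup that follows the CNAME chain, and a simplified DANE matcher (DANE-EE usage 3 and DANE-TA usage 2 only; PKIX usages 0/1 are not modelled). The owner names (`www.ecomm.example.`), the CDN names, the addresses and the "certificates" (SHA-256 stand-ins for DER SPKI bytes) are all constructed for the example. It also shows the failure mode the message warns about: a customer-side DANE-TA record pinning the intermediate survives leaf rollover but breaks when the intermediate key changes (the X3 -> R3 case).

```python
import hashlib

# --- constructed certificate stand-ins (no real DER parsing here) ---
def mk_cert(name, spki_seed):
    """Toy certificate record; 'spki' and 'der' are constructed bytes."""
    spki = hashlib.sha256(spki_seed.encode()).digest()   # stands in for SPKI DER
    return {"name": name, "spki": spki, "der": b"cert:" + name.encode() + spki}

def tlsa_from_cert(cert, usage, selector=1, mtype=1):
    """TLSA rdata for cert (RFC 6698): selector 0 = full cert, 1 = SPKI;
    matching type 1 = SHA-256, 2 = SHA-512. Returned as a 4-tuple."""
    data = cert["der"] if selector == 0 else cert["spki"]
    digest = hashlib.sha256(data) if mtype == 1 else hashlib.sha512(data)
    return (usage, selector, mtype, digest.hexdigest())

def lookup(zone, name, rrtype, max_cname=8):
    """Resolve name for rrtype, following CNAMEs the way a resolver does.
    Returns (canonical name, list of rdata)."""
    for _ in range(max_cname):
        rrs = zone.get(name, [])
        cname = [r for t, r in rrs if t == "CNAME"]
        if cname:
            name = cname[0]          # an owner with a CNAME has no other data
            continue
        return name, [r for t, r in rrs if t == rrtype]
    raise RuntimeError("CNAME chain too long")

def dane_match(tlsa_rrset, chain):
    """Match a presented chain (leaf first) against a TLSA RRset.
    Usage 3 (DANE-EE) must match the leaf; usage 2 (DANE-TA) must match
    an issuer in the chain. Usages 0/1 need PKIX validation (not modelled)."""
    for usage, selector, mtype, hexdigest in tlsa_rrset:
        candidates = chain[:1] if usage == 3 else chain[1:] if usage == 2 else []
        for cert in candidates:
            if tlsa_from_cert(cert, usage, selector, mtype)[3] == hexdigest:
                return True
    return False

# --- constructed CAs, leaf certs and zone data (all assumptions) ---
X3 = mk_cert("LE-X3", "x3-key")           # old intermediate
R3 = mk_cert("LE-R3", "r3-key")           # replacement intermediate
CDN1_LEAF = mk_cert("www.somecdn.example", "cdn1-key-1")
CDN2_LEAF = mk_cert("www.someothercdn.example", "cdn2-key-1")

ZONE = {
    # customer zone: both the host and its _443._tcp name point at the CDN
    "www.ecomm.example.": [("CNAME", "www.somecdn.example.")],
    "_443._tcp.www.ecomm.example.": [("CNAME", "_443._tcp.www.somecdn.example.")],
    # each CDN publishes TLSA for the cert it actually deploys (DANE-EE)
    "www.somecdn.example.": [("A", "192.0.2.10")],
    "_443._tcp.www.somecdn.example.": [("TLSA", tlsa_from_cert(CDN1_LEAF, 3))],
    "www.someothercdn.example.": [("A", "198.51.100.10")],
    "_443._tcp.www.someothercdn.example.": [("TLSA", tlsa_from_cert(CDN2_LEAF, 3))],
}

def switch_cdn(zone, customer, new_cdn):
    """Migrate a customer: repoint both CNAMEs; no TLSA data is touched."""
    zone[customer] = [("CNAME", new_cdn)]
    zone["_443._tcp." + customer] = [("CNAME", "_443._tcp." + new_cdn)]

def verify_site(zone, host, chain):
    """What a DANE-aware client does: look up TLSA for the host, then match."""
    _, tlsa = lookup(zone, "_443._tcp." + host, "TLSA")
    return dane_match(tlsa, chain)

def run_scenarios():
    zone = dict(ZONE)
    site = "www.ecomm.example."
    before = verify_site(zone, site, [CDN1_LEAF, X3])
    switch_cdn(zone, site, "www.someothercdn.example.")
    after = verify_site(zone, site, [CDN2_LEAF, X3])       # new CDN's cert
    stale = verify_site(zone, site, [CDN1_LEAF, X3])       # old CDN's cert
    # the fragile alternative: customer pins the intermediate (DANE-TA)
    pinned = [tlsa_from_cert(X3, 2)]
    rolled_leaf = mk_cert("www.somecdn.example", "cdn1-key-2")
    leaf_rollover_ok = dane_match(pinned, [rolled_leaf, X3])
    ca_change_ok = dane_match(pinned, [rolled_leaf, R3])
    return {"before": before, "after": after, "stale": stale,
            "leaf_rollover_ok": leaf_rollover_ok, "ca_change_ok": ca_change_ok}

if __name__ == "__main__":
    print(run_scenarios())
```

The CDN switch only changes the two customer-side CNAMEs, so the TLSA data a client ends up with is whatever the currently selected CDN publishes for the certificate it actually serves; the cutover is bounded by the CNAME TTLs, which is the sub-minute question raised at the end of the message. The last two results show why a customer-side DANE-TA record is brittle: it tolerates leaf renewals but silently breaks the moment the CDN's CA swaps its intermediate key.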