Re: Quic: the elephant in the room

[Viktor Dukhovni <ietf-dane@dukhovni.org>]

On Sun, Apr 11, 2021 at 10:18:39PM +0000, Salz, Rich wrote:

> > I don't understand.  Suppose www.ecomm.com, a big e-commerce site
> > (or www.kingdom.com, a government-run broadcasting company, many
> > examples work), uses cdn1 and cdn2 in some specific order and
> > www.ecomm.com is CNAME'd to cdn1. Suppose they want to switch from
> > cdn1 to cdn2 for some reason.
> > 
> > How does www.ecomm.comm switch their DNSSEC records quickly enough?
> > I'm sure I am missing something.
> 
> You publish TLSA RRs for the new one and after the switch you delete the
> ones for the old one.  You can have more than one TLSA RR in a TLSA
> RRset.

I often see CNAMEs used with CDNs:

    www.example.com. IN CNAME www.somecdn.example.

one may as well delegate the TLSA record management to the CDN:

    _443._tcp.www.example.com. IN CNAME _443._tcp.www.somecdn.example.

since the CDN in any case manages the certificate deployment, ...
Therefore, when it is time to switch CDNs:

    www.example.com. IN CNAME www.someothercdn.example.
    _443._tcp.www.example.com. IN CNAME _443._tcp.www.someothercdn.example.

If both providers are known to use the same intermediate CA (say Let's
Encrypt), then the TLSA RRSet can be published on the customer side,
and will survive certificate rollovers so long as the intermediate CA
key is not replaced (as it was recently for Let's Encrypt X3 -> R3).

But any sort of TLSA RR on the customer side, while the cert rollover
are managed by the CDN is too fragile.  The TLSA RRs should properly
be published by the CDN as above.

If indeed sub-minute migration from one CDN to another is required, then
the TTL for the _443._tcp.[...] CNAME would need to be sub-minute.  Is
such a short cutover time really a requirement?

-- 
    Viktor.