
How many entries approx can fit without requiring the fallback? I believe I calculated this years ago, but... I normally have my systems manage 3: future, current, and past.
Quoting Viktor Dukhovni ietf-dane@dukhovni.org:
Some MTA operators neglect to prune outdated TLSA records with "usage" DANE-EE(3). As keys or certificates are replaced, they add new matching TLSA records, never dropping the records matching the outdated keys.
This largely defeats the purpose of key or certificate rollover, since it blesses (at least in the context of DANE) ongoing misuse of any past compromise of the old key. And it results in ever growing TLSA records DNS payload sizes, resulting initially in needlessly large UDP payloads, and ultimately failover to TCP for every lookup.
It is best to avoid this pattern and prune outdated TLSA records once the corresponding key (3 1 X) or certificate (3 0 X) is no longer in use.
The authoritative DNS server returns a truncated (TC=1) response, leading to TCP fallback and high, from my vantage point, latency:
$ dig @ns1.evocat.net +norecur +dnssec +noall +stats -t tlsa _25._tcp.mail.evocat.net
;; Query time: 1014 msec
;; SERVER: 185.157.233.76#53(ns1.evocat.net) (TCP)
;; WHEN: Mon Jun 23 04:03:04 UTC 2025
;; MSG SIZE  rcvd: 2886
By way of comparison, the "A" RRset response fits in UDP and the latency I see is 5x lower:
$ dig @ns1.evocat.net +norecur +dnssec +noall +stats -t a mail.evocat.net
;; Query time: 201 msec
;; SERVER: 185.157.233.76#53(ns1.evocat.net) (UDP)
;; WHEN: Mon Jun 23 04:04:55 UTC 2025
;; MSG SIZE  rcvd: 1106
-- Viktor.
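The two points raised in the thread, pruning DANE-EE TLSA records that no longer match a key in use and keeping the signed TLSA answer small enough to avoid TC=1 and TCP fallback, can both be checked mechanically. The script below is an added example written for this page, not code from the thread or from any DANE tool. It parses presentation-format TLSA records, flags usage-3 records whose association data matches none of the keys the operator currently has in use or pre-published, and estimates the wire size of the DNSSEC-signed answer to find how many same-sized records fit under a given EDNS UDP limit. All names and SPKI bytes are constructed, not real DER; the size estimate assumes a single RRSIG over the RRset (64-byte ECDSA P-256 signature by default), name compression for RR owner names, and an OPT record, so it is an approximation rather than what a particular server will emit.

```python
import hashlib
from dataclasses import dataclass

# Hash lengths in bytes for TLSA "matching type" 1 (SHA-256) and 2 (SHA-512);
# type 0 (full certificate or SPKI) is variable length and not checked here.
MATCHING_TYPE_LEN = {1: 32, 2: 64}


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data_hex: str  # certificate association data, lower-case hex

    @property
    def rdata_len(self) -> int:
        # usage + selector + matching type (1 byte each) + association data
        return 3 + len(bytes.fromhex(self.data_hex))


def spki_sha256(spki_der: bytes) -> str:
    """Association data for selector 1 / matching type 1: SHA-256 of the SPKI."""
    return hashlib.sha256(spki_der).hexdigest()


def parse_tlsa(line: str) -> TLSA:
    """Parse '3 1 1 <hex>' as printed by dig; hex may be split by whitespace."""
    usage, selector, mtype, data = line.split(None, 3)
    rec = TLSA(int(usage), int(selector), int(mtype), "".join(data.split()).lower())
    expected = MATCHING_TYPE_LEN.get(rec.matching_type)
    if expected is not None and len(rec.data_hex) != 2 * expected:
        raise ValueError(f"matching type {rec.matching_type} needs {expected} bytes: {line!r}")
    return rec


def stale_dane_ee(records, live_association_data):
    """DANE-EE (usage 3) records matching none of the keys/certs still in use or pre-published."""
    live = {h.lower() for h in live_association_data}
    return [r for r in records if r.usage == 3 and r.data_hex not in live]


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a DNS name: 1 length byte per label plus the root byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1


def estimate_response_size(qname, records, signer_name, sig_len=64, edns=True) -> int:
    """Approximate size of a DNSSEC-signed TLSA answer (header, question, RRset, RRSIG, OPT)."""
    size = 12 + wire_name_len(qname) + 4            # header + question (QNAME, QTYPE, QCLASS)
    for r in records:
        size += 2 + 10 + r.rdata_len                # owner as compression pointer + fixed fields + RDATA
    # RRSIG: pointer + fixed fields + 18 bytes fixed RDATA + signer name + signature
    size += 2 + 10 + 18 + wire_name_len(signer_name) + sig_len
    if edns:
        size += 11                                  # OPT pseudo-RR
    return size


def max_records_within(limit, qname, signer_name, rdata_len=35, sig_len=64) -> int:
    """Largest count of equal-sized TLSA records whose signed answer stays at or under `limit` bytes."""
    overhead = estimate_response_size(qname, [], signer_name, sig_len)
    per_record = 2 + 10 + rdata_len
    return max(0, (limit - overhead) // per_record)


# Constructed sample zone: one retired key left behind, the current key, and a pre-published next key.
QNAME = "_25._tcp.mail.example.net"
ZONE = "example.net."
RETIRED = spki_sha256(b"constructed SPKI bytes for a key retired last year")
CURRENT = spki_sha256(b"constructed SPKI bytes for the key now in use")
FUTURE = spki_sha256(b"constructed SPKI bytes for the next key, pre-published")
ZONE_TLSA = [parse_tlsa(f"3 1 1 {h}") for h in (RETIRED, CURRENT, FUTURE)]


def audit():
    """Return (stale records, estimated answer size, records that fit under 1232 bytes)."""
    stale = stale_dane_ee(ZONE_TLSA, {CURRENT, FUTURE})
    size = estimate_response_size(QNAME, ZONE_TLSA, ZONE)
    fit = max_records_within(1232, QNAME, ZONE)
    return stale, size, fit


if __name__ == "__main__":
    stale, size, fit = audit()
    for r in stale:
        print(f"prune: 3 {r.selector} {r.matching_type} {r.data_hex}")
    print(f"estimated signed answer: {size} bytes; ~{fit} such records fit under 1232 bytes")
```

With the constructed data the retired key is the only record reported for pruning, and the three-record answer is a few hundred bytes. Raising `sig_len` to 256 for an RSA-2048 RRSIG, or adding a second RRSIG during a zone-signing-key rollover, shrinks the count that fits, which is why the estimate should be run against the zone's real signing setup rather than trusted as a fixed number.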