I thought that one of the ideas behind TLSA is the ability to validate CA certificates. In the event that a certificate is compromised, I would have thought that any information that might make the compromised cert appear valid should be removed ASAP. In the event that the certificate is replaced, then that information should be updated to reflect that the old cert is "gone" and that the new cert is in use. As I believe there is not a particularly good mechanism for publishing certificate revocations, TLSA appears to provide a mechanism to assist in revoking certs.
On 3/28/17 2:06 PM, Peter Koch wrote:
> On Tue, Mar 28, 2017 at 01:18:57PM -0400, John Allen wrote:
>> What would be a "good" TTL for TLSA records? Because of their use in validating encryption certs, etc., I assume that the shorter the better. I currently use 15 min; is this too long or too short?
> The TTL is part of the DNS control plane and not strongly related to the validity of the data (and neither is the DNSSEC signature lifetime, btw).
> What threat or failure would suggest that 15 minutes was "too long"?
> -Peter
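An added example, not part of this thread and not code from either poster, to make both points concrete: how a DANE client checks a presented certificate against TLSA RDATA (the RFC 6698 usage/selector/matching-type layout), and what the TTL actually governs when a record for a compromised certificate is pulled from the zone. The "certificate" and "SubjectPublicKeyInfo" byte strings, the owner name `_443._tcp.mail.example.test`, the `ToyResolverCache` and the `rollover_window` helper are all constructed assumptions for illustration; a real client would feed in the X.509 DER bytes and use a real resolver.

```python
"""TLSA matching plus a toy resolver cache (added example, not from the thread).

Shows that removing a TLSA record from the zone only stops clients whose
resolver re-fetches it: a resolver that cached the RRset keeps answering with
the old record until the TTL runs out, so the TTL bounds that window.
"""
import hashlib
import hmac
import struct

# Field values from RFC 6698.
USAGE_DANE_EE = 3          # certificate usage 3: pin the end-entity cert/key directly
SELECTOR_FULL_CERT = 0     # selector 0: match against the whole certificate
SELECTOR_SPKI = 1          # selector 1: match against SubjectPublicKeyInfo only
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def _selected(selector, cert_der, spki_der):
    return cert_der if selector == SELECTOR_FULL_CERT else spki_der


def _assoc_data(mtype, data):
    """Certificate association data: the selected bytes, or their digest."""
    if mtype == MATCH_EXACT:
        return data
    if mtype == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def build_tlsa(usage, selector, mtype, cert_der, spki_der):
    """Wire-format RDATA: three one-octet fields, then the association data."""
    data = _assoc_data(mtype, _selected(selector, cert_der, spki_der))
    return struct.pack("!BBB", usage, selector, mtype) + data


def tlsa_to_text(rdata):
    """Presentation format as it would appear in a zone file, e.g. '3 1 1 <hex>'."""
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return f"{usage} {selector} {mtype} {rdata[3:].hex()}"


def tlsa_matches(rdata, cert_der, spki_der):
    """True if the presented certificate satisfies this single TLSA record."""
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    expected = _assoc_data(mtype, _selected(selector, cert_der, spki_der))
    return hmac.compare_digest(expected, rdata[3:])


def dane_accepts(rrset, cert_der, spki_der):
    """A DANE client accepts the certificate if any record in the RRset matches."""
    return any(tlsa_matches(r, cert_der, spki_der) for r in rrset)


class ToyResolverCache:
    """Caches one RRset per name until its TTL expires; `now` is an integer clock."""

    def __init__(self, zone, ttl):
        self.zone, self.ttl, self.cache = zone, ttl, {}

    def lookup(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:          # still within TTL: serve the cached copy
            return hit[0]
        rrset = list(self.zone.get(name, []))
        self.cache[name] = (rrset, now + self.ttl)
        return rrset


# Constructed stand-ins for DER blobs (a real client uses the actual X.509 bytes).
OLD_SPKI = b"constructed-spki-old-key"
OLD_CERT = b"constructed-cert-hdr" + OLD_SPKI + b"constructed-cert-tail"
NEW_SPKI = b"constructed-spki-new-key"
NEW_CERT = b"constructed-cert-hdr" + NEW_SPKI + b"constructed-cert-tail"
NAME = "_443._tcp.mail.example.test"     # assumed owner name: _port._proto.host


def rollover_window(ttl, cached_at, removed_at, probe_times):
    """Simulate a resolver that cached the TLSA RRset at `cached_at` while the
    zone drops the old (compromised) record at `removed_at`.  Returns the probe
    times at which the old certificate still validates through that cache."""
    old_rr = build_tlsa(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, OLD_CERT, OLD_SPKI)
    new_rr = build_tlsa(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, NEW_CERT, NEW_SPKI)
    zone = {NAME: [old_rr, new_rr]}
    resolver = ToyResolverCache(zone, ttl)
    resolver.lookup(NAME, cached_at)      # cache populated before the removal
    still_valid = []
    for t in sorted(probe_times):
        if t >= removed_at:
            zone[NAME] = [new_rr]         # operator removes the compromised cert's record
        if dane_accepts(resolver.lookup(NAME, t), OLD_CERT, OLD_SPKI):
            still_valid.append(t)
    return still_valid


if __name__ == "__main__":
    rr = build_tlsa(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, OLD_CERT, OLD_SPKI)
    print(NAME, "IN TLSA", tlsa_to_text(rr))
    # With a 900 s TTL and removal at t=100, the old cert keeps validating until t=900.
    print(rollover_window(900, 0, 100, [50, 500, 899, 900, 1000]))
```

The simulation is the practical answer to the TTL question: a record removed from the zone keeps validating the old certificate on every resolver that cached it, for at most one TTL after that resolver's last fetch. A 15 minute TTL therefore bounds the post-removal exposure to 15 minutes per cache, independent of the DNSSEC signature lifetime.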