In your previous mail you wrote:
> I thought TCP was the default when the UDP message size is not enough.
=> with EDNS0 this is a bit more complex but IMHO this is the idea.
Note the recommended "connection management" (RFC 1025 4.2.2) suggests
multiple queries/responses too.
> That's, AFAIK, the only advantage of TCP over SCTP: it's already in
> place and ready. (Yes, one needs to run firewalls and all that stuff.)
=> this is not a new idea but today no server or resolver implementation
supports DNS over SCTP.
I have a lot of sympathy for SCTP but for DNS we need a transaction
oriented transport, i.e., something more secure than simple stateless
query/response over UDP but without the overhead of opening and closing
TCP connections. This is a very old idea, cf. RFC 955, but as far as
I know this is still an open problem. If I am wrong (I'd like to be :-)
please request a BoF in the transport area ASAP!
> A single SCTP connection can support thousands of simultaneous streams,
> I agree SCTP is better, and it's been around for nearly a decade now.
=> IMHO it is far less than 10 years but arguing about this point is
off topic.
> Yet, for those who miss it, good old TCP allows, say, a client to hold
> a couple of connections to its favorite resolver in order to avoid
> many of the threats illustrated by Kaminsky...
=> TCP is very expensive in terms of resources for the server and
TCP is still vulnerable to in-the-path attacks.
> There is also OS support for UDP
> tunneling of SCTP when supporting legacy NATs and firewalls. Until
> there is a significant incentive to make DNS more robust, use of SCTP
> is likely to remain just a good and under appreciated option.
> It seems that DNS over SCTP would solve 90% of the problems with 10%
> of the efforts and resources required to implement DNSSEC. However, I
> hear more often about the latter than the former. How come?
=> DNSSEC is the only available solution which solves the problems.
Others are not available (no specification published in a standard
track RFC or simply unfeasible) or don't address the problems
(hop-by-hop security for instance, when end-to-end is needed).
Both TCP and SCTP are in the others today...
Ietf mailing list
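An added example, not code from the mail or from anyone in the thread: the UDP-first behaviour discussed at the top of the message, with the TC bit triggering a retry over TCP, and the 16-bit length prefix (RFC 1035 section 4.2.2) that lets one TCP connection carry several queries and responses. Only the header and question section are encoded; the resolver address passed to `resolve()` and the function names are assumptions, and the sample responses are constructed inline so the helpers can be exercised offline.

```python
import socket
import struct

# Added example, not the mail's code. Minimal DNS wire-format helpers showing
# UDP-first querying, TC-bit fallback to TCP (RFC 1035 4.2.1/4.2.2) and the
# two-octet length framing that lets many queries share one TCP connection.

FLAG_QR = 0x8000  # response bit
FLAG_TC = 0x0200  # truncation bit: UDP answer did not fit, retry over TCP
FLAG_RD = 0x0100  # recursion desired
UDP_DEFAULT_PAYLOAD = 512  # RFC 1035 UDP limit without EDNS0


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, flags=FLAG_RD):
    """12-octet header plus one question; qtype 1 = A, qclass 1 = IN."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR),
            "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def needs_tcp_retry(query, response):
    """True when a UDP response is truncated (TC=1) and the same query must
    be re-sent over TCP. ID and QR are checked first so an unsolicited or
    mismatched datagram is rejected rather than acted on."""
    h = parse_header(response)
    if h["id"] != struct.unpack("!H", query[:2])[0] or not h["qr"]:
        raise ValueError("response does not match query")
    return h["tc"]


def tcp_frame(msg):
    """RFC 1035 4.2.2: on TCP every message is prefixed by its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream carrying several length-prefixed messages.
    Returns (complete_messages, unconsumed_tail)."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream


def resolve(qname, server, port=53, timeout=3.0):
    """UDP first; on TC=1 resend the identical query over TCP. Real network
    code, not exercised offline; `server` is an assumed resolver address."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, port))
        resp, _ = u.recvfrom(UDP_DEFAULT_PAYLOAD)
    if not needs_tcp_retry(query, resp):
        return resp
    with socket.create_connection((server, port), timeout=timeout) as t:
        t.sendall(tcp_frame(query))
        buf = b""
        while True:
            chunk = t.recv(4096)
            if not chunk:
                raise ConnectionError("server closed TCP connection early")
            buf += chunk
            msgs, _ = tcp_unframe(buf)
            if msgs:
                return msgs[0]


def sample_exchange():
    """Constructed sample data (no network): one query, a truncated response
    and a complete response, both echoing the query's ID and question."""
    query = build_query("example.com")
    truncated = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD,
                            1, 0, 0, 0) + query[12:]
    complete = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD,
                           1, 0, 0, 0) + query[12:]
    return query, truncated, complete
```

`tcp_unframe()` is the piece that makes the "multiple queries per connection" point concrete: the client can write several `tcp_frame()`d queries to one connection and pull the responses back out of the stream as they complete, matching each to its query by ID and question rather than by arrival order.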