1. DNS/TCP
Contents
DNSはTCPを使う時代へ
ゾーンサーバ側ではDNS/TCPサポートが必須とされてきた。(2010年のRFC 5966以来)
- そして、クライアントはUDPを試すことなく、いきなりTCPでqueryを送ってよい。
-- ToshinoriMaeno 2018-04-22 14:42:09
1.1. RFC
DNS Transport over TCP - Implementation Requirements
https://tools.ietf.org/html/rfc5966 (7766でobsoleteになる) August 2010
4. Transport Protocol Selection All general-purpose DNS implementations MUST support both UDP and TCP transport.
https://tools.ietf.org/html/rfc7766 Category: Standards Track
Specification for DNS over Transport Layer Security (TLS) https://tools.ietf.org/html/rfc7858
DNS Transport over TCP - Operational Requirements
- draft-ietf-dnsop-dns-tcp-requirements-01 Best Current Practice
https://tools.ietf.org/html/draft-ietf-dnsop-dns-tcp-requirements-01
Abstract This document encourages the practice of permitting DNS messages to be carried over TCP on the Internet. It also describes some of the consequences of this behavior and the potential operational issues that can arise when this best common practice is not upheld.
1.2. 調査
DNS over TCP A Rudimentary Textual Analysis https://www.nanog.org/sites/default/files/nanog63-dnstrack-kristoff-dnstcp.pdf
DNS over TCP as Seen From the Authoritative Server https://ns1.com/blog/dns-over-tcp-as-seen-from-the-authoritative-server
/JP-domain の調査
1.3. TCP拒否ドメイン
TCP queryに接続拒否ならいいのだが、返事をしないドメインもある。
/heteml.jp /cgi.tbs.co.jp /cwidc.net /datahotel.ne.jp /datacenter.ne.jp
1.4. 部分的サポート
dig +tcp に +noednsを付けないとFORMERRを返すサーバーもある。
1.5. DNS/TCP RFC
https://datatracker.ietf.org/doc/draft-ietf-dnsop-5966bis/
https://tools.ietf.org/html/rfc5966
DNS Transport over TCP - Implementation Requirements
Obsoleted by: 7766 Internet Engineering Task Force (IETF) R. Bellis Request for Comments: 5966 Nominet UK Updates: 1035, 1123 August 2010 Category: Standards Track ISSN: 2070-1721
https://tools.ietf.org/html/rfc7766
Internet Engineering Task Force (IETF) J. Dickinson Request for Comments: 7766 S. Dickinson Obsoletes: 5966 Sinodun Updates: 1035, 1123 R. Bellis Category: Standards Track ISC ISSN: 2070-1721 A. Mankin D. Wessels Verisign Labs March 2016
This document therefore updates the core DNS protocol specifications such that support for TCP is henceforth a REQUIRED part of a full DNS protocol implementation.
Whilst this document makes no specific requirements for operators of DNS servers to meet, it does offer some suggestions to operators to help ensure that support for TCP on their servers and network is optimal. It should be noted that failure to support TCP (or the blocking of DNS over TCP at the network layer) will probably result in resolution failure and/or application-level timeouts.
1.6. ATR
https://blog.apnic.net/2018/04/16/how-well-does-atr-actually-work/
Is it possible to make a hybrid approach for the #DNS — using #UDP when we can, and #TCP only when we must — faster and more robust? https://blog.apnic.net/2018/04/16/how-well-does-atr-actually-work/ …
1.7. 本当に重要なのはセキュリティ
TCPを使うのが筋だろう。 -- ToshinoriMaeno 2018-04-22 15:42:12
UDPを使わせたいのであれば、Cookiesをサポートせよ。