Re: [dnsext] Draft: WGLC draft-ietf-dnsext-dns-tcp-requirements

[Matthew Dempsky <matthew@dempsky.org>]

On Wed, Feb 17, 2010 at 1:18 PM, Alfred HÎnes <ah@tr-sys.de> wrote:
> Such dedicated, special-purpose servers -- entirely independent of
> their particular implementation -- serve a rather small population
> of clients specifically configured to consult this authority in order
> to frequently get data points needed to make policy decisions, isn't it?

No, they're used for serving authoritative zones such as
zen.spamhaus.org and dynablock.njabl.org.

> So these clients would perhaps really appreciate using persistent TCP
> connections to that server -- they can easily amortize the connection
> set-up overhead over thousands of requests and gain the security
> benefits of TCP (in particular improved forgery resilience) vs. UDP.

Which DNS clients are you referring to?  Most stub resolvers still
query these DNS RBLs through a standard DNS recursive resolver (to
benefit from caching), so the protocol those clients use to
communicate has no bearing on what the authoritative server supports.

If you mean the recursive resolver, then are there any recursive
resolver implementations that opt to maintain and use a persistent TCP
connection to pipeline queries rather than just issue multiple UDP
queries in parallel?  If such servers don't exist today, I certainly
don't see a need to mandate that authoritative servers support their
possible existence in the future.

> This perspective would make a serious case to implement TCP on such
> dedicated servers as well.

I'm not convinced, and even if it were, it's not a serious case to
*require* these dedicated servers to implement TCP.  (Note: none of
the authoritative name servers for zen.spamhaus.org or
dynablock.njabl.org currently support DNS queries over TCP.)