1. DNS/TCP

  

DNSはTCPを使う時代へ

ゾーンサーバ側ではDNS/TCPサポートが必須とされてきた。(2010年のRFC 5966以来)

-- ToshinoriMaeno 2018-04-22 14:42:09

DNS/flag_days

1.1. RFC

DNS Transport over TCP - Implementation Requirements

https://tools.ietf.org/html/rfc5966 (7766でobsoleteになる) August 2010

4.  Transport Protocol Selection
   All general-purpose DNS implementations MUST support both UDP and TCP transport.

https://tools.ietf.org/html/rfc7766  Category: Standards Track

Specification for DNS over Transport Layer Security (TLS) https://tools.ietf.org/html/rfc7858

DNS Transport over TCP - Operational Requirements

https://tools.ietf.org/html/draft-ietf-dnsop-dns-tcp-requirements-01

Abstract

   This document encourages the practice of permitting DNS messages to
   be carried over TCP on the Internet.  It also describes some of the
   consequences of this behavior and the potential operational issues
   that can arise when this best common practice is not upheld.

1.2. 調査

DNS over TCP A Rudimentary Textual Analysis https://www.nanog.org/sites/default/files/nanog63-dnstrack-kristoff-dnstcp.pdf

https://www.networkworld.com/article/2231682/cisco-subnet/cisco-subnet-allow-both-tcp-and-udp-port-53-to-your-dns-servers.html

DNS over TCP as Seen From the Authoritative Server https://ns1.com/blog/dns-over-tcp-as-seen-from-the-authoritative-server

/JP-domain の調査

1.3. TCP拒否ドメイン

TCP queryに接続拒否ならいいのだが、返事をしないドメインもある。

/heteml.jp /cgi.tbs.co.jp /cwidc.net /datahotel.ne.jp /datacenter.ne.jp

/ripe.net

1.4. 部分的サポート

/dreamhost.com


dig +tcp に +noednsを付けないとFORMERRを返すサーバーもある。

1.5. DNS/TCP RFC

https://datatracker.ietf.org/doc/draft-ietf-dnsop-5966bis/

https://tools.ietf.org/html/rfc5966

DNS Transport over TCP - Implementation Requirements

Obsoleted by: 7766
Internet Engineering Task Force (IETF)                         R. Bellis
Request for Comments: 5966                                    Nominet UK
Updates: 1035, 1123                                          August 2010
Category: Standards Track
ISSN: 2070-1721

https://tools.ietf.org/html/rfc7766

Internet Engineering Task Force (IETF)                      J. Dickinson
Request for Comments: 7766                                  S. Dickinson
Obsoletes: 5966                                                  Sinodun
Updates: 1035, 1123                                            R. Bellis
Category: Standards Track                                            ISC
ISSN: 2070-1721                                                A. Mankin
                                                              D. Wessels
                                                           Verisign Labs
                                                              March 2016

This document therefore updates the core DNS protocol specifications
such that support for TCP is henceforth a REQUIRED part of a full DNS
protocol implementation.

Whilst this document makes no specific requirements for operators of
DNS servers to meet, it does offer some suggestions to operators to
help ensure that support for TCP on their servers and network is optimal.

It should be noted that failure to support TCP (or the
blocking of DNS over TCP at the network layer) will probably result
in resolution failure and/or application-level timeouts.

1.6. ATR

https://blog.apnic.net/2018/04/16/how-well-does-atr-actually-work/

Is it possible to make a hybrid approach for the #DNS — using #UDP when we can, and #TCP only when we must — faster and more robust? https://blog.apnic.net/2018/04/16/how-well-does-atr-actually-work/

1.7. 本当に重要なのはセキュリティ

TCPを使うのが筋だろう。 -- ToshinoriMaeno 2018-04-22 15:42:12

UDPを使わせたいのであれば、Cookiesをサポートせよ。

Moin2Qmail: DNS/TCP (last edited 2020-11-22 00:06:03 by ToshinoriMaeno)