Douglas Otis wrote:
>> Just using TCP would prevent most of the DNS poisoning attacks that
>> Amir's paper reports.
> TCP is prone to DDoS attack. As such, TCP is seldom used with DNS.

I thought TCP was the default when the UDP message size is not enough.
That's, AFAIK, the only advantage of TCP over SCTP: it's already in
place and ready. (Yes, one needs to run firewalls and all that stuff.)

> A single SCTP connection can support thousands of simultaneous streams,

I agree SCTP is better, and it's been around for nearly a decade now.
Yet, for those who miss it, good old TCP allows, say, a client to hold
a couple of connections to its favorite resolver in order to avoid
many of the threats illustrated by Kaminsky...

> There is also OS support for UDP
> tunneling of SCTP when supporting legacy NATs and firewalls. Until
> there is a significant incentive to make DNS more robust, use of SCTP
> is likely to remain just a good and underappreciated option.

It seems that DNS over SCTP would solve 90% of the problems with 10%
of the efforts and resources required to implement DNSSEC. However, I
hear more often about the latter than the former. How come?
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
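The UDP-to-TCP fallback the reply refers to ("TCP was the default when the UDP message size is not enough") is the RFC 1035 truncation mechanism: a reply that does not fit in 512 bytes comes back with the TC bit set and the client re-asks over TCP, where the message is prefixed with a two-byte length. The following is an added example, not code from the thread or from any IETF project: it builds a query in wire format, checks the TC bit and transaction ID on the UDP reply, and re-issues the query with TCP framing. The resolver is a constructed in-process stub (`stub_server`) so the script runs offline; its name, the 40 padded A records it returns and the 192.0.2.x addresses are assumptions chosen only to push the reply past 512 bytes.

```python
"""Minimal DNS wire-format helpers demonstrating the TC-bit fallback from UDP
to TCP (RFC 1035).  The resolver is a constructed stub; nothing touches the
network.  Added example, not code from the mailing-list thread."""
import random
import struct

UDP_MAX = 512      # classic UDP payload limit without EDNS(0)
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: client should retry over TCP
FLAG_RD = 0x0100   # recursion desired


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, txid=None):
    """Build a DNS query: 12-byte header plus one question (type A, class IN)."""
    if txid is None:
        # An unpredictable 16-bit ID is one of the UDP defences against
        # off-path forgery; on a TCP session the handshake does the work.
        txid = random.getrandbits(16)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return the fields a client must check before trusting a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR),
            "tc": bool(flags & FLAG_TC), "ancount": an}


def stub_server(query, transport):
    """Constructed stand-in for a resolver (hypothetical).  It echoes the
    question and answers with 40 A records (16 bytes each with a compression
    pointer to the question name), 640 bytes of answers, so the full reply
    exceeds UDP_MAX.  Over UDP it therefore sends a truncated reply with TC
    set and an empty answer section; over TCP it sends the whole message."""
    q = parse_header(query)
    question = query[12:]
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)   # name ptr, A, IN, TTL, RDLEN
    answers = b"".join(rr + bytes([192, 0, 2, i]) for i in range(1, 41))
    full = (struct.pack("!HHHHHH", q["id"], FLAG_QR | FLAG_RD, 1, 40, 0, 0)
            + question + answers)
    if transport == "tcp" or len(full) <= UDP_MAX:
        return full
    return (struct.pack("!HHHHHH", q["id"], FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0)
            + question)


def frame_tcp(msg):
    """RFC 1035 TCP framing: two-byte big-endian length before the message."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(data):
    """Strip the two-byte length prefix and return exactly one message."""
    (n,) = struct.unpack("!H", data[:2])
    return data[2:2 + n]


def resolve(qname):
    """Ask over UDP first; if the matching reply is truncated, retry over TCP.
    Returns (transport used, answer count, reply length in bytes)."""
    query = build_query(qname)
    reply = stub_server(query, "udp")
    h = parse_header(reply)
    if h["id"] != parse_header(query)["id"] or not h["qr"]:
        raise ValueError("reply does not match outstanding query")
    transport = "udp"
    if h["tc"]:
        transport = "tcp"
        reply = unframe_tcp(frame_tcp(stub_server(query, "tcp")))
    return transport, parse_header(reply)["ancount"], len(reply)


if __name__ == "__main__":
    print(resolve("example.com"))   # ('tcp', 40, 669)
```

A real client would also compare the question section of the reply with the one it sent and, on UDP, the source port it chose; the stub skips the socket layer but keeps the ID and QR checks so the fallback decision is made only on a reply that actually belongs to the outstanding query.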