David Conrad wrote:
However, pragmatically speaking, I suspect it is going to be much, much easier to get DNSSEC deployed than it would be to get every router/firewall/NAT manufacturer and network operator to support/deploy SCTP, not to mention getting every DNSSEC server to support DNS over SCTP.
Shouldn't be difficult. I'm not much into either technology, but since SCTP can be tunneled through UDP, it should be possible to retrofit SCTP adoption onto an existing DNS implementation. On an OS that provides SCTP natively, a module inserted between the DNS daemon and its UDP sockets may operate the UDP/SCTP conversion when the remote hosts support it. Then, it would just discard spurious incoming UDP packets, and manage keep-alive settings for SCTP connections. It can work on a separate host or firewall, without even recompiling the DNS daemon.
_______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf