In your previous mail you wrote:

> I thought TCP was the default when the UDP message size is not enough.

=> with EDNS0 this is a bit more complex but IMHO this is the idea. Note the recommended "connection management" (RFC 1025 4.2.2) suggests multiple queries/responses too.

> That's, AFAIK, the only advantage of TCP over SCTP: it's already in place and ready. (Yes, one needs to run firewalls and all that stuff.)

=> this is not a new idea but today no server or resolver implementation supports DNS over SCTP. I have a lot of sympathy for SCTP but for DNS we need a transaction-oriented transport, i.e., something more secure than simple stateless query/response over UDP but without the overhead of opening and closing TCP connections. This is a very old idea, cf. RFC 955, but as far as I know this is still an open problem. If I am wrong (I'd like to be :-) please request a BoF in the transport area ASAP!

>> A single SCTP connection can support thousands of simultaneous streams,
>
> I agree SCTP is better, and it's been around for nearly a decade now.

=> IMHO it is far less than 10 years but arguing about this point is off topic.

> Yet, for those who miss it, good old TCP allows, say, a client to hold a couple of connections to its favorite resolver in order to avoid many of the threats illustrated by Kaminsky...

=> TCP is very expensive in terms of resources for the server and TCP is still vulnerable to in-the-path attacks.

>> There is also OS support for UDP tunneling of SCTP when supporting legacy NATs and firewalls. Until there is a significant incentive to make DNS more robust, use of SCTP is likely to remain just a good and underappreciated option.
>
> It seems that DNS over SCTP would solve 90% of the problems with 10% of the efforts and resources required to implement DNSSEC. However, I hear more often about the latter than the former. How come?

=> DNSSEC is the only available solution which solves the problems. Others are not available (no specification published in a standard-track RFC or simply unfeasible) or don't address the problems (hop-by-hop security for instance, when end-to-end is needed). Both TCP and SCTP are in the others today...

Regards

Francis.Dupont@xxxxxxxxxx
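The UDP-first, TCP-on-truncation behaviour and the multiple-queries-per-connection framing discussed in the thread, as an added illustration that is not part of the mail or of any implementation mentioned in it. The message builder and the sample truncated response are constructed here; the resolver address and transport I/O are deliberately left out so the logic runs offline.

```python
import struct

# Added example: minimal DNS message handling for the UDP -> TCP fallback
# discussed above. Nothing here is sent on the wire; the bytes are constructed.

def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                edns_udp_size: int = 4096) -> bytes:
    """Build a recursive query. With edns_udp_size > 0 an EDNS0 OPT RR
    (RFC 6891) advertises the UDP payload size the client can accept,
    which is what makes the "when is TCP needed" question less simple."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/flags (0), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg

def needs_tcp_fallback(response: bytes, txid: int) -> bool:
    """True when a UDP answer for our transaction carries the TC bit,
    i.e. the answer did not fit and the same query must be retried over TCP.
    Replies with a foreign transaction id are ignored, not acted on."""
    if len(response) < 12:
        return False  # not even a DNS header
    rid, flags = struct.unpack("!HH", response[:4])
    return rid == txid and bool(flags & 0x0200)  # TC is bit 9 of the flags

def frame_for_tcp(*messages: bytes) -> bytes:
    """Prefix each message with its 2-byte length (RFC 1035 section 4.2.2),
    so several queries can share one TCP connection instead of paying a
    handshake per query."""
    return b"".join(struct.pack("!H", len(m)) + m for m in messages)

# Constructed sample: header only, id 0x1234, flags QR|RD|TC|RA (0x8380).
TRUNCATED_RESPONSE = b"\x12\x34\x83\x80" + b"\x00" * 8

if __name__ == "__main__":
    q = build_query("example.com.")
    print("query bytes:", len(q))
    if needs_tcp_fallback(TRUNCATED_RESPONSE, 0x1234):
        print("TC set: retry over TCP, framed as", frame_for_tcp(q)[:2].hex())
```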