truncated, but it's equally valid to do TCP in the first place.
I'm aware of that. But with traditional DNS, you start with UDP, and may fall back to TCP. DoS'ing the TCP support doesn't DoS the whole system. (If it were the case that 100% of UDP-based resolutions result in a subsequent TCP-based resolution (which I'm not saying is not the case... I just don't know), then I wouldn't have this concern)
With DNSSEC, the results are large enough that a whole lot of the traffic is over TCP, particularly on IPv6 where packet fragmentation doesn't work reliably. And in any event, as someone else pointed out, https is hardly an untried protocol in hostile environments.
Regards, John Levine, johnl@xxxxxxxxx, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly
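As an added illustration of the UDP-then-TCP fallback discussed in this thread (example code written here, not from any of the participants): a minimal parser for the DNS header's TC (truncation) bit, run over constructed header-only sample responses, plus a helper that reports what share of observed UDP answers would have triggered a TCP retry, which is the quantity the "100% of UDP resolutions" question turns on.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000  # response (1) vs query (0)
FLAG_TC = 0x0200  # message was truncated; client should retry over TCP


def parse_header(msg: bytes) -> dict:
    """Parse the fixed 12-byte DNS header and return its fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response: bytes) -> bool:
    """A stub resolver retries over TCP only when a UDP *response* has TC set."""
    hdr = parse_header(udp_response)
    return hdr["qr"] and hdr["tc"]


def build_header(ident: int, tc: bool = False, ancount: int = 0) -> bytes:
    """Build a constructed response header (no question/answer sections)."""
    flags = FLAG_QR | (FLAG_TC if tc else 0)
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)


# Constructed samples: one complete UDP answer, one truncated answer
COMPLETE_UDP = build_header(0x1234, tc=False, ancount=1)
TRUNCATED_UDP = build_header(0x1234, tc=True, ancount=0)


def tcp_fraction(udp_responses) -> float:
    """Share of captured UDP responses that would force a TCP fallback."""
    if not udp_responses:
        return 0.0
    retries = sum(1 for r in udp_responses if needs_tcp_retry(r))
    return retries / len(udp_responses)
```

Feeding real captured UDP responses to `tcp_fraction` shows how much of a resolver's traffic actually depends on the TCP path, which is what determines whether denying TCP service degrades only DNSSEC-sized answers or the whole system.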