MoinQ:

Describe DNS/RFC/RFC5966 here.

http://tools.ietf.org/html/rfc5966

http://tools.ietf.org/html/rfc1123

../RFC5966-参考 (reference page): http://jprs.jp/tech/notice/2011-03-03-inappropriate-handling-for-long-dns-packet.html


The primary audience for this document is those implementors whose failure to support TCP restricts interoperability and limits deployment of new DNS features.

Even if "new DNS features" includes DNSSEC and IPv6 support, this should not be read as excluding anything else.

Whilst this document makes no specific recommendations to operators of DNS servers, it should be noted that failure to support TCP (or the blocking of DNS over TCP at the network layer) may result in resolution failure and/or application-level timeouts.

EDNS0 is defined, but there are cases where it does not get through:

However, transport of UDP packets that exceed the size of the path MTU causes IP packet fragmentation, which has been found to be unreliable in some circumstances. Many firewalls routinely block fragmented IP packets, and some do not implement the algorithms necessary to reassemble fragmented packets. Worse still, some network devices deliberately refuse to handle DNS packets containing EDNS0 options. Other issues relating to UDP transport and packet size are discussed in [RFC5625].


There are also cases where it is acceptable to use TCP right away:

That requirement is hereby relaxed. A resolver SHOULD send a UDP query first, but MAY elect to send a TCP query instead if it has good reason to expect the response would be truncated if it were sent over UDP (with or without EDNS0) or for other operational reasons, in particular, if it already has an open TCP connection to the server.

This feels a bit too restrictive, but I take "for other operational reasons" to include countermeasures against cache poisoning.
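As an added worked example (not part of this page and not code from RFC 5966), the following Python sketches the section 4 behaviour quoted above together with the EDNS0 payload-size issue from the earlier quote: the query goes out over UDP first, the TC bit of the reply is checked, and on truncation the same query is resent over TCP with the two-octet length prefix; a caller that already has a TCP connection, or expects truncation, passes prefer_tcp and skips UDP. The authoritative server is a constructed fake (fake_udp/fake_tcp, answering any name with 40 A records so the reply exceeds 512 octets) so that the example runs offline; the name example.test, the 192.0.2.x addresses and the function names are all assumptions of this example, not values from the page.

```python
import struct
from typing import Callable, Optional, Tuple

TC_BIT = 0x0200     # TrunCation flag in the DNS header (RFC 1035 section 4.1.1)
OPT_TYPE = 41       # EDNS0 OPT pseudo-RR type (RFC 6891)
HEADER = "!HHHHHH"  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, txid: int = 0x1234, edns_udp_size: Optional[int] = None) -> bytes:
    """A/IN query with RD set; with edns_udp_size, append an OPT RR advertising that UDP payload size."""
    msg = struct.pack(HEADER, txid, 0x0100, 1, 0, 0, 1 if edns_udp_size is not None else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg

def header_fields(msg: bytes) -> Tuple[int, ...]:
    if len(msg) < 12:
        raise ValueError("short DNS message")
    return struct.unpack(HEADER, msg[:12])

def is_truncated(msg: bytes) -> bool:
    return bool(header_fields(msg)[1] & TC_BIT)

def question_end(msg: bytes) -> int:
    """Offset just past the single question (uncompressed QNAME assumed)."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4

def advertised_udp_size(query: bytes) -> int:
    """Payload size from a trailing, option-free OPT RR; the 512-octet RFC 1035 limit when absent."""
    if header_fields(query)[5] and query[-11] == 0 and query[-10:-8] == struct.pack("!H", OPT_TYPE):
        return struct.unpack("!H", query[-8:-6])[0]
    return 512

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP: a two-octet big-endian length precedes each message (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream: bytes) -> Tuple[bytes, bytes]:
    """Split the first framed message off a TCP byte stream: (message, remaining bytes)."""
    if len(stream) < 2:
        raise ValueError("missing length prefix")
    n = struct.unpack("!H", stream[:2])[0]
    if len(stream) < 2 + n:
        raise ValueError("incomplete message")
    return stream[2:2 + n], stream[2 + n:]

def resolve(name: str, send_udp: Callable[[bytes], bytes], send_tcp: Callable[[bytes], bytes],
            prefer_tcp: bool = False, edns_udp_size: Optional[int] = None) -> Tuple[bytes, str]:
    """RFC 5966 section 4: UDP first, retry over TCP when TC=1; go straight to TCP when the caller
    has good reason to (prefer_tcp: an already-open TCP connection or an expected truncation)."""
    query = build_query(name, edns_udp_size=edns_udp_size)
    if not prefer_tcp:
        reply = send_udp(query)
        if not is_truncated(reply):
            return reply, "udp"
    reply, _ = tcp_unframe(send_tcp(tcp_frame(query)))
    return reply, "tcp"

# Constructed fake authoritative server so the example runs offline; it is not a real peer.
FAKE_ANSWER_COUNT = 40   # 40 compressed A records = 640 octets, over the 512-octet UDP default

def fake_full_response(query: bytes) -> bytes:
    msg = struct.pack(HEADER, header_fields(query)[0], 0x8180, 1, FAKE_ANSWER_COUNT, 0, 0)
    msg += query[12:question_end(query)]
    for i in range(FAKE_ANSWER_COUNT):
        # NAME = pointer to the QNAME at offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4, 192.0.2.i (constructed)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, i])
    return msg

def fake_udp(query: bytes) -> bytes:
    full = fake_full_response(query)
    if len(full) <= advertised_udp_size(query):
        return full
    # Too large for the client's UDP size: reply with TC=1 and the question section only.
    head = struct.pack(HEADER, header_fields(query)[0], 0x8180 | TC_BIT, 1, 0, 0, 0)
    return head + query[12:question_end(query)]

def fake_tcp(framed_query: bytes) -> bytes:
    query, _ = tcp_unframe(framed_query)
    return tcp_frame(fake_full_response(query))
```

Calling resolve("example.test", fake_udp, fake_tcp) without EDNS0 gets a TC=1 reply over UDP and completes over TCP; the same call with edns_udp_size=4096 is answered in one UDP round trip, and with prefer_tcp=True the UDP transport is never used. Against a real server, send_udp and send_tcp would be replaced by socket code, and a firewall that drops fragments or EDNS0 packets is exactly the case in which the TCP path keeps resolution working.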

There is no concern (DoS and the like) about using DNS over TCP.

At the time of writing, the vast majority of Top Level Domain (TLD) authority servers and all of the root name servers support TCP and the author knows of no evidence to suggest that TCP-based DoS attacks against existing DNS infrastructure are commonplace.