http://tools.ietf.org/html/rfc5966
http://tools.ietf.org/html/rfc1123
Reference (../RFC5966-参考): http://jprs.jp/tech/notice/2011-03-03-inappropriate-handling-for-long-dns-packet.html
The primary audience for this document is those implementors whose failure to support TCP restricts interoperability and limits deployment of new DNS features.
Even if "new DNS features" includes DNSSEC and IPv6 support, this should not be read as excluding other features.
Whilst this document makes no specific recommendations to operators of DNS servers, it should be noted that failure to support TCP (or the blocking of DNS over TCP at the network layer) may result in resolution failure and/or application-level timeouts.
EDNS0 is defined, but there are cases where it does not get through:
However, transport of UDP packets that exceed the size of the path MTU causes IP packet fragmentation, which has been found to be unreliable in some circumstances. Many firewalls routinely block fragmented IP packets, and some do not implement the algorithms necessary to reassemble fragmented packets. Worse still, some network devices deliberately refuse to handle DNS packets containing EDNS0 options. Other issues relating to UDP transport and packet size are discussed in [RFC5625].
There are also cases where it is fine to use TCP from the start:
That requirement is hereby relaxed. A resolver SHOULD send a UDP query first, but MAY elect to send a TCP query instead if it has good reason to expect the response would be truncated if it were sent over UDP (with or without EDNS0) or for other operational reasons, in particular, if it already has an open TCP connection to the server.
This feels a little too restrictive, but we take "for other operational reasons" to include cache-poisoning countermeasures.
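An added example (not from the RFC or this page) of the resolver behaviour quoted above: send the query over UDP first, retry over TCP with the two-octet length prefix when the response has the TC bit set, or go straight to TCP when there is an operational reason to. The server address and name are whatever the caller passes in; the truncated response used for the offline check is constructed.

```python
import socket
import struct

# Constructed sample: a DNS header with ID 0x1234, flags 0x8200 (QR=1, TC=1),
# one question, no answers. Used to demonstrate the truncation check offline.
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8200, 1, 0, 0, 0)

def build_query(qname, qtype=1, qid=0x1234):
    """Minimal DNS query (RD=1) for qname; qtype 1 = A, class 1 = IN."""
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split(".")
    )
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(response):
    """True when the TC bit (0x0200 in the flags word) is set in the header."""
    if len(response) < 12:
        raise ValueError("DNS message shorter than the 12-octet header")
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)

def frame_for_tcp(message):
    """DNS over TCP carries each message behind a two-octet big-endian length."""
    return struct.pack("!H", len(message)) + message

def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket, or raise on early close."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP peer closed before full DNS message")
        buf += chunk
    return buf

def query(server, qname, prefer_tcp=False, timeout=3.0):
    """Resolve qname at server: UDP first, TCP on truncation or when prefer_tcp."""
    msg = build_query(qname)
    if not prefer_tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
            u.settimeout(timeout)
            u.sendto(msg, (server, 53))
            resp, _ = u.recvfrom(4096)
        if not is_truncated(resp):
            return resp, "udp"
    # Truncated (or TCP chosen up front): repeat the same query over TCP.
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(frame_for_tcp(msg))
        length = struct.unpack("!H", recv_exact(t, 2))[0]
        return recv_exact(t, length), "tcp"
```

A resolver that blocks TCP/53 at the network layer never reaches the second half of `query`, which is exactly the resolution failure the RFC warns about.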
There is no particular concern (DoS and the like) about using DNS over TCP:
At the time of writing, the vast majority of Top Level Domain (TLD) authority servers and all of the root name servers support TCP and the author knows of no evidence to suggest that TCP-based DoS attacks against existing DNS infrastructure are commonplace.