{"id":10477,"date":"2022-10-12T12:48:19","date_gmt":"2022-10-12T19:48:19","guid":{"rendered":"https:\/\/www.xh86.me\/?p=10477"},"modified":"2022-10-12T12:48:19","modified_gmt":"2022-10-12T19:48:19","slug":"%e5%9f%ba%e4%ba%8etcp%e7%9a%84dns%e4%bc%a0%e8%be%93%ef%bc%9a%e6%93%8d%e4%bd%9c%e8%a6%81%e6%b1%82","status":"publish","type":"post","link":"https:\/\/www.xh86.me\/?p=10477","title":{"rendered":"\u57fa\u4e8eTCP\u7684DNS\u4f20\u8f93\uff1a\u64cd\u4f5c\u8981\u6c42"},"content":{"rendered":"
\n
<\/section>\n
\n
RFC9210\uff1aDNS Transport over TCP -Operational Requirements\uff0cMarch 2022<\/span><\/code><\/pre>\n<\/section>\n
\n
\n
\n
<\/div><\/section>\n
\u6897\u6982<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u672c\u6587\u6863\u66f4\u65b0\u4e86RFC 1123\u548cRFC 1536\u3002\u672c\u6587\u6863\u8981\u6c42\u5c06\u5141\u8bb8DNS\u6d88\u606f\u5728Internet\u4e0a\u901a\u8fc7TCP\u4f20\u8f93\u7684\u64cd\u4f5c\u5b9e\u8df5\u4f5c\u4e3a\u5f53\u524d\u6700\u4f73\u5b9e\u8df5\u3002\u6b64\u64cd\u4f5c\u8981\u6c42\u4e0eRFC 7766\u4e2d\u7684\u5b9e\u65bd\u8981\u6c42\u4e00\u81f4\u3002TCP\u7684\u4f7f\u7528\u5305\u62ec\u57fa\u4e8e\u672a\u52a0\u5bc6TCP\u7684DNS\u4ee5\u53ca\u52a0\u5bc6\u7684TLS\u4f1a\u8bdd\u3002\u8be5\u6587\u4ef6\u8fd8\u8003\u8651\u4e86\u8fd9\u79cd\u5f62\u5f0f\u7684DNS\u901a\u4fe1\u7684\u540e\u679c\uff0c\u4ee5\u53ca\u5728\u4e0d\u652f\u6301\u5f53\u524d\u6700\u4f73\u5b9e\u8df5\u65f6\u53ef\u80fd\u51fa\u73b0\u7684\u6f5c\u5728\u8fd0\u8425\u95ee\u9898\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
\u672c\u5907\u5fd8\u5f55\u7684\u72b6\u6001<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u672c\u5907\u5fd8\u5f55\u8bb0\u5f55\u4e86 Internet \u6700\u4f73\u5f53\u524d\u5b9e\u8df5\u3002<\/p>\n
\u672c\u6587\u6863\u662f Internet \u5de5\u7a0b\u4efb\u52a1\u7ec4 (IETF) \u7684\u4ea7\u54c1\u3002\u5b83\u4ee3\u8868\u4e86 IETF \u793e\u533a\u7684\u5171\u8bc6\u3002\u5b83\u5df2\u63a5\u53d7\u516c\u4f17\u5ba1\u67e5\uff0c\u5e76\u5df2\u83b7\u4e92\u8054\u7f51\u5de5\u7a0b\u6307\u5bfc\u5c0f\u7ec4 (IESG) \u6279\u51c6\u51fa\u7248\u3002\u6709\u5173 BCP \u7684\u66f4\u591a\u4fe1\u606f\uff0c\u8bf7\u53c2\u89c1 RFC 7841 \u7684\u7b2c 2 \u8282\u3002<\/p>\n
\u6709\u5173\u672c\u6587\u6863\u5f53\u524d\u72b6\u6001\u3001\u4efb\u4f55\u52d8\u8bef\u8868\u4ee5\u53ca\u5982\u4f55\u63d0\u4f9b\u53cd\u9988\u7684\u4fe1\u606f\uff0c\u8bf7\u8bbf\u95ee https:\/\/www.rfc-editor.org\/info\/rfc9210\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
\u7248\u6743\u58f0\u660e<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u7248\u6743\u6240\u6709 (c) 2022 IETF Trust \u548c\u6587\u4ef6\u4f5c\u8005\u3002\u7248\u6743\u6240\u6709\u3002<\/p>\n
\u672c\u6587\u4ef6\u53d7 BCP 78 \u548c IETF \u4fe1\u6258\u5173\u4e8e IETF \u6587\u4ef6\u7684\u6cd5\u5f8b\u89c4\u5b9a (https:\/\/trustee.ietf.org\/license-info) \u7684\u7ea6\u675f\uff0c\u8be5\u6761\u6b3e\u5728\u672c\u6587\u4ef6\u53d1\u5e03\u4e4b\u65e5\u751f\u6548\u3002\u8bf7\u4ed4\u7ec6\u9605\u8bfb\u8fd9\u4e9b\u6587\u4ef6\uff0c\u56e0\u4e3a\u5b83\u4eec\u63cf\u8ff0\u4e86\u60a8\u5bf9\u672c\u6587\u4ef6\u7684\u6743\u5229\u548c\u9650\u5236\u3002\u4ece\u672c\u6587\u6863\u4e2d\u63d0\u53d6\u7684\u4ee3\u7801\u7ec4\u4ef6\u5fc5\u987b\u5305\u542b Trust Legal Provisions \u7b2c 4.e \u8282\u6240\u8ff0\u7684\u4fee\u8ba2\u7248 BSD \u8bb8\u53ef\u6587\u672c\uff0c\u5e76\u4e14\u6309\u7167\u4fee\u8ba2\u7248 BSD \u8bb8\u53ef\u4e2d\u7684\u8bf4\u660e\u63d0\u4f9b\u65e0\u62c5\u4fdd\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
1\u3001 \u7b80\u4ecb<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
DNS\u6d88\u606f\u4f7f\u7528 UDP \u6216 TCP \u901a\u4fe1\u4f20\u9001\u3002\u867d\u7136\u5927\u591a\u6570 DNS \u4e8b\u52a1\u90fd\u662f\u901a\u8fc7 UDP \u8fdb\u884c\u7684\uff0c\u4f46\u4e00\u4e9b\u8fd0\u8425\u5546\u8ba4\u4e3a\u5bf9\u4e8e\u4e00\u822c\u7684 DNS \u64cd\u4f5c\u6765\u8bf4\uff0c\u4efb\u4f55\u57fa\u4e8e TCP \u7684 DNS \u6d41\u91cf\u90fd\u662f\u4e0d\u9700\u8981\u6216\u4e0d\u5fc5\u8981\u7684\u3002\u5f53DNS over TCP\u53d7\u5230\u9650\u5236\u65f6\uff0c\u7ecf\u5e38\u4f1a\u51fa\u73b0\u5404\u79cd\u901a\u4fe1\u6545\u969c\u548c\u8c03\u8bd5\u6311\u6218\u3002\u968f\u7740 DNS \u548c\u65b0\u7684\u57df\u540d\u7cfb\u7edf\u529f\u80fd\u7684\u53d1\u5c55\uff0cTCP \u4f5c\u4e3a\u4e00\u79cd\u4f20\u8f93\u65b9\u5f0f\u5bf9\u4e8e Internet DNS \u7684\u6b63\u786e\u548c\u5b89\u5168\u8fd0\u884c\u53d8\u5f97\u8d8a\u6765\u8d8a\u91cd\u8981\u3002\u53cd\u6620\u73b0\u4ee3\u7528\u6cd5\uff0cDNS \u6807\u51c6\u58f0\u660e\u5bf9 TCP \u7684\u652f\u6301\u662f DNS \u5b9e\u73b0\u89c4\u8303 [RFC7766] \u7684\u5fc5\u9700\u90e8\u5206\u3002\u672c\u6587\u6863\u76f8\u5f53\u4e8e\u8fd0\u8425\u793e\u533a\u7684\u6b63\u5f0f\u8981\u6c42\uff0c\u9f13\u52b1\u7cfb\u7edf\u7ba1\u7406\u5458\u3001\u7f51\u7edc\u5de5\u7a0b\u5e08\u548c\u5b89\u5168\u4eba\u5458\u786e\u4fdd DNS-over-TCP \u901a\u4fe1\u652f\u6301\u4e0e DNS-over-UDP \u901a\u4fe1\u76f8\u540c\u3002\u5b83\u66f4\u65b0\u4e86 [RFC1123] \u7684\u7b2c 6.1.3.2 \u8282\u4ee5\u9610\u660e\u6240\u6709 DNS \u89e3\u6790\u5668\u548c\u9012\u5f52\u670d\u52a1\u5668\u5fc5\u987b\u652f\u6301\u548c\u670d\u52a1 TCP \u548c UDP \u67e5\u8be2\uff0c\u5e76\u66f4\u65b0 [RFC1536] \u4ee5\u6d88\u9664 TCP \u4ec5\u5bf9\u533a\u57df\u4f20\u8f93\u6709\u7528\u7684\u8bef\u89e3\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
1.1\u3001 \u9700\u6c42\u8bed\u8a00<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u672c\u6587\u6863\u4e2d\u7684\u5173\u952e\u8bcd\u201c\u5fc5\u987b\u201d\u3001\u201c\u4e0d\u5f97\u201d\u3001\u201c\u8981\u6c42\u201d\u3001\u201c\u5e94\u201d\u3001\u201c\u4e0d\u5e94\u201d\u3001\u201c\u5e94\u8be5\u201d\u3001\u201c\u4e0d\u5e94\u201d\u3001\u201c\u63a8\u8350\u201d\u3001\u201c\u4e0d\u63a8\u8350\u201d\u3001\u201c\u53ef\u4ee5\u201d\u548c\u201c\u53ef\u9009\u201d\uff0c\u5f53\u4e14\u4ec5\u5f53\u5b83\u4eec\u4ee5\u5168\u90e8\u5927\u5199\u5b57\u6bcd\u51fa\u73b0\u65f6\uff0c\u5c06\u6309\u7167BCP 14 [RFC2119] [RFC8174] \u4e2d\u7684\u63cf\u8ff0\u8fdb\u884c\u89e3\u91ca\uff0c\u5982\u6b64\u5904\u6240\u793a\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
2\u3001 DNS over TCP\u7684\u5386\u53f2<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u8fd0\u8425\u6700\u4f73\u5b9e\u8df5\u4e0e DNS \u4f20\u8f93\u534f\u8bae\u6307\u5357\u4e4b\u95f4\u7684\u5947\u602a\u5206\u6b67\u6e90\u4e8e\u8fd0\u8425\u5546\u4ece\u5176\u4ed6\u8fd0\u8425\u5546\u3001\u5b9e\u65bd\u8005\u751a\u81f3 IETF \u6536\u5230\u7684\u76f8\u4e92\u51b2\u7a81\u7684\u6d88\u606f\u3002\u6709\u65f6\u8fd9\u4e9b\u6df7\u5408\u4fe1\u53f7\u662f\u660e\u786e\u7684\uff1b\u5728\u5176\u4ed6\u60c5\u51b5\u4e0b\uff0c\u76f8\u4e92\u77db\u76fe\u7684\u4fe1\u606f\u662f\u9690\u542b\u7684\u3002\u672c\u8282\u4ecb\u7ecd\u4e86\u5bfc\u81f4\u672c\u6587\u6863\u7684\u4f20\u5947\u4e14\u76f8\u4e92\u77db\u76fe\u7684\u5386\u53f2\u7684\u89e3\u91ca\u3002\u672c\u8282\u4ec5\u4f9b\u53c2\u8003\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
2.1\u3001\u4e0d\u5747\u5300\u4f20\u8f93\u7684\u7528\u9014\u548c\u504f\u597d<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u5728\u6700\u521d\u7684 DNS \u89c4\u8303\u5957\u4ef6\u4e2d\uff0c[RFC1034] \u548c [RFC1035] \u660e\u786e\u89c4\u5b9a DNS \u6d88\u606f\u53ef\u4ee5\u5728 UDP \u6216 TCP \u4e2d\u4f20\u8f93\uff0c\u4f46\u5b83\u4eec\u4e5f\u58f0\u660e\u5728\u4e00\u822c\u60c5\u51b5\u4e0b\u4f18\u5148\u9009\u62e9 UDP \u4f5c\u4e3a\u67e5\u8be2\u7684\u6700\u4f73\u4f20\u8f93\u3002\u5982 [RFC1035] \u4e2d\u6240\u8ff0\uff1a<\/p>\n
\n
\u201c\u867d\u7136\u865a\u62df\u7535\u8def\u53ef\u7528\u4e8e\u4efb\u4f55 DNS \u6d3b\u52a8\uff0c\u4f46\u6570\u636e\u62a5\u66f4\u9002\u5408\u7528\u4e8e\u67e5\u8be2\uff0c\u56e0\u4e3a\u5b83\u4eec\u7684\u5f00\u9500\u8f83\u4f4e\u4e14\u6027\u80fd\u66f4\u597d\u3002\u201d<\/p>\n<\/blockquote>\n
\u53e6\u4e00\u4e2a\u65e9\u671f\u7684\u3001\u91cd\u8981\u7684\u548c\u6709\u5f71\u54cd\u529b\u7684\u6587\u4ef6\uff0c[RFC1123]\uff0c\u66f4\u660e\u786e\u5730\u6807\u8bb0\u4e86\u5bf9\u4f20\u8f93\u534f\u8bae\u7684\u504f\u597d\uff1a<\/p>\n
\n
\u201cDNS \u89e3\u6790\u5668\u548c\u9012\u5f52\u670d\u52a1\u5668\u5fc5\u987b\u652f\u6301 UDP\uff0c\u5e76\u4e14\u5e94\u8be5\u652f\u6301 TCP\uff0c\u4ee5\u53d1\u9001\uff08\u975e\u533a\u57df\u4f20\u8f93\uff09\u67e5\u8be2\u3002\u201d<\/p>\n<\/blockquote>\n
\u5e76\u8fdb\u4e00\u6b65\u89c4\u5b9a\uff1a<\/p>\n
\n
\u201c\u57df\u540d\u670d\u52a1\u5668\u53ef\u4ee5\u9650\u5236\u5b83\u7528\u4e8e TCP \u67e5\u8be2\u7684\u8d44\u6e90\uff0c\u4f46\u5b83\u4e0d\u5e94\u8be5\u4ec5\u4ec5\u56e0\u4e3a\u5b83\u4f1a\u901a\u8fc7 UDP \u6210\u529f\u800c\u62d2\u7edd\u4e3a TCP \u67e5\u8be2\u63d0\u4f9b\u670d\u52a1\u3002\u201d<\/p>\n<\/blockquote>\n
\u5728 [RFC1536] \u4e2d\u8fbe\u5230\u9ad8\u6f6e\uff0c\u57fa\u4e8e TCP \u7684 DNS \u4e3b\u8981\u4e0e\u533a\u57df\u4f20\u8f93\u673a\u5236\u76f8\u5173\u8054\uff0c\u800c\u5927\u591a\u6570 DNS \u67e5\u8be2\u548c\u54cd\u5e94\u88ab\u89c6\u4e3a UDP \u7684\u7edf\u6cbb\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
2.2\u3001 \u7b49\u5f85\u5927\u6d88\u606f\u548c\u53ef\u9760\u6027<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u5728\u539f\u59cb\u89c4\u8303\u4e2d\uff0c\u6700\u5927 DNS-over-UDP \u6d88\u606f\u5927\u5c0f\u89c4\u5b9a\u4e3a 512 \u5b57\u8282\u3002\u7136\u800c\uff0c\u5373\u4f7f [RFC1123] \u66f4\u559c\u6b22 UDP \u8fdb\u884c\u975e\u533a\u57df\u4f20\u8f93\u67e5\u8be2\uff0c\u5b83\u4e5f\u9884\u89c1\u5230 DNS over TCP \u5c06\u5728\u672a\u6765\u53d8\u5f97\u66f4\u52a0\u6d41\u884c\uff0c\u4ee5\u514b\u670d\u8fd9\u4e2a\u9650\u5236\uff1a<\/p>\n
\n
\u201c\u5f88\u660e\u663e\uff0c\u672a\u6765\u5b9a\u4e49\u7684\u4e00\u4e9b\u65b0 DNS \u8bb0\u5f55\u7c7b\u578b\u5c06\u5305\u542b\u8d85\u8fc7\u9002\u7528\u4e8e UDP \u7684 512 \u5b57\u8282\u9650\u5236\u7684\u4fe1\u606f\uff0c\u56e0\u6b64\u9700\u8981 TCP\u3002\u201d<\/p>\n<\/blockquote>\n
\u81f3\u5c11\u6709\u4e24\u4e2a\u65b0\u7684\u3001\u88ab\u5e7f\u6cdb\u671f\u5f85\u7684\u53d1\u5c55\u63d0\u9ad8\u4e86\u5bf9 DNS-over-TCP \u4e8b\u52a1\u7684\u9700\u6c42\u3002\u7b2c\u4e00\u4e2a\u662f [RFC2136] \u4e2d\u5b9a\u4e49\u7684\u52a8\u6001\u66f4\u65b0\uff0c\u7b2c\u4e8c\u4e2a\u662f\u7edf\u79f0\u4e3a\u201cDNSSEC\u201d\u7684\u6269\u5c55\u96c6\uff0c\u5176\u64cd\u4f5c\u6ce8\u610f\u4e8b\u9879\u6700\u521d\u5728 [RFC2541] \u4e2d\u7ed9\u51fa\uff08\u6ce8\u610f [RFC2541] \u5df2\u88ab [RFC6781] \u5e9f\u5f03\uff09\u3002\u524d\u8005\u5efa\u8bae\u9700\u8981\u51c6\u786e\u54cd\u5e94\u4ee3\u7801\u7684\u8bf7\u6c42\u8005\u5fc5\u987b\u4f7f\u7528 TCP\u3002<\/p>\n
\u800c\u540e\u8005\u8b66\u544a\u8bf4\uff0c\u8f83\u5927\u7684\u5bc6\u94a5\u4f1a\u589e\u52a0 KEY \u548c SIG RR \u7684\u5927\u5c0f\u3002\u8fd9\u589e\u52a0\u4e86 DNS UDP \u6570\u636e\u5305\u6ea2\u51fa\u7684\u53ef\u80fd\u6027\u4ee5\u53ca\u5728\u54cd\u5e94\u4e2d\u4f7f\u7528\u66f4\u9ad8\u5f00\u9500 TCP \u7684\u53ef\u80fd\u5fc5\u8981\u6027\u3002<\/p>\n
\u7136\u800c\uff0c\u51fa\u4e4e\u4e00\u4e9b\u4eba\u7684\u610f\u6599\uff0c\u5728 1990 \u5e74\u4ee3\u540e\u671f\uff0c\u57fa\u4e8e TCP \u7684 DNS \u5728\u4e92\u8054\u7f51\u4e0a\u7684\u5b9e\u9645\u6d41\u91cf\u4e2d\u4ecd\u7136\u5f88\u5c11\u4f7f\u7528\u3002\u52a8\u6001\u66f4\u65b0\u5728\u81ea\u6cbb\u7f51\u7edc\u4e4b\u95f4\u51e0\u4e4e\u6ca1\u6709\u90e8\u7f72\u3002\u5927\u7ea6\u5728\u9996\u6b21\u5b9a\u4e49 DNSSEC \u7684\u65f6\u5019\uff0c\u53e6\u4e00\u4e2a\u65b0\u529f\u80fd\u5e2e\u52a9\u5de9\u56fa\u4e86 UDP \u4f20\u8f93\u5728\u6d88\u606f\u4e8b\u52a1\u4e2d\u7684\u4e3b\u5bfc\u5730\u4f4d\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
2.3\u3001 EDNS(0)<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
1999 \u5e74\uff0cIETF \u5728 [RFC2671] \u4e2d\u53d1\u5e03\u4e86 DNS \u6269\u5c55\u673a\u5236 (Extension Mechanisms for DNS\uff0cEDNS(0))<\/strong>\uff08\u5728 2013 \u5e74\u88ab [RFC6891] \u5e9f\u5f03\uff09\u3002\u8be5\u6587\u6863\u6807\u51c6\u5316\u4e86\u4e00\u79cd\u7528\u4e8e\u901a\u4fe1 DNS \u8282\u70b9\u4ee5\u6267\u884c\u57fa\u672c\u529f\u80fd\u534f\u5546\u7684\u65b9\u5f0f\u3002\u5199\u5165\u57fa\u672c\u89c4\u8303\u5e76\u51fa\u73b0\u5728\u6bcf\u4e2a\u4e0e EDNS(0) \u517c\u5bb9\u7684\u6d88\u606f\u4e2d\u7684\u6b64\u7c7b\u529f\u80fd\u4e4b\u4e00\u662f\u53d1\u9001\u65b9\u53ef\u4ee5\u652f\u6301\u7684\u6700\u5927 UDP \u6709\u6548\u8d1f\u8f7d\u5927\u5c0f\u7684\u503c\u3002\u8fd9\u4e2a\u65e0\u7b26\u53f7\u7684 16 \u4f4d\u5b57\u6bb5\u4ee5\u5b57\u8282\u4e3a\u5355\u4f4d\u6307\u5b9a\u8282\u70b9\u80fd\u591f\u901a\u8fc7 UDP \u63a5\u6536\u7684\u6700\u5927\uff08\u53ef\u80fd\u662f\u5206\u6bb5\u7684\uff09DNS \u6d88\u606f\u5927\u5c0f\u3002\u5728\u5b9e\u8df5\u4e2d\uff0c\u5178\u578b\u503c\u662f 512 \u5230 4096 \u5b57\u8282\u8303\u56f4\u7684\u5b50\u96c6\u3002\u5728\u63a5\u4e0b\u6765\u7684\u51e0\u5e74\u4e2d\uff0cEDNS(0) \u5f97\u5230\u4e86\u5e7f\u6cdb\u7684\u90e8\u7f72\uff0c\u5927\u91cf\u8c03\u67e5\uff08\u53c2\u89c1 [CASTRO2010] \u548c [NETALYZR]\uff09\u8868\u660e\uff0c\u8bb8\u591a\u7cfb\u7edf\u901a\u8fc7 EDNS(0) \u652f\u6301\u66f4\u5927\u7684 UDP MTU\u3002<\/p>\n
EDNS(0) \u90e8\u7f72\u7684\u81ea\u7136\u6548\u679c\u610f\u5473\u7740\u5927\u4e8e 512 \u5b57\u8282\u7684 DNS \u6d88\u606f\u5bf9 TCP \u7684\u4f9d\u8d56\u7a0b\u5ea6\u5c06\u4f4e\u4e8e\u5176\u4ed6\u60c5\u51b5\u3002\u867d\u7136\u4e0d\u53ef\u5ffd\u7565\u7684 DNS \u7cfb\u7edf\u7fa4\u4f53\u7f3a\u5c11 EDNS(0) \u6216\u5728\u5fc5\u8981\u65f6\u56de\u9000\u5230 TCP\uff0c\u4f46 DNS \u5ba2\u6237\u7aef\u4ecd\u7136\u5f3a\u70c8\u503e\u5411\u4e8e\u4f7f\u7528 UDP \u800c\u4e0d\u662f TCP\u3002\u4f8b\u5982\uff0c\u622a\u81f3 2014 \u5e74\uff0cDNS-over-TCP \u4e8b\u52a1\u5728\u6839\u57df\u540d\u670d\u52a1\u5668 [VERISIGN] \u63a5\u6536\u7684\u6574\u4f53 DNS \u6d41\u91cf\u4e2d\u4ecd\u7136\u53ea\u5360\u5f88\u5c0f\u7684\u4e00\u90e8\u5206\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
2.4\u3001 \u5206\u7247\u548c\u622a\u65ad<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u5c3d\u7ba1 EDNS(0) \u4e3a\u7aef\u70b9\u63d0\u4f9b\u4e86\u4e00\u79cd\u8868\u793a\u652f\u6301\u8d85\u8fc7 512 \u5b57\u8282\u7684 DNS \u6d88\u606f\u7684\u65b9\u6cd5\uff0c\u4f46 Internet \u7684\u591a\u6837\u5316\u548c\u4e0d\u4e00\u81f4\u90e8\u7f72\u7684\u73b0\u5b9e\u53ef\u80fd\u5bfc\u81f4\u4e00\u4e9b\u5927\u578b\u6d88\u606f\u65e0\u6cd5\u5230\u8fbe\u5176\u76ee\u7684\u5730\u3002\u4efb\u4f55\u5927\u5c0f\u8d85\u8fc7\u5176\u4f20\u8f93\u7684\u94fe\u8def\u7684 MTU \u7684 IP \u6570\u636e\u62a5\u90fd\u5c06\u88ab\u5206\u7247\uff0c\u7136\u540e\u7531\u63a5\u6536\u4e3b\u673a\u91cd\u65b0\u7ec4\u5408\u3002\u4e0d\u5e78\u7684\u662f\uff0c\u4e2d\u95f4\u8bbe\u5907\u548c\u9632\u706b\u5899\u963b\u6b62 IP \u7247\u6bb5\u7684\u60c5\u51b5\u5e76\u4e0d\u5c11\u89c1\u3002\u5982\u679c\u4e00\u4e2a\u6216\u591a\u4e2a\u7247\u6bb5\u6ca1\u6709\u5230\u8fbe\uff0c\u5e94\u7528\u7a0b\u5e8f\u4e0d\u4f1a\u6536\u5230\u6d88\u606f\uff0c\u8bf7\u6c42\u8d85\u65f6\u3002<\/p>\n
\u5bf9\u4e8e IPv4 \u8fde\u63a5\u7684\u4e3b\u673a\uff0cMTU \u901a\u5e38\u662f 1500 \u5b57\u8282\u7684\u4ee5\u592a\u7f51\u8d1f\u8f7d\u5927\u5c0f\u3002\u8fd9\u610f\u5473\u7740\u53ef\u4ee5\u901a\u8fc7 IPv4 \u53d1\u9001\u7684\u6700\u5927\u672a\u5206\u6bb5 UDP DNS \u6d88\u606f\u53ef\u80fd\u662f 1472 \u5b57\u8282\uff0c\u5c3d\u7ba1\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\u96a7\u9053\u5c01\u88c5\u53ef\u80fd\u4f1a\u51cf\u5c0f\u6700\u5927\u6d88\u606f\u5927\u5c0f\u3002<\/p>\n
\u5bf9\u4e8e IPv6\uff0c\u60c5\u51b5\u7a0d\u5fae\u590d\u6742\u4e00\u4e9b\u3002\u9996\u5148\uff0cIPv6 \u62a5\u6587\u5934\u4e3a 40 \u4e2a\u5b57\u8282\uff08\u800c IPv4 \u4e2d\u4e3a 20 \u4e2a\u5b57\u8282\uff09\u3002\u5176\u6b21\uff0c\u5927\u7ea6\u4e09\u5206\u4e4b\u4e00\u7684 DNS \u9012\u5f52\u89e3\u6790\u5668\u4f7f\u7528 1280 \u5b57\u8282\u7684\u6700\u5c0f MTU [APNIC]\u3002\u7b2c\u4e09\uff0cIPv6 \u4e2d\u7684\u5206\u6bb5\u53ea\u80fd\u7531\u53d1\u8d77\u6570\u636e\u62a5\u7684\u4e3b\u673a\u5b8c\u6210\u3002\u5206\u6bb5\u7684\u9700\u8981\u5728 ICMPv6\u201c\u6570\u636e\u5305\u592a\u5927\u201d\u6d88\u606f\u4e2d\u4f20\u8fbe\u3002\u59cb\u53d1\u4e3b\u673a\u6307\u793a\u5e26\u6709 IPv6 \u6269\u5c55\u5934\u7684\u5206\u6bb5\u6570\u636e\u62a5\u3002\u4e0d\u5e78\u7684\u662f\uff0cICMPv6 \u548c IPv6 \u6269\u5c55\u62a5\u6587\u5934\u90fd\u88ab\u4e2d\u95f4\u8bbe\u5907\u963b\u6b62\u662f\u5f88\u5e38\u89c1\u7684\u3002\u6839\u636e [HUSTON]\uff0c\u5927\u7ea6 35% \u7684\u652f\u6301 IPv6 \u7684\u9012\u5f52\u89e3\u6790\u5668\u65e0\u6cd5\u63a5\u6536\u5206\u6bb5\u7684 IPv6 \u6570\u636e\u5305\u3002\u5f53\u59cb\u53d1\u4e3b\u673a\u6536\u5230\u9700\u8981\u5206\u6bb5\u7684\u4fe1\u53f7\u65f6\uff0c\u5b83\u5e94\u8be5\u4e3a\u8be5\u76ee\u7684\u5730\u586b\u5145\u5176\u8def\u5f84 MTU \u7f13\u5b58\u3002\u5e94\u7528\u7a0b\u5e8f\u5c06\u5728\u8d85\u65f6\u540e\u91cd\u8bd5\u67e5\u8be2\uff0c\u56e0\u4e3a\u4e3b\u673a\u901a\u5e38\u4e0d\u4f1a\u4fdd\u7559\u901a\u8fc7 UDP \u53d1\u9001\u7684\u6d88\u606f\u526f\u672c\u4ee5\u7528\u4e8e\u53ef\u80fd\u7684\u91cd\u4f20\u3002<\/p>\n
\u6240\u6709\u8fd9\u4e00\u5207\u7684\u5b9e\u9645\u540e\u679c\u662f DNS \u8bf7\u6c42\u8005\u5fc5\u987b\u51c6\u5907\u597d\u4f7f\u7528\u4e0d\u540c\u7684 EDNS(0) \u6700\u5927\u6d88\u606f\u5927\u5c0f\u503c\u91cd\u8bd5\u67e5\u8be2\u3002[BIND] \u7684\u7ba1\u7406\u5458\u53ef\u80fd\u719f\u6089\u5728\u4ed6\u4eec\u7684\u7cfb\u7edf\u65e5\u5fd7\u4e2d\u770b\u5230\u4ee5\u4e0b\u6d88\u606f\uff1a\u201c\u6210\u529f\u89e3\u6790……\u5728\u5c06\u901a\u544a\u7684 EDNS(0) UDP \u6570\u636e\u5305\u5927\u5c0f\u51cf\u5c11\u5230 512 \u4e2a\u516b\u4f4d\u5b57\u8282\u540e\u201d\u3002<\/p>\n
\u901a\u5e38\uff0c\u51cf\u5c0f EDNS(0) UDP \u6570\u636e\u5305\u5927\u5c0f\u4f1a\u5bfc\u81f4\u6210\u529f\u54cd\u5e94\u3002\u4e5f\u5c31\u662f\u8bf4\uff0c\u5fc5\u8981\u7684\u6570\u636e\u9002\u5408\u8f83\u5c0f\u7684\u6d88\u606f\u5927\u5c0f\u3002\u4f46\u662f\uff0c\u5f53\u6570\u636e\u4e0d\u9002\u5408\u65f6\uff0c\u670d\u52a1\u5668\u4f1a\u5728\u5176\u54cd\u5e94\u4e2d\u8bbe\u7f6e\u622a\u65ad\u6807\u5fd7\uff0c\u6307\u793a\u5ba2\u6237\u7aef\u5e94\u901a\u8fc7 TCP \u91cd\u8bd5\u4ee5\u63a5\u6536\u6574\u4e2a\u54cd\u5e94\u3002\u4ece\u5ba2\u6237\u7aef\u7684\u89d2\u5ea6\u6765\u770b\uff0c\u8fd9\u662f\u4e0d\u53ef\u53d6\u7684\uff0c\u56e0\u4e3a\u5b83\u589e\u52a0\u4e86\u66f4\u591a\u7684\u5ef6\u8fdf\uff0c\u5e76\u4e14\u4ece\u670d\u52a1\u5668\u7684\u89d2\u5ea6\u6765\u770b\uff0c\u7531\u4e8e TCP \u7684\u8d44\u6e90\u9700\u6c42\u589e\u52a0\uff0c\u8fd9\u53ef\u80fd\u662f\u4e0d\u53ef\u53d6\u7684\u3002<\/p>\n
\u8bf7\u6ce8\u610f\uff0c\u63a5\u6536\u65b9\u65e0\u6cd5\u533a\u5206\u7531\u4e8e\u62e5\u585e\u800c\u4e22\u5931\u7684\u6570\u636e\u5305\u548c\u9632\u706b\u5899\u6216\u4e2d\u95f4\u8bbe\u5907\u6545\u610f\u4e22\u5f03\u7684\u6570\u636e\u5305\uff08\u7247\u6bb5\uff09\u3002\u5728\u5177\u6709\u5927\u91cf\u4e22\u5305\u7684\u7f51\u7edc\u8def\u5f84\u4e0a\uff0c\u4e0e\u8f83\u5c0f\u7684\u672a\u5206\u6bb5\u54cd\u5e94\u76f8\u6bd4\uff0c\u8f83\u5927\u7684\u5206\u6bb5 DNS \u54cd\u5e94\u66f4\u6709\u53ef\u80fd\u6c38\u8fdc\u4e0d\u4f1a\u5230\u8fbe\u5e76\u8d85\u65f6\u3002\u7531\u4e8e\u9519\u8bef\u7684\u539f\u56e0\uff0c\u5ba2\u6237\u7aef\u53ef\u80fd\u4f1a\u88ab\u8bef\u5bfc\u4f7f\u7528\u4e0d\u540c\u7684 EDNS(0) UDP \u6570\u636e\u5305\u5927\u5c0f\u503c\u91cd\u8bd5\u67e5\u8be2\u3002<\/p>\n
\u56f4\u7ed5\u788e\u7247\u3001\u622a\u65ad\u548c TCP \u7684\u95ee\u9898\u6b63\u5728\u63a8\u52a8 DNS \u4e2d\u7684\u67d0\u4e9b\u5b9e\u65bd\u548c\u653f\u7b56\u51b3\u7b56\u3002\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0cCloudflare \u5b9e\u65bd\u4e86\u4e00\u79cd\u6280\u672f\uff0c\u53ef\u6700\u5927\u9650\u5ea6\u5730\u51cf\u5c11 DNSSEC \u62d2\u7edd\u5b58\u5728\u8bb0\u5f55\u7684\u6570\u91cf\uff08\u9488\u5bf9\u5176\u5728\u7ebf\u7b7e\u540d\u5e73\u53f0\uff09[CLOUDFLARE]\uff0c\u5e76\u4f7f\u7528\u692d\u5706\u66f2\u7ebf\u6570\u5b57\u7b7e\u540d\u7b97\u6cd5 (Elliptic Curve Digital Signature Algorithm\uff0cECDSA)<\/strong>\uff0c\u4f7f\u5176\u7b7e\u540d\u54cd\u5e94\u8f7b\u677e\u653e\u5165 512 \u4e2a\u5b57\u8282\u3002\u5bc6\u94a5\u7b7e\u540d\u5bc6\u94a5 (Key Signing Key\uff0cKSK)<\/strong> \u7ffb\u8f6c\u8bbe\u8ba1\u56e2\u961f [DESIGNTEAM] \u82b1\u4e86\u5f88\u591a\u65f6\u95f4\u601d\u8003\u548c\u62c5\u5fc3\u54cd\u5e94\u5927\u5c0f\u3002DNSSEC \u793e\u533a\u8d8a\u6765\u8d8a\u591a\u7684\u89c2\u70b9\u8ba4\u4e3a\uff0c\u8d85\u8fc7 2048 \u4f4d\u7684 RSA \u5bc6\u94a5\u5927\u5c0f\u662f\u4e0d\u5207\u5b9e\u9645\u7684\uff0c\u5173\u952e\u57fa\u7840\u8bbe\u65bd\u533a\u57df\u5e94\u8fc7\u6e21\u5230\u692d\u5706\u66f2\u7ebf\u7b97\u6cd5\u4ee5\u4fdd\u6301\u54cd\u5e94\u5927\u5c0f\u53ef\u7ba1\u7406 [ECDSA]\u3002<\/p>\n
\u6700\u8fd1\uff0c\u5173\u4e8e\u5206\u6bb5 DNS \u6d88\u606f\u7684\u65b0\u5b89\u5168\u95ee\u9898\uff08\u53c2\u89c1 [AVOID_FRAGS] \u548c [FRAG_POISON]\uff09\u5bfc\u81f4\u5b9e\u65bd\u8005\u8003\u8651\u66f4\u5c0f\u7684\u54cd\u5e94\u548c\u66f4\u4f4e\u7684\u9ed8\u8ba4 EDNS(0) UDP \u6709\u6548\u8d1f\u8f7d\u5927\u5c0f\u503c\uff0c\u7528\u4e8e\u67e5\u8be2\u5668\u548c\u54cd\u5e94\u5668 [FLAGDAY2020]\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
2.5\u3001 \u201c\u4ec5\u533a\u57df\u4f20\u8f93\u4f7f\u7528 TCP\u201d<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u4eca\u5929\uff0c\u5927\u591a\u6570 DNS \u793e\u533a\u90fd\u5e0c\u671b\uff0c\u6216\u8005\u81f3\u5c11\u5e0c\u671b\u770b\u5230 DNS-over-TCP \u4e8b\u52a1\u5728\u4e0d\u53d7\u5e72\u6270\u7684\u60c5\u51b5\u4e0b\u53d1\u751f [FLAGDAY2020]\u3002\u7136\u800c\uff0c\u4e00\u4e9b\u8fd0\u8425\u5546\u957f\u671f\u4ee5\u6765\u4e00\u76f4\u8ba4\u4e3a\uff0c\u5c24\u5176\u662f\u51fa\u4e8e\u5b89\u5168\u76f8\u5173\u7684\u539f\u56e0\uff0cDNS-over-TCP \u670d\u52a1\u5e94\u8be5\u88ab\u6545\u610f\u9650\u5236\u6216\u6839\u672c\u4e0d\u63d0\u4f9b [CHES94] [DJBDNS]\u3002\u4e00\u4e2a\u6d41\u884c\u7684\u6897\u662f TCP \u4e0a\u7684 DNS \u4ec5\u7528\u4e8e\u533a\u57df\u4f20\u8f93\uff0c\u5426\u5219\u901a\u5e38\u662f\u4e0d\u5fc5\u8981\u7684\uff0c\u8fc7\u6ee4\u6240\u6709 TCP \u4e0a\u7684 DNS \u6d41\u91cf\u751a\u81f3\u88ab\u63cf\u8ff0\u4e3a\u6700\u4f73\u5b9e\u8df5\u3002<\/p>\n
\u9274\u4e8e DNS \u57df\u540d\u670d\u52a1\u5668\u7684\u5386\u53f2\u5b9e\u73b0\u51e0\u4e4e\u6ca1\u6709\u63d0\u4f9b TCP \u8fde\u63a5\u7ba1\u7406\u7684\u65b9\u5f0f\uff08\u4f8b\u5982\uff0c\u6709\u5173\u66f4\u591a\u8be6\u7ec6\u4fe1\u606f\uff0c\u8bf7\u53c2\u9605 [RFC7766] \u7684\u7b2c 6.1.2 \u8282\uff09\uff0c\u9650\u5236\u57fa\u4e8e TCP \u7684 DNS \u7684\u7acb\u573a\u662f\u6709\u9053\u7406\u7684\u3002\u7136\u800c\uff0c\u73b0\u4ee3\u6807\u51c6\u548c\u5b9e\u65bd\u5df2\u63a5\u8fd1\u4e0e HTTP(S) \u670d\u52a1\u5668\u548c\u8d1f\u8f7d\u5747\u8861\u5668\u7b49\u91c7\u7528\u7684\u66f4\u590d\u6742\u7684 TCP \u7ba1\u7406\u6280\u672f\u76f8\u5f53\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
2.6\u3001 \u590d\u7528\u3001\u6d41\u6c34\u7ebf\u548c\u65e0\u5e8f\u5904\u7406<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
TCP \u8fde\u63a5\u53ef\u4ee5\u652f\u6301\u591a\u4e2a\u4e8b\u52a1\u7684\u60f3\u6cd5\u53ef\u4ee5\u8ffd\u6eaf\u5230 [RFC0883]\uff0c\u5176\u4e2d\u6307\u51fa\uff1a\u201c\u53ef\u4ee5\u901a\u8fc7\u865a\u62df\u7535\u8def\u53d1\u9001\u591a\u4e2a\u6d88\u606f\u3002\u201d\u5c3d\u7ba1\u66f4\u65b0\u524d\u8005\u7684 [RFC1035] \u7701\u7565\u4e86\u8fd9\u4e00\u7279\u5b9a\u7ec6\u8282\uff0c\u4f46\u4eba\u4eec\u666e\u904d\u8ba4\u4e3a TCP \u8fde\u63a5\u53ef\u7528\u4e8e\u591a\u4e2a\u67e5\u8be2\u548c\u54cd\u5e94\u3002<\/p>\n
[RFC5966] \u9610\u660e\u4e86\u670d\u52a1\u5668\u4e0d\u9700\u8981\u5728\u4efb\u4f55\u4f20\u8f93\u4e2d\u4fdd\u7559\u67e5\u8be2\u548c\u54cd\u5e94\u7684\u987a\u5e8f\u3002[RFC7766] \u66f4\u65b0\u4e86\u524d\u8005\uff0c\u8fdb\u4e00\u6b65\u9f13\u52b1\u901a\u8fc7 TCP \u8fdb\u884c\u67e5\u8be2\u6d41\u6c34\u7ebf\u4ee5\u8fbe\u5230\u4e0e UDP \u76f8\u5f53\u7684\u6027\u80fd\u3002\u5f53\u5bf9\u8f83\u65e9\u67e5\u8be2\u7684\u54cd\u5e94\u5728\u5bf9\u8f83\u65e9\u67e5\u8be2\u7684\u54cd\u5e94\u4e4b\u524d\u51c6\u5907\u597d\u65f6\uff0c\u5411\u6d41\u6c34\u7ebf\u67e5\u8be2\u53d1\u9001\u65e0\u5e8f\u54cd\u5e94\u7684\u670d\u52a1\u5668\u907f\u514d\u4e86\u7ebf\u5934\u963b\u585e\u3002<\/p>\n
\u4f46\u662f\uff0c\u7531\u4e8e\u6570\u636e\u5305\u4e22\u5931\uff0cTCP \u53ef\u80fd\u4f1a\u9047\u5230\u4e0d\u540c\u7684\u7ebf\u5934\u963b\u585e\u95ee\u9898\u3002\u7531\u4e8e TCP \u672c\u8eab\u5f3a\u5236\u6267\u884c\u6392\u5e8f\uff0c\u5355\u4e2a\u4e22\u5931\u7684\u6bb5\u4f1a\u5ef6\u8fdf\u4efb\u4f55\u540e\u7eed\u6bb5\u4e2d\u7684\u6570\u636e\u4f20\u9012\uff0c\u76f4\u5230\u4e22\u5931\u7684\u6bb5\u88ab\u91cd\u65b0\u4f20\u8f93\u5e76\u6210\u529f\u63a5\u6536\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
3\u3001 DNS-over-TCP \u8981\u6c42<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
DNS \u6d88\u606f\u5927\u5c0f\u7684\u5e73\u5747\u589e\u52a0\uff08\u4f8b\u5982\uff0c\u7531\u4e8e DNSSEC\uff09\u3001\u65b0 DNS \u529f\u80fd\u7684\u6301\u7eed\u5f00\u53d1\uff08\u9644\u5f55 A\uff09\u4ee5\u53ca\u62d2\u7edd\u670d\u52a1\u7f13\u89e3\u6280\u672f\uff08\u7b2c 8 \u8282\uff09\u90fd\u8868\u660e DNS-over-TCP \u4e8b\u52a1\u662f\u5bf9\u4e8e Internet DNS \u7684\u6b63\u786e\u548c\u5b89\u5168\u8fd0\u884c\uff0c\u4e0e\u4ee5\u5f80\u4e00\u6837\u91cd\u8981\uff0c\u751a\u81f3\u66f4\u91cd\u8981\u3002\u6b64\u5916\uff0c\u6709\u7814\u7a76\u8ba4\u4e3a\u9762\u5411\u8fde\u63a5\u7684 DNS \u4e8b\u52a1\u53ef\u80fd\u6bd4 UDP \u4f20\u8f93 [TDNS] \u63d0\u4f9b\u5b89\u5168\u548c\u9690\u79c1\u4f18\u52bf\u3002\u4e8b\u5b9e\u4e0a\uff0cDNS over TLS [RFC7858] \u7684\u6807\u51c6\u5c31\u662f\u8fd9\u79cd\u89c4\u8303\u3002\u56e0\u6b64\uff0c\u672c\u6587\u6863\u660e\u786e\u6307\u51fa\u7f51\u7edc\u8fd0\u8425\u5546\u4e0d\u5e0c\u671b\u4eba\u4e3a\u5730\u7981\u6b62 DNS-over-TCP \u4f20\u8f93\u3002<\/p>\n
[RFC1123] \u7684\u7b2c 6.1.3.2 \u8282\u66f4\u65b0\u5982\u4e0b\uff1a<\/p>\n
\n
\u4e4b\u524d\u662f\u201cDNS \u89e3\u6790\u5668\u548c\u9012\u5f52\u670d\u52a1\u5668\u5fc5\u987b\u652f\u6301 UDP\uff0c\u5e76\u4e14\u5e94\u8be5\u652f\u6301 TCP\uff0c\u4ee5\u53d1\u9001\uff08\u975e\u533a\u57df\u4f20\u8f93\uff09\u67e5\u8be2\u3002\u201d<\/p>\n
\u73b0\u5728\u662f\u201c\u6240\u6709 DNS \u89e3\u6790\u5668\u548c\u670d\u52a1\u5668\u5fc5\u987b\u652f\u6301\u548c\u670d\u52a1 UDP \u548c TCP \u67e5\u8be2\u3002\u201d<\/p>\n<\/blockquote>\n
\u6ce8\u610f\uff1a<\/p>\n
\n
* DNS \u670d\u52a1\u5668\uff08\u5305\u62ec\u8f6c\u53d1\u5668\uff09\u5fc5\u987b\u652f\u6301\u548c\u670d\u52a1 TCP \u4ee5\u63a5\u6536\u67e5\u8be2\uff0c\u4ee5\u4fbf\u5ba2\u6237\u7aef\u53ef\u4ee5\u53ef\u9760\u5730\u63a5\u6536\u5927\u4e8e\u4efb\u4f55\u4e00\u65b9\u8ba4\u4e3a\u5bf9\u4e8e UDP \u6765\u8bf4\u592a\u5927\u7684\u54cd\u5e94\u3002<\/strong><\/p>\n
* DNS \u5ba2\u6237\u7aef\u5fc5\u987b\u652f\u6301 TCP \u53d1\u9001\u67e5\u8be2\uff0c\u4ee5\u4fbf\u5b83\u4eec\u53ef\u4ee5\u5728\u5fc5\u8981\u65f6\u91cd\u8bd5\u622a\u65ad\u7684 UDP \u54cd\u5e94\u3002<\/strong><\/p>\n<\/blockquote>\n
\u6b64\u5916\uff0c[RFC1123] \u7684\u7b2c 6.1.3.2 \u8282\u4e2d\u5173\u4e8e\u9650\u5236\u670d\u52a1\u5668\u7528\u4e8e\u67e5\u8be2\u7684\u8d44\u6e90\u7684\u8981\u6c42\u5728\u6b64\u66f4\u65b0\uff1a<\/p>\n
\n
\u4e4b\u524d\u662f\u201c\u57df\u540d\u670d\u52a1\u5668\u53ef\u4ee5\u9650\u5236\u5b83\u7528\u4e8e TCP \u67e5\u8be2\u7684\u8d44\u6e90\uff0c\u4f46\u5b83\u4e0d\u5e94\u8be5\u4ec5\u4ec5\u56e0\u4e3a\u5b83\u4f1a\u901a\u8fc7 UDP \u6210\u529f\u800c\u62d2\u7edd\u4e3a TCP \u67e5\u8be2\u63d0\u4f9b\u670d\u52a1\u3002\u201d<\/p>\n
\u73b0\u5728\u662f\u201c\u57df\u540d\u670d\u52a1\u5668\u53ef\u4ee5\u9650\u5236\u5b83\u7528\u4e8e\u67e5\u8be2\u7684\u8d44\u6e90\uff0c\u4f46\u5b83\u7edd\u4e0d\u80fd\u4ec5\u4ec5\u56e0\u4e3a\u5b83\u53ef\u4ee5\u4f7f\u7528\u53e6\u4e00\u4e2a\u4f20\u8f93\u534f\u8bae\u6210\u529f\u800c\u62d2\u7edd\u4e3a\u67e5\u8be2\u63d0\u4f9b\u670d\u52a1\u3002\u201d<\/p>\n<\/blockquote>\n
\u6700\u540e\uff0c\u66f4\u65b0\u4e86 [RFC1536] \u7684\u7b2c 1 \u8282\uff0c\u4ee5\u6d88\u9664 TCP \u4ec5\u5bf9\u533a\u57df\u4f20\u8f93\u6709\u7528\u7684\u8bef\u89e3\uff1a<\/p>\n
\n
\u4e4b\u524d\u662f\u201cDNS \u5b9e\u73b0\u4e86\u5ba2\u6237\u7aef-\u670d\u52a1\u5668\u4ea4\u4e92\u7684\u7ecf\u5178\u8bf7\u6c42-\u54cd\u5e94\u65b9\u6848\u3002\u56e0\u6b64\uff0cUDP \u662f\u9009\u62e9\u7684\u901a\u4fe1\u534f\u8bae\uff0c\u5c3d\u7ba1 TCP \u7528\u4e8e\u533a\u57df\u4f20\u8f93\u3002\u201d<\/p>\n
\u73b0\u5728\u662f\u201cDNS \u5b9e\u73b0\u4e86\u5ba2\u6237\u7aef-\u670d\u52a1\u5668\u4ea4\u4e92\u7684\u7ecf\u5178\u8bf7\u6c42-\u54cd\u5e94\u65b9\u6848\u3002\u201d<\/p>\n<\/blockquote>\n
\u5728\u4e00\u822c\u60c5\u51b5\u4e0b\uff0c\u901a\u8fc7 TCP \u8fc7\u6ee4 DNS \u662f\u6709\u5bb3\u7684\u3002DNS \u89e3\u6790\u5668\u548c\u670d\u52a1\u5668\u8fd0\u8425\u5546\u5fc5\u987b\u652f\u6301\u5e76\u901a\u8fc7 UDP \u548c TCP \u4f20\u8f93\u63d0\u4f9b DNS \u670d\u52a1\u3002\u540c\u6837\uff0c\u7f51\u7edc\u8fd0\u8425\u5546\u5fc5\u987b\u5141\u8bb8\u901a\u8fc7 UDP \u548c TCP \u4f20\u8f93\u7684 DNS \u670d\u52a1\u3002\u4f17\u6240\u5468\u77e5\uff0cDNS-over-TCP \u670d\u52a1\u53ef\u80fd\u4f1a\u5e26\u6765\u5355\u72ec\u8fd0\u884c DNS over UDP \u65f6\u4e0d\u5b58\u5728\u7684\u64cd\u4f5c\u6311\u6218\uff0c\u53cd\u4e4b\u4ea6\u7136\u3002\u4f46\u662f\uff0c\u4e0e\u5141\u8bb8\u4f7f\u7528 DNS \u76f8\u6bd4\uff0c\u7981\u6b62 DNS-over-TCP \u670d\u52a1\u6240\u5e26\u6765\u7684\u6f5c\u5728\u635f\u5bb3\u5bf9 DNS \u7684\u6301\u7eed\u5b9e\u7528\u6027\u548c\u6210\u529f\u66f4\u4e3a\u4e0d\u5229\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
4\u3001 \u7f51\u7edc\u548c\u7cfb\u7edf\u6ce8\u610f\u4e8b\u9879<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u672c\u8282\u4ecb\u7ecd\u7cfb\u7edf\u548c\u5e94\u7528\u7a0b\u5e8f\u53ef\u4ee5\u91c7\u53d6\u54ea\u4e9b\u63aa\u65bd\u6765\u4f18\u5316 TCP \u7684\u6027\u80fd\u5e76\u4fdd\u62a4\u81ea\u5df1\u514d\u53d7\u57fa\u4e8e TCP \u7684\u8d44\u6e90\u8017\u5c3d\u548c\u653b\u51fb\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
4.1\u3001 \u8fde\u63a5\u5efa\u7acb\u548c\u51c6\u5165<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u89e3\u6790\u5668\u548c\u5176\u4ed6 DNS \u5ba2\u6237\u7aef\u5e94\u8be5\u77e5\u9053\u67d0\u4e9b\u670d\u52a1\u5668\u53ef\u80fd\u65e0\u6cd5\u901a\u8fc7 TCP \u8bbf\u95ee\u3002\u51fa\u4e8e\u8fd9\u4e2a\u539f\u56e0\uff0c\u5ba2\u6237\u7aef\u53ef\u4ee5\u8ddf\u8e2a\u548c\u9650\u5236\u5bf9\u5355\u4e2a\u670d\u52a1\u5668\u7684 TCP \u8fde\u63a5\u548c\u8fde\u63a5\u5c1d\u8bd5\u7684\u6570\u91cf\u3002\u53ef\u8fbe\u6027\u95ee\u9898\u53ef\u80fd\u662f\u7531\u9760\u8fd1\u670d\u52a1\u5668\u3001\u9760\u8fd1\u5ba2\u6237\u7aef\u6216\u5b83\u4eec\u4e4b\u95f4\u8def\u5f84\u4e0a\u7684\u4efb\u4f55\u5730\u65b9\u7684\u7f51\u7edc\u5143\u7d20\u5f15\u8d77\u7684\u3002\u7f13\u5b58\u8fde\u63a5\u5931\u8d25\u7684\u79fb\u52a8\u5ba2\u6237\u7aef\u53ef\u4ee5\u5728\u6bcf\u4e2a\u7f51\u7edc\u7684\u57fa\u7840\u4e0a\u8fd9\u6837\u505a\uff0c\u6216\u8005\u53ef\u4ee5\u5728\u7f51\u7edc\u66f4\u6539\u65f6\u6e05\u9664\u8fd9\u6837\u7684\u7f13\u5b58\u3002<\/p>\n
\u6b64\u5916\uff0cDNS \u5ba2\u6237\u7aef\u53ef\u4ee5\u5bf9\u672a\u5efa\u7acb\u7684\u8fde\u63a5\u5f3a\u5236\u6267\u884c\u77ed\u6682\u7684\u8d85\u65f6\uff0c\u800c\u4e0d\u662f\u4f9d\u8d56\u4e3b\u673a\u64cd\u4f5c\u7cfb\u7edf\u7684 TCP \u8fde\u63a5\u8d85\u65f6\uff0c\u8fd9\u901a\u5e38\u7ea6\u4e3a 60-120 \u79d2\uff08\u5373\uff0c\u7531\u4e8e 1 \u79d2\u7684\u521d\u59cb\u91cd\u4f20\u8d85\u65f6\uff0c\u6307\u6570\u56de\u9000[RFC6298] \u7684\u89c4\u5219\uff0c\u4ee5\u53ca\u516d\u6b21\u91cd\u8bd5\u7684\u9650\u5236\uff0c\u8fd9\u662f Linux \u4e2d\u7684\u9ed8\u8ba4\u503c\uff09\u3002<\/p>\n
SYN \u6cdb\u6d2a\u653b\u51fb\u662f\u4e00\u79cd\u62d2\u7edd\u670d\u52a1\u65b9\u6cd5\uff0c\u5f71\u54cd\u8fd0\u884c TCP \u670d\u52a1\u5668\u8fdb\u7a0b\u7684\u4e3b\u673a [RFC4987]\u3002\u5982\u679c\u4e0d\u52a0\u4ee5\u7f13\u89e3\uff0c\u8fd9\u79cd\u653b\u51fb\u53ef\u80fd\u975e\u5e38\u6709\u6548\u3002\u6700\u6709\u6548\u7684\u7f13\u89e3\u6280\u672f\u4e4b\u4e00\u662f SYN cookie\uff0c\u5728 [RFC4987] \u7684\u7b2c 3.6 \u8282\u4e2d\u8fdb\u884c\u4e86\u63cf\u8ff0\uff0c\u5b83\u5141\u8bb8\u670d\u52a1\u5668\u907f\u514d\u5206\u914d\u4efb\u4f55\u72b6\u6001\uff0c\u76f4\u5230\u6210\u529f\u5b8c\u6210\u4e09\u6b21\u63e1\u624b\u3002<\/p>\n
\u4e0d\u6253\u7b97\u4f9b\u516c\u5171 Internet \u4f7f\u7528\u7684\u670d\u52a1\uff0c\u4f8b\u5982\u5927\u591a\u6570\u9012\u5f52\u57df\u540d\u670d\u52a1\u5668\uff0c\u5e94\u8be5\u53d7\u5230\u8bbf\u95ee\u63a7\u5236\u7684\u4fdd\u62a4\u3002\u7406\u60f3\u60c5\u51b5\u4e0b\uff0c\u8fd9\u4e9b\u63a7\u4ef6\u653e\u7f6e\u5728\u7f51\u7edc\u4e2d\uff0c\u8fdc\u5728\u4efb\u4f55\u4e0d\u9700\u8981\u7684 TCP \u6570\u636e\u5305\u5230\u8fbe DNS \u670d\u52a1\u5668\u4e3b\u673a\u6216\u5e94\u7528\u7a0b\u5e8f\u4e4b\u524d\u3002\u5982\u679c\u8fd9\u662f\u4e0d\u53ef\u80fd\u7684\uff0c\u53ef\u4ee5\u5c06\u63a7\u4ef6\u653e\u7f6e\u5728\u5e94\u7528\u7a0b\u5e8f\u672c\u8eab\u4e2d\u3002\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff08\u4f8b\u5982\uff0c\u653b\u51fb\uff09\uff0c\u53ef\u80fd\u6709\u5fc5\u8981\u4e3a\u539f\u672c\u5e94\u8be5\u53ef\u4ee5\u5168\u5c40\u8bbf\u95ee\u7684 DNS \u670d\u52a1\u90e8\u7f72\u8bbf\u95ee\u63a7\u5236\u3002\u53e6\u89c1 [RFC5358]\u3002<\/p>\n
FreeBSD \u548c NetBSD \u64cd\u4f5c\u7cfb\u7edf\u6709\u4e00\u4e2a\u201c\u63a5\u53d7\u8fc7\u6ee4\u5668\u201d\u7279\u6027\uff08[accept_filter]\uff09\uff0c\u5b83\u53ef\u4ee5\u63a8\u8fdf\u5411\u5e94\u7528\u7a0b\u5e8f\u53d1\u9001 TCP \u8fde\u63a5\uff0c\u76f4\u5230\u6536\u5230\u5b8c\u6574\u3001\u6709\u6548\u7684\u8bf7\u6c42\u3002dns_accf(9) \u8fc7\u6ee4\u5668\u786e\u4fdd\u63a5\u6536\u5230\u6709\u6548\u7684 DNS \u6d88\u606f\u3002\u5982\u679c\u6ca1\u6709\uff0c\u865a\u5047\u8fde\u63a5\u6c38\u8fdc\u4e0d\u4f1a\u5230\u8fbe\u5e94\u7528\u7a0b\u5e8f\u3002Linux TCP_DEFER_ACCEPT \u529f\u80fd\u867d\u7136\u8303\u56f4\u66f4\u6709\u9650\uff0c\u4f46\u53ef\u4ee5\u63d0\u4f9b\u4e0e BSD \u63a5\u53d7\u8fc7\u6ee4\u5668\u529f\u80fd\u76f8\u540c\u7684\u4e00\u4e9b\u597d\u5904\u3002\u8fd9\u4e9b\u529f\u80fd\u662f\u4f5c\u4e3a\u4f4e\u7ea7\u5957\u63a5\u5b57\u9009\u9879\u5b9e\u73b0\u7684\uff0c\u4e0d\u4f1a\u81ea\u52a8\u6fc0\u6d3b\u3002\u5982\u679c\u5e94\u7528\u7a0b\u5e8f\u5e0c\u671b\u4f7f\u7528\u8fd9\u4e9b\u529f\u80fd\uff0c\u4ed6\u4eec\u9700\u8981\u8fdb\u884c\u7279\u5b9a\u8c03\u7528\u4ee5\u8bbe\u7f6e\u6b63\u786e\u7684\u9009\u9879\uff0c\u5e76\u4e14\u7ba1\u7406\u5458\u53ef\u80fd\u8fd8\u9700\u8981\u914d\u7f6e\u5e94\u7528\u7a0b\u5e8f\u4ee5\u9002\u5f53\u5730\u4f7f\u7528\u8fd9\u4e9b\u529f\u80fd\u3002<\/p>\n
\u6839\u636e [RFC7766]\uff0c\u5efa\u8bae\u5e94\u7528\u7a0b\u5e8f\u548c\u7ba1\u7406\u5458\u8bb0\u4f4f\u5728\u53d1\u9001\u4efb\u4f55 UDP \u67e5\u8be2\u4e4b\u524d\u53ef\u4ee5\u4f7f\u7528 TCP\u3002\u4e0d\u5f97\u5c06\u7f51\u7edc\u548c\u5e94\u7528\u7a0b\u5e8f\u914d\u7f6e\u4e3a\u62d2\u7edd\u524d\u9762\u6ca1\u6709 UDP \u67e5\u8be2\u7684 TCP \u67e5\u8be2\u3002<\/p>\n
TCP \u5feb\u901f\u6253\u5f00 (TCP Fast Open\uff0cTFO)<\/strong> [RFC7413] \u5141\u8bb8 TCP \u5ba2\u6237\u7aef\u7f29\u77ed\u4e0e\u540c\u4e00\u670d\u52a1\u5668\u7684\u540e\u7eed\u8fde\u63a5\u7684\u63e1\u624b\u3002TFO \u5728\u8fde\u63a5\u8bbe\u7f6e\u4e2d\u8282\u7701\u4e86\u4e00\u6b21\u5f80\u8fd4\u65f6\u95f4\u3002DNS \u670d\u52a1\u5668\u5e94\u8be5\u5c3d\u53ef\u80fd\u542f\u7528 TFO\u3002\u6b64\u5916\uff0c\u96c6\u7fa4\u5728\u5355\u4e2a\u670d\u52a1\u5730\u5740\u540e\u9762\u7684 DNS \u670d\u52a1\u5668\uff08\u4f8b\u5982\uff0c\u4efb\u64ad\u6216\u8d1f\u8f7d\u5747\u8861\uff09\u5e94\u8be5\u5728\u6240\u6709\u5b9e\u4f8b\u4e0a\u4f7f\u7528\u76f8\u540c\u7684 TFO \u670d\u52a1\u5668\u5bc6\u94a5\uff0c\u6216\u8005\u4e3a\u96c6\u7fa4\u7684\u6240\u6709\u6210\u5458\u7981\u7528 TFO\u3002<\/p>\n
DNS \u5ba2\u6237\u7aef\u4e5f\u53ef\u4ee5\u542f\u7528 TFO\u3002\u5728\u64b0\u5199\u672c\u6587\u65f6\uff0c\u5b83\u5c1a\u672a\u5728\u67d0\u4e9b\u64cd\u4f5c\u7cfb\u7edf\u4e0a\u5b9e\u73b0\u6216\u9ed8\u8ba4\u7981\u7528\u3002[WIKIPEDIA_TFO] \u63cf\u8ff0\u4e86\u652f\u6301 TFO \u7684\u5e94\u7528\u7a0b\u5e8f\u548c\u64cd\u4f5c\u7cfb\u7edf\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
4.2\u3001 \u8fde\u63a5\u7ba1\u7406<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u7531\u4e8e TCP \u72b6\u6001\u7684\u4e3b\u673a\u5185\u5b58\u662f\u6709\u9650\u8d44\u6e90\uff0cDNS \u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u5e94\u8be5\u4e3b\u52a8\u7ba1\u7406\u5b83\u4eec\u7684\u8fde\u63a5\u3002\u4e0d\u4e3b\u52a8\u7ba1\u7406\u5176\u8fde\u63a5\u7684\u5e94\u7528\u7a0b\u5e8f\u53ef\u80fd\u4f1a\u9047\u5230\u8d44\u6e90\u8017\u5c3d\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u5bf9\u4e8e DNS\uff0c\u4e0e\u5728\u5176\u4ed6\u534f\u8bae\u4e2d\u4e00\u6837\uff0c\u5728\u4fdd\u6301\u8fde\u63a5\u5f00\u653e\u4ee5\u4f9b\u672a\u6765\u53ef\u80fd\u4f7f\u7528\u548c\u9700\u8981\u4e3a\u5373\u5c06\u5230\u6765\u7684\u65b0\u8fde\u63a5\u91ca\u653e\u8d44\u6e90\u4e4b\u95f4\u8fdb\u884c\u6743\u8861\u3002<\/p>\n
DNS \u670d\u52a1\u5668\u8f6f\u4ef6\u7684\u8fd0\u8425\u5546\u5e94\u8be5\u77e5\u9053\uff0c\u64cd\u4f5c\u7cfb\u7edf\u548c\u5e94\u7528\u7a0b\u5e8f\u4f9b\u5e94\u5546\u53ef\u80fd\u4f1a\u5bf9\u5df2\u5efa\u7acb\u7684\u8fde\u63a5\u603b\u6570\u65bd\u52a0\u9650\u5236\u3002\u8fd9\u4e9b\u9650\u5236\u53ef\u80fd\u65e8\u5728\u9632\u6b62 DDoS \u653b\u51fb\u6216\u6027\u80fd\u4e0b\u964d\u3002\u8fd0\u8425\u5546\u5e94\u8be5\u4e86\u89e3\u5982\u4f55\u5728\u5fc5\u8981\u65f6\u589e\u52a0\u8fd9\u4e9b\u9650\u5236\u4ee5\u53ca\u8fd9\u6837\u505a\u7684\u540e\u679c\u3002\u5e94\u7528\u7a0b\u5e8f\u65bd\u52a0\u7684\u9650\u5236\u5e94\u8be5\u4f4e\u4e8e\u64cd\u4f5c\u7cfb\u7edf\u65bd\u52a0\u7684\u9650\u5236\uff0c\u4ee5\u4fbf\u5e94\u7528\u7a0b\u5e8f\u53ef\u4ee5\u5c06\u81ea\u5df1\u7684\u7b56\u7565\u5e94\u7528\u4e8e\u8fde\u63a5\u7ba1\u7406\uff0c\u4f8b\u5982\u9996\u5148\u5173\u95ed\u6700\u65e7\u7684\u7a7a\u95f2\u8fde\u63a5\u3002<\/p>\n
DNS \u670d\u52a1\u5668\u8f6f\u4ef6\u53ef\u4ee5\u5bf9\u6bcf\u4e2a\u6e90 IP \u5730\u5740\u6216\u5b50\u7f51\u7684\u5df2\u5efa\u7acb\u8fde\u63a5\u6570\u63d0\u4f9b\u53ef\u914d\u7f6e\u7684\u9650\u5236\u3002\u8fd9\u53ef\u7528\u4e8e\u786e\u4fdd\u5355\u4e2a\u6216\u4e00\u5c0f\u7ec4\u7528\u6237\u4e0d\u80fd\u6d88\u8017\u6240\u6709 TCP \u8d44\u6e90\u5e76\u62d2\u7edd\u5411\u5176\u4ed6\u7528\u6237\u63d0\u4f9b\u670d\u52a1\u3002\u4f46\u662f\u8bf7\u6ce8\u610f\uff0c\u5982\u679c\u542f\u7528\u6b64\u9650\u5236\uff0c\u5b83\u53ef\u80fd\u4f1a\u9650\u5236\u5ba2\u6237\u7aef\u6027\u80fd\uff0c\u540c\u65f6\u4f7f\u67d0\u4e9b TCP \u8d44\u6e90\u672a\u88ab\u4f7f\u7528\u3002\u8fd0\u8425\u5546\u5e94\u8be5\u610f\u8bc6\u5230\u8fd9\u4e9b\u6743\u8861\uff0c\u5e76\u786e\u4fdd\u6839\u636e\u7528\u6237\u7684\u6570\u91cf\u548c\u591a\u6837\u6027\u4ee5\u53ca\u7528\u6237\u662f\u4ece\u552f\u4e00\u7684 IP \u5730\u5740\u8fd8\u662f\u901a\u8fc7\u5171\u4eab\u7684\u7f51\u7edc\u5730\u5740\u8f6c\u6362\u5668 (Network Address Translator\uff0cNAT) <\/strong>[RFC3022] \u6765\u9002\u5f53\u8bbe\u7f6e\u6b64\u9650\u5236\uff08\u5982\u679c\u5df2\u914d\u7f6e\uff09 .<\/p>\n
DNS \u670d\u52a1\u5668\u8f6f\u4ef6\u5e94\u8be5\u4e3a\u7a7a\u95f2 TCP \u8fde\u63a5\u63d0\u4f9b\u53ef\u914d\u7f6e\u7684\u8d85\u65f6\u3002\u8fd9\u53ef\u7528\u4e8e\u4e3a\u65b0\u8fde\u63a5\u91ca\u653e\u8d44\u6e90\u5e76\u786e\u4fdd\u6700\u7ec8\u5173\u95ed\u7a7a\u95f2\u8fde\u63a5\u3002\u540c\u65f6\uff0c\u5b83\u53ef\u80fd\u4f1a\u9650\u5236\u5ba2\u6237\u7aef\u6027\u80fd\uff0c\u540c\u65f6\u4f7f\u4e00\u4e9b TCP \u8d44\u6e90\u672a\u88ab\u5229\u7528\u3002\u5bf9\u4e8e\u975e\u5e38\u7e41\u5fd9\u7684\u57df\u540d\u670d\u52a1\u5668\uff0c\u8fd9\u53ef\u80fd\u4f1a\u8bbe\u7f6e\u4e3a\u8f83\u4f4e\u7684\u503c\uff0c\u4f8b\u5982\u51e0\u79d2\u949f\u3002\u5bf9\u4e8e\u4e0d\u592a\u7e41\u5fd9\u7684\u670d\u52a1\u5668\uff0c\u5b83\u53ef\u80fd\u4f1a\u8bbe\u7f6e\u4e3a\u66f4\u9ad8\u7684\u503c\uff0c\u4f8b\u5982\u51e0\u5341\u79d2\u3002DNS \u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u5e94\u8be5\u4f7f\u7528 edns-tcp-keepalive EDNS(0) \u9009\u9879 [RFC7828] \u6765\u901a\u77e5\u5b83\u4eec\u7684\u8d85\u65f6\u503c\u3002<\/p>\n
DNS \u670d\u52a1\u5668\u8f6f\u4ef6\u53ef\u4ee5\u5bf9\u6bcf\u4e2a TCP \u8fde\u63a5\u7684\u4e8b\u52a1\u6570\u91cf\u63d0\u4f9b\u53ef\u914d\u7f6e\u7684\u9650\u5236\u3002\u8fd9\u6709\u52a9\u4e8e\u9632\u6b62\u4e0d\u516c\u5e73\u7684\u8fde\u63a5\u4f7f\u7528\uff08\u4f8b\u5982\uff0c\u4e0d\u5411\u5176\u4ed6\u5ba2\u6237\u7aef\u91ca\u653e\u8fde\u63a5\u69fd\uff09\u548c\u7f51\u7edc\u89c4\u907f\u653b\u51fb\u3002<\/p>\n
\u540c\u6837\uff0cDNS \u670d\u52a1\u5668\u8f6f\u4ef6\u53ef\u4ee5\u5bf9 TCP \u8fde\u63a5\u7684\u603b\u6301\u7eed\u65f6\u95f4\u63d0\u4f9b\u53ef\u914d\u7f6e\u7684\u9650\u5236\u3002\u8fd9\u6709\u52a9\u4e8e\u9632\u6b62\u4e0d\u516c\u5e73\u7684\u8fde\u63a5\u4f7f\u7528\u3001\u6162\u8bfb\u653b\u51fb\u548c\u7f51\u7edc\u89c4\u907f\u653b\u51fb\u3002<\/p>\n
\u7531\u4e8e\u5ba2\u6237\u7aef\u53ef\u80fd\u4e0d\u77e5\u9053\u670d\u52a1\u5668\u65bd\u52a0\u7684\u9650\u5236\uff0c\u56e0\u6b64\u4f7f\u7528 TCP \u8fdb\u884c DNS \u7684\u5ba2\u6237\u7aef\u9700\u8981\u59cb\u7ec8\u51c6\u5907\u597d\u91cd\u65b0\u5efa\u7acb\u8fde\u63a5\u6216\u91cd\u8bd5\u672a\u5b8c\u6210\u7684\u67e5\u8be2\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
4.3\u3001 \u8fde\u63a5\u7ec8\u6b62<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u53d1\u8d77\u8fde\u63a5\u5173\u95ed\u7684 TCP \u5bf9\u7b49\u4f53\u5c06\u5957\u63a5\u5b57\u4fdd\u6301\u5728 TIME_WAIT \u72b6\u6001\u4e00\u6bb5\u65f6\u95f4\uff0c\u53ef\u80fd\u662f\u51e0\u5206\u949f\u3002\u901a\u5e38\u6700\u597d\u7531\u5ba2\u6237\u7aef\u53d1\u8d77\u5173\u95ed TCP \u8fde\u63a5\uff0c\u8fd9\u6837\u7e41\u5fd9\u7684\u670d\u52a1\u5668\u5c31\u4e0d\u4f1a\u79ef\u7d2f\u5f88\u591a\u5904\u4e8e TIME_WAIT \u72b6\u6001\u7684\u5957\u63a5\u5b57\uff0c\u8fd9\u53ef\u80fd\u4f1a\u5bfc\u81f4\u6027\u80fd\u95ee\u9898\u751a\u81f3\u62d2\u7edd\u670d\u52a1\u3002edns-tcp-keepalive EDNS(0) \u9009\u9879 [RFC7828] \u53ef\u7528\u4e8e\u9f13\u52b1\u5ba2\u6237\u7aef\u5173\u95ed\u8fde\u63a5\u3002<\/p>\n
\u5728 TIME_WAIT \u4e2d\u89c2\u5bdf\u5230\u5927\u91cf\u5957\u63a5\u5b57\uff08\u4f5c\u4e3a\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\uff09\u5e76\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u6027\u80fd\u7684\u7cfb\u7edf\u4e0a\uff0c\u8c03\u6574\u672c\u5730 TCP \u53c2\u6570\u53ef\u80fd\u5f88\u8bf1\u4eba\u3002\u4f8b\u5982\uff0cLinux \u5185\u6838\u6709\u4e00\u4e2a\u540d\u4e3a net.ipv4.tcp_tw_reuse \u7684\u201csysctl\u201d\u53c2\u6570\uff0c\u5b83\u5141\u8bb8\u5728\u7279\u5b9a\u60c5\u51b5\u4e0b\u590d\u7528\u5904\u4e8e TIME_WAIT \u72b6\u6001\u7684\u8fde\u63a5\u3002\u4f46\u662f\u8bf7\u6ce8\u610f\uff0c\u8fd9\u4ec5\u5f71\u54cd\u4f20\u51fa\uff08\u5ba2\u6237\u7aef\uff09\u8fde\u63a5\uff0c\u5bf9\u670d\u52a1\u5668\u6ca1\u6709\u5f71\u54cd\u3002\u5728\u5927\u591a\u6570\u60c5\u51b5\u4e0b\uff0c\u4e0d\u5efa\u8bae\u66f4\u6539\u4e0e TIME_WAIT \u72b6\u6001\u76f8\u5173\u7684\u53c2\u6570\u3002\u5b83\u53ea\u80fd\u7531\u5bf9 TCP \u548c\u53d7\u5f71\u54cd\u7684\u5e94\u7528\u7a0b\u5e8f\u6709\u8be6\u7ec6\u4e86\u89e3\u7684\u4eba\u5458\u6765\u5b8c\u6210\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
4.4\u3001 \u57fa\u4e8e TLS \u7684 DNS<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
DNS \u6d88\u606f\u53ef\u4ee5\u901a\u8fc7 TLS \u53d1\u9001\uff0c\u4ee5\u5728\u5b58\u6839\u548c\u9012\u5f52\u89e3\u6790\u5668\u4e4b\u95f4\u63d0\u4f9b\u9690\u79c1\u3002[RFC7858] \u662f\u4e00\u4e2a\u6807\u51c6\u8ddf\u8e2a\u6587\u6863\uff0c\u63cf\u8ff0\u4e86\u5b83\u662f\u5982\u4f55\u5de5\u4f5c\u7684\u3002\u5c3d\u7ba1 DNS over TLS \u4f7f\u7528 TCP \u7aef\u53e3 853 \u800c\u4e0d\u662f\u7aef\u53e3 53\uff0c\u4f46\u672c\u6587\u6863\u540c\u6837\u9002\u7528\u4e8e DNS over TLS\u3002\u4f46\u662f\u8bf7\u6ce8\u610f\uff0c\u5728\u64b0\u5199\u672c\u6587\u65f6\uff0c\u4ec5\u5728\u5b58\u6839\u548c\u9012\u5f52\u4e4b\u95f4\u5b9a\u4e49\u4e86\u57fa\u4e8e TLS \u7684 DNS\u3002<\/p>\n
TLS \u7684\u4f7f\u7528\u7ed9 DNS \u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u5e26\u6765\u4e86\u66f4\u5927\u7684\u8fd0\u8425\u8d1f\u62c5\u3002\u7528\u4e8e\u8eab\u4efd\u9a8c\u8bc1\u548c\u52a0\u5bc6\u7684\u52a0\u5bc6\u529f\u80fd\u9700\u8981\u989d\u5916\u7684\u5904\u7406\u3002\u4e0e TCP \u76f8\u6bd4\uff0c\u4f7f\u7528 TLS 1.3 [RFC8446] \u7684\u672a\u4f18\u5316\u8fde\u63a5\u8bbe\u7f6e\u9700\u8981\u591a\u4e00\u6b21\u5f80\u8fd4\u3002\u4f7f\u7528 TLS 1.2 \u7684 TCP Fast Open \u548c TLS False Start [RFC7918] \u53ef\u4ee5\u51cf\u5c11\u8fde\u63a5\u8bbe\u7f6e\u65f6\u95f4\u3002TLS 1.3 \u4f1a\u8bdd\u6062\u590d\u4e0d\u4f1a\u51cf\u5c11\u5f80\u8fd4\u5ef6\u8fdf\uff0c\u56e0\u4e3a\u5728\u64b0\u5199\u672c\u6587\u65f6\u5c1a\u672a\u53d1\u5e03\u4f7f\u7528 DNS \u7684 TLS 0-RTT \u6570\u636e\u7684\u5e94\u7528\u7a0b\u5e8f\u914d\u7f6e\u6587\u4ef6\u3002\u4f46\u662f\uff0cTLS \u4f1a\u8bdd\u6062\u590d\u53ef\u4ee5\u51cf\u5c11\u52a0\u5bc6\u64cd\u4f5c\u7684\u6570\u91cf\uff0c\u5e76\u4e14\u5728 TLS 1.2 \u4e2d\uff0c\u4f1a\u8bdd\u6062\u590d\u786e\u5b9e\u5c06\u989d\u5916\u7684\u5f80\u8fd4\u6b21\u6570\u4ece\u4e24\u6b21\u51cf\u5c11\u5230\u4e00\u6b21\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
4.5\u3001 \u9ed8\u8ba4\u503c\u548c\u63a8\u8350\u9650\u5236<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u5728\u64b0\u5199\u672c\u6587\u65f6\uff0c\u5bf9\u6d41\u884c\u7684\u5f00\u6e90 DNS \u670d\u52a1\u5668\u5b9e\u65bd\u8fdb\u884c\u4e86\u529f\u80fd\u548c\u9ed8\u8ba4\u8bbe\u7f6e\u7684\u8c03\u67e5\u3002\u672c\u8282\u8bb0\u5f55\u4e86\u8fd9\u4e9b\u9ed8\u8ba4\u503c\uff0c\u5e76\u5c31\u53ef\u5728\u6ca1\u6709\u4efb\u4f55\u5176\u4ed6\u4fe1\u606f\u7684\u60c5\u51b5\u4e0b\u4f7f\u7528\u7684\u53ef\u914d\u7f6e\u9650\u5236\u63d0\u51fa\u5efa\u8bae\u3002\u672c\u6587\u6863\u4e2d\u7684\u4efb\u4f55\u63a8\u8350\u503c\u4ec5\u4f9b\u4e0d\u786e\u5b9a\u54ea\u79cd\u9650\u5236\u53ef\u80fd\u662f\u5408\u7406\u7684\u7ba1\u7406\u5458\u7684\u8d77\u70b9\u3002\u8fd0\u8425\u5546\u5e94\u8be5\u4f7f\u7528\u7279\u5b9a\u4e8e\u5e94\u7528\u7a0b\u5e8f\u7684\u76d1\u63a7\u3001\u7cfb\u7edf\u65e5\u5fd7\u548c\u7cfb\u7edf\u76d1\u63a7\u5de5\u5177\u6765\u8861\u91cf\u4ed6\u4eec\u7684\u670d\u52a1\u662f\u5426\u5728\u8fd9\u4e9b\u9650\u5236\u8303\u56f4\u5185\u6216\u8d85\u8fc7\u8fd9\u4e9b\u9650\u5236\u8303\u56f4\u5185\u8fd0\u884c\uff0c\u5e76\u8fdb\u884c\u76f8\u5e94\u7684\u8c03\u6574\u3002<\/p>\n
\u5927\u591a\u6570\u5f00\u6e90 DNS \u670d\u52a1\u5668\u5b9e\u73b0\u5bf9\u5df2\u5efa\u7acb\u7684\u8fde\u63a5\u603b\u6570\u63d0\u4f9b\u4e86\u53ef\u914d\u7f6e\u7684\u9650\u5236\u3002\u9ed8\u8ba4\u503c\u8303\u56f4\u4ece 20 \u5230 150\u3002\u5728\u5927\u591a\u6570\u60c5\u51b5\u4e0b\uff0c\u5927\u591a\u6570\u67e5\u8be2\u901a\u8fc7 UDP \u8fdb\u884c\uff0c150 \u662f\u4e00\u4e2a\u5408\u7406\u7684\u9650\u5236\u3002\u5bf9\u4e8e\u5927\u591a\u6570\u67e5\u8be2\u901a\u8fc7 TCP \u6216 TLS \u8fdb\u884c\u7684\u670d\u52a1\u6216\u73af\u5883\uff0c5000 \u662f\u66f4\u5408\u9002\u7684\u9650\u5236\u3002<\/p>\n
\u53ea\u6709\u4e00\u4e9b\u5f00\u6e90\u5b9e\u73b0\u63d0\u4f9b\u4e86\u4e00\u79cd\u65b9\u6cd5\u6765\u9650\u5236\u6bcf\u4e2a\u6e90 IP \u5730\u5740\u6216\u5b50\u7f51\u7684\u8fde\u63a5\u6570\uff0c\u4f46\u9ed8\u8ba4\u8bbe\u7f6e\u662f\u6ca1\u6709\u9650\u5236\u3002\u5bf9\u4e8e\u53ef\u80fd\u9700\u8981\u542f\u7528\u6b64\u9650\u5236\u7684\u73af\u5883\u6216\u60c5\u51b5\uff0c\u6bcf\u4e2a\u6e90 IP \u5730\u5740 25 \u4e2a\u8fde\u63a5\u662f\u4e00\u4e2a\u5408\u7406\u7684\u8d77\u70b9\u3002\u5f53\u6309\u5b50\u7f51\u805a\u5408\u6216\u5927\u591a\u6570\u67e5\u8be2\u901a\u8fc7 TCP \u6216 TLS \u8fdb\u884c\u7684\u670d\u52a1\u65f6\uff0c\u5e94\u589e\u52a0\u9650\u5236\u3002<\/p>\n
\u5927\u591a\u6570\u5f00\u6e90\u5b9e\u73b0\u90fd\u63d0\u4f9b\u4e86\u53ef\u914d\u7f6e\u7684\u8fde\u63a5\u7a7a\u95f2\u8d85\u65f6\u3002\u9ed8\u8ba4\u503c\u8303\u56f4\u4e3a 2 \u5230 30 \u79d2\u3002\u5728\u5927\u591a\u6570\u60c5\u51b5\u4e0b\uff0c10 \u79d2\u662f\u6b64\u9650\u5236\u7684\u5408\u7406\u9ed8\u8ba4\u503c\u3002\u66f4\u957f\u7684\u8d85\u65f6\u65f6\u95f4\u53ef\u4ee5\u63d0\u9ad8\u8fde\u63a5\u590d\u7528\uff0c\u4f46\u7e41\u5fd9\u7684\u670d\u52a1\u5668\u53ef\u80fd\u9700\u8981\u4f7f\u7528\u4e0b\u9650\u3002<\/p>\n
\u53ea\u6709\u4e00\u4e9b\u5f00\u6e90\u5b9e\u73b0\u63d0\u4f9b\u4e86\u4e00\u79cd\u65b9\u6cd5\u6765\u9650\u5236\u6bcf\u4e2a\u8fde\u63a5\u7684\u4e8b\u52a1\u6570\uff0c\u4f46\u9ed8\u8ba4\u8bbe\u7f6e\u662f\u6ca1\u6709\u9650\u5236\u3002\u672c\u6587\u6863\u4e0d\u63d0\u4f9b\u6709\u5173\u6b64\u7c7b\u9650\u5236\u7684\u7279\u5b9a\u503c\u7684\u5efa\u8bae\u3002<\/p>\n
\u53ea\u6709\u4e00\u4e9b\u5f00\u6e90\u5b9e\u73b0\u63d0\u4f9b\u4e86\u4e00\u79cd\u9650\u5236\u8fde\u63a5\u6301\u7eed\u65f6\u95f4\u7684\u65b9\u6cd5\uff0c\u4f46\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u662f\u6ca1\u6709\u9650\u5236\u7684\u3002\u672c\u6587\u6863\u4e0d\u63d0\u4f9b\u6709\u5173\u6b64\u7c7b\u9650\u5236\u7684\u7279\u5b9a\u503c\u7684\u5efa\u8bae\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
5\u3001 DNS-over-TCP \u8fc7\u6ee4\u98ce\u9669<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u901a\u8fc7 TCP \u8fc7\u6ee4 DNS \u7684\u7f51\u7edc\u53ef\u80fd\u4f1a\u5931\u53bb\u5bf9 DNS \u57df\u540d\u7a7a\u95f4\u7684\u91cd\u8981\u6216\u91cd\u8981\u90e8\u5206\u7684\u8bbf\u95ee\u6743\u9650\u3002\u7531\u4e8e\u5404\u79cd\u539f\u56e0\uff0cDNS \u5e94\u7b54\u53ef\u80fd\u9700\u8981 DNS-over-TCP \u67e5\u8be2\u3002\u8fd9\u53ef\u80fd\u5305\u62ec\u5927\u578b\u6d88\u606f\u3001\u7f3a\u4e4f EDNS(0) \u652f\u6301\u6216 DDoS \u7f13\u89e3\u6280\u672f\uff08\u5305\u62ec\u54cd\u5e94\u901f\u7387\u9650\u5236 [Response Rate Limiting\uff0cRRL]<\/strong>\uff09\uff1b\u6b64\u5916\uff0c\u4e5f\u8bb8\u4e00\u4e9b\u5c1a\u672a\u9884\u89c1\u7684\u672a\u6765\u80fd\u529b\u4e5f\u5c06\u9700\u8981 TCP \u4f20\u8f93\u3002<\/p>\n
\u4f8b\u5982\uff0c[RFC7901] \u63cf\u8ff0\u4e86\u4e00\u79cd\u5728 DNS \u54cd\u5e94\u4e2d\u53d1\u9001\u989d\u5916\u6570\u636e\u7684\u5ef6\u8fdf\u907f\u514d\u6280\u672f\u3002\u8fd9\u4f7f\u5f97\u54cd\u5e94\u66f4\u5927\uff0c\u5e76\u53ef\u80fd\u63d0\u9ad8 DDoS \u53cd\u5c04\u653b\u51fb\u7684\u6709\u6548\u6027\u3002\u8be5\u89c4\u8303\u8981\u6c42\u4f7f\u7528 TCP \u6216 DNS cookie [RFC7873]\u3002<\/p>\n
\u5373\u4f7f\u8fc7\u53bb\u4f7f\u7528 UDP \u6210\u529f\u8fd4\u56de\u4e86\u4efb\u4f55\u6216\u6240\u6709\u7279\u5b9a\u54cd\u5e94\uff0c\u4f46\u5728\u81ea\u6cbb\u7cfb\u7edf\u4e4b\u95f4\u4ea4\u6362 DNS \u6d88\u606f\u65f6\uff0c\u65e0\u6cd5\u4fdd\u8bc1\u8fd9\u79cd\u6301\u7eed\u884c\u4e3a\u3002\u56e0\u6b64\uff0c\u901a\u8fc7 TCP \u8fc7\u6ee4 DNS \u88ab\u8ba4\u4e3a\u662f\u6709\u5bb3\u7684\uff0c\u5e76\u4e14\u4e0e Internet \u7684\u5b89\u5168\u548c\u6210\u529f\u8fd0\u884c\u80cc\u9053\u800c\u9a70\u3002\u672c\u8282\u5217\u4e3e\u4e86\u5728\u64b0\u5199\u672c\u6587\u65f6\u7f51\u7edc\u901a\u8fc7 TCP \u8fc7\u6ee4 DNS \u65f6\u7684\u4e00\u4e9b\u5df2\u77e5\u98ce\u9669\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
5.1\u3001 \u622a\u65ad\u3001\u91cd\u8bd5\u548c\u8d85\u65f6<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u901a\u8fc7 TCP \u8fc7\u6ee4 DNS \u7684\u7f51\u7edc\u53ef\u80fd\u4f1a\u65e0\u610f\u4e2d\u5bfc\u81f4\u7b2c\u4e09\u65b9\u89e3\u6790\u5668\u51fa\u73b0\u95ee\u9898\uff0c\u6b63\u5982 [TOYAMA] \u6240\u7ecf\u5386\u7684\u90a3\u6837\u3002\u4f8b\u5982\uff0c\u89e3\u6790\u5668\u63a5\u6536\u5bf9\u4e2d\u7b49\u6d41\u884c\u57df\u7684\u67e5\u8be2\u3002\u89e3\u6790\u5668\u5c06\u67e5\u8be2\u8f6c\u53d1\u5230\u57df\u7684\u6743\u5a01\u57df\u540d\u670d\u52a1\u5668\uff0c\u4f46\u8fd9\u4e9b\u670d\u52a1\u5668\u4ee5\u8bbe\u7f6e\u7684 TC \u4f4d\u8fdb\u884c\u54cd\u5e94\u3002\u89e3\u6790\u5668\u901a\u8fc7 TCP \u91cd\u8bd5\uff0c\u4f46\u6743\u5a01\u670d\u52a1\u5668\u901a\u8fc7 TCP \u963b\u6b62 DNS\u3002\u6302\u8d77\u7684\u8fde\u63a5\u4f1a\u6d88\u8017\u89e3\u6790\u5668\u4e0a\u7684\u8d44\u6e90\uff0c\u76f4\u5230\u8d85\u65f6\u3002\u5982\u679c\u8fd9\u4e9b\u88ab\u622a\u65ad\u7136\u540e\u963b\u585e\u7684\u67e5\u8be2\u7684\u6570\u91cf\u548c\u9891\u7387\u8db3\u591f\u9ad8\uff0c\u90a3\u4e48\u89e3\u6790\u5668\u4f1a\u5c06\u5b9d\u8d35\u7684\u8d44\u6e90\u6d6a\u8d39\u5728\u6c38\u8fdc\u65e0\u6cd5\u56de\u7b54\u7684\u67e5\u8be2\u4e0a\u3002\u53d7\u5f71\u54cd\u7684 DNS \u89e3\u6790\u5668\u8fd0\u8425\u5546\u901a\u5e38\u4e0d\u4f1a\u8f7b\u6613\u6216\u5b8c\u5168\u7f13\u89e3\u8fd9\u79cd\u60c5\u51b5\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
5.2\u3001 DNS \u6839\u533a KSK \u8f6e\u8f6c<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u4e3a\u6839\u533a\u57df\u90e8\u7f72 DNSSEC KSK \u7684\u8ba1\u5212\u7a81\u51fa\u4e86\u68c0\u7d22\u6839\u533a\u57df\u5bc6\u94a5\u96c6 [LEWIS] \u7684\u6f5c\u5728\u95ee\u9898\u3002\u5728 KSK \u7ffb\u8f6c\u8fc7\u7a0b\u7684\u67d0\u4e9b\u9636\u6bb5\uff0c\u6839\u533a\u57df DNSKEY \u54cd\u5e94\u5927\u4e8e 1280 \u5b57\u8282\uff0c\u8fd9\u662f\u627f\u8f7d IPv6 \u6d41\u91cf\u7684\u94fe\u8def\u7684 IPv6 \u6700\u5c0f MTU [RFC8200]\u3002\u6709\u4eba\u62c5\u5fc3\u4efb\u4f55\u65e0\u6cd5\u901a\u8fc7 UDP \u63a5\u6536\u5927\u578b DNS \u6d88\u606f\u6216\u4efb\u4f55\u901a\u8fc7 TCP \u7684 DNS \u6d88\u606f\u7684 DNS \u670d\u52a1\u5668\u5728\u6267\u884c DNSSEC \u9a8c\u8bc1\u65f6\u4f1a\u9047\u5230\u4e2d\u65ad [KSK_ROLLOVER_ARCHIVES]\u3002<\/p>\n
\u4f46\u662f\uff0c\u5728\u957f\u8fbe\u4e00\u5e74\u7684 KSK \u8f6e\u8f6c\u5ef6\u671f\u671f\u95f4\uff0c\u5f53\u65b0\u65e7\u5bc6\u94a5\u90fd\u5728\u533a\u57df\u4e2d\u53d1\u5e03\u65f6\uff0c\u6ca1\u6709\u62a5\u544a\u53ef\u5f52\u56e0\u4e8e 1414 \u516b\u4f4d\u5b57\u8282 DNSKEY \u54cd\u5e94\u7684\u95ee\u9898\u3002\u6b64\u5916\uff0c\u5728\u65e7\u5bc6\u94a5\u53d1\u5e03\u4e3a\u5df2\u64a4\u9500\u4e14 DNSKEY \u54cd\u5e94\u5927\u5c0f\u4e3a 1425 \u4e2a\u516b\u4f4d\u5b57\u8282 [ROLL_YOUR_ROOT] \u7684\u4e24\u4e2a\u6708\u671f\u95f4\uff0c\u6ca1\u6709\u62a5\u544a\u4efb\u4f55\u95ee\u9898\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
6\u3001 \u8bb0\u5f55\u548c\u76d1\u63a7<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u8bb0\u5f55\u6216\u76d1\u63a7 DNS \u7684\u5e94\u7528\u7a0b\u5e8f\u5f00\u53d1\u4eba\u5458\u4e0d\u5e94\u56e0\u4e3a\u8ba4\u4e3a TCP \u5f88\u5c11\u4f7f\u7528\u6216\u96be\u4ee5\u5904\u7406\u800c\u5ffd\u7565\u5b83\u3002\u8fd0\u8425\u5546\u5e94\u786e\u4fdd\u5176\u76d1\u63a7\u548c\u65e5\u5fd7\u8bb0\u5f55\u5e94\u7528\u7a0b\u5e8f\u901a\u8fc7 TCP \u6b63\u786e\u6355\u83b7 DNS \u6d88\u606f\u3002\u5426\u5219\uff0c\u53ef\u80fd\u65e0\u6cd5\u68c0\u6d4b\u5230\u653b\u51fb\u3001\u6e17\u900f\u5c1d\u8bd5\u548c\u6b63\u5e38\u6d41\u91cf\u3002<\/p>\n
TCP \u4e0a\u7684 DNS \u6d88\u606f\u4e0d\u80fd\u4fdd\u8bc1\u5728\u5355\u4e2a\u6bb5\u4e2d\u5230\u8fbe\u3002\u4e8b\u5b9e\u4e0a\uff0c\u806a\u660e\u7684\u653b\u51fb\u8005\u53ef\u80fd\u4f1a\u8bd5\u56fe\u901a\u8fc7\u5c06\u67d0\u4e9b\u6d88\u606f\u5f3a\u5236\u901a\u8fc7\u975e\u5e38\u5c0f\u7684 TCP \u6bb5\u6765\u9690\u85cf\u67d0\u4e9b\u6d88\u606f\u3002\u6355\u83b7\u7f51\u7edc\u6570\u636e\u5305\u7684\u5e94\u7528\u7a0b\u5e8f\uff08\u4f8b\u5982\uff0c\u4f7f\u7528 libpcap [libpcap]\uff09\u5e94\u8be5\u5b9e\u73b0\u5e76\u6267\u884c\u5b8c\u6574\u7684 TCP \u6d41\u91cd\u7ec4\u5e76\u5206\u6790\u91cd\u7ec4\u540e\u7684\u6d41\u800c\u4e0d\u662f\u5355\u4e2a\u6570\u636e\u5305\u3002\u5426\u5219\uff0c\u5b83\u4eec\u5f88\u5bb9\u6613\u53d7\u5230\u7f51\u7edc\u89c4\u907f\u653b\u51fb [phrack]\u3002\u6b64\u5916\uff0c\u6b64\u7c7b\u5e94\u7528\u7a0b\u5e8f\u9700\u8981\u901a\u8fc7\u9650\u5236\u5206\u914d\u7ed9\u8ddf\u8e2a\u672a\u786e\u8ba4\u7684\u8fde\u63a5\u72b6\u6001\u6570\u636e\u7684\u5185\u5b58\u91cf\u6765\u4fdd\u62a4\u81ea\u5df1\u514d\u53d7\u8d44\u6e90\u8017\u5c3d\u653b\u51fb\u3002dnscap [dnscap] \u662f\u5b9e\u73b0 TCP \u6d41\u91cd\u7ec4\u7684 DNS \u65e5\u5fd7\u8bb0\u5f55\u7a0b\u5e8f\u7684\u5f00\u6e90\u793a\u4f8b\u3002<\/p>\n
\u5728\u6784\u5efa\u548c\u6d4b\u8bd5 DNS \u76d1\u63a7\u5e94\u7528\u7a0b\u5e8f\u65f6\uff0c\u5f00\u53d1\u4eba\u5458\u8fd8\u5e94\u8be5\u7262\u8bb0\u8fde\u63a5\u590d\u7528\u3001\u67e5\u8be2\u7ba1\u9053\u548c\u4e71\u5e8f\u54cd\u5e94\u3002<\/p>\n
\u4f5c\u4e3a\u6570\u636e\u5305\u6355\u83b7\u7684\u66ff\u4ee3\u65b9\u6848\uff0c\u4e00\u4e9b DNS \u670d\u52a1\u5668\u8f6f\u4ef6\u652f\u6301 dnstap [dnstap] \u4f5c\u4e3a\u65e8\u5728\u4fc3\u8fdb\u5927\u89c4\u6a21 DNS \u76d1\u63a7\u7684\u96c6\u6210\u76d1\u63a7\u534f\u8bae\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
7\u3001 IANA \u8003\u8651\u4e8b\u9879<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u672c\u6587\u6863\u6ca1\u6709 IANA \u64cd\u4f5c\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
8\u3001 \u5b89\u5168\u8003\u8651<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u672c\u6587\u6863\u63d0\u4f9b\u4e86\u64cd\u4f5c\u8981\u6c42\uff0c\u662f [RFC7766] \u4e2d\u63d0\u4f9b\u7684\u57fa\u4e8e TCP \u7684 DNS \u5b9e\u65bd\u8981\u6c42\u7684\u914d\u5957\u6587\u4ef6\u3002[RFC7766] \u4e2d\u7684\u5b89\u5168\u8003\u8651\u4ecd\u7136\u9002\u7528\u3002<\/p>\n
\u5177\u6709\u8bbd\u523a\u610f\u5473\u7684\u662f\uff0c\u8fd4\u56de\u622a\u65ad\u7684 DNS-over-UDP \u54cd\u5e94\u4ee5\u8bf1\u5bfc\u5ba2\u6237\u7aef\u67e5\u8be2\u5207\u6362\u5230\u57fa\u4e8e TCP \u7684 DNS \u5df2\u6210\u4e3a\u5bf9\u6e90\u5730\u5740\u6b3a\u9a97\u3001DNS \u62d2\u7edd\u670d\u52a1\u653b\u51fb [RRL] \u7684\u5e38\u89c1\u54cd\u5e94\u3002\u4ece\u5386\u53f2\u4e0a\u770b\uff0c\u8fd0\u8425\u5546\u4e00\u76f4\u5bf9\u57fa\u4e8e TCP \u7684\u653b\u51fb\u4fdd\u6301\u8b66\u60d5\uff0c\u4f46\u8fd1\u5e74\u6765\uff0c\u57fa\u4e8e UDP \u7684\u6cdb\u6d2a\u653b\u51fb\u5df2\u88ab\u8bc1\u660e\u662f\u6700\u5e38\u89c1\u7684 DNS \u534f\u8bae\u653b\u51fb\u3002\u7136\u800c\uff0cTCP \u4e0a\u7684\u9ad8\u901f\u7387\u77ed\u671f DNS \u4e8b\u52a1\u53ef\u80fd\u4f1a\u5e26\u6765\u6311\u6218\u3002\u4e8b\u5b9e\u4e0a\uff0c\u5982\u679c\u53ef\u4ee5\u9884\u6d4b IP \u6807\u8bc6\u7b26\u5b57\u6bb5\uff08IPv4 \u4e2d\u7684 16 \u4f4d\u548c IPv6 \u4e2d\u7684 32 \u4f4d\uff09\u5e76\u4e14\u7cfb\u7edf\u88ab\u5f3a\u5236\u5206\u7247\u800c\u4e0d\u662f\u91cd\u4f20\u6d88\u606f\uff0c\u5219 [DAI21] \u8be6\u7ec6\u4ecb\u7ecd\u4e86\u9488\u5bf9 DNS \u4e8b\u52a1\u7684\u4e00\u7c7b IP \u5206\u7247\u653b\u51fb\u3002\u5c3d\u7ba1\u8bb8\u591a\u8fd0\u8425\u5546\u591a\u5e74\u6765\u4e00\u76f4\u5728\u6beb\u65e0\u80c1\u8feb\u5730\u63d0\u4f9b DNS-over-TCP \u670d\u52a1\uff0c\u4f46\u8fc7\u53bb\u7684\u7ecf\u9a8c\u5e76\u4e0d\u80fd\u4fdd\u8bc1\u672a\u6765\u7684\u6210\u529f\u3002<\/p>\n
\u57fa\u4e8e TCP \u7684 DNS \u7c7b\u4f3c\u4e8e\u8bb8\u591a\u5176\u4ed6 Internet TCP \u670d\u52a1\u3002TCP \u5a01\u80c1\u548c\u8bb8\u591a\u7f13\u89e3\u7b56\u7565\u5df2\u5728 [RFC4953]\u3001[RFC4987]\u3001[RFC5927] \u548c [RFC5961] \u7b49\u4e00\u7cfb\u5217\u6587\u6863\u4e2d\u8be6\u7ec6\u8bb0\u5f55\u3002<\/p>\n
\u5982\u7b2c 6 \u8282\u6240\u8ff0\uff0c\u5b9e\u73b0 TCP \u6d41\u91cd\u7ec4\u7684\u5e94\u7528\u7a0b\u5e8f\u9700\u8981\u9650\u5236\u5206\u914d\u7ed9\u8fde\u63a5\u8ddf\u8e2a\u7684\u5185\u5b58\u91cf\u3002\u4e0d\u8fd9\u6837\u505a\u53ef\u80fd\u4f1a\u5bfc\u81f4\u65e5\u5fd7\u8bb0\u5f55\u6216\u76d1\u63a7\u5e94\u7528\u7a0b\u5e8f\u5b8c\u5168\u5931\u8d25\u3002\u5f3a\u52a0\u8d44\u6e90\u9650\u5236\u5728\u5141\u8bb8\u67d0\u4e9b\u6d41\u91cd\u7ec4\u7ee7\u7eed\u548c\u5141\u8bb8\u67d0\u4e9b\u89c4\u907f\u653b\u51fb\u6210\u529f\u4e4b\u95f4\u8fdb\u884c\u6743\u8861\u3002<\/p>\n
\u672c\u6587\u6863\u5efa\u8bae DNS \u670d\u52a1\u5668\u5c3d\u53ef\u80fd\u542f\u7528 TFO\u3002[RFC7413] \u5efa\u8bae\u8d1f\u8f7d\u5747\u8861\u5668\u540e\u9762\u7684\u670d\u52a1\u5668\u6c60\u4e0e\u5171\u4eab\u670d\u52a1\u5668 IP \u5730\u5740\u5171\u4eab\u7528\u4e8e\u751f\u6210\u5feb\u901f\u6253\u5f00 cookie \u7684\u5bc6\u94a5\uff0c\u4ee5\u9632\u6b62\u8fc7\u5ea6\u56de\u9000\u5230\u4e09\u6b21\u63e1\u624b (three-way handshake\uff0c3WHS)<\/strong>\u3002\u8be5\u6307\u5357\u4ecd\u7136\u51c6\u786e\uff0c\u4f46\u6709\u4e00\u4e2a\u8b66\u544a\uff1a\u7834\u574f\u4e00\u53f0\u670d\u52a1\u5668\u4f1a\u6cc4\u9732\u6b64\u7ec4\u5171\u4eab\u5bc6\u94a5\uff0c\u5e76\u5141\u8bb8\u901a\u8fc7\u4f2a\u9020\u65e0\u6548\u7684\u5feb\u901f\u6253\u5f00 cookie \u6765\u8fdb\u884c\u6d89\u53ca\u6c60\u4e2d\u5176\u4ed6\u670d\u52a1\u5668\u7684\u653b\u51fb\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
9\u3001 \u9690\u79c1\u6ce8\u610f\u4e8b\u9879<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u7531\u4e8e UDP \u548c TCP \u4e0a\u7684 DNS \u4f7f\u7528\u76f8\u540c\u7684\u5e95\u5c42\u6d88\u606f\u683c\u5f0f\uff0c\u4f7f\u7528\u4e00\u79cd\u4f20\u8f93\u800c\u4e0d\u662f\u53e6\u4e00\u79cd\u4f20\u8f93\u4e0d\u4f1a\u6539\u53d8\u6d88\u606f\u5185\u5bb9\u7684\u9690\u79c1\u7279\u5f81\uff08\u5373\u88ab\u67e5\u8be2\u7684\u540d\u79f0\uff09\u3002\u6700\u8fd1\u5f00\u53d1\u4e86\u8bb8\u591a\u534f\u8bae\u6765\u63d0\u4f9b DNS \u9690\u79c1\uff0c\u5305\u62ec\u57fa\u4e8e TLS \u7684 DNS [RFC7858]\u3001\u57fa\u4e8e DTLS \u7684 DNS [RFC8094]\u3001\u57fa\u4e8e HTTPS \u7684 DNS [RFC8484]\uff0c\u8fd8\u6709\u66f4\u591a\u534f\u8bae\u6b63\u5728\u5f00\u53d1\u4e2d\u3002<\/p>\n
\u56e0\u4e3a TCP \u6bd4 UDP \u7a0d\u5fae\u590d\u6742\u4e00\u4e9b\uff0c\u6240\u4ee5 TCP \u5bf9\u8bdd\u7684\u67d0\u4e9b\u7279\u5f81\u53ef\u80fd\u4f1a\u542f\u7528 DNS \u5ba2\u6237\u7aef\u6307\u7eb9\u8bc6\u522b\u548c\u8ddf\u8e2a\uff0c\u800c\u8fd9\u5728 UDP \u4e2d\u662f\u4e0d\u53ef\u80fd\u7684\u3002\u4f8b\u5982\uff0c\u521d\u59cb\u5e8f\u5217\u53f7\u3001\u7a97\u53e3\u5927\u5c0f\u548c\u9009\u9879\u7684\u9009\u62e9\u53ef\u80fd\u80fd\u591f\u8bc6\u522b\u7279\u5b9a\u7684 TCP \u5b9e\u73b0\uff0c\u751a\u81f3\u53ef\u4ee5\u8bc6\u522b\u5171\u4eab\u8d44\u6e90\uff08\u5982 NAT\uff09\u540e\u9762\u7684\u5355\u4e2a\u4e3b\u673a\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
10\u3001 \u53c2\u8003\u6587\u732e<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
\n
\n
<\/div><\/section>\n
10.1\u3001 \u89c4\u8303\u6027\u53c2\u8003<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
[RFC1035<\/span>] Mockapetris, P., \"Domain names -implementation and specification\"<\/span>, STD 13<\/span>, RFC 1035<\/span>, DOI 10.17487<\/span>\/RFC1035, November 1987<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc1035>.<\/span><\/span><\/code>[RFC2119<\/span>] Bradner, S., \"Key words for use in RFCs to Indicate Requirement Levels\"<\/span>, BCP 14<\/span>, RFC 2119<\/span>, DOI 10.17487<\/span>\/RFC2119, March 1997<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc2119>.<\/span><\/span><\/code>[RFC2181<\/span>] Elz, R. and R. Bush, \"Clarifications to the DNS Specification\"<\/span>, RFC 2181<\/span>, DOI 10.17487<\/span>\/RFC2181, July 1997<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc2181>.<\/span><\/span><\/code>[RFC6891<\/span>] Damas, J., Graff, M., and P. Vixie, \"Extension Mechanisms for DNS (EDNS(0))\"<\/span>, STD 75<\/span>, RFC 6891<\/span>, DOI 10.17487<\/span>\/RFC6891, April 2013<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc6891>.<\/span><\/span><\/code>[RFC7766<\/span>] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and D. Wessels, \"DNS Transport over TCP -Implementation Requirements\"<\/span>, RFC 7766<\/span>, DOI 10.17487<\/span>\/RFC7766, March 2016<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc7766>.<\/span><\/span><\/code>[RFC7828<\/span>] Wouters, P., Abley, J., Dickinson, S., and R. Bellis, \"The edns-tcp-keepalive EDNS0 Option\"<\/span>, RFC 7828<\/span>, DOI 10.17487<\/span>\/RFC7828, April 2016<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc7828>.<\/span><\/span><\/code>[RFC7873<\/span>] Eastlake 3<\/span>rd, D. and M. Andrews, \"Domain Name System (DNS) Cookies\"<\/span>, RFC 7873<\/span>, DOI 10.17487<\/span>\/RFC7873, May 2016<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc7873>.<\/span><\/span><\/code>[RFC8174<\/span>] Leiba, B., \"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words\"<\/span>, BCP 14<\/span>, RFC 8174<\/span>, DOI 10.17487<\/span>\/RFC8174, May 2017<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8174>.<\/span><\/span><\/code><\/pre>\n<\/section>\n
\n
\n
\n
<\/div><\/section>\n
10.2\u3001 \u53c2\u8003\u8d44\u6599<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\n
[accept_filter<\/span>] FreeBSD, \"FreeBSD accept_filter(9)\"<\/span>, June 2000<\/span>, <https:\/\/www.freebsd.org\/cgi\/man.cgi?query=accept_filter>.<\/span><\/span><\/code>[APNIC<\/span>] Huston, G., \"DNS XL\"<\/span>, October 2020<\/span>, <https:\/\/labs.apnic.net\/?p=1380>.<\/span><\/span><\/code>[AVOID_FRAGS<\/span>] Fujiwara, K. and P. Vixie, \"Fragmentation Avoidance in DNS\"<\/span>, Work in<\/span> Progress, Internet-Draft, draft-ietf-dnsop-avoid-fragmentation-06<\/span>, 23<\/span> December 2021<\/span>, <https:\/\/datatracker.ietf.org\/doc\/html\/draft-ietf-dnsop-avoid-fragmentation-06>.<\/span><\/span><\/code>[BIND<\/span>] Internet Systems Consortium, \"BIND 9\"<\/span>, <https:\/\/www.isc.org\/bind\/>.<\/span><\/span><\/code>[CASTRO2010<\/span>] Castro, S., Zhang, M., John, W., Wessels, D., and K. claffy, \"Understanding and Preparing for DNS Evolution\"<\/span>, DOI 10.1007<\/span>\/978<\/span>-3<\/span>-642<\/span>-12365<\/span>-8<\/span>_1, April 2010<\/span>, <https:\/\/doi.org\/10.1007\/978-3-642-12365-8_1>.<\/span><\/span><\/code>[CHES94<\/span>] Cheswick, W. and S. Bellovin, \"Firewalls and Internet Security: Repelling the Wily Hacker\"<\/span>, First Edition, 1994.<\/span><\/span><\/code>[CLOUDFLARE<\/span>] Grant, D., \"Economical With The Truth: Making DNSSEC Answers Cheap\"<\/span>, June 2016<\/span>, <https:\/\/blog.cloudflare.com\/black-lies\/>.<\/span><\/span><\/code>[DAI21<\/span>] Dai, T., Shulman, H., and M. Waidner, \"DNS-over-TCP Considered Vulnerable\"<\/span>, DOI 10.1145<\/span>\/3472305.3472884<\/span>, July 2021<\/span>, <https:\/\/doi.org\/10.1145\/3472305.3472884>.<\/span><\/span><\/code>[DESIGNTEAM<\/span>] ICANN, \"Root Zone KSK Rollover Plan\"<\/span>, March 2016<\/span>, <https:\/\/www.iana.org\/reports\/2016\/root-ksk-rollover-design-20160307.pdf>.<\/span><\/span><\/code>[DJBDNS<\/span>] Bernstein, D., \"When are TCP queries sent?\"<\/span>, November 2002<\/span>, <https:\/\/cr.yp.to\/djbdns\/tcp.html#why>.<\/span><\/span><\/code>[dnscap<\/span>] DNS-OARC, \"DNSCAP\"<\/span>, February 2014<\/span>, <https:\/\/www.dns-oarc.net\/tools\/dnscap>.<\/span><\/span><\/code>[dnstap<\/span>] \"dnstap\"<\/span>, <https:\/\/dnstap.info>.<\/span><\/span><\/code>[ECDSA<\/span>] van Rijswijk-Deij, R., Sperotto, A., and A. Pras, \"Making the Case for Elliptic Curves in DNSSEC\"<\/span>, DOI 10.1145<\/span>\/2831347.2831350<\/span>, October 2015<\/span>, <https:\/\/dl.acm.org\/doi\/10.1145\/2831347.2831350>.<\/span><\/span><\/code>[FLAGDAY2020<\/span>] DNS Software and Service Providers, \"DNS Flag Day 2020\"<\/span>, October 2020<\/span>, <https:\/\/dnsflagday.net\/2020\/>.<\/span><\/span><\/code>[FRAG_POISON<\/span>] Herzberg, A. and H. Shulman, \"Fragmentation Considered Poisonous\"<\/span>, May 2012<\/span>, <https:\/\/arxiv.org\/pdf\/1205.4011.pdf>.<\/span><\/span><\/code>[HUSTON<\/span>] Huston, G., \"Dealing with IPv6 fragmentation in the DNS\"<\/span>, August 2017<\/span>, <https:\/\/blog.apnic.net\/2017\/08\/22\/dealing-ipv6-fragmentation-dns\/>.<\/span><\/span><\/code>[KSK_ROLLOVER_ARCHIVES<\/span>]ICANN, \"KSK Rollover List Archives\"<\/span>, January 2019<\/span>,<https:\/\/mm.icann.org\/pipermail\/ksk-rollover\/2019-January\/date.html>.<\/span><\/span><\/code>[LEWIS<\/span>] Lewis, E., \"2017 DNSSEC KSK Rollover\"<\/span>, RIPE 74<\/span>, May 2017<\/span>, <https:\/\/ripe74.ripe.net\/presentations\/25-RIPE74-lewis-submission.pdf>.<\/span><\/span><\/code>[libpcap<\/span>] The Tcpdump Group, \"Tcpdump and Libpcap\"<\/span>, <https:\/\/www.tcpdump.org>.<\/span><\/span><\/code>[NETALYZR<\/span>] Kreibich, C., Weaver, N., Nechaev, B., and V. Paxson, \"Netalyzr: Illuminating The Edge Network\"<\/span>, DOI 10.1145<\/span>\/1879141.1879173<\/span>, November 2010<\/span>, <https:\/\/doi.org\/10.1145\/1879141.1879173>.<\/span><\/span><\/code>[phrack<\/span>] horizon, \"Defeating Sniffers and Intrusion Detection Systems\"<\/span>, Phrack Magazine, December 1998<\/span>, <http:\/\/phrack.org\/issues\/54\/10.html>.<\/span><\/span><\/code>[RFC0768<\/span>] Postel, J., \"User Datagram Protocol\"<\/span>, STD 6<\/span>, RFC 768<\/span>, DOI 10.17487<\/span>\/RFC0768, August 1980<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc768>.<\/span><\/span><\/code>[RFC0793<\/span>] Postel, J., \"Transmission Control Protocol\"<\/span>, STD 7<\/span>, RFC 793<\/span>, DOI 10.17487<\/span>\/RFC0793, September 1981<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc793>.<\/span><\/span><\/code>[RFC0883<\/span>] Mockapetris, P., \"Domain names: Implementation specification\"<\/span>, RFC 883<\/span>, DOI 10.17487<\/span>\/RFC0883, November 1983<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc883>.<\/span><\/span><\/code>[RFC1034<\/span>] Mockapetris, P., \"Domain names -concepts and facilities\"<\/span>, STD 13<\/span>, RFC 1034<\/span>, DOI 10.17487<\/span>\/RFC1034, November 1987<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc1034>.<\/span><\/span><\/code>[RFC1123<\/span>] Braden, R., Ed., \"Requirements for Internet Hosts -Application and Support\"<\/span>, STD 3<\/span>, RFC 1123<\/span>, DOI 10.17487<\/span>\/RFC1123, October 1989<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc1123>.<\/span><\/span><\/code>[RFC1536<\/span>] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S. Miller, \"Common DNS Implementation Errors and Suggested Fixes\"<\/span>, RFC 1536<\/span>, DOI 10.17487<\/span>\/RFC1536, October 1993<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc1536>.<\/span><\/span><\/code>[RFC1995<\/span>] Ohta, M., \"Incremental Zone Transfer in DNS\"<\/span>, RFC 1995<\/span>, DOI 10.17487<\/span>\/RFC1995, August 1996<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc1995>.<\/span><\/span><\/code>[RFC1996<\/span>] Vixie, P., \"A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)\"<\/span>, RFC 1996<\/span>, DOI 10.17487<\/span>\/RFC1996, August 1996<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc1996>.<\/span><\/span><\/code>[RFC2136<\/span>] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, \"Dynamic Updates in the Domain Name System (DNS UPDATE)\"<\/span>, RFC 2136<\/span>, DOI 10.17487<\/span>\/RFC2136, April 1997<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc2136>.<\/span><\/span><\/code>[RFC2541<\/span>] Eastlake 3<\/span>rd, D., \"DNS Security Operational Considerations\"<\/span>, RFC 2541<\/span>, DOI 10.17487<\/span>\/RFC2541, March 1999<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc2541>.<\/span><\/span><\/code>[RFC2671<\/span>] Vixie, P., \"Extension Mechanisms for DNS (EDNS0)\"<\/span>, RFC 2671<\/span>, DOI 10.17487<\/span>\/RFC2671, August 1999<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc2671>.<\/span><\/span><\/code>[RFC2694<\/span>] Srisuresh, P., Tsirtsis, G., Akkiraju, P., and A. Heffernan, \"DNS extensions to Network Address Translators (DNS_ALG)\"<\/span>, RFC 2694<\/span>, DOI 10.17487<\/span>\/RFC2694, September 1999<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc2694>.<\/span><\/span><\/code>[RFC3022<\/span>] Srisuresh, P. and K. Egevang, \"Traditional IP Network Address Translator (Traditional NAT)\"<\/span>, RFC 3022<\/span>, DOI 10.17487<\/span>\/RFC3022, January 2001<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc3022>.<\/span><\/span><\/code>[RFC3225<\/span>] Conrad, D., \"Indicating Resolver Support of DNSSEC\"<\/span>, RFC 3225<\/span>, DOI 10.17487<\/span>\/RFC3225, December 2001<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc3225>.<\/span><\/span><\/code>[RFC3226<\/span>] Gudmundsson, O., \"DNSSEC and IPv6 A6 aware server\/resolver message size requirements\"<\/span>, RFC 3226<\/span>, DOI 10.17487<\/span>\/RFC3226, December 2001<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc3226>.<\/span><\/span><\/code>[RFC4472<\/span>] Durand, A., Ihren, J., and P. Savola, \"Operational Considerations and Issues with IPv6 DNS\"<\/span>, RFC 4472<\/span>, DOI 10.17487<\/span>\/RFC4472, April 2006<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc4472>.<\/span><\/span><\/code>[RFC4953<\/span>] Touch, J., \"Defending TCP Against Spoofing Attacks\"<\/span>, RFC 4953<\/span>, DOI 10.17487<\/span>\/RFC4953, July 2007<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc4953>.<\/span><\/span><\/code>[RFC4987<\/span>] Eddy, W., \"TCP SYN Flooding Attacks and Common Mitigations\"<\/span>, RFC 4987<\/span>, DOI 10.17487<\/span>\/RFC4987, August 2007<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc4987>.<\/span><\/span><\/code>[RFC5358<\/span>] Damas, J. and F. Neves, \"Preventing Use of Recursive Nameservers in Reflector Attacks\"<\/span>, BCP 140<\/span>, RFC 5358<\/span>, DOI 10.17487<\/span>\/RFC5358, October 2008<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc5358>.<\/span><\/span><\/code>[RFC5452<\/span>] Hubert, A. and R. van Mook, \"Measures for Making DNS More Resilient against Forged Answers\"<\/span>, RFC 5452<\/span>, DOI 10.17487<\/span>\/RFC5452, January 2009<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc5452>.<\/span><\/span><\/code>[RFC5507<\/span>] IAB, Faltstrom, P., Ed., Austein, R., Ed., and P. Koch, Ed., \"Design Choices When Expanding the DNS\"<\/span>, RFC 5507<\/span>, DOI 10.17487<\/span>\/RFC5507, April 2009<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc5507>.<\/span><\/span><\/code>[RFC5625<\/span>] Bellis, R., \"DNS Proxy Implementation Guidelines\"<\/span>, BCP 152<\/span>, RFC 5625<\/span>, DOI 10.17487<\/span>\/RFC5625, August 2009<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc5625>.<\/span><\/span><\/code>[RFC5927<\/span>] Gont, F., \"ICMP Attacks against TCP\"<\/span>, RFC 5927<\/span>, DOI 10.17487<\/span>\/RFC5927, July 2010<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc5927>.<\/span><\/span><\/code>[RFC5936<\/span>] Lewis, E. and A. Hoenes, Ed., \"DNS Zone Transfer Protocol (AXFR)\"<\/span>, RFC 5936<\/span>, DOI 10.17487<\/span>\/RFC5936, June 2010<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc5936>.<\/span><\/span><\/code>[RFC5961<\/span>] Ramaiah, A., Stewart, R., and M. Dalal, \"Improving TCP's Robustness to Blind In-Window Attacks\"<\/span>, RFC 5961<\/span>, DOI 10.17487<\/span>\/RFC5961, August 2010<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc5961>.<\/span><\/span><\/code>[RFC5966<\/span>] Bellis, R., \"DNS Transport over TCP -Implementation Requirements\"<\/span>, RFC 5966<\/span>, DOI 10.17487<\/span>\/RFC5966, August 2010<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc5966>.<\/span><\/span><\/code>[RFC6298<\/span>] Paxson, V., Allman, M., Chu, J., and M. Sargent, \"Computing TCP's Retransmission Timer\"<\/span>, RFC 6298<\/span>, DOI 10.17487<\/span>\/RFC6298, June 2011<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc6298>.<\/span><\/span><\/code>[RFC6762<\/span>] Cheshire, S. and M. Krochmal, \"Multicast DNS\"<\/span>, RFC 6762<\/span>, DOI 10.17487<\/span>\/RFC6762, February 2013<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc6762>.<\/span><\/span><\/code>[RFC6781<\/span>] Kolkman, O., Mekking, W., and R. Gieben, \"DNSSEC Operational Practices, Version 2\"<\/span>, RFC 6781<\/span>, DOI 10.17487<\/span>\/RFC6781, December 2012<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc6781>.<\/span><\/span><\/code>[RFC6950<\/span>] Peterson, J., Kolkman, O., Tschofenig, H., and B. Aboba, \"Architectural Considerations on Application Features in the DNS\"<\/span>, RFC 6950<\/span>, DOI 10.17487<\/span>\/RFC6950, October 2013<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc6950>.<\/span><\/span><\/code>[RFC7413<\/span>] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, \"TCP Fast Open\"<\/span>, RFC 7413<\/span>, DOI 10.17487<\/span>\/RFC7413, December 2014<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc7413>.<\/span><\/span><\/code>[RFC7477<\/span>] Hardaker, W., \"Child-to-Parent Synchronization in DNS\"<\/span>, RFC 7477<\/span>, DOI 10.17487<\/span>\/RFC7477, March 2015<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc7477>.<\/span><\/span><\/code>[RFC7534<\/span>] Abley, J. and W. Sotomayor, \"AS112 Nameserver Operations\"<\/span>, RFC 7534<\/span>, DOI 10.17487<\/span>\/RFC7534, May 2015<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc7534>.<\/span><\/span><\/code>[RFC7720<\/span>] Blanchet, M. and L-J. Liman, \"DNS Root Name Service Protocol and Deployment Requirements\"<\/span>, BCP 40<\/span>, RFC 7720<\/span>, DOI 10.17487<\/span>\/RFC7720, December 2015<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc7720>.<\/span><\/span><\/code>[RFC7858<\/span>] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., and P. Hoffman, \"Specification for DNS over Transport Layer Security (TLS)\"<\/span>, RFC 7858<\/span>, DOI 10.17487<\/span>\/RFC7858, May 2016<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc7858>.<\/span><\/span><\/code>[RFC7901<\/span>] Wouters, P., \"CHAIN Query Requests in DNS\"<\/span>, RFC 7901<\/span>, DOI 10.17487<\/span>\/RFC7901, June 2016<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc7901>.<\/span><\/span><\/code>[RFC7918<\/span>] Langley, A., Modadugu, N., and B. Moeller, \"Transport Layer Security (TLS) False Start\"<\/span>, RFC 7918<\/span>, DOI 10.17487<\/span>\/RFC7918, August 2016<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc7918>.<\/span><\/span><\/code>[RFC8027<\/span>] Hardaker, W., Gudmundsson, O., and S. Krishnaswamy, \"DNSSEC Roadblock Avoidance\"<\/span>, BCP 207<\/span>, RFC 8027<\/span>, DOI 10.17487<\/span>\/RFC8027, November 2016<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8027>.<\/span><\/span><\/code>[RFC8094<\/span>] Reddy, T., Wing, D., and P. Patil, \"DNS over Datagram Transport Layer Security (DTLS)\"<\/span>, RFC 8094<\/span>, DOI 10.17487<\/span>\/RFC8094, February 2017<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8094>.<\/span><\/span><\/code>[RFC8162<\/span>] Hoffman, P. and J. Schlyter, \"Using Secure DNS to Associate Certificates with Domain Names for S\/MIME\"<\/span>, RFC 8162<\/span>, DOI 10.17487<\/span>\/RFC8162, May 2017<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8162>.<\/span><\/span><\/code>[RFC8200<\/span>] Deering, S. and R. Hinden, \"Internet Protocol, Version 6 (IPv6) Specification\"<\/span>, STD 86<\/span>, RFC 8200<\/span>, DOI 10.17487<\/span>\/RFC8200, July 2017<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8200>.<\/span><\/span><\/code>[RFC8324<\/span>] Klensin, J., \"DNS Privacy, Authorization, Special Uses, Encoding, Characters, Matching, and Root Structure: Time for Another Look?\"<\/span>, RFC 8324<\/span>, DOI 10.17487<\/span>\/RFC8324, February 2018<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8324>.<\/span><\/span><\/code>[RFC8446<\/span>] Rescorla, E., \"The Transport Layer Security (TLS) Protocol Version 1.3\"<\/span>, RFC 8446<\/span>, DOI 10.17487<\/span>\/RFC8446, August 2018<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8446>.<\/span><\/span><\/code>[RFC8467<\/span>] Mayrhofer, A., \"Padding Policies for Extension Mechanisms for DNS (EDNS(0))\"<\/span>, RFC 8467<\/span>, DOI 10.17487<\/span>\/RFC8467, October 2018<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8467>.<\/span><\/span><\/code>[RFC8482<\/span>] Abley, J., Gudmundsson, O., Majkowski, M., and E. Hunt, \"Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY\"<\/span>, RFC 8482<\/span>, DOI 10.17487<\/span>\/RFC8482, January 2019<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8482>.<\/span><\/span><\/code>[RFC8483<\/span>] Song, L., Ed., Liu, D., Vixie, P., Kato, A., and S. Kerr, \"Yeti DNS Testbed\"<\/span>, RFC 8483<\/span>, DOI 10.17487<\/span>\/RFC8483, October 2018<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8483>.<\/span><\/span><\/code>[RFC8484<\/span>] Hoffman, P. and P. McManus, \"DNS Queries over HTTPS (DoH)\"<\/span>, RFC 8484<\/span>, DOI 10.17487<\/span>\/RFC8484, October 2018<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8484>.<\/span><\/span><\/code>[RFC8490<\/span>] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S., Lemon, T., and T. Pusateri, \"DNS Stateful Operations\"<\/span>, RFC 8490<\/span>, DOI 10.17487<\/span>\/RFC8490, March 2019<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8490>.<\/span><\/span><\/code>[RFC8501<\/span>] Howard, L., \"Reverse DNS in IPv6 for Internet Service Providers\"<\/span>, RFC 8501<\/span>, DOI 10.17487<\/span>\/RFC8501, November 2018<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8501>.<\/span><\/span><\/code>[RFC8806<\/span>] Kumari, W. and P. Hoffman, \"Running a Root Server Local to a Resolver\"<\/span>, RFC 8806<\/span>, DOI 10.17487<\/span>\/RFC8806, June 2020<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8806>.<\/span><\/span><\/code>[RFC8906<\/span>] Andrews, M. and R. Bellis, \"A Common Operational Problem in DNS Servers: Failure to Communicate\"<\/span>, BCP 231<\/span>, RFC 8906<\/span>, DOI 10.17487<\/span>\/RFC8906, September 2020<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8906>.<\/span><\/span><\/code>[RFC8932<\/span>] Dickinson, S., Overeinder, B., van Rijswijk-Deij, R., and A. Mankin, \"Recommendations for DNS Privacy Service Operators\"<\/span>, BCP 232<\/span>, RFC 8932<\/span>, DOI 10.17487<\/span>\/RFC8932, October 2020<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8932>.<\/span><\/span><\/code>[RFC8945<\/span>] Dupont, F., Morris, S., Vixie, P., Eastlake 3<\/span>rd, D., Gudmundsson, O., and B. Wellington, \"Secret Key Transaction Authentication for DNS (TSIG)\"<\/span>, STD 93<\/span>, RFC 8945<\/span>, DOI 10.17487<\/span>\/RFC8945, November 2020<\/span>, <https:\/\/www.rfc-editor.org\/info\/rfc8945>.<\/span><\/span><\/code>[ROLL_YOUR_ROOT<\/span>] M\u00fcller, M., Thomas, M., Wessels, D., Hardaker, W., Chung, T., Toorop, W., and R. van Rijswijk-Deij, \"Roll, Roll, Roll Your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover\"<\/span>, DOI 10.1145<\/span>\/3355369.3355570<\/span>, October 2019<\/span>, <https:\/\/dl.acm.org\/doi\/10.1145\/3355369.3355570>.<\/span><\/span><\/code>[RRL<\/span>] Vixie, P. and V. Schryver, \"DNS Response Rate Limiting (DNS RRL)\"<\/span>, ISC-TN-2012<\/span>-1<\/span>-Draft1, April 2012.<\/span><\/span><\/code>[TDNS<\/span>] Zhu, L., Heidemann, J., Wessels, D., Mankin, A., and N. Somaiya, \"Connection-Oriented DNS to Improve Privacy and Security\"<\/span>, DOI 10.1109<\/span>\/SP.2015<\/span>.18<\/span>, May 2015<\/span>, <https:\/\/doi.org\/10.1109\/SP.2015.18>.<\/span><\/span><\/code>[TOYAMA<\/span>] Toyama, K., Ishibashi, K., Toyono, T., Ishino, M., Yoshimura, C., and K. Fujiwara, \"DNS Anomalies and Their Impacts on DNS Cache Servers\"<\/span>, NANOG 32<\/span>, October 2004.<\/span><\/span><\/code>[VERISIGN<\/span>] Thomas, M. and D. Wessels, \"An Analysis of TCP Traffic in Root Server DITL Data\"<\/span>, DNS-OARC 2014<\/span> Fall Workshop, October 2014.<\/span><\/span><\/code>[WIKIPEDIA_TFO<\/span>] Wikipedia, \"TCP Fast Open\"<\/span>, February 2022<\/span>, <https:\/\/en.wikipedia.org\/w\/index.php?title=TCP_Fast_Open&oldid=1071397204>.<\/span><\/span><\/code><\/pre>\n<\/section>\n
\n
\n
\n
<\/div><\/section>\n
\u9644\u5f55A\u3001 \u4e0e\u57fa\u4e8eTCP\u7684DNS\u4f20\u8f93\u76f8\u5173\u7684RFC<\/strong><\/span><\/section>\n
<\/div><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u672c\u8282\u5217\u4e3e\u4e86\u6240\u6709\u5df2\u77e5\u7684 RFC\uff0c\u5176\u72b6\u6001\u4e3a Internet \u6807\u51c6\u3001\u63d0\u8bae\u7684\u6807\u51c6\u3001\u4fe1\u606f\u6027\u3001\u6700\u4f73\u5f53\u524d\u5b9e\u8df5\u6216\u5b9e\u9a8c\u6027\uff0c\u8fd9\u4e9b RFC \u9690\u542b\u6216\u660e\u786e\u5730\u5bf9\u4f7f\u7528 TCP \u4f5c\u4e3a\u4e0e\u672c\u6587\u6863\u5bc6\u5207\u76f8\u5173\u7684 DNS \u4f20\u8f93\u505a\u51fa\u5047\u8bbe\u6216\u9648\u8ff0\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.1\u3001 RFC 1035\uff1a\u57df\u540d-\u5b9e\u65bd\u548c\u89c4\u8303<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
Internet \u6807\u51c6 [RFC1035] \u662f\u57fa\u672c DNS \u89c4\u8303\uff0c\u660e\u786e\u5b9a\u4e49\u4e86\u5bf9\u57fa\u4e8e TCP \u7684 DNS \u7684\u652f\u6301\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.2\u3001 RFC 1536\uff1a\u5e38\u89c1\u7684 DNS \u5b9e\u65bd\u9519\u8bef\u548c\u5efa\u8bae\u7684\u4fee\u590d<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u4fe1\u606f\u6587\u6863 [RFC1536] \u6307\u51fa UDP \u662f\u201c\u9009\u62e9\u7684\u901a\u4fe1\u534f\u8bae\uff0c\u5c3d\u7ba1 TCP \u7528\u4e8e\u533a\u57df\u4f20\u8f93\u201d\u3002\u8be5\u58f0\u660e\u73b0\u5728\u5e94\u8be5\u5728\u5176\u5386\u53f2\u80cc\u666f\u4e0b\u8003\u8651\uff0c\u4e0d\u518d\u662f\u73b0\u4ee3\u671f\u671b\u7684\u6b63\u786e\u53cd\u6620\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.3\u3001 RFC 1995\uff1aDNS \u4e2d\u7684\u589e\u91cf\u533a\u57df\u4f20\u8f93<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC1995] \u8bb0\u5f55\u4e86\u5f53\u589e\u91cf\u533a\u57df\u4f20\u8f93 (Incremental Zone Transfer\uff0cIXFR) <\/strong>\u54cd\u5e94\u4e0d\u9002\u5408\u5355\u4e2a UDP \u54cd\u5e94\u65f6\u4f7f\u7528 TCP \u4f5c\u4e3a\u56de\u9000\u4f20\u8f93\u3002\u4e0e\u6743\u5a01\u4f20\u8f93 (Authoritative Transfer\uff0cAXFR) \u4e00\u6837\uff0cIXFR \u6d88\u606f\u901a\u5e38\u5728\u5b9e\u8df5\u4e2d\u9ed8\u8ba4\u901a\u8fc7 TCP \u4f20\u9012\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.4\u3001 RFC 1996\uff1a\u533a\u57df\u66f4\u6539\u63d0\u793a\u901a\u77e5\u673a\u5236 (DNS NOTIFY)<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC1996] \u5efa\u8bae\u4e3b\u670d\u52a1\u5668\u53ef\u4ee5\u51b3\u5b9a\u901a\u8fc7 TCP \u53d1\u51fa NOTIFY \u6d88\u606f\u3002\u5728\u5b9e\u8df5\u4e2d\uff0cNOTIFY \u6d88\u606f\u901a\u5e38\u901a\u8fc7 UDP \u53d1\u9001\uff0c\u4f46\u8be5\u89c4\u8303\u7559\u4e0b\u4e86\u4f20\u8f93\u534f\u8bae\u7684\u9009\u62e9\u53d6\u51b3\u4e8e\u4e3b\u670d\u52a1\u5668\u7684\u53ef\u80fd\u6027\u3002\u56e0\u6b64\uff0c\u8f85\u52a9\u670d\u52a1\u5668\u5e94\u8be5\u80fd\u591f\u901a\u8fc7 UDP \u548c TCP \u8fd0\u884c\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.5\u3001 RFC 2181\uff1a\u5bf9 DNS \u89c4\u8303\u7684\u6f84\u6e05<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC2181] \u5305\u62ec\u9610\u660e\u5ba2\u6237\u7aef\u5e94\u5982\u4f55\u5bf9\u54cd\u5e94\u4e2d\u8bbe\u7f6e\u7684 TC \u4f4d\u4f5c\u51fa\u53cd\u5e94\u7684\u6587\u672c\u3002\u5efa\u8bae\u4e22\u5f03\u54cd\u5e94\u5e76\u4f7f\u7528 TCP \u91cd\u65b0\u53d1\u9001\u67e5\u8be2\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.6\u3001 RFC 2694\uff1a\u7f51\u7edc\u5730\u5740\u8f6c\u6362\u5668 (DNS_ALG) \u7684 DNS \u6269\u5c55<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u4fe1\u606f\u6587\u6863 [RFC2694] \u5217\u4e3e\u4e86 NAT \u8bbe\u5907\u6b63\u786e\u5904\u7406 DNS \u6d41\u91cf\u7684\u6ce8\u610f\u4e8b\u9879\u3002\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0c\u8be5\u6587\u6863\u7684\u5efa\u8bae\u201c[t] \u901a\u5e38\uff0cTCP \u7528\u4e8e AXFR \u8bf7\u6c42\u201d\uff0c\u4f5c\u4e3a\u8fdb\u4e00\u6b65\u7684\u8bc1\u636e\uff0c\u6709\u52a9\u4e8e\u89e3\u91ca\u4e3a\u4ec0\u4e48 DNS over TCP \u7684\u5904\u7406\u65b9\u5f0f\u901a\u5e38\u4e0e DNS over UDP \u5728\u8fd0\u8425\u7f51\u7edc\u4e2d\u7684\u5904\u7406\u65b9\u5f0f\u622a\u7136\u4e0d\u540c\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.7\u3001 RFC 3225\uff1a\u6307\u793a DNSSEC \u7684\u89e3\u6790\u5668\u652f\u6301<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC3225] \u58f0\u660e\u8868\u660e\u57fa\u4e8e TCP \u7684 DNS \u7531\u4e8e\u6d41\u91cf\u3001\u5ef6\u8fdf\u548c\u670d\u52a1\u5668\u8d1f\u8f7d\u7684\u589e\u52a0\u800c\u201c\u6709\u5bb3\u201d\u3002\u672c\u6587\u6863\u662f RFC \u7cfb\u5217\u4e2d\u7684\u4e0b\u4e00\u4e2a\u6587\u6863\u7684\u914d\u5957\u6587\u6863\uff0c\u8be5\u6587\u6863\u63cf\u8ff0\u4e86\u5bf9 DNSSEC \u7684 EDNS(0) \u652f\u6301\u8981\u6c42\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.8\u3001 RFC 3226\uff1aDNSSEC \u548c IPv6 A6 \u611f\u77e5\u670d\u52a1\u5668\/\u89e3\u6790\u5668\u6d88\u606f\u5927\u5c0f\u8981\u6c42<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u5c3d\u7ba1\u88ab\u540e\u6765\u7684 DNSSEC RFC \u66f4\u65b0\uff0c\u63d0\u8bae\u7684\u6807\u51c6 [RFC3226] \u5f3a\u70c8\u4e3b\u5f20\u652f\u6301 UDP \u6d88\u606f\u800c\u4e0d\u662f TCP\uff0c\u4e3b\u8981\u662f\u51fa\u4e8e\u6027\u80fd\u539f\u56e0\u3002\u8be5\u6587\u6863\u58f0\u660e EDNS(0) \u662f DNSSEC \u670d\u52a1\u5668\u7684\u4e00\u9879\u8981\u6c42\uff0c\u5e76\u4e3b\u5f20\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c\u6570\u636e\u5305\u5206\u6bb5\u53ef\u80fd\u6bd4 TCP \u66f4\u53ef\u53d6\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.9\u3001 RFC 4472\uff1aIPv6 DNS \u7684\u64cd\u4f5c\u6ce8\u610f\u4e8b\u9879\u548c\u95ee\u9898<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u4fe1\u606f\u6587\u6863 [RFC4472] \u6307\u51fa\uff0cIPv6 \u6570\u636e\u53ef\u80fd\u4f1a\u589e\u52a0 DNS \u54cd\u5e94\uff0c\u8d85\u51fa UDP \u6d88\u606f\u7684\u8303\u56f4\u3002\u7279\u522b\u503c\u5f97\u4e00\u63d0\u7684\u662f\uff0c\u4f46\u4eca\u5929\u53ef\u80fd\u6bd4\u64b0\u5199\u672c\u6587\u6863\u65f6\u5c11\u89c1\u7684\u662f\uff0c\u5b83\u6307\u7684\u662f\u5728\u4e0d\u8bbe\u7f6e TC \u4f4d\u7684\u60c5\u51b5\u4e0b\u622a\u65ad\u6570\u636e\u4ee5\u9f13\u52b1\u5ba2\u6237\u7aef\u4f7f\u7528 TCP \u91cd\u65b0\u53d1\u9001\u67e5\u8be2\u7684\u5b9e\u73b0\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.10\u3001 RFC 5452\uff1a\u4f7f DNS \u5bf9\u4f2a\u9020\u54cd\u5e94\u66f4\u5177\u5f39\u6027\u7684\u63aa\u65bd<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC5452] \u5e94\u8fd0\u800c\u751f\uff0c\u56e0\u4e3a\u516c\u5171 DNS \u7cfb\u7edf\u5f00\u59cb\u906d\u53d7\u6765\u81ea\u6b3a\u9a97\u6027\u67e5\u8be2\u7684\u5e7f\u6cdb\u6ee5\u7528\uff0c\u4ece\u800c\u5bfc\u81f4\u5bf9\u4e0d\u77e5\u60c5\u7684\u53d7\u5bb3\u8005\u8fdb\u884c\u653e\u5927\u548c\u53cd\u5c04\u653b\u51fb\u3002[RFC5452]\uff08\u201c\u6b3a\u9a97\u68c0\u6d4b\u548c\u5bf9\u7b56\u201d\uff09\u7684\u7b2c 9.3 \u8282\u7b80\u8981\u63cf\u8ff0\u4e86\u652f\u6301\u57fa\u4e8e TCP \u7684 DNS \u4ee5\u963b\u6b62\u8fd9\u4e9b\u653b\u51fb\u7684\u4e3b\u8981\u7406\u7531\u4e4b\u4e00\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.11\u3001 RFC 5507\uff1a\u6269\u5c55 DNS \u65f6\u7684\u8bbe\u8ba1\u9009\u62e9<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u4fe1\u606f\u6587\u6863 [RFC5507] \u4e3b\u8981\u662f\u8bd5\u56fe\u963b\u6b62\u65b0\u7684 DNS \u6570\u636e\u7c7b\u578b\u4f7f TXT \u8d44\u6e90\u8bb0\u5f55\u7c7b\u578b\u8fc7\u8f7d\u3002\u5728\u6b64\u8fc7\u7a0b\u4e2d\uff0c\u5b83\u603b\u7ed3\u4e86 DNS \u8bbe\u8ba1\u548c\u5b9e\u65bd\u5b9e\u8df5\u7684\u4f20\u7edf\u667a\u6167\u3002\u4f5c\u8005\u8ba4\u4e3a\uff0c\u4e0e UDP \u76f8\u6bd4\uff0cTCP \u5f00\u9500\u548c\u6709\u72b6\u6001\u5c5e\u6027\u6784\u6210\u4e86\u6311\u6218\uff0c\u5e76\u6697\u793a UDP \u901a\u5e38\u66f4\u9002\u5408\u6027\u80fd\u548c\u5065\u58ee\u6027\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.12\u3001 RFC 5625\uff1aDNS \u4ee3\u7406\u5b9e\u65bd\u6307\u5357<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
Best Current Practice \u6587\u6863 [RFC5625] \u63d0\u4f9b\u4e86 DNS \u4ee3\u7406\u5b9e\u65bd\u6307\u5357\uff0c\u5305\u62ec\u8981\u6c42\u4ee3\u7406\u201c\u5fc5\u987b […] \u51c6\u5907\u901a\u8fc7 TCP \u63a5\u6536\u548c\u8f6c\u53d1\u67e5\u8be2\u201d\uff0c\u5c3d\u7ba1\u5b83\u8868\u660e\uff0c\u4ece\u5386\u53f2\u4e0a\u770b\uff0cTCP \u4f20\u8f93\u5e76\u672a\u4e25\u683c\u5728\u5b58\u6839\u89e3\u6790\u5668\u6216\u9012\u5f52\u670d\u52a1\u5668\u4e2d\u662f\u5fc5\u9700\u7684\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.13\u3001 RFC 5936\uff1aDNS \u533a\u57df\u4f20\u8f93\u534f\u8bae (AXFR)<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC5936] \u63d0\u4f9b\u4e86\u533a\u57df\u4f20\u8f93\u534f\u8bae\u7684\u8be6\u7ec6\u89c4\u8303\uff0c\u6b63\u5982\u65e9\u671f DNS \u6807\u51c6\u4e2d\u6700\u521d\u6982\u8ff0\u7684\u90a3\u6837\u3002AXFR \u64cd\u4f5c\u4ec5\u9650\u4e8e TCP\uff0c\u800c\u4e0d\u662f\u4e3a UDP \u6307\u5b9a\u3002\u672c\u6587\u6863\u8be6\u7ec6\u8ba8\u8bba\u4e86 TCP \u7684\u4f7f\u7528\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.14\u3001 RFC 7534\uff1aAS112 \u57df\u540d\u670d\u52a1\u5668\u64cd\u4f5c<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u4fe1\u606f\u6587\u6863 [RFC7534] \u5217\u4e3e\u4e86 AS112 \u9879\u76ee DNS \u670d\u52a1\u5668\u7684\u64cd\u4f5c\u8981\u6c42\u3002\u6d4b\u8bd5\u4e86\u65b0\u7684 AS112 \u8282\u70b9\u5728 UDP \u548c TCP \u4f20\u8f93\u4e0a\u63d0\u4f9b\u670d\u52a1\u7684\u80fd\u529b\uff0c\u8fd9\u610f\u5473\u7740 TCP \u670d\u52a1\u662f\u6b63\u5e38\u64cd\u4f5c\u7684\u9884\u671f\u90e8\u5206\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.15\u3001 RFC 6762\uff1a\u7ec4\u64ad DNS<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u5728\u63d0\u8bae\u7684\u6807\u51c6 [RFC6762] \u4e2d\uff0cTC \u4f4d\u88ab\u8ba4\u4e3a\u5177\u6709\u4e0e\u539f\u59cb DNS \u89c4\u8303\u4e2d\u63cf\u8ff0\u7684\u57fa\u672c\u76f8\u540c\u7684\u542b\u4e49\u3002\u4e5f\u5c31\u662f\u8bf4\uff0c\u5982\u679c\u63a5\u6536\u5230\u8bbe\u7f6e\u4e86 TC \u4f4d\u7684\u54cd\u5e94\uff0c\u201c[…] \u67e5\u8be2\u5668\u5e94\u8be5\u4f7f\u7528 TCP \u91cd\u65b0\u53d1\u51fa\u5176\u67e5\u8be2\uff0c\u4ee5\u4fbf\u63a5\u6536\u66f4\u5927\u7684\u54cd\u5e94\u3002\u201d<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.16\u3001 RFC 6891\uff1aDNS \u7684\u6269\u5c55\u673a\u5236 (EDNS(0))<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
Internet \u6807\u51c6 [RFC6891] \u6709\u52a9\u4e8e\u51cf\u7f13 DNS-over-TCP \u6d88\u606f\u7684\u4f7f\u7528\u548c\u9700\u6c42\u3002\u672c\u6587\u6863\u5f3a\u8c03\u4e86\u5e7f\u6cdb\u4f7f\u7528\u57fa\u4e8e TCP \u7684 DNS \u65f6\u5bf9\u670d\u52a1\u5668\u8d1f\u8f7d\u548c\u53ef\u6269\u5c55\u6027\u7684\u62c5\u5fe7\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.17\u3001 IAB RFC 6950\uff1aDNS \u4e2d\u5e94\u7528\u7a0b\u5e8f\u529f\u80fd\u7684\u67b6\u6784\u6ce8\u610f\u4e8b\u9879<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u4fe1\u606f\u6587\u6863 [RFC6950] \u63d0\u8bf7\u6ce8\u610f DNS \u4e2d\u7684\u5927\u6570\u636e\u3002TCP \u5728\u4e0a\u4e0b\u6587\u4e2d\u88ab\u5f15\u7528\u4e3a\u4e00\u79cd\u5e38\u89c1\u7684\u56de\u9000\u673a\u5236\u5e76\u5bf9\u6297\u4e00\u4e9b\u6b3a\u9a97\u653b\u51fb\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.18\u3001 RFC 7477\uff1aDNS \u4e2d\u7684\u5b50\u5230\u7236\u540c\u6b65<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC7477] \u6307\u5b9a\u4e86\u4e00\u4e2a RRType \u548c\u4e00\u4e2a\u534f\u8bae\uff0c\u4ee5\u53d1\u4fe1\u53f7\u901a\u77e5\u548c\u540c\u6b65\u4ece\u5b50\u5230\u7236\u533a\u57df\u7684 NS\u3001A \u548c AAAA \u8d44\u6e90\u8bb0\u5f55\u66f4\u6539\u3002\u7531\u4e8e\u8be5\u534f\u8bae\u53ef\u80fd\u9700\u8981\u591a\u4e2a\u8bf7\u6c42\u548c\u54cd\u5e94\uff0c\u56e0\u6b64\u5efa\u8bae\u4f7f\u7528\u57fa\u4e8e TCP \u7684 DNS \u6765\u786e\u4fdd\u5728\u4e00\u5bf9\u4e00\u81f4\u7684\u7aef\u8282\u70b9\u4e4b\u95f4\u8fdb\u884c\u5bf9\u8bdd\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.19\u3001 RFC 7720\uff1aDNS \u6839\u540d\u79f0\u670d\u52a1\u534f\u8bae\u548c\u90e8\u7f72\u8981\u6c42<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
Best Current Practice \u6587\u6863 [RFC7720] \u58f0\u660e\u6839\u540d\u79f0\u670d\u52a1\u201c\u5fc5\u987b\u652f\u6301 DNS \u67e5\u8be2\u548c\u54cd\u5e94\u7684 UDP [RFC0768] \u548c TCP [RFC0793] \u4f20\u8f93\u201d\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.20\u3001 RFC 7766\uff1a\u57fa\u4e8e TCP \u7684 DNS \u4f20\u8f93 – \u5b9e\u65bd\u8981\u6c42<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC7766] \u6307\u793a DNS \u5b9e\u65bd\u8005\u4e3a\u5728\u5176\u8f6f\u4ef6\u4e2d\u627f\u8f7d DNS-over-TCP \u6d88\u606f\u63d0\u4f9b\u652f\u6301\uff0c\u5e76\u4e14\u53ef\u80fd\u88ab\u8ba4\u4e3a\u662f\u6b64\u64cd\u4f5c\u8981\u6c42\u6587\u6863\u7684\u76f4\u63a5\u7956\u5148\u3002\u5b9e\u65bd\u8981\u6c42\u6587\u6863\u89c4\u5b9a\u4e86\u5728\u517c\u5bb9\u7684 DNS \u8f6f\u4ef6\u4e2d\u5bf9 DNS-over-TCP \u7684\u5f3a\u5236\u652f\u6301\uff0c\u4f46\u6ca1\u6709\u5411\u8fd0\u8425\u5546\u63d0\u4f9b\u4efb\u4f55\u5efa\u8bae\uff0c\u6211\u4eec\u5728\u6b64\u5bfb\u6c42\u89e3\u51b3\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.21\u3001 RFC 7828\uff1aedns-tcp-keepalive EDNS(0) \u9009\u9879<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC7828] \u5b9a\u4e49\u4e86\u4e00\u4e2a EDNS(0) \u9009\u9879\u6765\u534f\u5546\u957f\u671f DNS-over-TCP \u8fde\u63a5\u7684\u7a7a\u95f2\u8d85\u65f6\u503c\u3002\u56e0\u6b64\uff0c\u672c\u6587\u6863\u4ec5\u9002\u7528\u4e8e\u548c\u76f8\u5173\u7684 DNS-over-TCP \u4f1a\u8bdd\u4ee5\u53ca\u652f\u6301\u6b64\u9009\u9879\u7684\u5b9e\u73b0\u4e4b\u95f4\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.22\u3001 RFC 7858\uff1a\u4f20\u8f93\u5c42\u5b89\u5168 (TLS) \u4e0a\u7684 DNS \u89c4\u8303<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC7858] \u5b9a\u4e49\u4e86\u4e00\u79cd\u4f7f\u7528 TLS \u5c06 DNS \u6d88\u606f\u653e\u5165\u57fa\u4e8e TCP \u7684\u52a0\u5bc6\u901a\u9053\u7684\u65b9\u6cd5\u3002\u8be5\u89c4\u8303\u503c\u5f97\u6ce8\u610f\u7684\u662f\u660e\u786e\u9488\u5bf9\u5b58\u6839\u5230\u9012\u5f52\u7684\u6d41\u91cf\uff0c\u4f46\u4e0d\u6392\u9664\u5176\u5e94\u7528\u4ece\u9012\u5f52\u5230\u6743\u5a01\u7684\u6d41\u91cf\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.23\u3001 RFC 7873\uff1a\u57df\u540d\u7cfb\u7edf (DNS) Cookie<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC7873] \u63cf\u8ff0\u4e86\u4e00\u4e2a EDNS(0) \u9009\u9879\uff0c\u4ee5\u63d0\u4f9b\u989d\u5916\u7684\u4fdd\u62a4\u4ee5\u9632\u6b62\u67e5\u8be2\u548c\u5e94\u7b54\u4f2a\u9020\u3002\u5f53 DNS cookie \u4e0d\u53ef\u7528\u65f6\uff0c\u8be5\u89c4\u8303\u63d0\u5230\u57fa\u4e8e TCP \u7684 DNS \u4f5c\u4e3a\u66ff\u4ee3\u673a\u5236\u3002\u8be5\u89c4\u8303\u786e\u5b9e\u5728\u4e24\u79cd\u7279\u5b9a\u60c5\u51b5\u4e0b\u63d0\u5230\u4e86 DNS-over-TCP \u5904\u7406\u3002\u4e00\u65b9\u9762\uff0c\u5f53\u670d\u52a1\u5668\u5728\u8bf7\u6c42\u4e2d\u4ec5\u63a5\u6536\u5230\u5ba2\u6237\u7aef cookie \u65f6\uff0c\u670d\u52a1\u5668\u5e94\u8003\u8651\u8bf7\u6c42\u662f\u5426\u901a\u8fc7 TCP \u5230\u8fbe\uff0c\u5982\u679c\u662f\uff0c\u5219\u5e94\u8003\u8651\u63a5\u53d7 TCP \u8db3\u4ee5\u9a8c\u8bc1\u8bf7\u6c42\u5e76\u505a\u51fa\u76f8\u5e94\u7684\u54cd\u5e94\u3002\u5728\u53e6\u4e00\u79cd\u60c5\u51b5\u4e0b\uff0c\u5f53\u5ba2\u6237\u7aef\u4f7f\u7528\u65b0\u7684\u670d\u52a1\u5668 cookie \u63a5\u6536\u5230 BADCOOKIE \u56de\u590d\u65f6\uff0c\u5ba2\u6237\u7aef\u5e94\u4f7f\u7528 TCP \u4f5c\u4e3a\u4f20\u8f93\u91cd\u8bd5\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.24\u3001 RFC 7901\uff1aDNS \u4e2d\u7684\u94fe\u67e5\u8be2\u8bf7\u6c42<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u5b9e\u9a8c\u89c4\u8303 [RFC7901] \u63cf\u8ff0\u4e86\u4e00\u4e2a EDNS(0) \u9009\u9879\uff0c\u4e00\u4e2a\u5b89\u5168\u611f\u77e5\u9a8c\u8bc1\u89e3\u6790\u5668\u53ef\u4ee5\u4f7f\u7528\u8be5\u9009\u9879\u6765\u8bf7\u6c42\u548c\u83b7\u53d6\u4efb\u4f55\u5355\u4e2a\u67e5\u8be2\u7684\u5b8c\u6574 DNSSEC \u9a8c\u8bc1\u8def\u5f84\u3002\u672c\u6587\u6863\u8981\u6c42\u4f7f\u7528\u57fa\u4e8e TCP \u7684 DNS \u6216\u7531\u6e90 IP \u5730\u5740\u9a8c\u8bc1\u7684\u4f20\u8f93\u673a\u5236\uff0c\u4f8b\u5982 EDNS-COOKIE [RFC7873]\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.25\u3001 RFC 8027\uff1aDNSSEC \u8def\u969c\u89c4\u907f<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u6700\u4f73\u5f53\u524d\u5b9e\u8df5\u6587\u6863 [RFC8027] \u8be6\u7ec6\u8bf4\u660e\u4e86 DNSSEC \u90e8\u7f72\u548c\u7f13\u89e3\u6280\u672f\u6240\u89c2\u5bdf\u5230\u7684\u95ee\u9898\u3002\u7f51\u7edc\u6d41\u91cf\u963b\u585e\u548c\u9650\u5236\uff0c\u5305\u62ec DNS-over-TCP \u6d88\u606f\uff0c\u88ab\u5f3a\u8c03\u4e3a DNSSEC \u90e8\u7f72\u95ee\u9898\u7684\u539f\u56e0\u4e4b\u4e00\u3002\u867d\u7136\u672c\u6587\u6863\u8868\u660e\u6b64\u7c7b\u95ee\u9898\u662f\u7531\u201c\u4e0d\u5408\u89c4\u7684\u57fa\u7840\u8bbe\u65bd\u201d\u5f15\u8d77\u7684\uff0c\u4f46\u8be5\u6587\u6863\u7684\u8303\u56f4\u4ec5\u9650\u4e8e\u68c0\u6d4b\u548c\u7f13\u89e3\u6280\u672f\uff0c\u4ee5\u907f\u514d\u6240\u8c13\u7684 DNSSEC \u969c\u788d\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.26\u3001 RFC 8094\uff1a\u6570\u636e\u62a5\u4f20\u8f93\u5c42\u5b89\u5168\u6027 (DTLS) \u4e0a\u7684 DNS<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u5b9e\u9a8c\u89c4\u8303 [RFC8094] \u8be6\u7ec6\u8bf4\u660e\u4e86\u4f7f\u7528\u6570\u636e\u62a5\u4f20\u8f93 (UDP) \u7684\u534f\u8bae\uff0c\u4f46\u89c4\u5b9a\u201c\u5728 DTLS \u4e0a\u5b9e\u73b0 DNS \u7684 DNS \u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u5fc5\u987b\u4e5f\u901a\u8fc7 TLS \u5b9e\u73b0 DNS\uff0c\u4ee5\u4fbf\u4e3a\u9700\u8981\u4e25\u683c\u9690\u79c1\u7684\u5ba2\u6237\u7aef\u63d0\u4f9b\u9690\u79c1 [.. .]\u3002\u201d\u6b64\u8981\u6c42\u610f\u5473\u7740\u5fc5\u987b\u652f\u6301\u57fa\u4e8e TCP \u7684 DNS\uff0c\u4ee5\u9632\u6d88\u606f\u5927\u5c0f\u5927\u4e8e\u8def\u5f84 MTU\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.27\u3001 RFC 8162\uff1a\u4f7f\u7528\u5b89\u5168 DNS \u5c06\u8bc1\u4e66\u4e0e S\/MIME \u57df\u540d\u76f8\u5173\u8054<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u5b9e\u9a8c\u89c4\u8303 [RFC8162] \u63cf\u8ff0\u4e86\u4e00\u79cd\u901a\u8fc7 DNS \u5728 S\/MIME \u7cfb\u7edf\u4e2d\u9a8c\u8bc1\u7528\u6237 X.509 \u8bc1\u4e66\u7684\u6280\u672f\u3002\u8be5\u6587\u4ef6\u6307\u51fa\uff0c\u65b0\u7684\u5b9e\u9a8c\u6027\u8d44\u6e90\u8bb0\u5f55\u7c7b\u578b\u9884\u8ba1\u4f1a\u643a\u5e26\u5927\u91cf\u6709\u6548\u8f7d\u8377\uff0c\u56e0\u6b64\u5efa\u8bae\u201c\u5e94\u7528\u7a0b\u5e8f\u5e94\u8be5\u4f7f\u7528 TCP\u2014\u2014\u800c\u4e0d\u662f UDP\u2014\u2014\u6765\u6267\u884c\u5bf9 SMIMEA \u8d44\u6e90\u8bb0\u5f55\u7684\u67e5\u8be2\u201d\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.28\u3001 RFC 8324\uff1aDNS \u9690\u79c1\u3001\u6388\u6743\u3001\u7279\u6b8a\u7528\u9014\u3001\u7f16\u7801\u3001\u5b57\u7b26\u3001\u5339\u914d\u548c\u6839\u7ed3\u6784\uff1a\u662f\u65f6\u5019\u518d\u770b\u770b\uff1f<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u4fe1\u606f\u6587\u6863 [RFC8324] \u7b80\u8981\u8ba8\u8bba\u4e86 DNS over TCP \u5728\u6574\u4e2a DNS \u5386\u53f2\u4e2d\u7684\u5171\u540c\u4f5c\u7528\u548c\u6311\u6218\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.29\u3001 RFC 8467\uff1aDNS \u6269\u5c55\u673a\u5236\u7684\u586b\u5145\u7b56\u7565 (EDNS(0))<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u5b9e\u9a8c\u6587\u6863 [RFC8467] \u63d0\u9192\u5b9e\u73b0\u8005\u5728\u4f7f\u7528 EDNS(0) \u586b\u5145\u9009\u9879\u4eba\u4e3a\u589e\u52a0 DNS \u6d88\u606f\u5927\u5c0f\u65f6\uff0c\u5728\u8ba1\u7b97\u586b\u5145\u957f\u5ea6\u65f6\u8003\u8651\u5e95\u5c42\u4f20\u8f93\u534f\u8bae\uff08\u4f8b\u5982 TCP\uff09\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.30\u3001 RFC 8482\uff1a\u4e3a\u5177\u6709 QTYPE=ANY \u7684 DNS \u67e5\u8be2\u63d0\u4f9b\u6700\u5c0f\u5927\u5c0f\u7684\u54cd\u5e94<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC8482] \u63cf\u8ff0\u4e86 DNS \u670d\u52a1\u5668\u53ef\u4ee5\u54cd\u5e94 ANY \u7c7b\u578b\u7684\u67e5\u8be2\u7684\u66ff\u4ee3\u65b9\u5f0f\uff0c\u8fd9\u4e9b\u67e5\u8be2\u6709\u65f6\u7528\u4e8e\u5728 DDoS \u653b\u51fb\u4e2d\u63d0\u4f9b\u653e\u5927\u3002\u89c4\u8303\u6307\u51fa\uff0c\u54cd\u5e94\u8005\u7684\u884c\u4e3a\u53ef\u80fd\u4f1a\u6709\u6240\u4e0d\u540c\uff0c\u5177\u4f53\u53d6\u51b3\u4e8e\u4f20\u8f93\u65b9\u5f0f\u3002\u4f8b\u5982\uff0c\u6700\u5c0f\u5927\u5c0f\u7684\u54cd\u5e94\u53ef\u4ee5\u901a\u8fc7 UDP \u4f20\u8f93\u4f7f\u7528\uff0c\u800c\u5b8c\u6574\u7684\u54cd\u5e94\u53ef\u4ee5\u901a\u8fc7 TCP \u7ed9\u51fa\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.31\u3001 RFC 8483\uff1aYeti DNS \u6d4b\u8bd5\u5e73\u53f0<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u4fe1\u606f\u6587\u6863 [RFC8483] \u63cf\u8ff0\u4e86\u4e00\u4e2a\u6d4b\u8bd5\u5e73\u53f0\u73af\u5883\uff0c\u8be5\u73af\u5883\u7a81\u51fa\u4e86\u4e00\u4e9b DNS-over-TCP \u884c\u4e3a\uff0c\u5305\u62ec\u6d89\u53ca\u6570\u636e\u5305\u5206\u6bb5\u548c TCP \u6d41\u7ec4\u88c5\u7684\u64cd\u4f5c\u8981\u6c42\u7684\u95ee\u9898\uff0c\u4ee5\u4fbf\u8fdb\u884c DNS \u6d4b\u91cf\u548c\u5206\u6790\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.32\u3001 RFC 8484\uff1a\u901a\u8fc7 HTTPS\u7684 DNS \u67e5\u8be2(DoH)<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC8484] \u5b9a\u4e49\u4e86\u4e00\u79cd\u901a\u8fc7 HTTPS \u53d1\u9001 DNS \u67e5\u8be2\u548c\u54cd\u5e94\u7684\u534f\u8bae\u3002\u672c\u89c4\u8303\u5047\u8bbe\u5e95\u5c42\u5b89\u5168\u5c42\u548c\u4f20\u8f93\u5c42\u5206\u522b\u4f7f\u7528 TLS \u548c TCP\u3002DoH \u81ea\u79f0\u662f\u4e00\u79cd\u66f4\u7c7b\u4f3c\u4e8e\u96a7\u9053\u673a\u5236\u7684\u6280\u672f\uff0c\u4f46\u5728\u67d0\u79cd\u610f\u4e49\u4e0a\uff0c\u5373\u4f7f\u4e0d\u662f\u76f4\u63a5\u7684\uff0c\u4e5f\u53ef\u80fd\u6697\u793a DNS over TCP\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.33\u3001 RFC 8490\uff1aDNS \u6709\u72b6\u6001\u64cd\u4f5c<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u63d0\u8bae\u7684\u6807\u51c6 [RFC8490] \u4f7f\u7528\u65b0\u7684 OPCODE \u66f4\u65b0\u4e86\u57fa\u672c\u534f\u8bae\u89c4\u8303\uff0c\u4ee5\u5e2e\u52a9\u7ba1\u7406\u6301\u4e45\u4f1a\u8bdd\u4e2d\u7684\u6709\u72b6\u6001\u64cd\u4f5c\uff0c\u4f8b\u5982 DNS over TCP \u53ef\u80fd\u4f7f\u7528\u7684\u90a3\u4e9b\u64cd\u4f5c\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.34\u3001 RFC 8501\uff1aInternet \u670d\u52a1\u63d0\u4f9b\u5546\u7684 IPv6 \u4e2d\u7684\u53cd\u5411 DNS<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u4fe1\u606f\u6587\u6863 [RFC8501] \u786e\u5b9a\u4e86\u52a8\u6001 DNS \u7684\u6f5c\u5728\u8fd0\u8425\u6311\u6218\uff0c\u5305\u62ec\u62d2\u7edd\u670d\u52a1\u5a01\u80c1\u3002\u8be5\u6587\u6863\u5efa\u8bae TCP \u53ef\u80fd\u63d0\u4f9b\u4e00\u4e9b\u4f18\u52bf\uff0c\u4f46\u66f4\u65b0\u4e3b\u673a\u9700\u8981\u660e\u786e\u914d\u7f6e\u4e3a\u4f7f\u7528 TCP \u800c\u4e0d\u662f UDP\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.35\u3001 RFC 8806\uff1a\u8fd0\u884c\u89e3\u6790\u5668\u672c\u5730\u7684\u6839\u670d\u52a1\u5668<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
\u4fe1\u606f\u6587\u6863 [RFC8806] \u63cf\u8ff0\u4e86\u5982\u4f55\u83b7\u53d6\u548c\u64cd\u4f5c\u6839\u533a\u57df\u7684\u672c\u5730\u526f\u672c\uff0c\u5e76\u4e3e\u4f8b\u8bf4\u660e\u4e86\u5982\u4f55\u4f7f\u7528 DNS-over-TCP \u533a\u57df\u4f20\u8f93\u4ece\u6743\u5a01\u6765\u6e90\u4e2d\u63d0\u53d6\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.36\u3001 RFC 8906\uff1aDNS \u670d\u52a1\u5668\u4e2d\u7684\u5e38\u89c1\u64cd\u4f5c\u95ee\u9898\uff1a\u65e0\u6cd5\u901a\u4fe1<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
Best Current Practice \u6587\u6863 [RFC8906] \u8ba8\u8bba\u4e86\u8bb8\u591a DNS \u64cd\u4f5c\u5931\u8d25\u573a\u666f\u4ee5\u53ca\u5982\u4f55\u907f\u514d\u5b83\u4eec\u3002\u8fd9\u5305\u62ec\u6d89\u53ca DNS-over-TCP \u67e5\u8be2\u3001EDNS over TCP \u548c\u6d4b\u8bd5\u65b9\u6cd5\u7684\u8ba8\u8bba\uff0c\u5176\u4e2d\u5305\u62ec\u5173\u4e8e\u9a8c\u8bc1 DNS-over-TCP \u529f\u80fd\u7684\u90e8\u5206\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.37\u3001 RFC 8932\uff1aDNS \u9690\u79c1\u670d\u52a1\u8fd0\u8425\u5546\u7684\u5efa\u8bae<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
Best Current Practice \u6587\u6863 [RFC8932] \u5411 DNS \u9690\u79c1\u670d\u52a1\u8fd0\u8425\u5546\u4ecb\u7ecd\u4e86\u9690\u79c1\u6ce8\u610f\u4e8b\u9879\u3002\u8fd9\u4e9b\u673a\u5236\u6709\u65f6\u5305\u62ec TCP \u7684\u4f7f\u7528\uff0c\u56e0\u6b64\u5bb9\u6613\u53d7\u5230\u4fe1\u606f\u6cc4\u9732\u7684\u5f71\u54cd\uff0c\u4f8b\u5982\u57fa\u4e8e TCP \u7684\u6307\u7eb9\u8bc6\u522b\u3002\u672c\u6587\u6863\u8fd8\u5f15\u7528\u4e86\u672c\u6587\u6863\u7684\u65e9\u671f\u8349\u7a3f\u7248\u672c\u3002<\/p>\n
\n
\n
\n
<\/div><\/section>\n
A.38\u3001 RFC 8945\uff1aDNS\u7684\u5bc6\u94a5\u4e8b\u52a1\u8ba4\u8bc1(TSIG)<\/strong><\/span><\/section>\n<\/section>\n<\/section>\n<\/section>\n
Internet \u6807\u51c6 [RFC8945] \u5efa\u8bae\u5ba2\u6237\u7aef\u5728\u6536\u5230\u622a\u65ad\u7684 TSIG \u6d88\u606f\u65f6\u4f7f\u7528 TCP\u3002<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
RFC9210\uff1aDNS Transport over TCP -Operational Requirement […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,2],"tags":[],"class_list":["post-10477","post","type-post","status-publish","format-standard","hentry","category-cisco","category-network"],"_links":{"self":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/10477","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10477"}],"version-history":[{"count":1,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/10477\/revisions"}],"predecessor-version":[{"id":10940,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/10477\/revisions\/10940"}],"wp:attachment":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10477"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10477"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10477"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}