> But we only care about TCP connection setup time in *interactive*
> sessions (a human using something like the web). If you have a
> persistent connection to your dns server from your dns resolver on your
> browser machine, you just send the request.... no TCP setup there at
> all. You can even pool connections. We do this stuff in LDAP all the time.
Again, if we can change the DNS protocol, then it's easy to solve. Securing host->recursive name server is, at the moment, not an issue - each host is a small target, and often has little bandwidth available. Furthermore, stopping IP spoofing of one's own hosts within one's networks is, well, not trivial, but not hugely difficult either.
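The quoted point about reusing one persistent stub-to-recursive connection is worth seeing in bytes. The following is an added illustration, not code from either poster: it builds minimal DNS queries, applies the two-byte length prefix that DNS over TCP requires, pipelines several queries into one write on a single connection, and then splits the returned byte stream back into messages and matches them to the outstanding queries by transaction ID (responses on a pipelined connection need not come back in order). The responses are constructed in-memory stand-ins rather than real server output, so the whole thing runs offline; no network socket is opened.

```python
import struct

def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query in wire format: 12-byte header, one IN question (A by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; QDCOUNT=1
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question

def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with its length in two bytes, network order."""
    return struct.pack("!H", len(msg)) + msg

def pipeline(queries) -> bytes:
    """Several queries concatenated for a single write on one persistent connection."""
    return b"".join(frame_tcp(q) for q in queries)

def read_messages(stream: bytes):
    """Split bytes read from the connection into whole messages.
    Returns (messages, leftover); leftover is a partial message still waiting for bytes."""
    msgs = []
    off = 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack_from("!H", stream, off)
        if off + 2 + n > len(stream):
            break                      # incomplete message: keep it for the next read
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, stream[off:]

def txid(msg: bytes) -> int:
    return struct.unpack_from("!H", msg, 0)[0]

def match_responses(pending: dict, stream: bytes) -> dict:
    """Pair each response on the shared connection with its query by transaction ID.
    Responses whose ID is not outstanding are dropped, which is the usual stub behaviour."""
    matched = {}
    msgs, _leftover = read_messages(stream)
    for m in msgs:
        tid = txid(m)
        if tid in pending:
            matched[tid] = m
            del pending[tid]
    return matched

def fake_response(query: bytes) -> bytes:
    """Constructed stand-in for a server reply: same ID and question, flags QR=1 RD=1 RA=1."""
    return query[:2] + b"\x81\x80" + query[4:]

def demo() -> dict:
    # Two queries share one connection; the "server" answers them out of order.
    q1 = build_query("example.com", 1)
    q2 = build_query("example.org", 2)
    wire_out = pipeline([q1, q2])          # one write, no per-query TCP handshake
    pending = {txid(q1): q1, txid(q2): q2}
    wire_in = frame_tcp(fake_response(q2)) + frame_tcp(fake_response(q1))  # constructed
    assert len(wire_out) == 2 * (2 + 29)
    return match_responses(pending, wire_in)

if __name__ == "__main__":
    for tid, resp in demo().items():
        print(tid, resp.hex())
```

The `read_messages` leftover handling matters in practice: on a long-lived connection a read can end in the middle of a framed message, and a stub that treats the buffer as message-aligned will desynchronise and misattribute answers from that point on.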