Given these DNS poisoning attacks come up every now and then, I have a question, and maybe someone here can answer:
My understanding is that this is purely a UDP problem. So... why not just say we'll deprecate DNS over UDP, at least for the communication between the resolver and the authoritative server? DNS over TCP has been required since, like, forever (was it ever not required?), so it shouldn't be a problem.
I doubt there's a performance problem either. UDP is probably a bit faster, but resolver-authoritative communication shouldn't be that much as things can be cached.
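To make the "UDP problem" concrete, here is an added example (it is not code from the post or from any real resolver) of the checks a stub resolver applies before it trusts a UDP reply, and of the arithmetic behind a blind off-path spoofing race against them. Everything an attacker has to guess here (a 16-bit transaction ID and, with source-port randomisation, a roughly 16-bit port) fits in a UDP datagram that anyone can forge; a TCP reply would additionally have to carry the right 32-bit sequence number from a handshake the attacker never saw. The ephemeral port range (1024-65535), the sample name and addresses, and the "attacker wins if any guess lands before the genuine reply" model are assumptions made for the example.

```python
import struct
import secrets
from dataclasses import dataclass

# Added example (not from the post or any resolver's code): a toy stub
# resolver's UDP response-matching check and the arithmetic of a blind
# off-path spoofing race against it.


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels, no compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """12-byte header (QR=0, RD=1) followed by a single IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, name: str, rdata: bytes, qtype: int = 1, ttl: int = 300) -> bytes:
    """Header (QR=1, AA=1), the echoed question, and one answer RR whose owner
    name is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def question_section(pkt: bytes) -> bytes:
    """Raw bytes of the first question (name + QTYPE + QCLASS) after the header."""
    off = 12
    while pkt[off] != 0:          # walk the labels up to the root terminator
        off += 1 + pkt[off]
    off += 1 + 4                  # terminator, QTYPE, QCLASS
    return pkt[12:off]


@dataclass(frozen=True)
class Outstanding:
    """What the resolver remembers about a query it has sent."""
    txid: int
    src_port: int
    query: bytes


def new_outstanding(name: str) -> Outstanding:
    """Pick a random 16-bit ID and a random source port (assumed range 1024-65535)."""
    txid = secrets.randbelow(1 << 16)
    port = 1024 + secrets.randbelow(65536 - 1024)
    return Outstanding(txid, port, build_query(txid, name))


def response_accepted(pending: Outstanding, reply: bytes, reply_dst_port: int) -> bool:
    """Checks before a UDP reply is trusted (RFC 5452 section 9): it must arrive
    on the port the query left from, carry the same ID, have QR set, and repeat
    the question byte-for-byte (the comparison 0x20 case randomisation relies on)."""
    if reply_dst_port != pending.src_port:
        return False
    txid, flags = struct.unpack("!HH", reply[:4])
    if txid != pending.txid or not (flags & 0x8000):
        return False
    return question_section(reply) == question_section(pending.query)


def forged_replies_accepted(pending: Outstanding, name: str, attacker_rdata: bytes,
                            txid_guesses, port_guess: int) -> int:
    """Count how many of an off-path attacker's blind guesses would be accepted.
    The attacker knows the name (they triggered the lookup) but not the ID or port."""
    return sum(
        response_accepted(pending, build_response(g, name, attacker_rdata), port_guess)
        for g in txid_guesses
    )


def blind_spoof_success(attempts: int, txid_bits: int = 16, port_bits: int = 16) -> float:
    """Probability that `attempts` distinct (ID, port) guesses, all delivered
    before the genuine reply, include the right pair."""
    space = 1 << (txid_bits + port_bits)
    return min(1.0, attempts / space)


if __name__ == "__main__":
    # Constructed sample lookup: the attacker wants example.com to resolve to 192.0.2.2.
    pending = new_outstanding("example.com")
    genuine = build_response(pending.txid, "example.com", b"\xc0\x00\x02\x01")
    print("genuine reply accepted:", response_accepted(pending, genuine, pending.src_port))
    hits = forged_replies_accepted(pending, "example.com", b"\xc0\x00\x02\x02",
                                   range(1 << 16), port_guess=53)
    print("forged replies accepted with a wrong port guess:", hits)
    print("ID only randomised, 65536 forged replies:", blind_spoof_success(65536, 16, 0))
    print("ID and port randomised, 65536 forged replies:", blind_spoof_success(65536, 16, 16))
```

With only the transaction ID randomised, an attacker who can deliver 65536 forged replies before the real one wins every race; add a random source port and the same burst succeeds in about one race in 65536, which is why the Kaminsky-era fix was port randomisation rather than anything about TCP. Real ephemeral port ranges are a little smaller than 16 bits, so the second figure is slightly optimistic.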