[dns-operations] Mixed DNS cookie support in anycast cluster issue?

Sven Van Dyck svenvd at dnsbelgium.be
Thu May 17 17:15:35 UTC 2018


We currently operate some anycast clusters. Each anycast cluster runs
several nodes, and we use a couple of different DNS software packages within
one anycast cluster.
Now, one of those DNS software packages needs a major upgrade; with the
upgrade also comes the enabling of DNS cookies, but only for that particular DNS

Where we see a potential issue is in the scenario where the client falls
back to a non-DNS-cookie-speaking node (due to maintenance, BGP changes,
...) after having previously set up a valid DNS cookie session with
another node in the same anycast cluster. Will the response packets be
discarded by the DNS-cookie-aware resolver? What are the operational
points of view on this setup? Is this practically a problem?

More specifically, the following paragraph from RFC 7873 (Section 5.3,
Processing Responses):

"If the client is expecting the response to
contain a COOKIE option and it is missing, the response MUST be

Is there anything else we need to be aware of for this particular setup, apart
from keeping the server cookie secret the same on all nodes that support
DNS cookies? It would be best if all DNS software in the anycast
cluster had cookie support and the same server cookie secret, but today
not all DNS software supports DNS cookies yet.

*Sven Van Dyck*
*System Engineer*
+32 16 28 49 74
*www.dnsbelgium.be* <http://www.dnsbelgium.be/>
