[dns-operations] DNS cookies in a mixed resolver anycast environment

Tony Finch dot at dotat.at
Mon Jun 3 16:34:12 UTC 2019

Hellqvist, Björn <bjorn.hellqvist at teliacompany.com> wrote:
> The problem was that the Authoritative parts were not responding
> properly to queries using DNS Cookie. Several important domains stopped
> working for our customers.
> Ever since then we have had to disable DNS Cookies upstream to the
> Authoritative servers.

Instead of turning it off completely, I added a cookie bad list.

	server ... { send-cookie no; };

The main problem was sauthns[12].qwest.net which hosts a lot of prominent
domains. I noticed in April that they now work OK, yay! All I have left in
my nocookie list is a bad load balancer at a bank.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
oppose all forms of entrenched privilege and inequality
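
An added example, not part of the message above and not BIND code: one way to triage which servers might belong on such a no-cookie list is to classify how each one answers a query carrying an EDNS COOKIE option (RFC 7873). The function names and verdict labels are hypothetical, the thread does not say how the affected servers misbehaved, and the replies are constructed byte strings rather than captures.

```python
import struct

COOKIE = 10   # EDNS option code for COOKIE (RFC 7873)
OPT = 41      # OPT pseudo-RR type

def build_message(qname, cookie, flags=0, msg_id=0x1234):
    """Wire-format A-record message; cookie=None omits the OPT record."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    opt = b""
    if cookie is not None:
        rdata = struct.pack("!HH", COOKIE, len(cookie)) + cookie
        # root name, TYPE=OPT, CLASS=UDP size, TTL=ext-rcode/version/flags, RDLEN
        opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, len(rdata)) + rdata
    header = struct.pack("!6H", msg_id, flags, 1, 0, 0, 1 if opt else 0)
    return header + name + struct.pack("!HH", 1, 1) + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def classify(reply, client_cookie):
    """Verdict on how a server handled a query that carried client_cookie."""
    if reply is None:
        return "timeout"                    # query was silently dropped
    _, flags, qd, an, ns, ar = struct.unpack("!6H", reply[:12])
    if flags & 0xF == 1:
        return "formerr"                    # server rejected the query as malformed
    off = 12
    for _ in range(qd):
        off = skip_name(reply, off) + 4     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        rdata, off = reply[off + 10:off + 10 + rdlen], off + 10 + rdlen
        while rtype == OPT and len(rdata) >= 4:
            code, olen = struct.unpack("!HH", rdata[:4])
            value, rdata = rdata[4:4 + olen], rdata[4 + olen:]
            if code == COOKIE:              # legal lengths: 8, or 16 to 40 bytes
                good = value[:8] == client_cookie and len(value) in (8, *range(16, 41))
                return "cookie-ok" if good else "bad-cookie-echo"
    return "no-cookie"                      # option ignored, which is harmless

if __name__ == "__main__":
    cc = bytes(range(8))                    # constructed client cookie
    ok = build_message("example.com", cc + b"S" * 8, flags=0x8000)
    wrong = build_message("example.com", b"X" * 16, flags=0x8000)
    print(classify(ok, cc), classify(wrong, cc), classify(None, cc))
```

Only the "timeout", "formerr" and "bad-cookie-echo" verdicts point at a server that may need a `send-cookie no;` clause; "no-cookie" is a server that simply ignores the option.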
