[dns-operations] DNS cookies in a mixed resolver anycast environment
patrik at sigterm.se
Tue Jun 4 06:39:44 UTC 2019
On Fri, May 31, 2019 at 06:15:29PM +1000, Mark Andrews wrote:
> As for discarding replies without DNS COOKIEs once the recursive server
> learns that the server supports DNS COOKIEs there is only an issue if the
> operator has configured an anycast server cluster for a given client with
> servers that both support and don’t support DNS COOKIE. The client thinks
> it is seeing spoofed responses when it sees non-DNS COOKIE responses. If
> you are configuring an anycast server it’s just one more thing you need to
> ensure is consistent across the server set for a given client.
What is the expected fallback in the case of a missing DNS COOKIE?
Retrying over TCP? You mention recursive servers learning the cookie
above but I am currently more interested in the effects on stub
resolvers at this point, since I'm looking at this from the perspective
of a resolver service, not an authoritative service.
Thanks for taking the time to respond!
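The failure mode Mark describes, modelled as an added Python example (not code from this thread or from any real resolver): a stub keeps per-address state, and once an anycast address has answered with a valid COOKIE option, a later cookie-less answer from the same address is treated as suspect. The HMAC-based client cookie, the fixed placeholder server cookie and the address 192.0.2.53 are assumptions made for the simulation; the option wire format follows RFC 7873.

```python
import hashlib, hmac, secrets, struct

COOKIE_OPTION_CODE = 10  # EDNS0 option code for COOKIE (RFC 7873)
SERVER_COOKIE = b"\x5a" * 8  # constructed placeholder; real servers derive it from a secret

def client_cookie(secret: bytes, server_ip: str) -> bytes:
    # 8-byte client cookie bound to the server address (HMAC is our stand-in for the RFC's PRF)
    return hmac.new(secret, server_ip.encode(), hashlib.sha256).digest()[:8]

def encode_cookie_option(cc: bytes, sc: bytes = b"") -> bytes:
    # EDNS option wire format: OPTION-CODE, OPTION-LENGTH, 8-byte client cookie, optional 8..32-byte server cookie
    assert len(cc) == 8 and (not sc or 8 <= len(sc) <= 32)
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(cc) + len(sc)) + cc + sc

def parse_cookie_option(opt: bytes):
    code, length = struct.unpack("!HH", opt[:4])
    data = opt[4:4 + length]
    if code != COOKIE_OPTION_CODE or len(data) < 8:
        return None
    return data[:8], data[8:]

class CookieAwareStub:
    def __init__(self):
        self.secret = secrets.token_bytes(16)
        self.cookie_servers = set()  # addresses that have answered with a valid COOKIE

    def handle_response(self, server_ip: str, cookie_opt):
        parsed = parse_cookie_option(cookie_opt) if cookie_opt else None
        if parsed and hmac.compare_digest(parsed[0], client_cookie(self.secret, server_ip)):
            self.cookie_servers.add(server_ip)
            return "accepted"
        if server_ip in self.cookie_servers:
            return "discarded"  # cookie expected from this address but absent: looks spoofed
        return "accepted"       # address never showed cookie support, so a plain reply is normal

def backend_reply(kind: str, query_opt: bytes):
    # "cookie" backends echo the client cookie plus a server cookie; "plain" ones ignore the option
    if kind == "cookie":
        cc, _ = parse_cookie_option(query_opt)
        return encode_cookie_option(cc, SERVER_COOKIE)
    return None

def simulate(stub: CookieAwareStub, vip: str, backends: list) -> list:
    # Every query goes to the same anycast address but lands on whichever backend routing picks
    outcomes = []
    for kind in backends:
        reply = backend_reply(kind, encode_cookie_option(client_cookie(stub.secret, vip)))
        outcomes.append(stub.handle_response(vip, reply))
    return outcomes
```

A cluster where every backend is of the same kind yields only "accepted"; a mixed cluster yields "discarded" for each plain backend reached after a cookie-capable one, which is the consistency check an operator wants to run before enabling cookies on part of an anycast set.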