[dns-operations] DNS cookies in a mixed resolver anycast environment

Patrik Lundin patrik at sigterm.se
Tue Jun 4 06:39:44 UTC 2019


On Fri, May 31, 2019 at 06:15:29PM +1000, Mark Andrews wrote:
> As for discarding replies without DNS COOKIEs once the recursive server
> learns that the server supports DNS COOKIEs there is only an issue if the
> operator has configured an anycast server cluster for a given client with
> servers that both support and don’t support DNS COOKIE.  The client thinks
> it is seeing spoofed responses when it sees non-DNS COOKIE responses.  If
> you are configuring an anycast server it’s just one more thing you need to
> ensure is consistent across the server set for a given client.
> 

What is the expected fallback in the case of a missing DNS COOKIE?
Retrying over TCP? You mention recursive servers learning the cookie
above but I am currently more interested in the effects on stub
resolvers at this point, since I'm looking at this from the perspective
of a resolver service, not an authoritative service.

Thanks for taking the time to respond!

-- 
Patrik Lundin

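As an added illustration of the failure mode Mark Andrews describes above (this is example code written for this page, not code from the thread, from BIND, or from any resolver), the following Python model builds and parses the EDNS COOKIE option (option code 10, RFC 7873) and runs a client that remembers which server address has already sent it a server cookie against an anycast cluster where one node adds cookies and one does not. The node names, the anycast address 192.0.2.53, the per-node secrets and the client's "reject cookieless replies once cookies were seen" policy are all constructed for the example; the policy models the behaviour described in the quoted text, not the full set of rules in the RFC.

```python
import hmac
import os
import struct
from dataclasses import dataclass, field

# EDNS option code assigned to COOKIE in RFC 7873.
COOKIE_OPTION_CODE = 10


def build_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Encode one EDNS0 option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be exactly 8 bytes")
    if server_cookie and not 8 <= len(server_cookie) <= 32:
        raise ValueError("server cookie must be 8..32 bytes")
    data = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def parse_edns_options(rdata: bytes) -> dict:
    """Parse the RDATA of an OPT RR into {option_code: option_data}, rejecting truncation."""
    options = {}
    offset = 0
    while offset + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, offset)
        offset += 4
        if offset + length > len(rdata):
            raise ValueError("truncated EDNS option")
        options[code] = rdata[offset:offset + length]
        offset += length
    if offset != len(rdata):
        raise ValueError("trailing bytes in OPT RDATA")
    return options


@dataclass
class AnycastNode:
    """One member of a constructed anycast cluster; secret is per node, as in a real deployment."""
    name: str
    supports_cookies: bool
    secret: bytes = field(default_factory=lambda: os.urandom(16))

    def respond(self, query_opt_rdata: bytes) -> bytes:
        """Return the OPT RDATA of the reply. Cookie-unaware nodes send no options at all."""
        if not self.supports_cookies:
            return b""
        client_cookie = parse_edns_options(query_opt_rdata)[COOKIE_OPTION_CODE][:8]
        # Server cookie derived from the client cookie under this node's secret (16 bytes).
        server_cookie = hmac.new(self.secret, client_cookie, "sha256").digest()[:16]
        return build_cookie_option(client_cookie, server_cookie)


@dataclass
class CookieClient:
    """Client that learns per server address whether cookies have been seen."""
    client_cookie: bytes = field(default_factory=lambda: os.urandom(8))
    learned: dict = field(default_factory=dict)   # server address -> last server cookie

    def query_opt_rdata(self, server_addr: str) -> bytes:
        return build_cookie_option(self.client_cookie, self.learned.get(server_addr, b""))

    def accept(self, server_addr: str, reply_opt_rdata: bytes) -> bool:
        """Decide whether a reply is trusted. Models the policy from the quoted text."""
        cookie = parse_edns_options(reply_opt_rdata).get(COOKIE_OPTION_CODE)
        if cookie is None:
            # No cookie: fine for a server never seen with cookies, suspicious otherwise.
            return server_addr not in self.learned
        if cookie[:8] != self.client_cookie:
            return False  # echoed client cookie does not match: treat as spoofed
        self.learned[server_addr] = cookie[8:]
        return True


def simulate(sequence, addr: str = "192.0.2.53"):
    """Send one query per node in `sequence` to the shared anycast address; return (node, accepted)."""
    client = CookieClient()
    results = []
    for node in sequence:
        reply = node.respond(client.query_opt_rdata(addr))
        results.append((node.name, client.accept(addr, reply)))
    return results


if __name__ == "__main__":
    aware = AnycastNode("cookie-aware", True)
    unaware = AnycastNode("cookie-unaware", False)
    for name, ok in simulate([aware, unaware, aware, unaware]):
        print(f"{name:15s} {'accepted' if ok else 'REJECTED (looks spoofed)'}")
```

Running the mixed sequence shows the first reply from the cookie-unaware node being accepted only if it arrives before any cookie-bearing reply; once the client has stored a server cookie for the anycast address, every cookieless reply from the other node is rejected. Making the cluster consistent in either direction (all nodes with cookies, or none) makes every reply acceptable, which is the operational check the quoted text recommends.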
