[dns-operations] DNS cookies in a mixed resolver anycast environment

Patrik Lundin patrik at sigterm.se
Tue Jun 4 06:44:58 UTC 2019


On Fri, May 31, 2019 at 10:26:16AM +0000, Hellqvist, Björn wrote:
> Hi,
>
> Just to respond with our experience regarding DNS Cookie, which we
> tried enabling in autumn 2017.
>
> At that time we figured out that the "world" was not ready for that
> feature and we got quite some complaints both by our customers and
> owners of domains.
>
> The problem was that the Authoritative parts were not responding
> properly to queries using DNS Cookie. Several important domains
> stopped working for our customers.
>
> Ever since then we have had to disable DNS Cookies upstream to the
> Authoritative servers.

Thanks for sharing your experience. While in this case I am looking at
the effects downstream to stubs, I believe the sending of cookies upstream
to auths has met similar problems for this setup in the past. It is
indeed tricky to defend when public services are not showing the same
results.

-- 
Patrik Lundin


