[dns-operations] DNS cookies in a mixed resolver anycast environment

[Mark Andrews]

> On 4 Jun 2019, at 4:39 pm, Patrik Lundin <patrik at sigterm.se> wrote:
> 
> On Fri, May 31, 2019 at 06:15:29PM +1000, Mark Andrews wrote:
>> As for discarding replies without DNS COOKIEs once the recursive server
>> learns that the server supports DNS COOKIEs there is only a issue if the
>> operator has configured a anycast server cluster for a given client with
>> servers that both support and don’t support DNS COOKIE.  The client thinks
>> it is seeing spoofed responses when it see non-DNS COOKIE responses.  If
>> you are configuring a anycast server it’s just one more thing you need to
>> ensure is consistent across the server set for a given client.
>> 
> 
> What is the expected fallback in the case of a missing DNS COOKIE?
> Retrying over TCP? You mention recursive servers learning the cookie
> above but I am currently more interested in the effects on stub
> resolvers at this point, since I'm looking at this from the perspective
> of a resolver service, not an authoritative service.

If you don’t get back a COOKIE response is it treated as a FORGERY.  This is anti-
spoofing code.  The code waits for the legitimate response.  It will retry after
timing out.

If you put up a broken service expect lookups to fail. Inconsistent server behaviour
is broken behaviour.

If you put up multiple servers with different server cookie algorithms the client
can still see its own cookies in the response (and will determine that they are
legitimate) and will switch to TCP after a couple of attempts if the error code
is BADCOOKIE.

> Thanks for taking the time to respond!
> 
> -- 
> Patrik Lundin

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org