[dns-operations] DNS cookies in a mixed resolver anycast environment

Patrik Lundin patrik at sigterm.se
Fri May 31 07:11:19 UTC 2019


I have been trying to figure out how to best deal with DNS cookies in an
environment where you are running multiple resolver implementations. From
what I can tell, out of BIND, Knot Resolver, PowerDNS Recursor and
Unbound only BIND is currently implementing cookie support. Knot seemed
to have done so previously, but as of 3.0.0 the cookie support was
removed (https://www.knot-resolver.cz/2018-08-20-knot-resolver-3.0.0.html)
because of some ongoing work in the IETF DNSOP.

Reading RFC 7873 it states "If the client is expecting the response to
contain a COOKIE option and it is missing, the response MUST be
discarded.", which leads me to believe that having an anycast cluster of
a set of BIND servers where cookies are enabled together with a set of
servers where the cookies are not supported would be a bad thing,
causing clients to discard answers.

Yet, when looking up how one would go about disabling the sending of
cookies in responses to clients for BIND, the documentation for
"answer-cookie" (https://ftp.isc.org/isc/bind9/cur/9.15/doc/arm/Bv9ARM.ch05.html)
states the following:

"answer-cookie no is intended as a temporary measure, for use when named
shares an IP address with other servers that do not yet support DNS
COOKIE. A mismatch between servers on the same address is not expected
to cause operational problems, but the option to disable COOKIE
responses so that all servers have the same behavior is provided out of
an abundance of caution. DNS COOKIE is an important security mechanism,
and should not be disabled unless absolutely necessary."

If clients are instructed to discard replies where the cookie is
missing, how can this not cause operational problems? Am I missing

On a related note, given that a set of BIND servers already have
the default cookies enabled, what is the expected fallout of setting
"answer-cookie no" if this turns out to be the favorable approach in
this case?

Patrik Lundin
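The client-side rule quoted above, modelled as added example code (not from the post, and not the behaviour of any of the resolvers named): a Python sketch of RFC 7873 section 5.2 response handling, run against a constructed scenario in which one anycast address is served by a cookie-capable backend and a cookie-less one. The assumption that a client "expects" a cookie once it has cached a Server Cookie from an address is mine, as are the constructed cookies and the 192.0.2.53 address.

```python
import struct

COOKIE_OPTION_CODE = 10  # EDNS(0) option code assigned to COOKIE in RFC 7873

def find_cookie_option(edns_options: bytes):
    """Walk an EDNS(0) option list (code, length, data) and return the raw
    COOKIE option data, or None when no COOKIE option is present."""
    pos = 0
    while pos + 4 <= len(edns_options):
        code, length = struct.unpack("!HH", edns_options[pos:pos + 4])
        data = edns_options[pos + 4:pos + 4 + length]
        if len(data) != length:
            return None  # truncated option list: treat the option as absent
        if code == COOKIE_OPTION_CODE:
            return data
        pos += 4 + length
    return None

def cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Build the COOKIE option a server places in its OPT RR."""
    payload = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(payload)) + payload

class CookieClient:
    """Client-side handling of the COOKIE option in a response (model of RFC 7873
    s.5.2). Assumption: a client 'expects' a cookie from an address once it
    has cached a Server Cookie from that address."""
    def __init__(self):
        self.server_cookies = {}  # server address -> last Server Cookie seen

    def handle_response(self, server, sent_client_cookie, edns_options):
        data = find_cookie_option(edns_options)
        if data is None:                                  # 5.2.1
            if server in self.server_cookies:
                return "discard: expected COOKIE option, none present"
            return "accept: no cookie yet known for this address"
        if len(data) != 8 and not 16 <= len(data) <= 40:  # 5.2.2
            return "discard: malformed COOKIE option"
        if data[:8] != sent_client_cookie:                # 5.2.3 / 5.2.4
            return "discard: Client Cookie does not match the one sent"
        if len(data) > 8:                                 # 5.2.4: remember it
            self.server_cookies[server] = data[8:]
        return "accept: cookie verified"

def simulate_mixed_anycast():
    """Constructed scenario: one anycast address fronts backend A (sends a
    Server Cookie) and backend B (sends no COOKIE option at all)."""
    client = CookieClient()
    cc, sc = b"\x01" * 8, b"\xaa" * 16       # constructed Client/Server Cookie
    anycast = "192.0.2.53"                   # documentation address (RFC 5737)
    return [
        client.handle_response(anycast, cc, b""),                    # B answers first
        client.handle_response(anycast, cc, cookie_option(cc, sc)),  # then A
        client.handle_response(anycast, cc, b""),                    # B again
    ]
```

The third result is the failure mode the post worries about: once backend A has taught the client a Server Cookie for the shared address, an answer from cookie-less backend B on that same address is discarded.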