[dns-operations] DNS cookies in a mixed resolver anycast environment

Ondřej Surý ondrej at sury.org
Fri May 31 09:23:28 UTC 2019

Hi Patrik,

this is something being worked on in the IETF, see:


We should have the next version of the draft ready for the IETF in Montreal in the summer, where we hope
the draft will be accepted by the dnsop working group.

Ondřej Surý
ondrej at sury.org

> On 31 May 2019, at 09:11, Patrik Lundin <patrik at sigterm.se> wrote:
> Hello!
> I have been trying to figure out how to best deal with DNS cookies in an
> environment where you are running multiple resolver implementations. From
> what I can tell, out of BIND, Knot Resolver, PowerDNS Recursor and
> Unbound only BIND is currently implementing cookie support. Knot seemed
> to have done so previously, but as of 3.0.0 the cookie support was
> removed (https://www.knot-resolver.cz/2018-08-20-knot-resolver-3.0.0.html)
> because of some ongoing work in the IETF DNSOP.
> Reading RFC 7873 it states "If the client is expecting the response to
> contain a COOKIE option and it is missing, the response MUST be
> discarded.", which leads me to believe that having an anycast cluster of
> a set of BIND servers where cookies are enabled together with a set of
> servers where the cookies are not supported would be a bad thing,
> causing clients to discard answers.
> Yet, when looking up how one would go about disabling the sending of
> cookies in responses to clients for BIND, the documentation for
> "answer-cookie" (https://ftp.isc.org/isc/bind9/cur/9.15/doc/arm/Bv9ARM.ch05.html)
> states the following:
> "answer-cookie no is intended as a temporary measure, for use when named
> shares an IP address with other servers that do not yet support DNS
> COOKIE. A mismatch between servers on the same address is not expected
> to cause operational problems, but the option to disable COOKIE
> responses so that all servers have the same behavior is provided out of
> an abundance of caution. DNS COOKIE is an important security mechanism,
> and should not be disabled unless absolutely necessary."
> If clients are instructed to discard replies where the cookie is
> missing, how can this not cause operational problems? Am I missing
> something?
> On a related note, given that a set of BIND servers already have
> the default cookies enabled, what is the expected fallout of setting
> "answer-cookie no" if this turns out to be the favorable approach in
> this case?
> Regards,
> Patrik Lundin
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
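The RFC 7873 client rule Patrik quotes, applied to wire-format messages: an added Python example (not from the thread, BIND or any other resolver named) that builds a constructed minimal response with and without an EDNS COOKIE option and checks whether a cookie-sending client would keep or discard it. It assumes the client sent an 8-byte client cookie and simplifies the match to comparing that prefix.

```python
import struct

COOKIE_OPT = 10   # EDNS option code assigned to DNS COOKIE (RFC 7873)
OPT_TYPE = 41     # RR type of the EDNS OPT pseudo-RR

def build_response(txid, qname, cookie=None):
    """Constructed minimal response: header, one A question, one OPT RR.
    cookie=None models a server that does not implement DNS COOKIE and so
    answers without the option; bytes models a cookie-aware server."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)          # QTYPE A, IN
    rdata = b"" if cookie is None else struct.pack("!HH", COOKIE_OPT, len(cookie)) + cookie
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def skip_name(msg, off):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def cookie_options(msg):
    """Return the payloads of every COOKIE option carried in OPT RRs."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                      # QTYPE + QCLASS
    cookies = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        end = off + rdlen
        while rtype == OPT_TYPE and off < end:            # walk EDNS options
            code, olen = struct.unpack("!HH", msg[off:off + 4])
            if code == COOKIE_OPT:
                cookies.append(msg[off + 4:off + 4 + olen])
            off += 4 + olen
        off = end
    return cookies

def client_accepts(response, sent_cookie):
    """RFC 7873 client side: a client that sent a COOKIE option expects one
    back and MUST discard a response without it. A client that sent none
    accepts either way. Client-cookie comparison is simplified to a prefix match."""
    if sent_cookie is None:
        return True
    cookies = cookie_options(response)
    return bool(cookies) and cookies[0][:8] == sent_cookie[:8]
```

In a mixed anycast pool, the second case is the one to watch: a cookie-sending client routed to a server without cookie support gets a response that the rule says to discard.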
