[dns-operations] DNS cookies in a mixed resolver anycast environment

Ondřej Surý ondrej at sury.org
Fri May 31 09:23:28 UTC 2019


Hi Patrik,

this is something being worked on in the IETF, see:

https://tools.ietf.org/html/draft-sury-toorop-dns-cookies-algorithms-00

We should have the next version of the draft ready for IETF in Montreal in the summer, where we hope
the draft will be accepted by the dnsop working group.

Ondrej
--
Ondřej Surý
ondrej at sury.org



> On 31 May 2019, at 09:11, Patrik Lundin <patrik at sigterm.se> wrote:
> 
> Hello!
> 
> I have been trying to figure out how to best deal with DNS cookies in an
> environment where you are running multiple resolver implementations. From
> what I can tell, out of BIND, Knot Resolver, PowerDNS Recursor and
> Unbound only BIND is currently implementing cookie support. Knot seemed
> to have done so previously, but as of 3.0.0 the cookie support was
> removed (https://www.knot-resolver.cz/2018-08-20-knot-resolver-3.0.0.html)
> because of some ongoing work in the IETF DNSOP.
> 
> Reading RFC 7873 it states "If the client is expecting the response to
> contain a COOKIE option and it is missing, the response MUST be
> discarded.", which leads me to believe that having an anycast cluster of
> a set of BIND servers where cookies are enabled together with a set of
> servers where the cookies are not supported would be a bad thing,
> causing clients to discard answers.
> 
> Yet, when looking up how one would go about disabling the sending of
> cookies in responses to clients for BIND, the documentation for
> "answer-cookie" (https://ftp.isc.org/isc/bind9/cur/9.15/doc/arm/Bv9ARM.ch05.html)
> states the following:
> 
> "answer-cookie no is intended as a temporary measure, for use when named
> shares an IP address with other servers that do not yet support DNS
> COOKIE. A mismatch between servers on the same address is not expected
> to cause operational problems, but the option to disable COOKIE
> responses so that all servers have the same behavior is provided out of
> an abundance of caution. DNS COOKIE is an important security mechanism,
> and should not be disabled unless absolutely necessary."
> 
> If clients are instructed to discard replies where the cookie is
> missing, how can this not cause operational problems? Am I missing
> something?
> 
> On a related note, given that a set of BIND servers already have
> the default cookies enabled, what is the expected fallout of setting
> "answer-cookie no" if this turns out to be the favorable approach in
> this case?
> 
> Regards,
> Patrik Lundin
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
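As an added illustration (not code from either poster), the following Python models the RFC 7873 client rule Patrik quotes, applied to a single anycast address fronting one cookie-capable backend and one cookie-less backend. It assumes that a client "expects" a COOKIE option once it has cached a server cookie for that address; the addresses and cookie values are constructed.

```python
import struct

COOKIE_OPTION_CODE = 10  # EDNS COOKIE option code assigned by RFC 7873


def parse_opt_options(rdata: bytes) -> dict:
    """Walk the option TLVs in an OPT RR's RDATA and return {option-code: data}."""
    options, pos = {}, 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("truncated EDNS option")
        options[code] = rdata[pos:pos + length]
        pos += length
    return options


def build_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Encode a COOKIE option: 8-byte client cookie plus optional 8..32-byte server cookie."""
    data = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


class CookieClient:
    # Minimal model of RFC 7873 client-side handling; "expecting" is an assumption of mine.
    def __init__(self, client_cookie: bytes):
        self.client_cookie = client_cookie
        self.server_cookies = {}  # server address -> server cookie learned from it

    def check_response(self, server_addr: str, opt_rdata: bytes) -> bool:
        """Return True to keep the response, False to discard it."""
        cookie = parse_opt_options(opt_rdata).get(COOKIE_OPTION_CODE)
        if cookie is None:
            # No COOKIE option: fine on first contact, but once a server cookie is
            # cached for this address the client expects one and MUST discard.
            return server_addr not in self.server_cookies
        if not 16 <= len(cookie) <= 40 or cookie[:8] != self.client_cookie:
            return False  # wrong size, or not the client cookie we sent
        self.server_cookies[server_addr] = cookie[8:]
        return True


def mixed_anycast_scenario() -> list:
    """Constructed case: one anycast address, one backend with cookies, one without."""
    client = CookieClient(bytes.fromhex("0011223344556677"))
    anycast = "192.0.2.53"  # constructed documentation-range address
    with_cookie = build_cookie_option(client.client_cookie, bytes.fromhex("8899aabbccddeeff"))
    without_cookie = b""  # OPT RR present, no COOKIE option (cookie-less backend)
    return [
        client.check_response(anycast, without_cookie),  # nothing cached yet: kept
        client.check_response(anycast, with_cookie),     # server cookie learned: kept
        client.check_response(anycast, without_cookie),  # now expected but missing: discarded
    ]
```

The third answer is dropped even though it is a valid DNS response, which is the failure mode the quoted RFC text implies for a mixed cluster under this model.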