[dns-operations] Check DNS-anycast-instances for same DNS Cookie

Mark Andrews marka at isc.org
Fri Jan 24 21:56:21 UTC 2020



> On 24 Jan 2020, at 21:36, Arsen STASIC <arsen.stasic at univie.ac.at> wrote:
> 
> Hi,
> 
> This software might be of interest for DNS anycast providers (or customers) which are running BIND.
> With BIND 9.11 and newer DNS Cookies are enabled **automatically**.

You seem surprised?  DNS COOKIE is a security feature and to be effective it needs to be enabled on both ends.  DNS COOKIE was introduced in a .0 release.  This is where feature changes are expected to occur.

> I was searching for software to check DNS Cookies and I didn't find anything.

So “dig +cookie=<value>” was not enough?

> Therefore I wrote this small Perl script to check DNS anycast instances (over their mgmt-ip) for synchronized DNS Cookies:
> https://github.com/stasic/dns-cookies

Which assumes that all the queries are made in the same second as server cookies vary over time.  If you really want to test this you need to send the returned cookie option from the first response to all the other servers and check the rcode they return is not BADCOOKIE.  Exercise the cookie checking code in the server.

> If DNS Cookies are not the same between different DNS anycast instances it may cause warnings and intermittent query retries. Therefore I suggest either synchronizing them or disabling them.

This is very alarmist.  DNS COOKIE secret key mismatches (includes algorithm mismatches) were expected to occur and DNS COOKIE clients are designed to handle them.  Unsynchronised secrets/algorithms are safer for the client than disabled cookies.  Additionally this really only becomes visible with local anycast clusters which don’t have source IP address affinity.  With globally distributed anycast you tend to hit the same node.

Mark

> ISC addressed this issue in their knowledge base:
> https://kb.isc.org/docs/dns-cookies-on-servers-in-anycast-clusters
> 
> happy cookie gathering
> Arsen

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
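The replay test Mark describes above, as an added example that is not part of this thread or of the stasic/dns-cookies repository: a POSIX shell script that takes the cookie from the first instance's `dig +cookie` response and presents that same cookie to every other instance, reporting a BADCOOKIE rcode as an unsynchronised secret. It assumes `dig` is on PATH, that the management IPs are reachable, and that every query leaves from the same source address, since a server cookie is bound to the client address that requested it.

```shell
#!/bin/sh
# Hypothetical helper (not the thread's or the repository's code).
# Step 1: obtain a fresh server cookie from the first instance with "dig +cookie".
# Step 2: replay that exact cookie to every other instance; a server using a
#         different secret/algorithm answers BADCOOKIE, a synchronised one NOERROR.

# Print the full cookie (client + server part) from dig's OPT pseudosection.
cookie_from_dig() {
    # dig output on stdin; prints the hex cookie, or nothing if none was returned
    sed -n 's/^; COOKIE: \([0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Print the rcode from dig's header line (e.g. NOERROR, BADCOOKIE, SERVFAIL).
status_from_dig() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Classify one replay: SYNCED, NOT_SYNCED (BADCOOKIE), NO_COOKIE, or OTHER:<rcode>.
classify() {
    # $1 = rcode, $2 = cookie echoed back by this instance ("" if absent)
    case "$1" in
        BADCOOKIE) echo NOT_SYNCED ;;
        NOERROR) [ -n "$2" ] && echo SYNCED || echo NO_COOKIE ;;
        *) echo "OTHER:$1" ;;
    esac
}

# Usage: check_cookie_sync QNAME MGMT_IP1 MGMT_IP2 ...   (needs dig on PATH)
# Returns 0 only if every further instance accepted the first instance's cookie.
check_cookie_sync() {
    qname=$1; shift
    first=$1; shift
    out=$(dig +cookie +norecurse "$qname" SOA @"$first")
    cookie=$(printf '%s\n' "$out" | cookie_from_dig)
    [ -n "$cookie" ] || { echo "$first: no COOKIE option in response"; return 1; }
    echo "$first: server cookie obtained ($cookie)"
    rc=0
    for ip in "$@"; do
        out=$(dig +cookie="$cookie" +norecurse "$qname" SOA @"$ip")
        result=$(classify "$(printf '%s\n' "$out" | status_from_dig)" \
                          "$(printf '%s\n' "$out" | cookie_from_dig)")
        echo "$ip: $result"
        [ "$result" = SYNCED ] || rc=1
    done
    return $rc
}
```

Because the cookie is replayed rather than compared, the instances do not have to be queried within the same second; a NOERROR answer with a renewed cookie still counts as synchronised.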