[dns-operations] rfc7873#5.4 - Server Cookie Queries - any implementations at all?

Mark Andrews marka at isc.org
Mon Mar 14 08:27:46 UTC 2022



> On 14 Mar 2022, at 18:49, Mark Delany <b9w at charlie.emu.st> wrote:
> 
> For reference: https://datatracker.ietf.org/doc/html/rfc7873#section-5.4
> 
> Over the last couple of months I've been purposely tracking "Querying for a Server Cookie"
> as described in the link above.
> 
> And I have seen zero such queries. Nada. Zilch. Nothinkski.
> 
> As best I can tell, "dig" is incapable of issuing such a query so one presumes that even
> ISC don't think it a very important use-case even tho their name is on the RFC.
> 
> Furthermore, my DNS decoder of choice (github.com/miekg/dns) discards inbound queries with
> QD!=1 (but it at least offers an escape hatch which I used for the aforementioned
> tracking).
> 
> In short, QD=0 is an odd query which is not well supported. Furthermore, I suspect that
> most middleware and some firewalls are going to drop them with prejudice, all of which
> means that a #5.4 query has a number of barriers to overcome.
> 
> But zero such queries after watching for months? That's surprising. I'm obviously
> suspicious of my tracking code, but I've checked as best I can.
> 
> Two questions: a) Are there known #5.4 implementations out there? b) Have others seen
> such queries in the wild?

Dig with the right arguments can make such queries.

[ant-3375:~/git/bind9] marka% dig +header-only +qr 

; <<>> DiG 9.17.22 <<>> +header-only +qr
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4563
;; flags: rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3287f6d53f729366
;; QUESTION SECTION:

;; QUERY SIZE: 35

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4563
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3287f6d53f72936601000000622efc5c2711df6261e3a30d (good)
;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon Mar 14 19:27:08 AEDT 2022
;; MSG SIZE  rcvd: 51

[ant-3375:~/git/bind9] marka% 


> I guess a final question: Are DNS Cookies considered BCP and thus I should be expecting
> #5.4 queries now or in the near future? I've read a few dissenting views is why I ask.
> 
> 
> Mark.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
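
Added example (not part of the original message, and not ISC or miekg/dns code): a Python parser for the check a server-side tracker could apply to recognise the QDCOUNT=0 cookie messages discussed in this thread. The function and constant names are hypothetical, and the sample messages are constructed from the id, flags and cookie values in the dig output above.

```python
import struct

OPT_RR, COOKIE_OPT = 41, 10  # EDNS OPT RR type and COOKIE option code

def build(ident, flags, cookie_hex, udp=1232):
    """Constructed helper: header with only ARCOUNT=1, then OPT with COOKIE."""
    cookie = bytes.fromhex(cookie_hex)
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR, udp, 0, 4 + len(cookie))
    option = struct.pack("!HH", COOKIE_OPT, len(cookie)) + cookie
    return struct.pack("!6H", ident, flags, 0, 0, 0, 1) + opt + option

def parse_cookie_only(msg):
    """Return cookie details for a QDCOUNT=0 QUERY-opcode message, else None."""
    if len(msg) < 12:
        return None
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if (flags >> 11) & 0xF != 0 or (qd, an, ns) != (0, 0, 0):
        return None
    off, cookie = 12, None
    for _ in range(ar):
        # Simplification: only root-owner RRs (OPT) are handled; others reject.
        if off + 11 > len(msg) or msg[off] != 0:
            return None
        rtype, _size, _ttl, rdlen = struct.unpack("!HHIH", msg[off + 1:off + 11])
        rdata = msg[off + 11:off + 11 + rdlen]
        off += 11 + rdlen
        if len(rdata) != rdlen:
            return None
        pos = 0
        while rtype == OPT_RR and pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            val = rdata[pos + 4:pos + 4 + olen]
            if len(val) != olen:
                return None  # option length runs past the RDATA
            if code == COOKIE_OPT:
                cookie = val
            pos += 4 + olen
    # RFC 7873: 8-byte client cookie, optionally followed by 8..32 server bytes.
    if cookie is None or not (len(cookie) == 8 or 16 <= len(cookie) <= 40):
        return None
    return {"response": bool(flags & 0x8000), "client": cookie[:8].hex(),
            "server": cookie[8:].hex()}

# Constructed from the values shown in the dig output above (id, flags, cookies).
QUERY = build(4563, 0x0120, "3287f6d53f729366")            # flags: rd ad
REPLY = build(4563, 0x8100, "3287f6d53f729366"
              "01000000622efc5c2711df6261e3a30d")           # flags: qr rd
ORDINARY = (struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0)       # QDCOUNT=1 query
            + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
```

The constructed messages come out at 35 and 51 bytes, matching the QUERY SIZE and MSG SIZE lines dig reports.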



