Domain Name System (DNS) Cookies
draft-ietf-dnsop-cookies-01

The information below is for an old version of the document
Document type: Active Internet-Draft (dnsop WG)
Last updated: 2015-02-22
Replaces: draft-eastlake-dnsext-cookies
Stream: IETF
Intended RFC status: Internet Standard
WG state: WG Document
Document shepherd: No shepherd assigned
IESG state: I-D Exists
Consensus boilerplate: Unknown
Responsible AD: (None)
Send notices to: (None)
INTERNET-DRAFT                                           Donald Eastlake
Intended Status: Proposed Standard                                Huawei
                                                            Mark Andrews
                                                                     ISC
Expires: August 21, 2015                               February 22, 2015

                    Domain Name System (DNS) Cookies
                   <draft-ietf-dnsop-cookies-01.txt>

Abstract

   DNS cookies are a lightweight DNS transaction security mechanism that
   provides limited protection to DNS servers and clients against a
   variety of increasingly common denial-of-service, amplification,
   forgery, and cache poisoning attacks by off-path attackers. DNS
   cookies are tolerant of NAT, NAT-PT, and anycast and can be
   incrementally deployed.

Status of This Document

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Distribution of this document is unlimited. Comments should be sent
   to the author or the DNSEXT mailing list <dnsext@ietf.org>.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft
   Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Donald Eastlake & Mark Andrews                                  [Page 1]
INTERNET-DRAFT                                               DNS Cookies

Table of Contents

      1. Introduction............................................4
      1.1 Contents of This Document..............................4
      1.2 Definitions............................................5

      2. Threats Considered......................................6
      2.1 Denial-of-Service Attacks..............................6
      2.1.1 DNS Amplification Attacks............................6
      2.1.2 DNS Server Denial-of-Service.........................6
      2.2 Cache Poisoning and Answer Forgery Attacks.............7

      3. Comments on Existing DNS Security.......................8
      3.1 Existing DNS Data Security.............................8
      3.2 DNS Message/Transaction Security.......................8
      3.3 Conclusions on Existing DNS Security...................8

      4. The COOKIE OPT Option...................................9
      4.1 Client Cookie.........................................10
      4.2 Server Cookie.........................................10
      4.3 Error Code............................................11

      5. DNS Cookies Protocol Description.......................12
      5.1 Originating Requests..................................12
      5.2 Responding to Requests................................12
      5.2.1 No OPT RR...........................................13
      5.2.2 No Valid Client Cookie..............................13
      5.2.3 Bad or Absent Server Cookie.........................14
      5.2.4 A Correct Server Cookie.............................14
      5.3 Processing Responses..................................15
      5.4 Client and Server Secret Rollover.....................15
      5.5 Implementation Requirement............................16

      6. Simple DNS Cookie Option...............................17
      6.1 Simple Client Cookie..................................18
      6.2 Simple Server Cookie..................................18

      7. Simple DNS Cookies Protocol Description................20
      7.1 Originating Requests (Simple).........................20
      7.2 Responding to Request (Simple)........................20
      7.2.1 No Opt RR or No COOKIE OPT option...................20
      7.2.2 Malformed COOKIE OPT option.........................21
      7.2.3 Only a CLIENT Cookie................................21
      7.2.4 A Client Cookie and Server Cookie...................21
      7.2.4.1 A Client Cookie and Invalid Server Cookie.........21
      7.2.4.2 A Client Cookie and Valid Server Cookie...........21

      8. NAT Considerations and AnyCast Server Considerations...23
      9. Deployment.............................................25

      10. IANA Considerations...................................26

      11. Security Considerations...............................27