Domain Name System (DNS) Cookies
draft-ietf-dnsop-cookies-09

The information below is for an old version of the document
Document Type: Active Internet-Draft (dnsop WG)
Last updated: 2016-01-21 (latest revision 2016-01-12)
Replaces: draft-eastlake-dnsext-cookies
Stream: IETF
Intended RFC status: Proposed Standard
WG state: Submitted to IESG for Publication
Document shepherd: Tim Wicinski
Shepherd write-up: last changed 2015-11-03
IESG state: Approved-announcement to be sent::Point Raised - writeup needed
Consensus Boilerplate: Yes
Responsible AD: Joel Jaeggli
Send notices to: (None)
IANA review state: IANA OK - Actions Needed
IANA action state: None
INTERNET-DRAFT                                           Donald Eastlake
Intended Status: Proposed Standard                                Huawei
                                                            Mark Andrews
                                                                     ISC
Expires: July 11, 2016                                  January 12, 2016

                    Domain Name System (DNS) Cookies
                   <draft-ietf-dnsop-cookies-09.txt>

Abstract

   DNS Cookies are a lightweight DNS transaction security mechanism that
   provides limited protection to DNS servers and clients against a
   variety of increasingly common denial-of-service, amplification,
   forgery, and cache poisoning attacks by off-path attackers. DNS
   Cookies are tolerant of NAT, NAT-PT, and anycast and can be
   incrementally deployed. (Since DNS Cookies are only returned to the
   IP address from which they were originally received, they cannot be
   used to generally track Internet users.)

Status of This Document

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Distribution of this document is unlimited. Comments should be sent
   to the author or the DNSEXT mailing list <dnsext@ietf.org>.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html. The list of Internet-Draft
   Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Donald Eastlake & Mark Andrews                                  [Page 1]
INTERNET-DRAFT                                               DNS Cookies

Table of Contents

      1. Introduction............................................4
      1.1 Contents of This Document..............................4
      1.2 Definitions............................................5

      2. Threats Considered......................................6
      2.1 Denial-of-Service Attacks..............................6
      2.1.1 DNS Amplification Attacks............................6
      2.1.2 DNS Server Denial-of-Service.........................7
      2.2 Cache Poisoning and Answer Forgery Attacks.............7

      3. Comments on Existing DNS Security.......................8
      3.1 Existing DNS Data Security.............................8
      3.2 DNS Message/Transaction Security.......................8
      3.3 Conclusions on Existing DNS Security...................8

      4. DNS Cookie Option......................................10
      4.1 Client Cookie.........................................11
      4.2 Server Cookie.........................................11

      5. DNS Cookies Protocol Specification.....................12
      5.1 Originating Requests..................................12
      5.2 Responding to Request.................................12
      5.2.1 No Opt RR or No COOKIE OPT option...................13
      5.2.2 Malformed COOKIE OPT option.........................13
      5.2.3 Only a Client Cookie................................13
      5.2.4 A Client Cookie and an Invalid Server Cookie........14
      5.2.5 A Client Cookie and a Valid Server Cookie...........14
      5.3 Processing Responses..................................15
      5.4 QUERYing for a Server Cookie..........................15

      6. NAT Considerations and AnyCast Server Considerations...17

      7. Operational and Deployment Considerations..............19
      7.1 Client and Server Secret Rollover.....................19
      7.2 Counters..............................................20

      8. IANA Considerations....................................21

      9. Security Considerations................................22
      9.1 Cookie Algorithm Considerations.......................22

      10. Implementation Considerations.........................24

      Normative References......................................25
      Informative References....................................25

      Acknowledgements..........................................27


      Appendix A: Example Client Cookie Algorithms..............28
      A.1 A Simple Algorithm....................................28
      A.2 A More Complex Algorithm..............................28

      Appendix B: Example Server Cookie Algorithms..............29