Domain Name System (DNS) Cookies
draft-ietf-dnsop-cookies-10

[Ballot comment]

- section 3: I think it'd have been good to mention the work
being done in dprive as another future protection that should be
compatible with DNS cookies.

- I agree with Alissa's comment (2)

- section 9: I think you should note that (particularly
cleartext) client cookies allow correlation of client requests
for the duration of the client cookie lifetime, which may affect
other things the client does to try to avoid correlation and
that the set of lifetimes of all of those kinds of thing are
really interdependent.  So e.g. if a client changes it's source
IP for privacy reasons, that may be defeated if the same client
cookie is still being used for DNS requests.

- Thanks for handling the secdir review. That seems to have
ended up [1] with client cookie values that are quite similar
when only one bit of the server IP varies. Yet, [FNV] says that
it has "high dispersion." I don't know FNV well enough to know
if what Yoav called the "disturbingly similar" values in [1]
might allow for guessing cookie values if one has ever seen a
cookie value or not, but I'd be interested in chatting about
that. (In a non-blocking sense:-) In general, I'd prefer if you
recommended HMAC-SHA256 rather than FNV myself - why isn't that
really a better thing to put in the appendices? (Yeah,
performance, I know, but is the delta between FNV and
HMAC-SHA256 really so significant these days, compared to the
time it takes to lookup the DNS data itself?)

  [1] https://www.ietf.org/mail-archive/web/secdir/current/msg06268.html

- Can't an access point/router that was once on path but is no
longer abuse the client cookie (that it once saw go by) when
that client is still using the same value later to talk to the
same server via another n/w path?  Is that worth a mention in
the security considerations? What'd be the effect? I wondered
why you didn't include e.g. the client IP in the input in
Appendix A.1 to avoid this issue?

[Ballot comment]
(1)
"To avoid
  rollover synchronization and predictability, it is RECOMMENDED that
  pseudorandom jitter in the range of plus zero to minus at least 40%
  be applied to the time until a scheduled rollover of a DNS cookie
  secret."

Why is it recommended to only vary the interval in only the shorter direction (I'm assuming that is what is meant by "plus zero")? Then the interval will only ever get shorter, it seems.

(2)
It seems like there should be a recommendation about when to delete an old client cookie (e.g., after receiving a response to an outstanding request, or after some period of time with no response).

(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-dnsop-cookies-07.txt. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there are two actions which IANA must complete.

First, in the DNS EDNS0 Option Codes (OPT) subregistry of the Domain Name System (DNS) Parameters registry located at:

http://www.iana.org/assignments/dns-parameters/

the value 10 has already been registered for use in this draft. Upon approval of this document the reference for:

Value: 10
Name: COOKIE
Status: Standard
Reference: [ this-draft ]

will be changed from [draft-ietf-dnsop-cookies] to [ RFC-to-be ].

Second, in the DNS RCODEs subregistry of the Domain Name System (DNS) Parameters registry located at:

http://www.iana.org/assignments/dns-parameters/

the value 23 has been subject to a temporary registration. This temporary registration is changed to a permanent registration and the reference is changed to [ RFC-to-be ].

IANA understands that these two actions are the only ones that are required to be completed upon publication of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. 

Thank you,

Sabrina Tanamal
IANA Specialist
ICANN

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: draft-ietf-dnsop-cookies@ietf.org, tjw.ietf@gmail.com, joelja@gmail.com, dnsop-chairs@ietf.org, dnsop@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Domain Name System (DNS) Cookies) to Proposed Standard


The IESG has received a request from the Domain Name System Operations WG
(dnsop) to consider the following document:
- 'Domain Name System (DNS) Cookies'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-12-14. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  DNS cookies are a lightweight DNS transaction security mechanism that
  provides limited protection to DNS servers and clients against a
  variety of increasingly common denial-of-service and amplification /
  forgery or cache poisoning attacks by off-path attackers. DNS Cookies
  are tolerant of NAT, NAT-PT, and anycast and can be incrementally
  deployed.





The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-cookies/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-cookies/ballot/


No IPR declarations have been submitted directly on this I-D.

1. Summary

Document Shepherd:  Tim Wicinski
Area Director:      Joel Jaggeli

Document Type: Proposed Standard

  DNS cookies are a lightweight DNS transaction security mechanism that
  provides limited protection to DNS servers and clients against a
  variety of increasingly common denial-of-service and amplification /
  forgery or cache poisoning attacks by off-path attackers. DNS Cookies
  are tolerant of NAT, NAT-PT, and anycast and can be incrementally
  deployed.

2. Review and Consensus

This draft was originally raised several years ago but it languished due to working group hubris.  When it was revised, the working group had broad consensus this was a relevant document.  The draft had many reviewers, and also picked up another author as the design was polished.

Initially, the draft defined the EDNS Option to have an Error Code that was returned. After much discussion, and a prototype deployment of the option, it was decided that the Error Code was not needed, and was removed. Since then a second implementation has appeared

The working group was in strong consensus behind this draft.

3. Intellectual Property

There is no IPR related to this document, and the authors have no direct, personal knowledge of any IPR.

4. Other Points

- Downward References

There are no downward references in this document; and the shepherd agrees with the references and their classification.

- IANA Considerations:

IANA has assigned EDNS Option Code 10 for this option, and assigned DNS Error Code 23 as an early allocation.

Explain anything else that the IESG might need to know when reviewing this document. If there is significant discontent with the document or the process, which might result in appeals to the IESG or especially bad feelings in the working group, explain this in a separate email message to the responsible Area Director.

Checklist

X- Does the shepherd stand behind the document and think the document is ready for publication?

X- Is the correct RFC type indicated in the title page header?

X- Is the abstract both brief and sufficient, and does it stand alone as a brief summary?

X- Is the intent of the document accurately and adequately explained in the introduction?

X- Have all required formal reviews (MIB Doctor, Media Type, URI, etc.) been requested and/or completed?

X- Has the shepherd performed automated checks -- idnits (see ​http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist), checks of BNF rules, XML code and schemas, MIB definitions, and so on -- and determined that the document passes the tests?

X- Has each author stated that their direct, personal knowledge of any IPR related to this document has already been disclosed, in conformance with BCPs 78 and 79?

X- Have all references within this document been identified as either normative or informative, and does the shepherd agree with how they have been classified?

X- Are all normative references made to documents that are ready for advancement and are otherwise in a clear state?

X- If publication of this document changes the status of any existing RFCs, are those RFCs listed on the title page header, and are the changes listed in the abstract and discussed (explained, not just mentioned) in the introduction?

X- If this is a "bis" document, have all of the errata been considered?

X- IANA Considerations: