Interoperable Domain Name System (DNS) Server Cookies
draft-ietf-dnsop-server-cookies-05
| Field | Value |
|---|---|
| Type | Active Internet-Draft (dnsop WG) |
| Authors | Ondřej Surý, Willem Toorop, Donald Eastlake, Mark Andrews |
| Last updated | 2021-02-04 (latest revision 2021-01-13) |
| Replaces | draft-eastlake-dnsop-server-cookies, draft-sury-toorop-dnsop-server-cookies |
| Stream | IETF |
| Intended RFC status | Proposed Standard |
| WG state | Submitted to IESG for Publication |
| Document shepherd | Tim Wicinski |
| Shepherd write-up | last changed 2020-11-19 |
| IESG state | RFC Ed Queue |
| Action Holders | (None) |
| Consensus Boilerplate | Yes |
| Responsible AD | Warren Kumari |
| Send notices to | tjw.ietf@gmail.com |
| IANA review state | Version Changed - Review Needed |
| IANA action state | RFC-Ed-Ack |
| RFC Editor state | RFC-EDITOR |
DNSOP Working Group                                         O. Sury
Internet-Draft                         Internet Systems Consortium
Updates: 7873 (if approved)                              W. Toorop
Intended status: Standards Track                        NLnet Labs
Expires: 17 July 2021                               D. Eastlake 3rd
                                           Futurewei Technologies
                                                        M. Andrews
                                       Internet Systems Consortium
                                                   13 January 2021

Interoperable Domain Name System (DNS) Server Cookies
draft-ietf-dnsop-server-cookies-05

Abstract

DNS Cookies, as specified in [RFC7873], are a lightweight DNS transaction security mechanism that provides limited protection to DNS servers and clients against a variety of amplification denial of service, forgery, or cache poisoning attacks by off-path attackers.

This document updates [RFC7873] with precise directions for creating Server Cookies so that an anycast server set including diverse implementations will interoperate with standard clients, suggestions for constructing Client Cookies in a privacy preserving fashion, and suggestions on how to update a Server Secret. An IANA registry listing the methods and associated pseudo random function suitable for creating DNS Server Cookies is created, with the method described in this document as the first and as yet only entry.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 17 July 2021.

Sury, et al.              Expires 17 July 2021                 [Page 1]

Internet-Draft                server-cookies               January 2021

Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction ........................................... 3
     1.1.  Terminology and Definitions .......................... 3
   2.  Changes to [RFC7873] ................................... 4
   3.  Constructing a Client Cookie ........................... 4
   4.  Constructing a Server Cookie ........................... 5
     4.1.  The Version Sub-Field ................................ 6
     4.2.  The Reserved Sub-Field ............................... 6
     4.3.  The Timestamp Sub-Field .............................. 6
     4.4.  The Hash Sub-Field ................................... 7
   5.  Updating the Server Secret ............................. 8
   6.  Cookie Algorithms ...................................... 9
   7.  IANA Considerations .................................... 9
   8.  Security and Privacy Considerations .................... 10
     8.1.  Client Cookie construction ........................... 10
     8.2.  Server Cookie construction ........................... 11
   9.  Acknowledgements ....................................... 12
   10. Normative References ................................... 12
   11. Informative References ................................. 13
   Appendix A.  Test vectors .................................. 13
     A.1.  Learning a new Server Cookie ......................... 13
     A.2.  The same client learning a renewed (fresh) Server Cookie  14
     A.3.  Another client learning a renewed Server Cookie ...... 15
     A.4.  IPv6 query with rolled over secret ................... 16
   Appendix B.  Implementation status ......................... 17