Domain Name System (DNS) Cookies
RFC 7873

Document Type RFC - Proposed Standard (May 2016; No errata)
Last updated 2016-05-27
Replaces draft-eastlake-dnsext-cookies
Stream IETF
Formats plain text pdf html bibtex
Stream WG state Submitted to IESG for Publication
Document shepherd Tim Wicinski
Shepherd write-up Show (last changed 2015-11-03)
IESG IESG state RFC 7873 (Proposed Standard)
Consensus Boilerplate Yes
Telechat date
Responsible AD Joel Jaeggli
Send notices to (None)
IANA IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack
Internet Engineering Task Force (IETF)                   D. Eastlake 3rd
Request for Comments: 7873                                        Huawei
Category: Standards Track                                     M. Andrews
ISSN: 2070-1721                                                      ISC
                                                                May 2016

                    Domain Name System (DNS) Cookies

Abstract

   DNS Cookies are a lightweight DNS transaction security mechanism that
   provides limited protection to DNS servers and clients against a
   variety of increasingly common denial-of-service and amplification/
   forgery or cache poisoning attacks by off-path attackers.  DNS
   Cookies are tolerant of NAT, NAT-PT (Network Address Translation -
   Protocol Translation), and anycast and can be incrementally deployed.
   (Since DNS Cookies are only returned to the IP address from which
   they were originally received, they cannot be used to generally track
   Internet users.)

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7873.

Eastlake & Andrews           Standards Track                    [Page 1]
RFC 7873                       DNS Cookies                      May 2016

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Eastlake & Andrews           Standards Track                    [Page 2]
RFC 7873                       DNS Cookies                      May 2016

Table of Contents

   1. Introduction ....................................................4
      1.1. Contents of This Document ..................................4
      1.2. Definitions ................................................5
   2. Threats Considered ..............................................5
      2.1. Denial-of-Service Attacks ..................................6
           2.1.1. DNS Amplification Attacks ...........................6
           2.1.2. DNS Server Denial of Service ........................6
      2.2. Cache Poisoning and Answer Forgery Attacks .................7
   3. Comments on Existing DNS Security ...............................7
      3.1. Existing DNS Data Security .................................7
      3.2. DNS Message/Transaction Security ...........................8
      3.3. Conclusions on Existing DNS Security .......................8
   4. DNS COOKIE Option ...............................................8
      4.1. Client Cookie .............................................10
      4.2. Server Cookie .............................................10
   5. DNS Cookies Protocol Specification .............................11
      5.1. Originating a Request .....................................11
      5.2. Responding to a Request ...................................11
           5.2.1. No OPT RR or No COOKIE Option ......................12
           5.2.2. Malformed COOKIE Option ............................12
           5.2.3. Only a Client Cookie ...............................12
           5.2.4. A Client Cookie and an Invalid Server Cookie .......13
           5.2.5. A Client Cookie and a Valid Server Cookie ..........13
      5.3. Processing Responses ......................................14
      5.4. Querying for a Server Cookie ..............................14
   6. NAT Considerations and Anycast Server Considerations ...........15
   7. Operational and Deployment Considerations ......................17
      7.1. Client and Server Secret Rollover .........................17
      7.2. Counters ..................................................18
   8. IANA Considerations ............................................18
Show full document text