Re: [DNSOP] Review of draft: draft-ietf-dnsop-cookies

Mon, 20 Jul 2015 22:20:13 -0700 

Hosnieh, below is a real life use of cookies showing how they are used.

Establish a cookie pair.  Dig chooses a random value for the client
cookie.  The server returns the client cookie along with the server
cookie.  The client cookie is checked and as it matched "good" is
displayed.

; <<>> DiG 9.11.0pre-alpha <<>> +qr +header-only +cookie
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55152
;; flags: rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9310320f2fa1e6e9
;; QUESTION SECTION:

;; QUERY SIZE: 35

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55152
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9310320f2fa1e6e9e0be33ca55adca652422864a7cc8b23b (good)
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 21 14:28:21 EST 2015
;; MSG SIZE  rcvd: 51

Ask for isc.org using the cookie pair established above.  You will not
the that client cookie is returned but there is a new server cookie.  The
client cookie is checked to confirm that it the expected value and "good"
is printed.

; <<>> DiG 9.11.0pre-alpha <<>> 
+cookie=9310320f2fa1e6e9e0be33ca55adca652422864a7cc8b23b isc.org +nobadcookie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39845
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9310320f2fa1e6e90eebb3b455adcabf6153631b35e9055f (good)
;; QUESTION SECTION:
;isc.org.                       IN      A

;; ANSWER SECTION:
isc.org.                59      IN      A       149.20.64.69

;; Query time: 109 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 21 14:29:51 EST 2015
;; MSG SIZE  rcvd: 80

Ask for ietf.org using the initial cookie pair established above.  Again
we get a new server cookie but the client cookie remains unchanged.

; <<>> DiG 9.11.0pre-alpha <<>> 
+cookie=9310320f2fa1e6e9e0be33ca55adca652422864a7cc8b23b ietf.org +nobadcookie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10176
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9310320f2fa1e6e9d3a8b98e55adcb18873b8a4389876d3e (good)
;; QUESTION SECTION:
;ietf.org.                      IN      A

;; ANSWER SECTION:
ietf.org.               1562    IN      A       4.31.198.44

;; Query time: 243 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 21 14:31:20 EST 2015
;; MSG SIZE  rcvd: 81

Ask for isc.org using the cookie from the ietf.org transaction.

; <<>> DiG 9.11.0pre-alpha <<>> 
+cookie=9310320f2fa1e6e9e0be33ca55adca652422864a7cc8b23b isc.org +nobadcookie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25652
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9310320f2fa1e6e9c721e37455adcb65ddaab534d313d697 (good)
;; QUESTION SECTION:
;isc.org.                       IN      A

;; ANSWER SECTION:
isc.org.                46      IN      A       149.20.64.69

;; Query time: 98 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 21 14:32:37 EST 2015
;; MSG SIZE  rcvd: 80

Now if I was to wait long enough before retrying the server would
return BADCOOKIE as the server cookie will have expired.  dig could
then just resend the query with the server cookie.

Now there server can rate limit the BADCOOKIE responses or accept
that it can be used as a reflector.  Note you are no longer a
amplifier.

Now while the client has a valid server cookie it is not subject
to rate limiting or response size limiting unless the server has
otherwise been configured to do so.

Now if I send a deliberately bad server cookie (7 changed to 8 at
end) I will get BADCOOKIE returned (currently #ifdef out until we
get a badcookie code point in the git repository).

; <<>> DiG 9.11.0pre-alpha <<>> 
+cookie=9310320f2fa1e6e9c721e37455adcb65ddaab534d313d698 +nobadcookie isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADCOOKIE, id: 59408
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9310320f2fa1e6e9694856ae55add44dfa9fce2ea17b916a (good)
;; QUESTION SECTION:
;isc.org.                       IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 21 15:10:37 EST 2015
;; MSG SIZE  rcvd: 64

And if I let dig retry on BADCOOKIE showing the queries.

; <<>> DiG 9.11.0pre-alpha <<>> 
+cookie=9310320f2fa1e6e9c721e37455adcb65ddaab534d313d698 isc.org +qr
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14321
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9310320f2fa1e6e9c721e37455adcb65ddaab534d313d698
;; QUESTION SECTION:
;isc.org.                       IN      A

;; QUERY SIZE: 64

;; BADCOOKIE, retrying.
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45311
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9310320f2fa1e6e9d2dbffae55add4d6e80616c008c6ab6a
;; QUESTION SECTION:
;isc.org.                       IN      A

;; QUERY SIZE: 64

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45311
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9310320f2fa1e6e975a21e9055add4d67e2fec58601d0df4 (good)
;; QUESTION SECTION:
;isc.org.                       IN      A

;; ANSWER SECTION:
isc.org.                59      IN      A       149.20.64.69

;; Query time: 108 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 21 15:12:54 EST 2015
;; MSG SIZE  rcvd: 80

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to