Hello dnsop,
it seems that current specification of DNS cookies in RFC 7873 is not
detailed enough to allow deployment of DNS cookies in multi-vendor
anycast setup, i.e. a setup where one IP address is backed by multiple
DNS servers.
The problem is lack of standardized algorithm to generate server cookie
from a shared secret. In practice, even if users manually configure the
same shared secret, Knot DNS and BIND will use diffrent algorithm to
generate server cookie and as consequence these two cannot reliably back
the same IP address and have DNS cookies enabled.
One of root server operators told me that they are not going to enable
DNS cookies until it can work with multi-vendor anycast, and I think
this is very reasonable position.
So, vendors, would you be willing to standardize on small number of
server cookie algorithms to enable multi-vendor deployments?
--
Petr Špaček @ CZ.NIC
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
