On Wed, 20 Jun 2018, Petr Špaček wrote:
> it seems that the current specification of DNS cookies in RFC 7873 is not
> detailed enough to allow deployment of DNS cookies in a multi-vendor anycast
> setup, i.e. a setup where one IP address is backed by multiple DNS servers.
> The problem is the lack of a standardized algorithm to generate a server cookie
> from a shared secret. In practice, even if users manually configure the same
> shared secret, Knot DNS and BIND will use different algorithms to generate the
> server cookie, and as a consequence these two cannot reliably back the same IP
> address and have DNS cookies enabled.
> One of the root server operators told me that they are not going to enable DNS
> cookies until it can work with multi-vendor anycast, and I think this is a very
> reasonable position.
> So, vendors, would you be willing to standardize on a small number of server
> cookie algorithms to enable multi-vendor deployments?
I think this is a good idea, but there are already two examples in RFC
7873 for cookie generation. Is there a problem with those examples, or
is there only a lack of options in the implementations to configure
these? If the latter, then no new IETF work would be needed.
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
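What the mismatch Petr describes looks like in practice, as an added Python sketch that is not part of the thread or of any vendor's code: two anycast nodes share one Server Secret, but node A derives the Server Cookie with the FNV-64 construction of RFC 7873 Appendix B.1 and node B with the nonce plus HMAC-SHA256-64 construction of Appendix B.2 (rendered here with the secret as the HMAC key, which is an assumption; the client address, secret, Client Cookie and nonce are constructed sample values).

```python
import hashlib
import hmac
import ipaddress

MASK64 = 0xFFFFFFFFFFFFFFFF

def fnv1a_64(data: bytes) -> bytes:
    """64-bit FNV-1a, the FNV variant RFC 7873 B.1 builds on (offset basis and prime from the FNV spec)."""
    h = 0xCBF29CE484222325
    for b in data:
        h = ((h ^ b) * 0x100000001B3) & MASK64
    return h.to_bytes(8, "big")

def server_cookie_b1(client_ip: str, client_cookie: bytes, secret: bytes) -> bytes:
    """Vendor A, RFC 7873 B.1: Server Cookie = FNV-64(Client IP | Client Cookie | Server Secret)."""
    return fnv1a_64(ipaddress.ip_address(client_ip).packed + client_cookie + secret)

def server_cookie_b2(client_ip: str, client_cookie: bytes, secret: bytes, nonce: bytes) -> bytes:
    """Vendor B, RFC 7873 B.2 as rendered here: Nonce | HMAC-SHA256-64(Client IP | Client Cookie | Nonce),
    keyed with the Server Secret (assumption: the RFC only sketches the construction)."""
    msg = ipaddress.ip_address(client_ip).packed + client_cookie + nonce
    return nonce + hmac.new(secret, msg, hashlib.sha256).digest()[:8]

def verify_b1(client_ip: str, client_cookie: bytes, server_cookie: bytes, secret: bytes) -> bool:
    """A node running B.1 accepts a Server Cookie only if it recomputes to the same 8 bytes."""
    return hmac.compare_digest(server_cookie, server_cookie_b1(client_ip, client_cookie, secret))

def verify_b2(client_ip: str, client_cookie: bytes, server_cookie: bytes, secret: bytes) -> bool:
    """A node running B.2 re-derives the cookie from the embedded 4-byte nonce and compares."""
    nonce = server_cookie[:4]
    return hmac.compare_digest(server_cookie, server_cookie_b2(client_ip, client_cookie, secret, nonce))

def anycast_failover_demo() -> dict:
    """Client learns a Server Cookie from node A, then its next query lands on node B (same secret)."""
    secret = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed shared Server Secret
    client_ip = "192.0.2.53"                                    # constructed client address
    client_cookie = bytes.fromhex("2464c4abcf10c957")           # constructed 8-byte Client Cookie
    cookie_from_a = server_cookie_b1(client_ip, client_cookie, secret)
    cookie_from_b = server_cookie_b2(client_ip, client_cookie, secret, bytes.fromhex("5b2a1c00"))
    return {
        "a_accepts_own": verify_b1(client_ip, client_cookie, cookie_from_a, secret),
        "b_accepts_own": verify_b2(client_ip, client_cookie, cookie_from_b, secret),
        # Cross-vendor checks: same secret, different algorithm, so the receiving node
        # treats the query as carrying no valid Server Cookie.
        "b_accepts_a": verify_b2(client_ip, client_cookie, cookie_from_a, secret),
        "a_accepts_b": verify_b1(client_ip, client_cookie, cookie_from_b, secret),
    }

if __name__ == "__main__":
    print(anycast_failover_demo())
```

A cookie minted by either node fails verification at the other, which is why a shared secret alone cannot make the anycast set interoperable. This gap was later closed by RFC 9018, which fixes a single SipHash-2-4 based Server Cookie construction for interoperable deployments.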