Dear All,

A new draft has been submitted addressing the issue of DNS Cookies in multi-vendor anycast deployments.

DNS Cookies are currently impractical in such deployments, because one implementation - even though it shares its secret with another implementation - cannot validate the Server Cookies constructed by that other implementation, because their methods for constructing Server Cookies differ.

This draft provides precise directions for creating Server Cookies to align the implementations. This draft introduces a registry for methods suitable for Cookie construction. This draft deprecates all previous methods of creating Server Cookies and introduces an interoperable method (version 1) employing the SipHash-2.4 pseudorandom function.

This is an update on the draft-sury-toorop-dns-cookies-algorithms-00 draft based on the experience we gained during the hackathon at IETF105. Mark Andrews and Donald Eastlake are added as co-authors.

Willem

-------- Forwarded Message --------
Subject: New Version Notification for draft-sury-toorop-dnsop-server-cookies-00.txt
Date: Wed, 26 Jun 2019 04:12:58 -0700
From: internet-dra...@ietf.org
To: Mark Andrews <ma...@isc.org>, Willem Toorop <wil...@nlnetlabs.nl>, Donald E. Eastlake 3rd <d3e...@gmail.com>, Ondrej Sury <ond...@isc.org>, Donald Eastlake <d3e...@gmail.com>

A new version of I-D, draft-sury-toorop-dnsop-server-cookies-00.txt
has been successfully submitted by Willem Toorop and posted to the
IETF repository.

Name:           draft-sury-toorop-dnsop-server-cookies
Revision:       00
Title:          Interoperable Domain Name System (DNS) Server Cookies
Document date:  2019-06-26
Group:          Individual Submission
Pages:          14
URL:            https://www.ietf.org/internet-drafts/draft-sury-toorop-dnsop-server-cookies-00.txt
Status:         https://datatracker.ietf.org/doc/draft-sury-toorop-dnsop-server-cookies/
Htmlized:       https://tools.ietf.org/html/draft-sury-toorop-dnsop-server-cookies-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-sury-toorop-dnsop-server-cookies

Abstract:
   DNS cookies, as specified in RFC 7873, are a lightweight DNS transaction security mechanism that provides limited protection to DNS servers and clients against a variety of denial-of-service and amplification, forgery, or cache poisoning attacks by off-path attackers. This document provides precise directions for creating Server Cookies so that an anycast server set including diverse implementations will interoperate with standard clients. This document updates [RFC7873].

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
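As an added example (not code from this message or from the draft), the version 1 method described above in Python: a SipHash-2.4 implementation checked against the SipHash paper's test vectors, plus Server Cookie generation and validation that any implementation sharing the 16-byte secret can reproduce, which is exactly the interoperability the anycast case needs. The cookie layout (Version | Reserved | Timestamp | Hash, with Hash = SipHash-2.4 over Client Cookie | Version | Reserved | Timestamp | Client-IP) and the one-hour-past / five-minute-future acceptance window follow the draft as later published in RFC 9018 and are assumptions here, since this post does not spell them out; the secret, client cookie and client IP used in the checks are constructed values.

```python
import hmac, struct

MASK64 = (1 << 64) - 1

def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64

def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13) ^ v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16) ^ v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21) ^ v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17) ^ v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3

def siphash24(key: bytes, msg: bytes) -> bytes:
    """SipHash-2.4 PRF: 16-byte key, 8-byte tag in the reference (little-endian) byte order."""
    k0, k1 = struct.unpack("<QQ", key)
    v = (k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573)
    n = len(msg)
    blocks = [struct.unpack_from("<Q", msg, i)[0] for i in range(0, n - n % 8, 8)]
    # Final block: remaining bytes, zero padded, with (len mod 256) in the top byte.
    blocks.append(((n & 0xFF) << 56) | int.from_bytes(msg[n - n % 8:], "little"))
    for m in blocks:
        v = (v[0], v[1], v[2], v[3] ^ m)
        for _ in range(2):                    # c = 2 compression rounds
            v = _sipround(*v)
        v = (v[0] ^ m, v[1], v[2], v[3])
    v = (v[0], v[1], v[2] ^ 0xFF, v[3])
    for _ in range(4):                        # d = 4 finalization rounds
        v = _sipround(*v)
    return struct.pack("<Q", v[0] ^ v[1] ^ v[2] ^ v[3])

def server_cookie(secret, client_cookie, client_ip, ts):
    """Version 1 Server Cookie = Version(1) | Reserved(3) | Timestamp(4) | Hash(8); layout assumed
    from RFC 9018. Hash = SipHash-2.4(Client Cookie | Version | Reserved | Timestamp | Client-IP, Secret)."""
    prefix = struct.pack(">B3xI", 1, ts)      # version 1, three zero reserved bytes, UNIX seconds
    return prefix + siphash24(secret, client_cookie + prefix + client_ip)

def verify_server_cookie(secret, client_cookie, client_ip, cookie, now, past=3600, future=300):
    """Recompute and compare in constant time; reject stale or far-future timestamps (window assumed)."""
    if len(cookie) != 16 or cookie[0] != 1:   # only version 1 is recognised
        return False
    ts = struct.unpack(">I", cookie[4:8])[0]
    if not (now - past <= ts <= now + future):
        return False
    return hmac.compare_digest(cookie, server_cookie(secret, client_cookie, client_ip, ts))
```

Two servers in the anycast set that share the secret produce byte-identical cookies for the same client, timestamp and source address, so either can validate what the other issued.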