Internet Engineering Task Force (IETF)                   D. Eastlake 3rd
Request for Comments: 7873                                        Huawei
Category: Standards Track                                     M. Andrews
ISSN: 2070-1721                                                      ISC
                                                                May 2016


                    Domain Name System (DNS) Cookies

Abstract

   DNS Cookies are a lightweight DNS transaction security mechanism that
   provides limited protection to DNS servers and clients against a
   variety of increasingly common denial-of-service and amplification/
   forgery or cache poisoning attacks by off-path attackers.  DNS
   Cookies are tolerant of NAT, NAT-PT (Network Address Translation -
   Protocol Translation), and anycast and can be incrementally deployed.
   (Since DNS Cookies are only returned to the IP address from which
   they were originally received, they cannot be used to generally track
   Internet users.)

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7873.

Eastlake & Andrews           Standards Track                    [Page 1]

RFC 7873                       DNS Cookies                      May 2016


Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................4
      1.1. Contents of This Document ..................................4
      1.2. Definitions ................................................5
   2. Threats Considered ..............................................5
      2.1. Denial-of-Service Attacks ..................................6
           2.1.1. DNS Amplification Attacks ...........................6
           2.1.2. DNS Server Denial of Service ........................6
      2.2. Cache Poisoning and Answer Forgery Attacks .................7
   3. Comments on Existing DNS Security ...............................7
      3.1. Existing DNS Data Security .................................7
      3.2. DNS Message/Transaction Security ...........................8
      3.3. Conclusions on Existing DNS Security .......................8
   4. DNS COOKIE Option ...............................................8
      4.1. Client Cookie .............................................10
      4.2. Server Cookie .............................................10
   5. DNS Cookies Protocol Specification .............................11
      5.1. Originating a Request .....................................11
      5.2. Responding to a Request ...................................11
           5.2.1. No OPT RR or No COOKIE Option ......................12
           5.2.2. Malformed COOKIE Option ............................12
           5.2.3. Only a Client Cookie ...............................12
           5.2.4. A Client Cookie and an Invalid Server Cookie .......13
           5.2.5. A Client Cookie and a Valid Server Cookie ..........13
      5.3. Processing Responses ......................................14
      5.4. Querying for a Server Cookie ..............................14
   6. NAT Considerations and Anycast Server Considerations ...........15
   7. Operational and Deployment Considerations ......................17
      7.1. Client and Server Secret Rollover .........................17
      7.2. Counters ..................................................18
   8. IANA Considerations ............................................18
   9. Security Considerations ........................................19
      9.1. Cookie Algorithm Considerations ...........................20
   10. Implementation Considerations .................................20
   11. References ....................................................20
      11.1. Normative References .....................................20
      11.2. Informative References ...................................21
   Appendix A. Example Client Cookie Algorithms ......................23
      A.1. A Simple Algorithm ........................................23
      A.2. A More Complex Algorithm ..................................23
   Appendix B. Example Server Cookie Algorithms ......................23
      B.1. A Simple Algorithm ........................................23
      B.2. A More Complex Algorithm ..................................24
   Acknowledgments ...................................................25
   Authors' Addresses ................................................25

1.  Introduction

   As with many core Internet protocols, the Domain Name System (DNS)
   was originally designed at a time when the Internet had only a small
   pool of trusted users.  As the Internet has grown exponentially to a
   global information utility, the DNS has increasingly been subject to
   abuse.

   This document describes DNS Cookies, a lightweight DNS transaction
   security mechanism specified as an OPT [RFC6891] option.  The
   DNS Cookie mechanism provides limited protection to DNS servers and
   clients against a variety of increasingly common abuses by off-path
   attackers.  It is compatible with, and can be used in conjunction
   with, other DNS transaction forgery resistance measures such as those
   in [RFC5452].  (Since DNS Cookies are only returned to the IP address
   from which they were originally received, they cannot be used to
   generally track Internet users.)

   The protection provided by DNS Cookies is similar to that provided by
   using TCP for DNS transactions.  Bypassing the weak protection
   provided by using TCP requires, among other things, that an off-path
   attacker guess the 32-bit TCP sequence number in use.  Bypassing the
   weak protection provided by DNS Cookies requires such an attacker to
   guess a 64-bit pseudorandom "cookie" quantity.  Where DNS Cookies are
   not available but TCP is, falling back to using TCP is reasonable.

   If only one party to a DNS transaction supports DNS Cookies, the
   mechanism does not provide a benefit or significantly interfere, but
   if both support it, the additional security provided is automatically
   available.

   The DNS Cookie mechanism is designed to work in the presence of NAT
   and NAT-PT (Network Address Translation - Protocol Translation)
   boxes, and guidance is provided herein on supporting the DNS Cookie
   mechanism in anycast servers.

1.1.  Contents of This Document

   In Section 2, we discuss the threats against which the DNS Cookie
   mechanism provides some protection.

   Section 3 describes existing DNS security mechanisms and why they are
   not adequate substitutes for DNS Cookies.

   Section 4 describes the COOKIE option.

   Section 5 provides a protocol description.

   Section 6 discusses some NAT considerations and anycast-related
   DNS Cookies design considerations.

   Section 7 discusses incremental deployment considerations.

   Sections 8 and 9 describe IANA considerations and security
   considerations, respectively.

1.2.  Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

   "Off-path attacker", for a particular DNS client and server, is
      defined as an attacker who cannot observe the DNS request and
      response messages between that client and server.

   "Soft state" indicates information that is learned or derived by a
      host and that may be discarded when indicated by the policies of
      that host but can be re-instantiated later if needed.  For
      example, it could be discarded after a period of time or when
      storage for caching such data becomes full.  If operations that
      require soft state continue after the information has been
      discarded, the information will be automatically regenerated,
      albeit at some cost.

   "Silently discarded" indicates that there are no DNS protocol message
      consequences.

   "IP address" is used herein as a length-independent term and includes
      both IPv4 and IPv6 addresses.

2.  Threats Considered

   DNS Cookies are intended to provide significant but limited
   protection against certain attacks by off-path attackers, as
   described below.  These attacks include denial of service, cache
   poisoning, and answer forgery.

2.1.  Denial-of-Service Attacks

   The typical form of the denial-of-service attacks considered herein
   is to send DNS requests with forged source IP addresses to a server.
   The intent can be to attack that server or some other selected host,
   as described below.

   There are also on-path denial-of-service attacks that attempt to
   saturate a server with DNS requests having correct source addresses.
   Cookies do not protect against such attacks, but successful cookie
   validation improves the probability that the correct source IP
   address for the requests is known.  This facilitates contacting the
   managers of the networks from which the requests originate or taking
   other actions for those networks.

2.1.1.  DNS Amplification Attacks

   A request with a forged source IP address generally causes a response
   to be sent to that forged IP address.  Thus, the forging of many such
   requests with a particular source IP address can result in enough
   traffic being sent to the forged IP address to interfere with service
   to the host at the IP address.  Furthermore, it is generally easy in
   the DNS to create short requests that produce much longer responses,
   thus amplifying the attack.

   The DNS Cookie mechanism can severely limit the traffic amplification
   obtained by requests from an attacker that is off the path between
   the server and the request's source address.  Enforced DNS Cookies
   would make it hard for an off-path attacker to cause any more than
   rate-limited short error responses to be sent to a forged IP address,
   so the attack would be attenuated rather than amplified.  DNS Cookies
   make it more effective to implement a rate-limiting scheme for error
   responses from the server.  Such a scheme would further restrict
   selected host denial-of-service traffic from that server.

2.1.2.  DNS Server Denial of Service

   DNS requests that are accepted cause work on the part of DNS servers.
   This is particularly true for recursive servers that may issue one or
   more requests and process the responses thereto, in order to
   determine their response to the initial request; the situation can be
   even worse for recursive servers implementing DNSSEC [RFC4033]
   [RFC4034] [RFC4035], because they may be induced to perform
   burdensome cryptographic computations in attempts to verify the
   authenticity of data they retrieve in trying to answer the request.

   The computational or communications burden caused by such requests
   may not depend on a forged source IP address, but the use of such
   addresses makes

   + the source of the requests causing the denial-of-service attack
     harder to find and

   + restriction of the IP addresses from which such requests should be
     honored hard or impossible to specify or verify.

   The use of DNS Cookies should enable a server to reject forged
   requests from an off-path attacker with relative ease and before any
   recursive queries or public key cryptographic operations are
   performed.

2.2.  Cache Poisoning and Answer Forgery Attacks

   The form of the cache poisoning attacks considered is to send forged
   replies to a resolver.  Modern network speeds for well-connected
   hosts are such that, by forging replies from the IP addresses of a
   DNS server to a resolver for names that resolver has been induced to
   resolve or for common names whose resource records have short
   time-to-live values, there can be an unacceptably high probability of
   randomly coming up with a reply that will be accepted and cause false
   DNS information to be cached by that resolver (the Dan Kaminsky
   attack [Kaminsky]).  This can be used to facilitate phishing attacks
   and other diversions of legitimate traffic to a compromised or
   malicious host such as a web server.

   With the use of DNS Cookies, a resolver can generally reject such
   forged replies.
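
   The threat arguments of Sections 2.1.1 and 2.2 can be checked with a
   small model of the exchange.  The Python below is an added example,
   not code from RFC 7873 or from any DNS implementation: the Resolver,
   Server and Message names, the keyed-hash cookie derivations, the
   "enforcing" server policy (no full answer without a valid Server
   Cookie), the message sizes and the documentation-range IP addresses
   are all constructed assumptions for the simulation, not the
   algorithms or behaviour this document specifies.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed wire sizes (bytes) for the amplification comparison.
REQUEST_BYTES = 60         # a short query
FULL_ANSWER_BYTES = 3000   # a large, amplifying answer
SHORT_ERROR_BYTES = 60     # short error reply of an enforcing server
COOKIE_LEN = 8             # 64-bit cookies, as in Section 1

@dataclass
class Message:
    src_ip: str
    dst_ip: str
    qname: str
    client_cookie: bytes
    server_cookie: Optional[bytes] = None
    answer: Optional[str] = None
    size: int = REQUEST_BYTES

class Resolver:
    """Client side: emits Client Cookies, validates replies (Section 2.2)."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.secret = os.urandom(16)
        self.server_cookies = {}  # soft state: Server Cookie per server IP

    def client_cookie(self, server_ip: str) -> bytes:
        # Assumed derivation: keyed hash of (client IP, server IP).
        msg = f"{self.ip}>{server_ip}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def request(self, server_ip: str, qname: str) -> Message:
        return Message(self.ip, server_ip, qname, self.client_cookie(server_ip),
                       self.server_cookies.get(server_ip))

    def accept(self, reply: Message, sent: Message) -> bool:
        # An off-path forger never saw the Client Cookie, so a reply that
        # does not echo it is dropped before anything reaches the cache.
        if not hmac.compare_digest(reply.client_cookie, sent.client_cookie):
            return False
        if reply.server_cookie is not None:
            self.server_cookies[reply.src_ip] = reply.server_cookie
        return True

class Server:
    """Server side: Server Cookies bound to the client IP (Section 2.1.1)."""

    def __init__(self, ip: str, enforce: bool) -> None:
        self.ip = ip
        self.enforce = enforce  # assumed policy: no full answer without a valid cookie
        self.secret = os.urandom(16)

    def server_cookie(self, client_ip: str, client_cookie: bytes) -> bytes:
        # Assumed derivation: keyed hash over client IP and Client Cookie, so
        # a cookie issued to one source address is useless from another.
        msg = client_ip.encode() + client_cookie
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def handle(self, req: Message):
        """Return (reply, full_work_done)."""
        expected = self.server_cookie(req.src_ip, req.client_cookie)
        valid = (req.server_cookie is not None
                 and hmac.compare_digest(req.server_cookie, expected))
        if valid or not self.enforce:
            return Message(self.ip, req.src_ip, req.qname, req.client_cookie,
                           expected, answer=f"{req.qname} A 192.0.2.1",
                           size=FULL_ANSWER_BYTES), True
        # Source address unverified: short reply carrying only the cookies,
        # with no recursion or signature validation performed.
        return Message(self.ip, req.src_ip, req.qname, req.client_cookie,
                       expected, size=SHORT_ERROR_BYTES), False

def amplification_factor(enforce: bool) -> float:
    """Bytes delivered to a forged source per byte the off-path attacker sends."""
    server = Server("198.51.100.1", enforce)
    # The attacker forges the victim's address; being off-path, it never sees
    # a Server Cookie the server issued to the victim, so it can only supply
    # a Client Cookie of its own choosing.
    forged = Message("203.0.113.7", server.ip, "example.", os.urandom(COOKIE_LEN))
    reply, _ = server.handle(forged)
    return reply.size / forged.size

def resolver_exchange() -> dict:
    """Section 2.2 plus soft state: a forged reply is dropped; the real one
    delivers the Server Cookie, and the next request gets full service."""
    server = Server("198.51.100.1", enforce=True)
    resolver = Resolver("203.0.113.7")
    sent = resolver.request(server.ip, "example.")
    forged = Message(server.ip, resolver.ip, "example.", os.urandom(COOKIE_LEN),
                     answer="example. A 203.0.113.99", size=100)
    forged_rejected = not resolver.accept(forged, sent)
    reply, first_full = server.handle(sent)
    resolver.accept(reply, sent)  # learns the Server Cookie
    _, second_full = server.handle(resolver.request(server.ip, "example."))
    return {"forged_rejected": forged_rejected,
            "first_full": first_full, "second_full": second_full}
```

   With enforcement on, the forged request yields a reply no larger than
   the request (factor 1.0 here), while the same server without
   enforcement returns 50 bytes for every byte sent to the victim.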

3.  Comments on Existing DNS Security

   Two forms of security have been added to DNS: data security and
   message/transaction security.

3.1.  Existing DNS Data Security

   DNS data security is one part of DNSSEC and is described in
   [RFC4033], [RFC4034], [RFC4035], and updates thereto.  It provides
   data origin authentication and authenticated denial of existence.
   DNSSEC is being deployed and can provide strong protection against
   forged data and cache poisoning; however, it has the unintended
   effect of making some denial-of-service attacks worse because of the
   cryptographic computational load it can require and the increased
   size in DNS response packets that it tends to produce.

3.2.  DNS Message/Transaction Security

   The second form of security that has been added to DNS provides
   "transaction" security through TSIG [RFC2845] or SIG(0) [RFC2931].
   TSIG could provide strong protection against the attacks for which
   the DNS Cookie mechanism provides weaker protection; however, TSIG is
   non-trivial to deploy in the general Internet because of the burdens
   it imposes.  Among these burdens are pre-agreement and key
   distribution between client and server, keeping track of server-side
   key state, and required time synchronization between client and
   server.

   TKEY [RFC2930] can solve the problem of key distribution for TSIG,
   but some modes of TKEY impose a substantial cryptographic computation
   load and can be dependent on the deployment of DNS data security (see
   Section 3.1).

   SIG(0) [RFC2931] provides less denial-of-service protection than TSIG
   or, in one way, even DNS Cookies, because it authenticates complete
   transactions but does not authenticate requests.  In any case, it
   also depends on the deployment of DNS data security and requires
   computationally burdensome public key cryptographic operations.

3.3.  Conclusions on Existing DNS Security

   The existing DNS security mechanisms do not provide the services
   provided by the DNS Cookie mechanism: lightweight message
   authentication of DNS requests and responses with no requirement for
   pre-configuration or per-client server-side state.

4.  DNS COOKIE Option
  417                                                                            
  418    The DNS COOKIE option is an OPT RR [RFC6891] option that can be         
  419    included in the RDATA portion of an OPT RR in DNS requests and          
  420    responses.  The option length varies, depending on the circumstances    
  421    in which it is being used.  There are two cases, as described below.    
  422    Both use the same OPTION-CODE; they are distinguished by their          
  423    length.                                                                 
  424                                                                            
   441    In a request sent by a client to a server when the client does not      
   442    know the server's cookie, the option length is 8, consisting of an       
   443    8-byte Client Cookie, as shown in Figure 1.                              
  444                                                                            
  445                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3       
  446      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1       
  447     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+      
  448     |        OPTION-CODE = 10      |       OPTION-LENGTH = 8        |      
  449     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+      
  450     |                                                               |      
  451     +-+-    Client Cookie (fixed size, 8 bytes)              -+-+-+-+      
  452     |                                                               |      
  453     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+      
  454                                                                            
  455               Figure 1: COOKIE Option, Unknown Server Cookie               
  456                                                                            
  457    In a request sent by a client when a Server Cookie is known, and in     
  458    all responses to such a request, the length is variable -- from 16 to   
  459    40 bytes, consisting of an 8-byte Client Cookie followed by the         
  460    variable-length (8 bytes to 32 bytes) Server Cookie, as shown in        
  461    Figure 2.  The variability of the option length stems from the          
  462    variable-length Server Cookie.  The Server Cookie is an integer         
  463    number of bytes, with a minimum size of 8 bytes for security and a      
  464    maximum size of 32 bytes for convenience of implementation.             
  465                                                                            
  466                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3       
  467      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1       
  468     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+      
  469     |        OPTION-CODE = 10      |   OPTION-LENGTH >= 16, <= 40   |      
  470     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+      
  471     |                                                               |      
  472     +-+-    Client Cookie (fixed size, 8 bytes)              -+-+-+-+      
  473     |                                                               |      
  474     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+      
  475     |                                                               |      
  476     /       Server Cookie  (variable size, 8 to 32 bytes)           /      
  477     /                                                               /      
  478     +-+-+-+-...                                                            
  479                                                                            
  480                Figure 2: COOKIE Option, Known Server Cookie                
  481                                                                            
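   The option layout of Figures 1 and 2, together with the length rule of
   Section 5.2.2 (a COOKIE option data length is valid only if it is 8, or
   16 to 40 inclusive) and the "only the first COOKIE option counts" rule of
   Sections 5.2 and 5.3, written out as a small Python encoder/decoder.
   This is an added example, not code from the RFC or from any DNS
   implementation; the function and class names are assumptions, and the OPT
   RDATA in the comments is constructed.

```python
import struct
from typing import Optional, Tuple

COOKIE_OPTION_CODE = 10      # OPTION-CODE of the COOKIE option (Figures 1 and 2)
CLIENT_COOKIE_LEN = 8        # the Client Cookie is fixed at 8 bytes
SERVER_COOKIE_MIN = 8        # Server Cookie minimum, for security
SERVER_COOKIE_MAX = 32       # Server Cookie maximum, for implementation convenience


class FormErr(ValueError):
    """Raised where Section 5.2.2 says the server generates FORMERR."""


def cookie_data_length_is_valid(n: int) -> bool:
    """Section 5.2.2: valid COOKIE option lengths are 8 and 16 to 40 inclusive."""
    return n == CLIENT_COOKIE_LEN or (
        CLIENT_COOKIE_LEN + SERVER_COOKIE_MIN <= n <= CLIENT_COOKIE_LEN + SERVER_COOKIE_MAX
    )


def build_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Serialize one COOKIE option (OPTION-CODE, OPTION-LENGTH, data) ready to be
    placed in the RDATA of an OPT RR.  An empty server_cookie gives the 8-byte
    Figure 1 form; otherwise the 16- to 40-byte Figure 2 form."""
    if len(client_cookie) != CLIENT_COOKIE_LEN:
        raise ValueError("Client Cookie must be exactly 8 bytes")
    if server_cookie and not SERVER_COOKIE_MIN <= len(server_cookie) <= SERVER_COOKIE_MAX:
        raise ValueError("Server Cookie must be 8 to 32 bytes")
    data = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def parse_cookie_option(data: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Split the data part of a COOKIE option into (Client Cookie, Server Cookie),
    with Server Cookie None for the Figure 1 form.  Illegal lengths raise FormErr."""
    if not cookie_data_length_is_valid(len(data)):
        raise FormErr("illegal COOKIE option length %d" % len(data))
    client_cookie = data[:CLIENT_COOKIE_LEN]
    server_cookie = data[CLIENT_COOKIE_LEN:] or None
    return client_cookie, server_cookie


def first_cookie_option(opt_rdata: bytes) -> Optional[bytes]:
    """Walk the {OPTION-CODE, OPTION-LENGTH, OPTION-DATA} sequence in an OPT RR's
    RDATA and return the data of the first COOKIE option, or None if there is
    none.  Sections 5.2 and 5.3: when several COOKIE options are present, only
    the first (closest to the DNS header) is considered."""
    off = 0
    while off + 4 <= len(opt_rdata):
        code, length = struct.unpack_from("!HH", opt_rdata, off)
        off += 4
        if off + length > len(opt_rdata):
            raise FormErr("option data runs past the end of the OPT RDATA")
        if code == COOKIE_OPTION_CODE:
            return opt_rdata[off:off + length]
        off += length
    if off != len(opt_rdata):
        raise FormErr("trailing bytes in OPT RDATA")
    return None
```

   A constructed RDATA such as an unrelated option followed by two COOKIE
   options, for instance `b"\x00\x03\x00\x02ab" + build_cookie_option(cc, sc)
   + build_cookie_option(other_cc)`, makes `first_cookie_option` return
   `cc + sc`; a 12-byte option (between the two legal shapes) or a 41-byte
   option raises `FormErr`, which is the point at which a server would answer
   FORMERR.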
  496 4.1.  Client Cookie                                                        
  497                                                                            
  498    The Client Cookie SHOULD be a pseudorandom function of the Client IP    
  499    Address, the Server IP Address, and a secret quantity known only to     
  500    the client.  This Client Secret SHOULD have at least 64 bits of         
  501    entropy [RFC4086] and be changed periodically (see Section 7.1).  The   
  502    selection of the pseudorandom function is a matter private to the       
  503    client, as only the client needs to recognize its own DNS Cookies.      
  504                                                                            
  505    The Client IP Address is included so that the Client Cookie cannot be   
  506    used to (1) track a client if the Client IP Address changes due to      
  507    privacy mechanisms or (2) impersonate the client by some network        
  508    device that was formerly on path but is no longer on path when the      
  509    Client IP Address changes due to mobility.  However, if the Client IP   
  510    Address is being changed very often, it may be necessary to fix the     
  511    Client Cookie for a particular server for several requests, to avoid    
  512    undue inefficiency due to retries caused by that server not             
  513    recognizing the Client Cookie.                                          
  514                                                                            
  515    For further discussion of the Client Cookie field, see Section 5.1.     
  516    For example methods of determining a Client Cookie, see Appendix A.     
  517                                                                            
  518    In order to provide minimal authentication, a client MUST send          
  519    Client Cookies that will usually be different for any two servers at    
  520    different IP addresses.                                                 
  521                                                                            
  522 4.2.  Server Cookie                                                        
  523                                                                            
  524    The Server Cookie SHOULD consist of or include a 64-bit or larger       
  525    pseudorandom function of the request source (client) IP address, a      
  526    secret quantity known only to the server, and the request               
  527    Client Cookie.  (See Section 6 for a discussion of why the              
  528    Client Cookie is used as input to the Server Cookie but the             
  529    Server Cookie is not used as an input to the Client Cookie.)  This      
  530    Server Secret SHOULD have at least 64 bits of entropy [RFC4086] and     
  531    be changed periodically (see Section 7.1).  The selection of the        
  532    pseudorandom function is a matter private to the server, as only the    
  533    server needs to recognize its own DNS Cookies.                          
  534                                                                            
  535    For further discussion of the Server Cookie field, see Section 5.2.     
  536    For example methods of determining a Server Cookie, see Appendix B.     
  537    When implemented as recommended, the server need not maintain any       
  538    cookie-related per-client state.                                        
  539                                                                            
  540    In order to provide minimal authentication, a server MUST send          
  541    Server Cookies that will usually be different for clients at any two    
  542    different IP addresses or with different Client Cookies.                
  543                                                                            
  551 5.  DNS Cookies Protocol Specification                                     
  552                                                                            
  553    This section discusses using DNS Cookies in the DNS protocol.  The      
  554    cycle of originating a request, responding to that request, and         
  555    processing responses is covered in Sections 5.1, 5.2, and 5.3.  A       
  556    de facto extension to QUERY to allow the prefetching of a               
  557    Server Cookie is specified in Section 5.4.  Rollover of the Client      
  558    Secrets and Server Secrets, and transient retention of the old cookie   
  559    or secret, are covered in Section 7.1.                                  
  560                                                                            
  561    DNS clients and servers SHOULD implement DNS Cookies to decrease        
  562    their vulnerability to the threats discussed in Section 2.              
  563                                                                            
  564 5.1.  Originating a Request                                                
  565                                                                            
  566    A DNS client that implements DNS Cookies includes one DNS               
  567    COOKIE option containing a Client Cookie in every DNS request           
  568    it sends, unless DNS Cookies are disabled.                              
  569                                                                            
  570    If the client has a cached Server Cookie for the server against its     
  571    IP address, it uses the longer cookie form and includes that            
  572    Server Cookie in the option along with the Client Cookie (Figure 2).    
  573    Otherwise, it just sends the shorter-form option with a Client Cookie   
  574    (Figure 1).                                                             
  575                                                                            
  576 5.2.  Responding to a Request                                              
  577                                                                            
  578    The Server Cookie, when it occurs in a COOKIE option in a request, is   
  579    intended to weakly assure the server that the request came from a       
  580    client that is both at the source IP address of the request and using   
  581    the Client Cookie included in the option.  This assurance is provided   
  582    by the Server Cookie that server sent to that client in an earlier      
  583    response appearing as the Server Cookie field in the request.           
  584                                                                            
  585    At a server where DNS Cookies are not implemented and enabled, the      
  586    presence of a COOKIE option is ignored and the server responds as if    
  587    no COOKIE option had been included in the request.                      
  588                                                                            
  589    When DNS Cookies are implemented and enabled, there are five            
  590    possibilities:                                                          
  591                                                                            
  592    (1) There is no OPT RR at all in the request, or there is an OPT RR     
  593        but the COOKIE option is absent from the OPT RR.                    
  594                                                                            
  595    (2) A COOKIE option is present but is not a legal length or is          
  596        otherwise malformed.                                                
  597                                                                            
  606    (3) There is a COOKIE option of valid length in the request with no     
  607        Server Cookie.                                                      
  608                                                                            
  609    (4) There is a COOKIE option of valid length in the request with a      
  610        Server Cookie, but that Server Cookie is invalid.                   
  611                                                                            
  612    (5) There is a COOKIE option of valid length in the request with a      
  613        correct Server Cookie.                                              
  614                                                                            
  615    These five possibilities are discussed in the subsections below.        
  616                                                                            
  617    In all cases of multiple COOKIE options in a request, only the first    
  618    (the one closest to the DNS header) is considered.  All others are      
  619    ignored.                                                                
  620                                                                            
  621 5.2.1.  No OPT RR or No COOKIE Option                                      
  622                                                                            
  623    If there is no OPT record or no COOKIE option present in the request,   
  624    then the server responds to the request as if the server doesn't        
  625    implement the COOKIE option.                                            
  626                                                                            
  627 5.2.2.  Malformed COOKIE Option                                            
  628                                                                            
  629    If the COOKIE option is too short to contain a Client Cookie, then      
  630    FORMERR is generated.  If the COOKIE option is longer than that         
  631    required to hold a COOKIE option with just a Client Cookie (8 bytes)    
  632    but is shorter than the minimum COOKIE option with both a               
  633    Client Cookie and a Server Cookie (16 bytes), then FORMERR is           
  634    generated.  If the COOKIE option is longer than the maximum valid       
  635    COOKIE option (40 bytes), then FORMERR is generated.                    
  636                                                                            
  637    In summary, valid cookie lengths are 8 and 16 to 40 inclusive.          
  638                                                                            
  639 5.2.3.  Only a Client Cookie                                               
  640                                                                            
  641    Based on server policy, including rate limiting, the server chooses     
  642    one of the following:                                                   
  643                                                                            
  644    (1) Silently discard the request.                                       
  645                                                                            
  646    (2) Send a BADCOOKIE error response.                                    
  647                                                                            
  648    (3) Process the request and provide a normal response.  The RCODE is    
  649        NOERROR, unless some non-cookie error occurs in processing the      
  650        request.                                                            
  651                                                                            
  661    If the server responds choosing (2) or (3) above, it SHALL generate     
  662    its own COOKIE option containing both the Client Cookie copied from     
  663    the request and a Server Cookie it has generated, and it will add       
  664    this COOKIE option to the response's OPT record.  Servers MUST, at      
  665    least occasionally, respond to such requests to inform the client of    
  666    the correct Server Cookie.  This is necessary so that such a client     
  667    can bootstrap to the more secure state where requests and responses     
  668    have recognized Server Cookies and Client Cookies.  A server is not     
  669    expected to maintain per-client state to achieve this.  For example,    
  670    it could respond to every Nth request across all clients.               
  671                                                                            
  672    If the request was received over TCP, the server SHOULD take the        
  673    authentication provided by the use of TCP into account and SHOULD       
  674    choose (3).  In this case, if the server is not willing to accept the   
  675    security provided by TCP as a substitute for the security provided by   
  676    DNS Cookies but instead chooses (2), there is some danger of an         
  677    indefinite loop of retries (see Section 5.3).                           
  678                                                                            
  679 5.2.4.  A Client Cookie and an Invalid Server Cookie                       
  680                                                                            
  681    The server examines the Server Cookie to determine if it is a valid     
  682    Server Cookie that it had generated previously.  This determination     
  683    normally involves recalculating the Server Cookie (or the Hash part     
  684    thereof) based on the Server Secret (or the previous Server Secret,     
  685    if it has just changed); the received Client Cookie; the Client IP      
  686    Address; and, possibly, other fields.  See Appendix B.2 for an          
  687    example.  If the cookie is invalid, it could be because                 
  688                                                                            
  689    + it is too old                                                         
  690                                                                            
  691    + a client's IP address or Client Cookie changed, and the DNS server    
  692      is not aware of the change                                            
  693                                                                            
  694    + an anycast cluster of servers is not consistently configured, or      
  695                                                                            
  696    + an attempt to spoof the client has occurred                           
  697                                                                            
  698    The server SHALL process the request as if the invalid Server Cookie    
  699    was not present, as described in Section 5.2.3.                         
  700                                                                            
  701 5.2.5.  A Client Cookie and a Valid Server Cookie                          
  702                                                                            
  703    When a valid Server Cookie is present in the request, the server can    
  704    assume that the request is from a client that it has talked to before   
  705    and defensive measures for spoofed UDP requests, if any, are no         
  706    longer required.                                                        
  707                                                                            
  716    The server SHALL process the request and include a COOKIE option in     
  717    the response by (a) copying the complete COOKIE option from the         
  718    request or (b) generating a new COOKIE option containing both the       
  719    Client Cookie copied from the request and a valid Server Cookie it      
  720    has generated.                                                          
  721                                                                            
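   The server side of Section 4.2 (a stateless Server Cookie) and the five
   cases of Section 5.2, including the "respond to every Nth request across
   all clients" bootstrap policy of Section 5.2.3, the previous-secret check
   of Section 5.2.4 and the TCP preference of Section 5.2.3, as one Python
   class.  This is an added example, not code from the RFC or from any DNS
   server; the class is hypothetical, HMAC-SHA256 truncated to 64 bits is a
   pseudorandom function chosen for this example (the RFC leaves the choice
   to the server and gives its own examples in Appendix B, which is not
   reproduced here), and the secrets and addresses in the usage note are
   constructed.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional, Tuple

CLIENT_COOKIE_LEN = 8
SERVER_COOKIE_LEN = 8   # this example emits the 64-bit minimum of Section 4.2


def cookie_data_length_is_valid(n: int) -> bool:
    """Section 5.2.2: valid COOKIE option lengths are 8 and 16 to 40 inclusive."""
    return n == 8 or 16 <= n <= 40


class CookieServer:
    """Stateless server side of DNS Cookies (Sections 4.2 and 5.2).

    Hypothetical class.  The pseudorandom function is HMAC-SHA256 truncated to
    64 bits, a choice made for this example; the RFC leaves the PRF private to
    the server."""

    def __init__(self, secret: bytes, previous_secret: Optional[bytes] = None,
                 respond_every_n: int = 5) -> None:
        self.secret = secret                    # Server Secret, >= 64 bits of entropy (4.2)
        self.previous_secret = previous_secret  # kept briefly after rollover (Section 7.1)
        self.respond_every_n = respond_every_n  # "respond to every Nth request" policy (5.2.3)
        self.unauthenticated_seen = 0           # one global counter, no per-client state

    def _prf(self, secret: bytes, client_ip: str, client_cookie: bytes) -> bytes:
        # Inputs named in Section 4.2: client IP address, Server Secret, Client Cookie.
        msg = ipaddress.ip_address(client_ip).packed + client_cookie
        return hmac.new(secret, msg, hashlib.sha256).digest()[:SERVER_COOKIE_LEN]

    def make_server_cookie(self, client_ip: str, client_cookie: bytes) -> bytes:
        return self._prf(self.secret, client_ip, client_cookie)

    def server_cookie_is_valid(self, client_ip: str, client_cookie: bytes,
                               server_cookie: bytes) -> bool:
        """Section 5.2.4: recompute under the current secret, then the previous one."""
        for secret in (self.secret, self.previous_secret):
            if secret is None:
                continue
            expected = self._prf(secret, client_ip, client_cookie)
            if hmac.compare_digest(server_cookie, expected):
                return True
        return False

    def handle(self, client_ip: str, cookie_data: Optional[bytes],
               over_tcp: bool = False) -> Tuple[str, Optional[bytes]]:
        """Classify a request into the five cases of Section 5.2 and return
        (action, COOKIE option data for the response).  Actions are PROCESS,
        BADCOOKIE, DROP and FORMERR; cookie_data is the first COOKIE option's
        data, or None when there is no OPT RR or no COOKIE option."""
        if cookie_data is None:                                # case (1), Section 5.2.1
            return "PROCESS", None
        if not cookie_data_length_is_valid(len(cookie_data)):  # case (2), Section 5.2.2
            return "FORMERR", None
        client_cookie = cookie_data[:CLIENT_COOKIE_LEN]
        server_cookie = cookie_data[CLIENT_COOKIE_LEN:] or None
        # Any response we do send carries the Client Cookie copied from the request
        # plus a Server Cookie we generated (Section 5.2.3 and 5.2.5 option (b)).
        reply = client_cookie + self.make_server_cookie(client_ip, client_cookie)
        if server_cookie is not None and self.server_cookie_is_valid(
                client_ip, client_cookie, server_cookie):
            return "PROCESS", reply                            # case (5), Section 5.2.5
        # Cases (3) and (4): no Server Cookie, or an invalid one treated as absent (5.2.4).
        if over_tcp:
            return "PROCESS", reply                            # TCP already vouches for the source
        self.unauthenticated_seen += 1
        if self.unauthenticated_seen % self.respond_every_n == 0:
            return "BADCOOKIE", reply                          # let the client learn its cookie
        return "DROP", None                                    # silent discard, choice (1) of 5.2.3
```

   With `CookieServer(secret=b"\x01" * 16, respond_every_n=3)`, three
   client-only requests from 192.0.2.1 yield DROP, DROP, BADCOOKIE; the
   BADCOOKIE reply's 16-byte option, sent back unchanged, is accepted with
   PROCESS, while the same option from 198.51.100.7 is rejected because the
   client IP address is an input to the cookie.  A second server built with
   the first one's secret as `previous_secret` still accepts the cookie, which
   is the transient retention Section 7.1 calls for.  `ipaddress` handles
   IPv6 source addresses the same way (16 packed bytes instead of 4).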
  722 5.3.  Processing Responses                                                 
  723                                                                            
  724    The Client Cookie, when it occurs in a COOKIE option in a DNS reply,    
  725    is intended to weakly assure the client that the reply came from a      
  726    server at the source IP address used in the response packet, because    
  727    the Client Cookie value is the value that client would send to that     
  728    server in a request.  In a DNS reply with multiple COOKIE options,      
  729    all but the first (the one closest to the DNS header) are ignored.      
  730                                                                            
  731    A DNS client where DNS Cookies are implemented and enabled examines     
  732    the response for DNS Cookies and MUST discard the response if it        
  733    contains an illegal COOKIE option length or an incorrect                
  734    Client Cookie value.  If the client is expecting the response to        
  735    contain a COOKIE option and it is missing, the response MUST be         
  736    discarded.  If the COOKIE option Client Cookie is correct, the client   
  737    caches the Server Cookie provided, even if the response is an error     
  738    response (RCODE non-zero).                                              
  739                                                                            
  740    If the extended RCODE in the reply is BADCOOKIE and the Client Cookie   
  741    in the reply matches what was sent, it means that the server was        
  742    unwilling to process the request because it did not have the correct    
  743    Server Cookie in it.  The client SHOULD retry the request using the     
  744    new Server Cookie from the response.  Repeated BADCOOKIE responses to   
  745    requests that use the Server Cookie provided in the previous response   
  746    may be an indication that either the shared secrets or the method for   
  747    generating secrets in an anycast cluster of servers is inconsistent.    
  748    If the reply to a retried request with a fresh Server Cookie is         
  749    BADCOOKIE, the client SHOULD retry using TCP as the transport, since    
  750    the server will likely process the request normally based on the        
  751    security provided by TCP (see Section 5.2.3).                           
  752                                                                            
  753    If the RCODE is some value other than BADCOOKIE, including zero, the    
  754    further processing of the response proceeds normally.                   
  755                                                                            
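   The client side of Section 4.1 (a per-server Client Cookie), Section 5.1
   (which option form to send) and Section 5.3 (validating a reply, caching
   the Server Cookie even on error responses, retrying on BADCOOKIE and
   falling back to TCP when the retry with a fresh Server Cookie is refused
   too), as one Python class.  This is an added example, not code from the
   RFC or from any resolver; the class is hypothetical, HMAC-SHA256 truncated
   to 64 bits is the pseudorandom function chosen here (the RFC leaves it to
   the client; its own examples are in Appendix A, not reproduced here),
   RCODEs are passed by name rather than number, and the secret and addresses
   in the usage note are constructed.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional


def cookie_data_length_is_valid(n: int) -> bool:
    """Section 5.2.2: valid COOKIE option lengths are 8 and 16 to 40 inclusive."""
    return n == 8 or 16 <= n <= 40


class CookieClient:
    """Client side of DNS Cookies (Sections 4.1, 5.1 and 5.3).  Hypothetical
    class; HMAC-SHA256 truncated to 64 bits is this example's PRF choice."""

    def __init__(self, client_ip: str, secret: bytes) -> None:
        self.client_ip = client_ip
        self.secret = secret                         # Client Secret, >= 64 bits of entropy (4.1)
        self.server_cookies: Dict[str, bytes] = {}   # cached Server Cookies keyed by server IP
        self.badcookie_streak: Dict[str, int] = {}   # consecutive BADCOOKIE replies per server

    def client_cookie(self, server_ip: str) -> bytes:
        """Section 4.1: PRF of Client IP Address, Server IP Address and the Client
        Secret, so the value differs per server and is tied to our own address."""
        msg = (ipaddress.ip_address(self.client_ip).packed
               + ipaddress.ip_address(server_ip).packed)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def request_cookie_data(self, server_ip: str) -> bytes:
        """Section 5.1: Figure 2 form if a Server Cookie is cached, else Figure 1 form."""
        cc = self.client_cookie(server_ip)
        sc = self.server_cookies.get(server_ip)
        return cc + sc if sc is not None else cc

    def process_response(self, server_ip: str, rcode: str,
                         cookie_data: Optional[bytes]) -> str:
        """Apply Section 5.3 to one reply.  rcode is the (extended) RCODE name and
        cookie_data the first COOKIE option's data, or None if there was none.
        Returns DISCARD, RETRY (same server, new Server Cookie), RETRY_TCP or ACCEPT."""
        if cookie_data is None:
            return "DISCARD"   # we always send a COOKIE option, so one is expected back
        if not cookie_data_length_is_valid(len(cookie_data)):
            return "DISCARD"   # illegal option length
        if not hmac.compare_digest(cookie_data[:8], self.client_cookie(server_ip)):
            return "DISCARD"   # Client Cookie mismatch: not a reply to what we sent
        if len(cookie_data) > 8:
            # Cached even when the reply is an error response (RCODE non-zero).
            self.server_cookies[server_ip] = cookie_data[8:]
        if rcode == "BADCOOKIE":
            streak = self.badcookie_streak.get(server_ip, 0) + 1
            self.badcookie_streak[server_ip] = streak
            # A second BADCOOKIE in a row means the retry that carried the fresh
            # Server Cookie was refused as well: fall back to TCP (Sections 5.2.3, 5.3).
            return "RETRY_TCP" if streak >= 2 else "RETRY"
        self.badcookie_streak.pop(server_ip, None)
        return "ACCEPT"        # any other RCODE, including NOERROR, proceeds normally
```

   With `CookieClient("192.0.2.1", b"\x07" * 16)` and a server at
   198.51.100.53, the first request carries only the 8-byte Client Cookie; a
   BADCOOKIE reply carrying that Client Cookie plus a Server Cookie yields
   RETRY and the next `request_cookie_data` call returns the 16-byte form; a
   second BADCOOKIE yields RETRY_TCP; a reply with a missing option, an
   illegal length or someone else's Client Cookie is DISCARDed without
   touching the cache.  The Client Cookie for 203.0.113.9 differs from the one
   for 198.51.100.53, which is the per-server requirement at the end of
   Section 4.1.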
  756 5.4.  Querying for a Server Cookie                                         
  757                                                                            
  758    In many cases, a client will learn the Server Cookie for a server as    
  759    the "side effect" of another transaction; however, there may be times   
  760    when this is not desirable.  Therefore, a means is provided for         
   761    obtaining a Server Cookie through an extension to the QUERY opcode,     
   762    for which most existing implementations require that QDCOUNT be one     
   763    (1) (see Section 4.1.2 of [RFC1035]).                                   
  764                                                                            
  771    For servers with DNS Cookies enabled, the QUERY opcode behavior is      
  772    extended to support queries with an empty Question Section (a QDCOUNT   
  773    of zero (0)), provided that an OPT record is present with a COOKIE      
  774    option.  Such servers will send a reply that has an empty               
  775    Answer Section and has a COOKIE option containing the Client Cookie     
  776    and a valid Server Cookie.                                              
  777                                                                            
  778    If such a query provided just a Client Cookie and no Server Cookie,     
  779    the response SHALL have the RCODE NOERROR.                              
  780                                                                            
  781    This mechanism can also be used to confirm/re-establish an existing     
  782    Server Cookie by sending a cached Server Cookie with the                
  783    Client Cookie.  In this case, the response SHALL have the RCODE         
  784    BADCOOKIE if the Server Cookie sent with the query was invalid and      
  785    the RCODE NOERROR if it was valid.                                      
  786                                                                            
  787    Servers that don't support the COOKIE option will normally send         
  788    FORMERR in response to such a query, though REFUSED, NOTIMP, and        
  789    NOERROR without a COOKIE option are also possible in such responses.    
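
   The exchange above as an added worked example (not code from this RFC
   or from BIND): it builds the QDCOUNT=0 query carrying only a COOKIE
   option and a minimal server routine that answers it with the RCODE
   rules just stated, including the BADCOOKIE value 23 whose upper bits
   travel in the OPT TTL as RFC 6891 requires.  The Server Cookie PRF
   (HMAC-SHA-256 truncated to 64 bits), the 0x1234 message ID, the
   1232-byte UDP payload size and the cookie length limits (8-byte Client
   Cookie, 8 to 32-byte Server Cookie, from Section 4) are assumptions of
   the example.

```python
import hashlib
import hmac
import struct

OPT_TYPE = 41            # EDNS(0) OPT pseudo-RR type (RFC 6891)
OPT_COOKIE = 10          # EDNS0 option code assigned in Section 8
RCODE_NOERROR = 0
RCODE_BADCOOKIE = 23     # extended RCODE: low 4 bits in the header, high 8 bits in OPT TTL


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        label_len = msg[off]
        if label_len == 0:
            return off + 1
        if label_len & 0xC0 == 0xC0:
            return off + 2
        off += 1 + label_len


def _skip_rr(msg: bytes, off: int) -> int:
    """Return the offset just past one resource record."""
    off = _skip_name(msg, off)
    rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
    return off + 10 + rdlen


def build_message(msg_id: int, is_response: bool, rcode: int,
                  client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Header with QDCOUNT=0 plus a single OPT RR carrying a COOKIE option."""
    option = client_cookie + server_cookie
    rdata = struct.pack("!HH", OPT_COOKIE, len(option)) + option
    flags = (0x8000 if is_response else 0) | (rcode & 0x0F)
    header = struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 1)   # ARCOUNT=1 for the OPT RR
    ttl = ((rcode >> 4) & 0xFF) << 24      # upper 8 bits of the extended RCODE, version 0, no flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, ttl, len(rdata)) + rdata
    return header + opt


def build_cookie_query(client_cookie: bytes, server_cookie: bytes = b"",
                       msg_id: int = 0x1234) -> bytes:
    """The Section 5.4 query: empty Question Section, Client Cookie and an optional cached Server Cookie."""
    return build_message(msg_id, False, RCODE_NOERROR, client_cookie, server_cookie)


def parse_message(msg: bytes) -> dict:
    """Extract id, QR, the full 12-bit RCODE and the cookies from a DNS message."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": msg_id, "qr": bool(flags & 0x8000), "rcode": flags & 0x0F,
            "qdcount": qd, "client_cookie": None, "server_cookie": b""}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns):
        off = _skip_rr(msg, off)
    for _ in range(ar):
        name_end = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[name_end:name_end + 10])
        rdata = msg[name_end + 10:name_end + 10 + rdlen]
        off = name_end + 10 + rdlen
        if rtype != OPT_TYPE:
            continue
        info["rcode"] |= ((ttl >> 24) & 0xFF) << 4   # merge the extended RCODE bits
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            data = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            # Client Cookie is 8 bytes, Server Cookie 8..32 bytes (Section 4 of RFC 7873)
            if code == OPT_COOKIE and (len(data) == 8 or 16 <= len(data) <= 40):
                info["client_cookie"], info["server_cookie"] = data[:8], data[8:]
    return info


def compute_server_cookie(server_secret: bytes, client_cookie: bytes, src_ip: str) -> bytes:
    """Constructed PRF for this example: HMAC-SHA-256 over Client Cookie || source IP, truncated to 64 bits."""
    return hmac.new(server_secret, client_cookie + src_ip.encode(), hashlib.sha256).digest()[:8]


def handle_cookie_query(query: bytes, src_ip: str, server_secret: bytes) -> bytes:
    """Server side of Section 5.4: empty Answer Section, COOKIE option with a valid
    Server Cookie, NOERROR when no Server Cookie or a valid one was presented,
    BADCOOKIE when the presented Server Cookie was invalid."""
    q = parse_message(query)
    if q["qr"] or q["qdcount"] != 0 or q["client_cookie"] is None:
        raise ValueError("not a QDCOUNT=0 COOKIE query")
    valid = compute_server_cookie(server_secret, q["client_cookie"], src_ip)
    presented = q["server_cookie"]
    if presented and not hmac.compare_digest(presented, valid):
        rcode = RCODE_BADCOOKIE
    else:
        rcode = RCODE_NOERROR
    return build_message(q["id"], True, rcode, q["client_cookie"], valid)
```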

6.  NAT Considerations and Anycast Server Considerations

   In the classic Internet, DNS Cookies could simply be a pseudorandom
   function of the Client IP Address and a Server Secret or the Server
   IP Address and a Client Secret.  You would want to compute the
   Server Cookie that way, so a client could cache its Server Cookie for
   a particular server for an indefinite amount of time and the server
   could easily regenerate and check it.  You could consider the
   Client Cookie to be a weak client signature over the Server IP
   Address that the client checks in replies, and you could extend this
   signature to cover the request ID, for example, or any other
   information that is returned unchanged in the reply.

   But we have this reality called "NAT" [RFC3022] (including, for the
   purposes of this document, NAT-PT, which has been declared Historic
   [RFC4966]).  There is no problem with DNS transactions between
   clients and servers behind a NAT box using local IP addresses.  Nor
   is there a problem with NAT translation of internal addresses to
   external addresses or translations between IPv4 and IPv6 addresses,
   as long as the address mapping is relatively stable.  Should the
   external IP address to which an internal client is being mapped
   change occasionally, the disruption is little more than when a client
   rolls over its COOKIE secret.  Also, external access to a DNS server
   behind a NAT box is normally handled by a fixed mapping that forwards
   externally received DNS requests to a specific host.

   However, NAT devices sometimes also map ports.  This can cause
   multiple DNS requests and responses from multiple internal hosts to
   be mapped to a smaller number of external IP addresses, such as one
   address.  Thus, there could be many clients behind a NAT box that
   appear to come from the same source IP address to a server outside
   that NAT box.  If one of these were an attacker (think "zombie" or
   "botnet") behind a NAT box, that attacker could get the Server Cookie
   for some server for the outgoing IP address by just making some
   random request to that server.  It could then include that
   Server Cookie in the COOKIE option of requests to the server with the
   forged local IP address of some other host and/or client behind the
   NAT box.  (An attacker's possession of this Server Cookie will not
   help in forging responses to cause cache poisoning, as such responses
   are protected by the required Client Cookie.)

   To fix this potential defect, it is necessary to distinguish
   different clients behind a NAT box from the point of view of the
   server.  This is why the Server Cookie is specified as a pseudorandom
   function of both the request source IP address and the Client Cookie.
   From this inclusion of the Client Cookie in the calculation of the
   Server Cookie, it follows that, for any particular server, a stable
   Client Cookie is needed.  If, for example, the request ID was
   included in the calculation of the Client Cookie, it would normally
   change with each request to a particular server.  This would mean
   that each request would have to be sent twice: first, to learn the
   new Server Cookie based on this new Client Cookie based on the new
   ID, and then again using this new Client Cookie to actually get an
   answer.  Thus, the input to the Client Cookie computation must be
   limited to the Server IP Address and one or more things that change
   slowly, such as the Client Secret.

   In principle, there could be a similar problem for servers, not due
   to NAT but due to mechanisms like anycast that may cause requests to
   a DNS server at an IP address to be delivered to any one of several
   machines.  (External requests to a DNS server behind a NAT box
   usually occur via port forwarding such that all such requests go to
   one host.)  However, it is impossible to solve this in the way that
   the similar problem was solved for NATed clients; if the
   Server Cookie was included in the calculation of the Client Cookie in
   the same way that the Client Cookie is included in the Server Cookie,
   you would just get an almost infinite series of errors as a request
   was repeatedly retried.

   For servers accessed via anycast, to successfully support
   DNS Cookies, either (1) the server clones must all use the same
   Server Secret or (2) the mechanism that distributes requests to the
   server clones must cause the requests from a particular client to go
   to a particular server for a sufficiently long period of time that
   extra requests due to changes in Server Cookies resulting from
   accessing different server machines are not unduly burdensome.  (When
   such anycast-accessed servers act as recursive servers or otherwise
   act as clients, they normally use a different unique address to
   source their requests, to avoid confusion in the delivery of
   responses.)

   For simplicity, it is RECOMMENDED that the same Server Secret be used
   by each DNS server in a set of anycast servers.  If there is limited
   time skew in updating this secret in different anycast servers, this
   can be handled by a server accepting requests containing a
   Server Cookie based on either its old or new secret for the maximum
   likely time period of such time skew (see also Section 7.1).

7.  Operational and Deployment Considerations

   The DNS Cookie mechanism is designed for incremental deployment and
   to complement the orthogonal techniques in [RFC5452].  Either or both
   techniques can be deployed independently at each DNS server and
   client.  Thus, installation at the client and server end need not be
   synchronized.

   In particular, a DNS server or client that implements the DNS Cookie
   mechanism can interoperate successfully with a DNS client or server
   that does not implement this mechanism, although, of course, in this
   case it will not get the benefit of the mechanism and the server
   involved might choose to severely rate-limit responses.  When such a
   server or client interoperates with a client or server that also
   implements the DNS Cookie mechanism, these servers and clients get
   the security benefits of the DNS Cookie mechanism.

7.1.  Client and Server Secret Rollover

   The longer a secret is used, the higher the probability that it has
   been compromised.  Thus, clients and servers are configured with a
   lifetime setting for their secret, and they roll over to a new secret
   when that lifetime expires, or earlier due to deliberate jitter as
   described below.  The default lifetime is one day, and the maximum
   permitted is one month.  To be precise and to make it practical to
   stay within limits despite long holiday weekends, daylight saving
   time shifts, and the like, clients and servers MUST NOT continue to
   use the same secret in new requests and responses for more than
   36 days and SHOULD NOT continue to do so for more than 26 hours.

   Many clients rolling over their secret at the same time could briefly
   increase server traffic, and exactly predictable rollover times for
   clients or servers might facilitate guessing attacks.  For example,
   an attacker might increase the priority of attacking secrets they
   believe will be in effect for an extended period of time.  To avoid
   rollover synchronization and predictability, it is RECOMMENDED that
   pseudorandom jitter in the range of plus zero to minus at least 40%
   be applied to the time until a scheduled rollover of a COOKIE secret.

   It is RECOMMENDED that a client keep the Client Cookie it is
   expecting in a reply until there is no longer an outstanding request
   associated with that Client Cookie that the client is tracking.  This
   avoids rejection of replies due to a bad Client Cookie right after a
   change in the Client Secret.

   It is RECOMMENDED that a server retain its previous secret after a
   rollover to a new secret for a configurable period of time not less
   than 1 second or more than 300 seconds, with a default configuration
   of 150 seconds.  Requests with Server Cookies based on its previous
   secret are treated as a correct Server Cookie during that time.  When
   a server responds to a request containing an old Server Cookie that
   the server is treating as correct, the server MUST include a new
   Server Cookie in its response.
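
   The cookie inputs of Section 6 and the rollover rules of this section
   as an added example (not the algorithms of Appendix A or B, nor BIND's
   code): the Client Cookie is derived from the Server IP Address and the
   Client Secret only, the Server Cookie from the request source address
   and the Client Cookie, rollover time gets the recommended jitter, and
   the server honours its previous secret only for a bounded grace window
   while always answering with a cookie under the new secret.  The
   HMAC-SHA-256-truncated PRF, the 16-byte secret size and the
   ServerSecretState class are assumptions of the example.

```python
import hashlib
import hmac
import ipaddress
import random
import secrets
import time
from typing import Optional, Tuple

# Section 7.1 limits, in seconds
MAX_SECRET_LIFETIME = 36 * 86400          # MUST NOT use a secret longer than this
RECOMMENDED_SECRET_LIFETIME = 26 * 3600   # SHOULD NOT use a secret longer than this
GRACE_MIN, GRACE_MAX, GRACE_DEFAULT = 1, 300, 150


def prf64(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 truncated to 64 bits, one of the PRFs Section 9.1 allows
    (a constructed choice for this example, not the RFC's appendix algorithm)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:8]


def client_cookie(client_secret: bytes, server_ip: str) -> bytes:
    """Section 6: only the Server IP Address and the slowly changing Client
    Secret go in, never the request ID, so the cookie is stable per server."""
    return prf64(client_secret, ipaddress.ip_address(server_ip).packed)


def server_cookie(server_secret: bytes, cc: bytes, src_ip: str) -> bytes:
    """Section 6: PRF of the request source IP address AND the Client Cookie,
    which tells apart clients that share one NAT address."""
    return prf64(server_secret, ipaddress.ip_address(src_ip).packed, cc)


def jittered_lifetime(lifetime_s: float, rng=random) -> float:
    """Section 7.1: pseudorandom jitter of plus zero to minus at least 40%
    applied to the time until the scheduled rollover."""
    return lifetime_s * (1.0 - rng.uniform(0.0, 0.4))


class ServerSecretState:
    """Current and previous Server Secret with the Section 7.1 grace window."""

    def __init__(self, secret: bytes, lifetime_s: float = 86400,
                 grace_s: int = GRACE_DEFAULT, now=time.monotonic, rng=random):
        if lifetime_s > MAX_SECRET_LIFETIME:
            raise ValueError("secret lifetime above the 36-day maximum")
        if not GRACE_MIN <= grace_s <= GRACE_MAX:
            raise ValueError("previous-secret retention must be 1..300 seconds")
        self.secret: bytes = secret
        self.previous: Optional[bytes] = None
        self.lifetime_s, self.grace_s, self.now, self.rng = lifetime_s, grace_s, now, rng
        self.previous_until = 0.0
        self.rollover_at = now() + jittered_lifetime(lifetime_s, rng)

    def rollover(self, new_secret: Optional[bytes] = None) -> None:
        """Adopt a new secret (cryptographically strong random bytes unless
        supplied) and keep the old one only for grace_s seconds."""
        self.previous, self.secret = self.secret, new_secret or secrets.token_bytes(16)
        self.previous_until = self.now() + self.grace_s
        self.rollover_at = self.now() + jittered_lifetime(self.lifetime_s, self.rng)

    def check(self, cc: bytes, src_ip: str, presented: bytes) -> Tuple[bool, bytes]:
        """Validate a presented Server Cookie; returns (accepted, cookie to send).
        A cookie under the previous secret is accepted inside the grace window,
        but the response MUST carry a cookie computed under the new secret."""
        if self.now() >= self.rollover_at:
            self.rollover()
        current = server_cookie(self.secret, cc, src_ip)
        if hmac.compare_digest(presented, current):
            return True, current
        if self.previous is not None and self.now() < self.previous_until:
            old = server_cookie(self.previous, cc, src_ip)
            if hmac.compare_digest(presented, old):
                return True, current
        return False, current
```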

7.2.  Counters

   It is RECOMMENDED that implementations include counters of the
   occurrences of the various types of requests and responses described
   in Section 5.

8.  IANA Considerations

   IANA has assigned the following DNS EDNS0 option code:

       Value       Name      Status        Reference
      --------    ------    --------    ---------------
         10       COOKIE    Standard       RFC 7873

   IANA has assigned the following DNS error code as an early allocation
   per [RFC7120]:

       RCODE       Name       Description                 Reference
      --------  ---------  -------------------------   ---------------
         23     BADCOOKIE  Bad/missing Server Cookie      RFC 7873

9.  Security Considerations

   DNS Cookies provide a weak form of authentication of DNS requests and
   responses.  In particular, they provide no protection against
   "on-path" adversaries; that is, they provide no protection against
   any adversary that can observe the plaintext DNS traffic, such as an
   on-path router, bridge, or any device on an on-path shared link
   (unless the DNS traffic in question on that path is encrypted).

   For example, if a host is connected via an unsecured IEEE Std. 802.11
   link (Wi-Fi), any device in the vicinity that could receive and
   decode the 802.11 transmissions must be considered "on path".  On the
   other hand, in a similar situation but one where 802.11 Robust
   Security (WPA2, also called "Wi-Fi Protected Access 2") is
   appropriately deployed on the Wi-Fi network nodes, only the
   Access Point via which the host is connecting is "on path" as far as
   the 802.11 link is concerned.

   Despite these limitations, deployment of DNS Cookies on the global
   Internet is expected to provide a significant reduction in the
   available launch points for the traffic amplification and denial-of-
   service forgery attacks described in Section 2 above.

   Work is underway in the IETF DPRIVE working group to provide
   confidentiality for DNS requests and responses that would be
   compatible with DNS Cookies.

   Should stronger message/transaction security be desired, it is
   suggested that TSIG or SIG(0) security be used (see Section 3.2);
   however, it may be useful to use DNS Cookies in conjunction with
   these features.  In particular, DNS Cookies could screen out many DNS
   messages before the cryptographic computations of TSIG or SIG(0) are
   required, and if SIG(0) is in use, DNS Cookies could usefully screen
   out many requests given that SIG(0) does not screen requests but only
   authenticates the response of complete transactions.

   An attacker that does not know the Server Cookie could do a variety
   of things, such as omitting the COOKIE option or sending a random
   Server Cookie.  In general, DNS servers need to take other measures,
   including rate-limiting responses, to protect from abuse in such
   cases.  See further information in Section 5.2.

   When a server or client starts receiving an increased level of
   requests with bad Server Cookies or replies with bad Client Cookies,
   it would be reasonable for it to believe that it is likely under
   attack, and it should consider a more frequent rollover of its
   secret.  More rapid rollover decreases the benefit to a
   cookie-guessing attacker if they succeed in guessing a cookie.
 1039                                                                            
 1040                                                                            
 1041                                                                            
 1042 Eastlake & Andrews           Standards Track                   [Page 19]   

 1043 RFC 7873                       DNS Cookies                      May 2016   
 1044                                                                            
 1045                                                                            
 1046 9.1.  Cookie Algorithm Considerations                                      
 1047                                                                            
 1048    The cookie computation algorithm for use in DNS Cookies SHOULD be       
 1049    based on a pseudorandom function at least as strong as 64-bit FNV       
 1050    (Fowler/Noll/Vo [FNV]), because an excessively weak or trivial          
 1051    algorithm could enable adversaries to guess cookies.  However, in       
 1052    light of the lightweight plaintext token security provided by           
 1053    DNS Cookies, a strong cryptography hash algorithm may not be            
 1054    warranted in many cases and would cause an increased computational      
 1055    burden.  Nevertheless, there is nothing wrong with using something      
 1056    stronger -- for example, HMAC-SHA-256 [RFC6234] truncated to 64 bits,   
 1057    assuming that a DNS processor has adequate computational resources      
 1058    available.  DNS implementations or applications that need somewhat      
 1059    stronger security without a significant increase in computational       
 1060    load should consider more frequent changes in their client and/or       
 1061    Server Secret; however, this does require more frequent generation of   
 1062    a cryptographically strong random number [RFC4086].  See Appendices A   
 1063    and B for specific examples of cookie computation algorithms.           
 1064                                                                            
 1065 10.  Implementation Considerations                                         
 1066                                                                            
 1067    The DNS COOKIE option specified herein is implemented in BIND 9.10      
 1068    using an experimental option code.  BIND 9.10.3 (and later) use the     
 1069    allocated option code.                                                  
 1070                                                                            
 1071 11.  References                                                            
 1072                                                                            
 1073 11.1.  Normative References                                                
 1074                                                                            
 1075    [RFC1035]  Mockapetris, P., "Domain names - implementation and          
 1076               specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,      
 1077               November 1987, <http://www.rfc-editor.org/info/rfc1035>.     
 1078                                                                            
 1079    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate          
 1080               Requirement Levels", BCP 14, RFC 2119,                       
 1081               DOI 10.17487/RFC2119, March 1997,                            
 1082               <http://www.rfc-editor.org/info/rfc2119>.                    
 1083                                                                            
 1084    [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,              
 1085               "Randomness Requirements for Security", BCP 106, RFC 4086,   
 1086               DOI 10.17487/RFC4086, June 2005,                             
 1087               <http://www.rfc-editor.org/info/rfc4086>.                    

   [RFC6891]  Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
              for DNS (EDNS(0))", STD 75, RFC 6891,
              DOI 10.17487/RFC6891, April 2013,
              <http://www.rfc-editor.org/info/rfc6891>.

   [RFC7120]  Cotton, M., "Early IANA Allocation of Standards Track Code
              Points", BCP 100, RFC 7120, DOI 10.17487/RFC7120,
              January 2014, <http://www.rfc-editor.org/info/rfc7120>.

11.2.  Informative References

   [FNV]      Fowler, G., Noll, L., Vo, K., and D. Eastlake 3rd, "The
              FNV Non-Cryptographic Hash Algorithm", Work in Progress,
              draft-eastlake-fnv-10, October 2015.

   [Kaminsky] Olney, M., Mullen, P., and K. Miklavcic, "Dan Kaminsky's
              2008 DNS Vulnerability", July 2008, <https://www.ietf.org/
              mail-archive/web/dnsop/current/pdf2jgx6rzxN4.pdf>.

   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
              Wellington, "Secret Key Transaction Authentication for DNS
              (TSIG)", RFC 2845, DOI 10.17487/RFC2845, May 2000,
              <http://www.rfc-editor.org/info/rfc2845>.

   [RFC2930]  Eastlake 3rd, D., "Secret Key Establishment for DNS
              (TKEY RR)", RFC 2930, DOI 10.17487/RFC2930,
              September 2000, <http://www.rfc-editor.org/info/rfc2930>.

   [RFC2931]  Eastlake 3rd, D., "DNS Request and Transaction Signatures
              ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931,
              September 2000, <http://www.rfc-editor.org/info/rfc2931>.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001,
              <http://www.rfc-editor.org/info/rfc3022>.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, DOI 10.17487/RFC4033, March 2005,
              <http://www.rfc-editor.org/info/rfc4033>.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, DOI 10.17487/RFC4034, March 2005,
              <http://www.rfc-editor.org/info/rfc4034>.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
              <http://www.rfc-editor.org/info/rfc4035>.

   [RFC4966]  Aoun, C. and E. Davies, "Reasons to Move the Network
              Address Translator - Protocol Translator (NAT-PT) to
              Historic Status", RFC 4966, DOI 10.17487/RFC4966,
              July 2007, <http://www.rfc-editor.org/info/rfc4966>.

   [RFC5452]  Hubert, A. and R. van Mook, "Measures for Making DNS
              More Resilient against Forged Answers", RFC 5452,
              DOI 10.17487/RFC5452, January 2009,
              <http://www.rfc-editor.org/info/rfc5452>.

   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234,
              DOI 10.17487/RFC6234, May 2011,
              <http://www.rfc-editor.org/info/rfc6234>.
Appendix A.  Example Client Cookie Algorithms

A.1.  A Simple Algorithm

   A simple example method to compute Client Cookies is the FNV64 [FNV]
   of the Client IP Address, the Server IP Address, and the Client
   Secret:

      Client Cookie =
         FNV64( Client IP Address | Server IP Address | Client Secret )

   where "|" indicates concatenation.  Some computational resources may
   be saved by pre-computing FNV64 through the Client IP Address.  (If
   the order of the items concatenated above is changed to put the
   Server IP Address last, it might be possible to further reduce the
   computational effort by pre-computing FNV64 through the bytes of both
   the Client IP Address and the Client Secret, but this would reduce
   the strength of the Client Cookie and is NOT RECOMMENDED.)

A.2.  A More Complex Algorithm

   A more complex algorithm to calculate Client Cookies is given below.
   It uses more computational resources than the simpler algorithm shown
   in Appendix A.1.

      Client Cookie =
         HMAC-SHA256-64( Client IP Address | Server IP Address,
                          Client Secret )

Appendix B.  Example Server Cookie Algorithms

B.1.  A Simple Algorithm

   An example of a simple method producing a 64-bit Server Cookie is the
   FNV64 [FNV] of the request IP address, the Client Cookie, and the
   Server Secret.

      Server Cookie =
         FNV64( Client IP Address | Client Cookie | Server Secret )

   where "|" represents concatenation.  (If the order of the items
   concatenated was changed, it might be possible to reduce the
   computational effort by pre-computing FNV64 through the bytes of the
   Server Secret and Client Cookie, but this would reduce the strength
   of the Server Cookie and is NOT RECOMMENDED.)
B.2.  A More Complex Algorithm

   Since the Server Cookie has a variable size, the server can store
   various information in that field as long as it is hard for an
   adversary to guess the entire quantity used for authentication.
   There should be 64 bits of entropy in the Server Cookie; for example,
   it could have a sub-field of 64 bits computed pseudorandomly with the
   Server Secret as one of the inputs to the pseudorandom function.
   Types of additional information that could be stored include a
   timestamp and/or a nonce.

   The example below is one variation of the Server Cookie that has been
   implemented in BIND 9.10.3 (and later) releases, where the
   Server Cookie is 128 bits, composed as follows:

         Sub-field      Size
         ---------   ---------
           Nonce      32 bits
           Time       32 bits
           Hash       64 bits

   With this algorithm, the server sends a new 128-bit cookie back with
   every request.  The Nonce field assures a low probability that there
   would be a duplicate.

   The Time field gives the server time and makes it easy to reject old
   cookies.

   The Hash part of the Server Cookie is the part that is hard to guess.
   In BIND 9.10.3 (and later), its computation can be configured to use
   AES, HMAC-SHA-1, or, as shown below, HMAC-SHA-256:

       hash =
           HMAC-SHA256-64( Server Secret,
               (Client Cookie | Nonce | Time | Client IP Address) )

   where "|" represents concatenation.
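   The four constructions of Appendices A and B, as an added Python
   example that is not part of this RFC or of BIND: it assumes FNV-1a as
   the FNV64 variant, takes HMAC-SHA256-64 to mean the leftmost 64 bits of
   HMAC-SHA256, and encodes the Nonce and Time sub-fields as 32-bit
   big-endian integers; the verifier also shows how the Time field lets a
   server reject old cookies.

```python
import hashlib
import hmac
import ipaddress
import struct

MASK64 = (1 << 64) - 1

def fnv64(data: bytes) -> int:
    # FNV-1a, 64-bit (assumed to be the FNV64 variant meant by [FNV])
    h = 0xCBF29CE484222325
    for byte in data:
        h = ((h ^ byte) * 0x100000001B3) & MASK64
    return h

def hmac_sha256_64(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 truncated to its leftmost 64 bits (assumed truncation)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def ip_bytes(addr: str) -> bytes:
    # IPv4 or IPv6 address in network byte order (4 or 16 bytes)
    return ipaddress.ip_address(addr).packed

# Appendix A.1: FNV64( Client IP | Server IP | Client Secret )
def client_cookie_simple(client_ip: str, server_ip: str, secret: bytes) -> bytes:
    return fnv64(ip_bytes(client_ip) + ip_bytes(server_ip) + secret).to_bytes(8, "big")

# Appendix A.2: HMAC-SHA256-64( Client IP | Server IP, Client Secret )
def client_cookie_hmac(client_ip: str, server_ip: str, secret: bytes) -> bytes:
    return hmac_sha256_64(secret, ip_bytes(client_ip) + ip_bytes(server_ip))

# Appendix B.1: FNV64( Client IP | Client Cookie | Server Secret )
def server_cookie_simple(client_ip: str, client_cookie: bytes, secret: bytes) -> bytes:
    return fnv64(ip_bytes(client_ip) + client_cookie + secret).to_bytes(8, "big")

# Appendix B.2: 128-bit cookie = Nonce(32) | Time(32) | Hash(64), with
# Hash = HMAC-SHA256-64( Server Secret, Client Cookie | Nonce | Time | Client IP )
def server_cookie_bind(client_ip: str, client_cookie: bytes, secret: bytes,
                       nonce: int, now: int) -> bytes:
    head = struct.pack(">II", nonce, now)          # big-endian sub-fields (assumed)
    tag = hmac_sha256_64(secret, client_cookie + head + ip_bytes(client_ip))
    return head + tag

def verify_server_cookie_bind(cookie: bytes, client_ip: str, client_cookie: bytes,
                              secret: bytes, now: int, max_age: int = 3600) -> bool:
    # Recompute the Hash over the received Nonce|Time, then reject stale cookies.
    if len(cookie) != 16:
        return False
    head, tag = cookie[:8], cookie[8:]
    expected = hmac_sha256_64(secret, client_cookie + head + ip_bytes(client_ip))
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return False
    _nonce, issued = struct.unpack(">II", head)
    age = (now - issued) & 0xFFFFFFFF            # modular: a future Time also fails
    return age <= max_age
```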
Acknowledgments

   The suggestions and contributions of the following are gratefully
   acknowledged:

      Alissa Cooper, Bob Harold, Paul Hoffman, David Malone, Yoav Nir,
      Gayle Noble, Dan Romascanu, Tim Wicinski, and Peter Yee

Authors' Addresses

   Donald E. Eastlake 3rd
   Huawei Technologies
   155 Beaver Street
   Milford, MA  01757
   United States

   Phone: +1-508-333-2270
   Email: d3e3e3@gmail.com


   Mark Andrews
   Internet Systems Consortium
   950 Charter Street
   Redwood City, CA  94063
   United States

   Email: marka@isc.org
The IETF is responsible for the creation and maintenance of the DNS RFCs. The ICANN DNS RFC annotation project provides a forum for collecting community annotations on these RFCs as an aid to understanding for implementers and any interested parties. The annotations displayed here are not the result of the IETF consensus process.

This RFC is included in the DNS RFCs annotation project.

RFC 9018 is a significant update throughout this document. As the abstract of RFC 9018 says:

This document updates RFC 7873 with precise directions for creating
Server Cookies so that an anycast server set including diverse
implementations will interoperate with standard clients, with
suggestions for constructing Client Cookies in a privacy-preserving
fashion, and with suggestions on how to update a Server Secret.