Domain Name System Cookies
RFC 7873, “Domain Name System Cookies”, is a Proposed Standard document published in May 2016 by D. Eastlake 3rd and M. Andrews. It has since been updated by RFC 9018. The canonical text is published by the RFC Editor.
Abstract
DNS Cookies are a lightweight DNS transaction security mechanism that provides limited protection to DNS servers and clients against a variety of increasingly common denial-of-service and amplification/forgery or cache poisoning attacks by off-path attackers. DNS Cookies are tolerant of NAT, NAT-PT (Network Address Translation - Protocol Translation), and anycast and can be incrementally deployed. (Since DNS Cookies are only returned to the IP address from which they were originally received, they cannot be used to generally track Internet users.)
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 7873 is hosted at rfc-editor.org. It is available in TXT and HTML formats.