Interoperable Domain Name System Server Cookies
RFC 9018, “Interoperable Domain Name System Server Cookies”, is a Proposed Standard document published in April 2021 by O. Sury, W. Toorop, D. Eastlake 3rd and M. Andrews. It updates RFC 7873. The canonical text is published by the RFC Editor.
Abstract
DNS Cookies, as specified in RFC 7873, are a lightweight DNS transaction security mechanism that provide limited protection to DNS servers and clients against a variety of denial-of-service amplification, forgery, or cache-poisoning attacks by off-path attackers.
This document updates RFC 7873 with precise directions for creating Server Cookies so that an anycast server set including diverse implementations will interoperate with standard clients, with suggestions for constructing Client Cookies in a privacy-preserving fashion, and with suggestions on how to update a Server Secret. An IANA registry listing the methods and associated pseudorandom function suitable for creating DNS Server Cookies has been created with the method described in this document as the first and, as of the time of publication, only entry.
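As an added example, not code from RFC 9018 or from any DNS server implementation, the following Python shows the Server Cookie construction and checks the abstract refers to: a 16-byte cookie made of Version 1, three reserved zero bytes, a 32-bit timestamp and an 8-byte SipHash-2-4 tag keyed with the 128-bit Server Secret over Client Cookie, Version, Reserved, Timestamp and the client's address. Verification applies the one-hour-past / five-minute-future acceptance window, marks cookies older than half an hour for renewal, and tries a retired secret as well as the current one so that a Server Secret rollover does not invalidate cookies that are still fresh. The secrets, client cookie, addresses and timestamps are constructed for illustration only; SipHash-2-4 is implemented inline because Python's standard library does not expose it.

```python
"""RFC 9018-style Server Cookies: illustrative code, not BIND/Unbound/NSD/Knot code."""
import hmac
import ipaddress
import secrets
import struct

MASK64 = (1 << 64) - 1


def _rotl(x: int, b: int) -> int:
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4 with a 128-bit key; returns the 64-bit tag as an int."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    v0 = k0 ^ 0x736F6D6570736575
    v1 = k1 ^ 0x646F72616E646F6D
    v2 = k0 ^ 0x6C7967656E657261
    v3 = k1 ^ 0x7465646279746573
    full = len(msg) - len(msg) % 8
    for i in range(0, full, 8):              # compression: two rounds per 8-byte word
        m = int.from_bytes(msg[i:i + 8], "little")
        v3 ^= m
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0 ^= m
    # Final block: leftover bytes plus the message length in the top byte.
    last = ((len(msg) & 0xFF) << 56) | int.from_bytes(msg[full:], "little")
    v3 ^= last
    v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    v0 ^= last
    v2 ^= 0xFF                               # finalization: four rounds
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


VERSION = 1
MAX_AGE = 3600       # accept cookies up to one hour old
MAX_FUTURE = 300     # and up to five minutes ahead (clock skew inside the anycast set)
RENEW_AFTER = 1800   # send a fresh cookie once the client's is more than half an hour old


def new_client_cookie() -> bytes:
    """Client Cookie: 8 random bytes kept per server and regenerated when the client's
    own address changes, so the value cannot be used to track the client across networks."""
    return secrets.token_bytes(8)


def _serial_age(now: int, ts: int) -> int:
    """now - ts under 32-bit serial-number arithmetic, so a timestamp wrap is harmless."""
    d = (now - ts) & 0xFFFFFFFF
    return d - (1 << 32) if d >= (1 << 31) else d


def make_server_cookie(secret: bytes, client_cookie: bytes, client_ip: str, now: int) -> bytes:
    """Version(1) | Reserved(3, zero) | Timestamp(4, big-endian) | SipHash-2-4 tag(8)."""
    if len(client_cookie) != 8:
        raise ValueError("Client Cookie must be 8 bytes")
    prefix = bytes([VERSION, 0, 0, 0]) + struct.pack(">I", now & 0xFFFFFFFF)
    ip = ipaddress.ip_address(client_ip).packed    # 4 bytes for IPv4, 16 for IPv6
    tag = siphash24(secret, client_cookie + prefix + ip)
    # Serialised little-endian, as the SipHash reference implementation emits its 8-byte output.
    return prefix + tag.to_bytes(8, "little")


def check_server_cookie(secrets_newest_first, client_cookie: bytes, client_ip: str,
                        cookie: bytes, now: int):
    """Returns (valid, send_new_cookie). Every listed secret is tried, so a just-retired
    Server Secret keeps validating the cookies it issued while they are inside the window."""
    if len(cookie) != 16 or cookie[0] != VERSION or cookie[1:4] != b"\x00\x00\x00":
        return False, True
    ts = struct.unpack(">I", cookie[4:8])[0]
    age = _serial_age(now, ts)
    if age > MAX_AGE or age < -MAX_FUTURE:
        return False, True                       # replay window exceeded: treat as no cookie
    for secret in secrets_newest_first:
        expected = make_server_cookie(secret, client_cookie, client_ip, ts)
        if hmac.compare_digest(expected, cookie):  # constant-time comparison
            return True, age > RENEW_AFTER
    return False, True


if __name__ == "__main__":
    # Constructed values for a stand-alone run (not RFC 9018 test vectors).
    old_secret = bytes.fromhex("e5e973e5a6b2a43f48e7dc849e37bfcf")
    new_secret = bytes.fromhex("00112233445566778899aabbccddeeff")
    cc = new_client_cookie()
    sc = make_server_cookie(old_secret, cc, "198.51.100.100", 1700000000)
    print("server cookie:", sc.hex())
    print("after rollover, old secret retained:",
          check_server_cookie([new_secret, old_secret], cc, "198.51.100.100", sc, 1700000010))
```

Because the tag covers the client address, a cookie issued to one address fails for another, and because timestamp and version are hashed as well they cannot be edited in transit; any server in the anycast set holding the same secret and the same clock tolerance produces and accepts identical cookies, which is the interoperability property the document specifies.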
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 9018 is hosted at rfc-editor.org. Available in HTML, TXT, PDF and XML.