| draft-ietf-dnsop-server-cookies-03.txt | draft-ietf-dnsop-server-cookies-04.txt | |||
|---|---|---|---|---|
| DNSOP Working Group O. Sury | DNSOP Working Group O. Sury | |||
| Internet-Draft Internet Systems Consortium | Internet-Draft Internet Systems Consortium | |||
| Updates: 7873 (if approved) W. Toorop | Updates: 7873 (if approved) W. Toorop | |||
| Intended status: Standards Track NLnet Labs | Intended status: Standards Track NLnet Labs | |||
| Expires: November 21, 2020 D. Eastlake 3rd | Expires: 23 May 2021 D. Eastlake 3rd | |||
| Futurewei Technologies | Futurewei Technologies | |||
| M. Andrews | M. Andrews | |||
| Internet Systems Consortium | Internet Systems Consortium | |||
| May 20, 2020 | 19 November 2020 | |||
| Interoperable Domain Name System (DNS) Server Cookies | Interoperable Domain Name System (DNS) Server Cookies | |||
| draft-ietf-dnsop-server-cookies-03 | draft-ietf-dnsop-server-cookies-04 | |||
| Abstract | Abstract | |||
| DNS cookies, as specified in RFC 7873, are a lightweight DNS | DNS Cookies, as specified in [RFC7873], are a lightweight DNS | |||
| transaction security mechanism that provides limited protection to | transaction security mechanism that provide limited protection to DNS | |||
| DNS servers and clients against a variety of denial-of-service and | servers and clients against a variety of denial-of-service and | |||
| amplification, forgery, or cache poisoning attacks by off-path | amplification, forgery, or cache poisoning attacks by off-path | |||
| attackers. | attackers. | |||
| This document provides precise directions for creating Server Cookies | This document provides precise directions for creating Server Cookies | |||
| so that an anycast server set including diverse implementations will | so that an anycast server set including diverse implementations will | |||
| interoperate with standard clients. | interoperate with standard clients. | |||
| This document updates [RFC7873] | This document updates [RFC7873] with | |||
| * suggestions for constructing Client Cookies in a privacy | ||||
| preserving fashion, | ||||
| * precise instructions for constructing Server Cookies deprecating | ||||
| the methods described in [RFC7873], and | ||||
| * suggestions on how to update a server secret. | ||||
| An IANA registry listing the methods and associated pseudo random | ||||
| function suitable for creating DNS Server cookies is created, with | ||||
| the method described in this document as the first and as of yet only | ||||
| entry. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 21, 2020. | This Internet-Draft will expire on 23 May 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | license-info) in effect on the date of publication of this document. | |||
| publication of this document. Please review these documents | Please review these documents carefully, as they describe your rights | |||
| carefully, as they describe your rights and restrictions with respect | and restrictions with respect to this document. Code Components | |||
| to this document. Code Components extracted from this document must | extracted from this document must include Simplified BSD License text | |||
| include Simplified BSD License text as described in Section 4.e of | as described in Section 4.e of the Trust Legal Provisions and are | |||
| the Trust Legal Provisions and are provided without warranty as | provided without warranty as described in the Simplified BSD License. | |||
| described in the Simplified BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Contents of this document . . . . . . . . . . . . . . . . 3 | 1.1. Contents of this document . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Terminology and Definitions . . . . . . . . . . . . . . . 4 | |||
| 2. Changes to [RFC7873] . . . . . . . . . . . . . . . . . . . . 4 | 2. Changes to [RFC7873] . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Constructing a Client Cookie . . . . . . . . . . . . . . . . 4 | 3. Constructing a Client Cookie . . . . . . . . . . . . . . . . 4 | |||
| 4. Constructing a Server Cookie . . . . . . . . . . . . . . . . 5 | 4. Constructing a Server Cookie . . . . . . . . . . . . . . . . 5 | |||
| 4.1. The Version Sub-Field . . . . . . . . . . . . . . . . . . 6 | 4.1. The Version Sub-Field . . . . . . . . . . . . . . . . . . 6 | |||
| 4.2. The Reserved Sub-Field . . . . . . . . . . . . . . . . . 6 | 4.2. The Reserved Sub-Field . . . . . . . . . . . . . . . . . 6 | |||
| 4.3. The Timestamp Sub-Field . . . . . . . . . . . . . . . . . 6 | 4.3. The Timestamp Sub-Field . . . . . . . . . . . . . . . . . 6 | |||
| 4.4. The Hash Sub-Field . . . . . . . . . . . . . . . . . . . 6 | 4.4. The Hash Sub-Field . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. Updating the Server Secret . . . . . . . . . . . . . . . . . 7 | 5. Updating the Server Secret . . . . . . . . . . . . . . . . . 7 | |||
| 6. Cookie Algorithms . . . . . . . . . . . . . . . . . . . . . . 8 | 6. Cookie Algorithms . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. Security and Privacy Considerations . . . . . . . . . . . . . 9 | 8. Security and Privacy Considerations . . . . . . . . . . . . . 9 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 10. Normative References . . . . . . . . . . . . . . . . . . . . 10 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 10 | 11. Informative References . . . . . . . . . . . . . . . . . . . 11 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 | Appendix A. Test vectors . . . . . . . . . . . . . . . . . . . . 11 | |||
| Appendix B. Test vectors . . . . . . . . . . . . . . . . . . . . 11 | A.1. Learning a new Server Cookie . . . . . . . . . . . . . . 11 | |||
| B.1. Learning a new Server Cookie . . . . . . . . . . . . . . 11 | A.2. The same client learning a renewed (fresh) Server | |||
| B.2. The same client learning a renewed (fresh) Server Cookie 12 | Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| B.3. Another client learning a renewed Server Cookie . . . . . 13 | A.3. Another client learning a renewed Server Cookie . . . . . 13 | |||
| B.4. IPv6 query with rolled over secret . . . . . . . . . . . 14 | A.4. IPv6 query with rolled over secret . . . . . . . . . . . 14 | |||
| Appendix C. Implementation status . . . . . . . . . . . . . . . 15 | Appendix B. Implementation status . . . . . . . . . . . . . . . 15 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 1. Introduction | 1. Introduction | |||
| DNS cookies, as specified in [RFC7873], are a lightweight DNS | DNS Cookies, as specified in [RFC7873], are a lightweight DNS | |||
| transaction security mechanism that provides limited protection to | transaction security mechanism that provide limited protection to DNS | |||
| DNS servers and clients against a variety of denial-of-service and | servers and clients against a variety of denial-of-service and | |||
| amplification, forgery, or cache poisoning attacks by off-path | amplification, forgery, or cache poisoning attacks by off-path | |||
| attackers. This document specifies a means of producing | attackers. This document specifies a means of producing | |||
| interoperable strong cookies so that an anycast server set including | interoperable strong cookies so that an anycast server set including | |||
| diverse implementations can be easily configured to interoperate with | diverse implementations can be easily configured to interoperate with | |||
| standard clients. | standard clients. | |||
| The threats considered for DNS Cookies and the properties of the DNS | The threats considered for DNS Cookies and the properties of the DNS | |||
| Security features other than DNS Cookies are discussed in [RFC7873]. | Security features other than DNS Cookies are discussed in [RFC7873]. | |||
| In [RFC7873] in Section 6 it is "RECOMMENDED for simplicity that the | In [RFC7873] in Section 6 it is "RECOMMENDED for simplicity that the | |||
| skipping to change at page 3, line 33 ¶ | skipping to change at page 3, line 45 ¶ | |||
| by one implementation cannot generally be validated by another. | by one implementation cannot generally be validated by another. | |||
| There is no need for DNS client (resolver) Cookies to be | There is no need for DNS client (resolver) Cookies to be | |||
| interoperable across different implementations. Each client need | interoperable across different implementations. Each client need | |||
| only be able to recognize its own cookies. However, this document | only be able to recognize its own cookies. However, this document | |||
| does contain recommendations for constructing Client Cookies in a | does contain recommendations for constructing Client Cookies in a | |||
| Client protecting fashion. | Client protecting fashion. | |||
| 1.1. Contents of this document | 1.1. Contents of this document | |||
| Section Section 2 summarises the changes to [RFC7873]. | Section 2 summarises the changes to [RFC7873]. | |||
| In Section Section 3 suggestions for constructing a Client Cookie are | In Section 3 suggestions for constructing a Client Cookie are given. | |||
| given. | ||||
| In Section Section 4 instructions for constructing a Server Cookie | In Section 4 instructions for constructing a Server Cookie are given. | |||
| are given. | ||||
| In Section Section 5 instructions on updating Server Secrets are | In Section 5 instructions on updating Server Secrets are given. | |||
| given. | ||||
| In Section Section 6 the different hash functions usable for DNS | In Section 6 the different hash functions usable for DNS Cookie | |||
| Cookie construction are listed. [FNV] and HMAC-SHA-256-64 [RFC6234] | construction are listed. [FNV] and HMAC-SHA-256-64 [RFC6234] are | |||
| are deprecated and [SipHash-2.4] is introduced as a REQUIRED hash | deprecated and [SipHash-2.4] is introduced as a REQUIRED hash | |||
| function for server side DNS Cookie implementations. | function for server side DNS Cookie implementations. | |||
| IANA considerations are in Section 7. | IANA considerations are in Section 7. | |||
| Privacy and Security Considerations in Section 8. | Privacy and Security Considerations in Section 8. | |||
| Acknowledgements are in Appendix A. | Acknowledgements are in Section 9. | |||
| Test vectors are in Appendix B. | Test vectors are in Appendix A. | |||
| 1.2. Definitions | 1.2. Terminology and Definitions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "*NOT RECOMMENDED*", "MAY", | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| and "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| o "IP Address" is used herein as a length independent term covering | * "IP Address" is used herein as a length independent term covering | |||
| both IPv4 and IPv6 addresses. | both IPv4 and IPv6 addresses. | |||
| 2. Changes to [RFC7873] | 2. Changes to [RFC7873] | |||
| In its Appendices A.1 and B.1, [RFC7873] provides example "simple" | In its Appendices A.1 and B.1, [RFC7873] provides example "simple" | |||
| algorithms for computing Client and Server Cookies, respectively. | algorithms for computing Client and Server Cookies, respectively. | |||
| These algorithms MUST NOT be used as the resulting cookies are too | These algorithms MUST NOT be used as the resulting cookies are too | |||
| weak when evaluated against modern security standards. | weak when evaluated against modern security standards. | |||
| In its Appendix B.2, [RFC7873] provides an example "more complex" | In its Appendix B.2, [RFC7873] provides an example "more complex" | |||
| skipping to change at page 4, line 46 ¶ | skipping to change at page 5, line 8 ¶ | |||
| 3. Constructing a Client Cookie | 3. Constructing a Client Cookie | |||
| The Client Cookie is a cryptographic nonce and should be treated as | The Client Cookie is a cryptographic nonce and should be treated as | |||
| such. It is RECOMMENDED to create a new Client Cookie for each new | such. It is RECOMMENDED to create a new Client Cookie for each new | |||
| upstream server a Client connects to. The Client Cookie SHOULD have | upstream server a Client connects to. The Client Cookie SHOULD have | |||
| 64-bits of entropy. | 64-bits of entropy. | |||
| When a Server does not support DNS Cookies, the Client MUST NOT send | When a Server does not support DNS Cookies, the Client MUST NOT send | |||
| the same Client Cookie to that same Server again. Instead, it is | the same Client Cookie to that same Server again. Instead, it is | |||
| recommended that the Client does not send a Client Cookie to that | recommended that the Client does not send a Client Cookie to that | |||
| Server for a certain period, like for example five minutes, before it | Server for a certain period, for example five minutes, before it | |||
| retries with a new Client Cookie. | retries with a new Client Cookie. | |||
| When a Server does support DNS Cookies, the Client should store the | When a Server does support DNS Cookies, the Client should store the | |||
| Client Cookie alongside the Server Cookie it registered for that | Client Cookie alongside the Server Cookie it registered for that | |||
| Server. | Server. | |||
| Except for when the Client IP address changes, there is no need to | Except for when the Client IP address changes, there is no need to | |||
| change the Client Cookie often. It is reasonable to change the | change the Client Cookie often. It is reasonable to change the | |||
| Client Cookie then only if it has been compromised or after a | Client Cookie then only if it has been compromised or after a | |||
| relatively long period of time such as no longer than a year. Client | relatively long period of time such as no longer than a year. Client | |||
| Cookies are not expected to survive a program restart. | Cookies are not expected to survive a program restart. | |||
| Client-Cookie = 64 bits of entropy | Client-Cookie = 64 bits of entropy | |||
| Previously, the recommended algorithm to compute the Client Cookie | Previously, the recommended algorithm to compute the Client Cookie | |||
| included Client IP Address as an input to a hashing function. | included Client IP Address as an input to a hashing function. | |||
| However, when implementing the DNS Cookies, several DNS vendors found | However, when implementing the DNS Cookies, several DNS vendors found | |||
| impractical to include the Client IP as the Client Cookie is | impractical to include the Client IP as the Client Cookie is | |||
| typically computed before the Client IP address is known. Therefore, | typically computed before the Client IP address is known. Therefore, | |||
| the requirement to put Client IP address as input was removed. | the requirement to put Client IP address as input was removed. | |||
| However, for privacy reasons, in order to prevent tracking of devices | However, for privacy reasons, in order to prevent tracking of devices | |||
| across links and to not circumvent IPv6 Privacy Extensions [RFC4941], | across links and to not circumvent IPv6 Privacy Extensions [RFC4941], | |||
| skipping to change at page 5, line 42 ¶ | skipping to change at page 6, line 7 ¶ | |||
| 4. Constructing a Server Cookie | 4. Constructing a Server Cookie | |||
| The Server Cookie is effectively a Message Authentication Code (MAC) | The Server Cookie is effectively a Message Authentication Code (MAC) | |||
| and should be treated as such. The Server Cookie is calculated from | and should be treated as such. The Server Cookie is calculated from | |||
| the Client Cookie, a series of Sub-Fields specified below, the Client | the Client Cookie, a series of Sub-Fields specified below, the Client | |||
| IP address, and a Server Secret known only to the servers responding | IP address, and a Server Secret known only to the servers responding | |||
| on the same address in an anycast set. | on the same address in an anycast set. | |||
| Changing the Server Secret regularly is RECOMMENDED but, when a | Changing the Server Secret regularly is RECOMMENDED but, when a | |||
| secure pseudorandom function is used, it need not be changed too | secure pseudorandom function is used, it need not be changed too | |||
| frequent. For example once a month would be adequate. See Section 5 | frequently. For example once a month would be adequate. See | |||
| on operator and implementation guidelines for updating a Server | Section 5 on operator and implementation guidelines for updating a | |||
| Secret. | Server Secret. | |||
| The 128-bit Server Cookie consists of Sub-Fields: a 1 octet Version | The 128-bit Server Cookie consists of Sub-Fields: a 1 octet Version | |||
| Sub-Field, a 3 octet Reserved Sub-Field, a 4 octet Timestamp Sub- | Sub-Field, a 3 octet Reserved Sub-Field, a 4 octet Timestamp Sub- | |||
| Field and an 8 octet Hash Sub-Field. | Field and an 8 octet Hash Sub-Field. | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Version | Reserved | | | Version | Reserved | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Timestamp | | | Timestamp | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Hash | | | Hash | | |||
| | | | | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| 4.1. The Version Sub-Field | 4.1. The Version Sub-Field | |||
| The Version Sub-Field prescribes the structure and Hash calculation | The Version Sub-Field prescribes the structure and Hash calculation | |||
| formula. This document defines Version 1 to be the structure and way | formula. This document defines Version 1 to be the structure and way | |||
| to calculate the Hash Sub-Field as defined in this Section. | to calculate the Hash Sub-Field as defined in this Section. | |||
| 4.2. The Reserved Sub-Field | 4.2. The Reserved Sub-Field | |||
| The value of the Reserved Sub-Field is reserved for future versions | The value of the Reserved Sub-Field is reserved for future versions | |||
| skipping to change at page 6, line 36 ¶ | skipping to change at page 6, line 46 ¶ | |||
| to zero octets. On Server Cookie verification the server MUST NOT | to zero octets. On Server Cookie verification the server MUST NOT | |||
| enforce those fields to be zero and the Hash should be computed with | enforce those fields to be zero and the Hash should be computed with | |||
| the received value as described in Section 4.4. | the received value as described in Section 4.4. | |||
| 4.3. The Timestamp Sub-Field | 4.3. The Timestamp Sub-Field | |||
| The Timestamp value prevents Replay Attacks and MUST be checked by | The Timestamp value prevents Replay Attacks and MUST be checked by | |||
| the server to be within a defined period of time. The DNS Server | the server to be within a defined period of time. The DNS Server | |||
| SHOULD allow Cookies within 1 hour period in the past and 5 minutes | SHOULD allow Cookies within 1 hour period in the past and 5 minutes | |||
| into the future to allow operation of low volume clients and some | into the future to allow operation of low volume clients and some | |||
| limited time skew between the DNS servers in the anycast. | limited time skew between the DNS servers in the anycast set. | |||
| The Timestamp value specifies a date and time in the form of a 32-bit | The Timestamp value specifies a date and time in the form of a 32-bit | |||
| unsigned number of seconds elapsed since 1 January 1970 00:00:00 UTC, | unsigned number of seconds elapsed since 1 January 1970 00:00:00 UTC, | |||
| ignoring leap seconds, in network byte order. All comparisons | ignoring leap seconds, in network byte order. All comparisons | |||
| involving these fields MUST use "Serial number arithmetic", as | involving these fields MUST use "Serial number arithmetic", as | |||
| defined in [RFC1982] | defined in [RFC1982] | |||
| The DNS Server SHOULD generate a new Server Cookie at least if the | The DNS Server SHOULD generate a new Server Cookie at least if the | |||
| received Server Cookie from the Client is more than half an hour old. | received Server Cookie from the Client is more than half an hour old. | |||
| 4.4. The Hash Sub-Field | 4.4. The Hash Sub-Field | |||
| It's important that all the DNS servers use the same algorithm for | It's important that all the DNS servers use the same algorithm for | |||
| computing the Server Cookie. This document defines the Version 1 of | computing the Server Cookie. This document defines the Version 1 of | |||
| the Server Side algorithm to be: | the Server Side algorithm to be: | |||
| Hash = SipHash2.4( | Hash = SipHash2.4( | |||
| Client Cookie | Version | Reserved | Timestamp | Client-IP, | Client Cookie | Version | Reserved | Timestamp | Client-IP, | |||
| Server Secret ) | Server Secret ) | |||
| where "|" indicates concatenation. | where "|" indicates concatenation. | |||
| Notice that Client-IP is used for hash generation even though it's | Notice that Client-IP is used for hash generation even though it's | |||
| not included in the cookie value itself. Client-IP can be either 4 | not included in the cookie value itself. Client-IP can be either 4 | |||
| bytes for IPv4 or 16 bytes for IPv6. | bytes for IPv4 or 16 bytes for IPv6. | |||
| The Server Secret MUST be configurable to make sure that servers in | The Server Secret MUST be configurable to make sure that servers in | |||
| an anycast network return consistent results. | an anycast network return consistent results. | |||
| 5. Updating the Server Secret | 5. Updating the Server Secret | |||
| All servers in an anycast group must be able to verify the Server | All servers in an anycast set must be able to verify the Server | |||
| Cookies constructed by all other servers in that anycast set at all | Cookies constructed by all other servers in that anycast set at all | |||
| times. Therefore it is vital that the Server Secret is shared among | times. Therefore it is vital that the Server Secret is shared among | |||
| all servers before it us used to generate Server Cookies. | all servers before it is used to generate Server Cookies. | |||
| Also, to maximize maintaining established relationships between | Also, to maximize maintaining established relationships between | |||
| clients and servers, an old Server Secret should be valid for | clients and servers, an old Server Secret should be valid for | |||
| verification purposes for a specific period. | verification purposes for a specific period. | |||
| To facilitate this, deployment of a new Server Secret MUST be done in | To facilitate this, deployment of a new Server Secret MUST be done in | |||
| three stages: | three stages: | |||
| Stage 1 | Stage 1 The new Server Secret is deployed on all the servers in an | |||
| The new Server Secret is deployed on all the servers in an anycast | anycast set by the operator. | |||
| set by the operator. | ||||
| Each server learns the new Server Secret, but keeps using the | ||||
| previous Server Secret to generate Server Cookies. | ||||
| Server Cookies constructed with the both the new Server Secret and | ||||
| with the previous Server Secret are considered valid when | ||||
| verifying. | ||||
| After stage 1 completed, all the servers in the anycast set have | ||||
| learned the new Server Secret, and can verify Server Cookies | ||||
| constructed with it, but keep generating Server Cookies with the | ||||
| old Server Secret. | ||||
| Stage 2 | ||||
| This stage is initiated by the operator after the Server Cookie is | ||||
| present on all members in the anycast set. | ||||
| When entering Stage 2, servers start generating Server Cookies | ||||
| with the new Server Secret. The previous Server Secret is not yet | ||||
| removed/forgotten about. | ||||
| Server Cookies constructed with the both the new Server Secret and | | Each server learns the new Server Secret, but keeps using the | |||
| with the previous Server Secret are considered valid when | | previous Server Secret to generate Server Cookies. | |||
| verifying. | | | |||
| | Server Cookies constructed with the both the new Server Secret and | ||||
| | with the previous Server Secret are considered valid when | ||||
| | verifying. | ||||
| | | ||||
| | After stage 1 completed, all the servers in the anycast set have | ||||
| | learned the new Server Secret, and can verify Server Cookies | ||||
| | constructed with it, but keep generating Server Cookies with the | ||||
| | old Server Secret. | ||||
| Stage 3 | Stage 2 This stage is initiated by the operator after the Server | |||
| This stage is initiated by the operator when it can be assumed | Cookie is present on all members in the anycast set. | |||
| that most clients have learned the new Server Secret. | ||||
| With this stage, the previous Server Secret can be removed and | | When entering Stage 2, servers start generating Server Cookies | |||
| MUST NOT be used anymore for verifying. | | with the new Server Secret. The previous Server Secret is not yet | |||
| | removed/forgotten about. | ||||
| | | ||||
| | Server Cookies constructed with the both the new Server Secret and | ||||
| | with the previous Server Secret are considered valid when | ||||
| | verifying. | ||||
| We RECOMMEND the operator to wait at least a period to be the | Stage 3 This stage is initiated by the operator when it can be | |||
| longest TTL in the zones served by the server plus half an hour | assumed that most clients have learned the new Server Secret. | |||
| after it initiated Stage 2, before initiating Stage 3. | ||||
| The operator SHOULD wait at least longer than the period clients | | With this stage, the previous Server Secret can be removed and | |||
| are allowed to use the same Server Cookie, which SHOULD be half an | | MUST NOT be used anymore for verifying. | |||
| hour, see Section 4.3. | | | |||
| | We RECOMMEND the operator to wait at least a period to be the | ||||
| | longest TTL in the zones served by the server plus half an hour | ||||
| | after it initiated Stage 2, before initiating Stage 3. | ||||
| | | ||||
| | The operator SHOULD wait at least longer than the period clients | ||||
| | are allowed to use the same Server Cookie, which SHOULD be half an | ||||
| | hour, see Section 4.3. | ||||
| 6. Cookie Algorithms | 6. Cookie Algorithms | |||
| [SipHash-2.4] is a pseudorandom function suitable as Message | [SipHash-2.4] is a pseudorandom function suitable as Message | |||
| Authentication Code. This document REQUIRES compliant DNS Server to | Authentication Code. This document REQUIRES compliant DNS Server to | |||
| use SipHash-2.4 as a mandatory and default algorithm for DNS Cookies | use SipHash-2.4 as a mandatory and default algorithm for DNS Cookies | |||
| to ensure interoperability between the DNS Implementations. | to ensure interoperability between the DNS Implementations. | |||
| The construction method and pseudorandom function used in calculating | The construction method and pseudorandom function used in calculating | |||
| and verifying the Server Cookies are determined by the initial | and verifying the Server Cookies are determined by the initial | |||
| version byte and by the length of the Server Cookie. Additional | version byte and by the length of the Server Cookie. Additional | |||
| pseudorandom or construction algorithms for Server Cookies might be | pseudorandom or construction algorithms for Server Cookies might be | |||
| added in the future. | added in the future. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| IANA is requested to create a registry on the "Domain Name System | IANA is requested to create a registry on the "Domain Name System | |||
| (DNS) Parameters" IANA web page as follows: | (DNS) Parameters" IANA web page as follows: | |||
| Registry Name: DNS Server Cookie Methods | Registry Name: DNS Server Cookie Methods\ Assignment Policy: Expert | |||
| Assignment Policy: Expert Review | Review\ Reference: [this document], [RFC7873]\ Note: Server Cookie | |||
| Reference: [this document], [RFC7873] | method (construction and pseudorandom algorithm) are determined by | |||
| Note: Server Cookie method (construction and pseudorandom algorithm) | the Version in the first byte of the Cookie and by the Cookie size. | |||
| are determined by the Version in the first byte of the Cookie and by | Server Cookie size is limited to the inclusive range of 8 to 32 | |||
| the Cookie size. Server Cookie size is limited to the inclusive | bytes. | |||
| range of 8 to 32 bytes. | ||||
| Implementation recommendations for Cookie Algorithms [DNSCOOKIE- | ||||
| IANA]: | ||||
| +---------+-------+---------------------------------------+ | +=========+=======+=======================================+ | |||
| | Version | Size | Method | | | Version | Size | Method | | |||
| +---------+-------+---------------------------------------+ | +=========+=======+=======================================+ | |||
| | 0 | 8-32 | reserved | | | 0 | 8-32 | reserved | | |||
| | 1 | 8-15 | unassiged | | +---------+-------+---------------------------------------+ | |||
| | 1 | 8-15 | unassigned | | ||||
| +---------+-------+---------------------------------------+ | ||||
| | 1 | 16 | SipHash-2.4 [this document] Section 4 | | | 1 | 16 | SipHash-2.4 [this document] Section 4 | | |||
| +---------+-------+---------------------------------------+ | ||||
| | 1 | 17-32 | unassigned | | | 1 | 17-32 | unassigned | | |||
| +---------+-------+---------------------------------------+ | ||||
| | 2-239 | 8-32 | unassigned | | | 2-239 | 8-32 | unassigned | | |||
| +---------+-------+---------------------------------------+ | ||||
| | 240-254 | 8-32 | private use | | | 240-254 | 8-32 | private use | | |||
| +---------+-------+---------------------------------------+ | ||||
| | 255 | 8-32 | reserved | | | 255 | 8-32 | reserved | | |||
| +---------+-------+---------------------------------------+ | +---------+-------+---------------------------------------+ | |||
| Table 1 | ||||
| 8. Security and Privacy Considerations | 8. Security and Privacy Considerations | |||
| DNS Cookies provides limited protection to DNS servers and clients | DNS Cookies provide limited protection to DNS servers and clients | |||
| against a variety of denial-of-service and amplification/forgery or | against a variety of denial-of-service and amplification/forgery or | |||
| cache poisoning attacks by off-path attackers. They provide no | cache poisoning attacks by off-path attackers. They provide no | |||
| protection against on-path adversaries that can observe the plaintext | protection against on-path adversaries that can observe the plaintext | |||
| DNS traffic. An on-path adversary that can observe a Server Cookie | DNS traffic. An on-path adversary that can observe a Server Cookie | |||
| for a client and server interaction, can use that Server Cookie for | for a client and server interaction, can use that Server Cookie for | |||
| amplification and denial-of-service forgery attacks for the lifetime | amplification and denial-of-service forgery attacks for the lifetime | |||
| of the Server Cookie. | of the Server Cookie. | |||
| In [RFC7873] it was RECOMMENDED to construct a Client Cookie by using | In [RFC7873] it was RECOMMENDED to construct a Client Cookie by using | |||
| a pseudorandom function of the Client IP Address, the Server IP | a pseudorandom function of the Client IP Address, the Server IP | |||
| skipping to change at page 9, line 50 ¶ | skipping to change at page 10, line 18 ¶ | |||
| prevent tracking of clients. To prevent tracking, a new Client | prevent tracking of clients. To prevent tracking, a new Client | |||
| Cookie for a server MUST be created whenever the Client IP Address | Cookie for a server MUST be created whenever the Client IP Address | |||
| changes. | changes. | |||
| Unfortunately, tracking Client IP Address Changes is impractical with | Unfortunately, tracking Client IP Address Changes is impractical with | |||
| servers that do not support DNS Cookies. To prevent tracking of | servers that do not support DNS Cookies. To prevent tracking of | |||
| clients with non DNS Cookie supporting servers, a client MUST NOT | clients with non DNS Cookie supporting servers, a client MUST NOT | |||
| send a previously sent Client Cookie. To prevent the creation of a | send a previously sent Client Cookie. To prevent the creation of a | |||
| new Client Cookie for each query to an non DNS Cookies supporting | new Client Cookie for each query to an non DNS Cookies supporting | |||
| server, it is RECOMMENDED to not send a Client Cookie to that server | server, it is RECOMMENDED to not send a Client Cookie to that server | |||
| for a certain period, like for example five minute. | for a certain period, for example five minute. | |||
| Summarizing: | Summarizing: | |||
| o In order to provide minimal authentication, a client MUST use a | * In order to provide minimal authentication, a client MUST use a | |||
| different Client Cookie for each different Server IP Address. | different Client Cookie for each different Server IP Address. | |||
| o To prevent tracking of clients, a new Client Cookie MUST be | * To prevent tracking of clients, a new Client Cookie MUST be | |||
| created when the Client IP Address changes. | created when the Client IP Address changes. | |||
| o To prevent tracking of clients for a non DNS Cookie supporting | * To prevent tracking of clients for a non DNS Cookie supporting | |||
| server, a client MUST NOT send a previously sent Client Cookie to | server, a client MUST NOT send a previously sent Client Cookie to | |||
| that server, unless it can track Client IP Address changes for | that server, unless it can track Client IP Address changes for | |||
| those servers too. | those servers too. | |||
| Besides the Client Cookie construction, this update on [RFC7873] does | Besides the Client Cookie construction, this update on [RFC7873] does | |||
| not introduce any new characteristics to DNS Cookies operations and | not introduce any new characteristics to DNS Cookies operations and | |||
| the Security Considerations section of [RFC7873] still applies. | the Security Considerations section of [RFC7873] still applies. | |||
| 9. References | 9. Acknowledgements | |||
| 9.1. Normative References | Thanks to Witold Krecicki and Pieter Lexis for valuable input, | |||
| suggestions and text and above all for implementing a prototype of an | ||||
| interoperable DNS Cookie in Bind9, Knot and PowerDNS during the | ||||
| hackathon of IETF104 in Prague. Thanks for valuable input and | ||||
| suggestions go to Ralph Dolmans, Bob Harold, Daniel Salzman, Martin | ||||
| Hoffmann, Mukund Sivaraman, Petr Spacek, Loganaden Velvindron, Bob | ||||
| Harold, Philip Homburg, Tim Wicinski and Brian Dickson. | ||||
| 10. Normative References | ||||
| [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, | [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, | |||
| DOI 10.17487/RFC1982, August 1996, | DOI 10.17487/RFC1982, August 1996, | |||
| <https://www.rfc-editor.org/info/rfc1982>. | <https://www.rfc-editor.org/info/rfc1982>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) | [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) | |||
| Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, | Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, | |||
| <https://www.rfc-editor.org/info/rfc7873>. | <https://www.rfc-editor.org/info/rfc7873>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [SipHash-2.4] | [SipHash-2.4] | |||
| Aumasson, J. and D. Bernstein, "SipHash: a fast short- | Aumasson, J. and D. J. Bernstein, "SipHash: a fast short- | |||
| input PRF", 2012, <https://131002.net/siphash/>. | input PRF", 2012, <https://131002.net/siphash/>. | |||
| 9.2. Informative References | 11. Informative References | |||
| [FNV] Fowler, G., Noll, L., Vo, K., Eastlake, D., and T. Hansen, | [FNV] Fowler, G., Noll, L., Vo, K., Eastlake, D., and T. Hansen, | |||
| "The FNV Non-Cryptographic Hash Algorithm", | "The FNV Non-Cryptographic Hash Algorithm", | |||
| <https://datatracker.ietf.org/doc/draft-eastlake-fnv>. | <https://datatracker.ietf.org/doc/draft-eastlake-fnv>. | |||
| [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy | ||||
| Extensions for Stateless Address Autoconfiguration in | ||||
| IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007, | ||||
| <https://www.rfc-editor.org/info/rfc4941>. | ||||
| [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms | [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms | |||
| (SHA and SHA-based HMAC and HKDF)", RFC 6234, | (SHA and SHA-based HMAC and HKDF)", RFC 6234, | |||
| DOI 10.17487/RFC6234, May 2011, | DOI 10.17487/RFC6234, May 2011, | |||
| <https://www.rfc-editor.org/info/rfc6234>. | <https://www.rfc-editor.org/info/rfc6234>. | |||
| Appendix A. Acknowledgements | Appendix A. Test vectors | |||
| Thanks to Witold Krecicki and Pieter Lexis for valuable input, | ||||
| suggestions and text and above all for implementing a prototype of an | ||||
| interoperable DNS Cookie in Bind9, Knot and PowerDNS during the | ||||
| hackathon of IETF104 in Prague. Thanks for valuable input and | ||||
| suggestions go to Ralph Dolmans, Bob Harold, Daniel Salzman, Martin | ||||
| Hoffmann, Mukund Sivaraman, Petr Spacek, Loganaden Velvindron, Bob | ||||
| Harold and Philip Homburg | ||||
| Appendix B. Test vectors | ||||
| B.1. Learning a new Server Cookie | A.1. Learning a new Server Cookie | |||
| A resolver (client) sending from IPv4 address 198.51.100.100, sends a | A resolver (client) sending from IPv4 address 198.51.100.100, sends a | |||
| query for "example.com" to an authoritative server listening on | query for "example.com" to an authoritative server listening on | |||
| 192.0.2.53 from which it has not yet learned the server cookie. | 192.0.2.53 from which it has not yet learned the server cookie. | |||
| The DNS requests and replies shown in this Appendix, are in a "dig" | The DNS requests and replies shown in this Appendix, are in a "dig" | |||
| like format. The content of the DNS COOKIE Option is shown in | like format. The content of the DNS COOKIE Option is shown in | |||
| hexadecimal format after "; COOKIE:". | hexadecimal format after "; COOKIE:". | |||
| ;; Sending: | ;; Sending: | |||
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57406 | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57406 | |||
| ;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 | ;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 | |||
| ;; OPT PSEUDOSECTION: | ;; OPT PSEUDOSECTION: | |||
| ; EDNS: version: 0, flags:; udp: 4096 | ; EDNS: version: 0, flags:; udp: 4096 | |||
| ; COOKIE: 2464c4abcf10c957 | ; COOKIE: 2464c4abcf10c957 | |||
| ;; QUESTION SECTION: | ;; QUESTION SECTION: | |||
| ;example.com. IN A | ;example.com. IN A | |||
| ;; QUERY SIZE: 52 | ;; QUERY SIZE: 52 | |||
| The authoritative nameserver (server) is configured with the | The authoritative nameserver (server) is configured with the | |||
| following secret: e5e973e5a6b2a43f48e7dc849e37bfcf (as hex data). | following secret: e5e973e5a6b2a43f48e7dc849e37bfcf (as hex data). | |||
| It receives the query at Wed Jun 5 10:53:05 UTC 2019. | It receives the query at Wed Jun 5 10:53:05 UTC 2019. | |||
| The content of the DNS COOKIE Option that the server will return is | The content of the DNS COOKIE Option that the server will return is | |||
| shown below in hexadecimal format after "; COOKIE:" | shown below in hexadecimal format after "; COOKIE:" | |||
| ;; Got answer: | ||||
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57406 | ||||
| ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 | ||||
| ;; OPT PSEUDOSECTION: | ;; Got answer: | |||
| ; EDNS: version: 0, flags:; udp: 4096 | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57406 | |||
| ; COOKIE: 2464c4abcf10c957010000005cf79f111f8130c3eee29480 (good) | ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 | |||
| ;; QUESTION SECTION: | ||||
| ;example.com. IN A | ||||
| ;; ANSWER SECTION: | ;; OPT PSEUDOSECTION: | |||
| example.com. 86400 IN A 192.0.2.34 | ; EDNS: version: 0, flags:; udp: 4096 | |||
| ; COOKIE: 2464c4abcf10c957010000005cf79f111f8130c3eee29480 (good) | ||||
| ;; QUESTION SECTION: | ||||
| ;example.com. IN A | ||||
| ;; Query time: 6 msec | ;; ANSWER SECTION: | |||
| ;; SERVER: 192.0.2.53#53(192.0.2.53) | example.com. 86400 IN A 192.0.2.34 | |||
| ;; WHEN: Wed Jun 5 10:53:05 UTC 2019 | ||||
| ;; MSD SIZE rcvd: 84 | ||||
| B.2. The same client learning a renewed (fresh) Server Cookie | ;; Query time: 6 msec | |||
| ;; SERVER: 192.0.2.53#53(192.0.2.53) | ||||
| ;; WHEN: Wed Jun 5 10:53:05 UTC 2019 | ||||
| ;; MSD SIZE rcvd: 84 | ||||
| A.2. The same client learning a renewed (fresh) Server Cookie | ||||
| 40 minutes later, the same resolver (client) queries the same server | 40 minutes later, the same resolver (client) queries the same server | |||
| for for "example.org" : | for for "example.org" : | |||
| ;; Sending: | ;; Sending: | |||
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50939 | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50939 | |||
| ;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 | ;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 | |||
| ;; OPT PSEUDOSECTION: | ;; OPT PSEUDOSECTION: | |||
| ; EDNS: version: 0, flags:; udp: 4096 | ; EDNS: version: 0, flags:; udp: 4096 | |||
| ; COOKIE: 2464c4abcf10c957010000005cf79f111f8130c3eee29480 | ; COOKIE: 2464c4abcf10c957010000005cf79f111f8130c3eee29480 | |||
| ;; QUESTION SECTION: | ;; QUESTION SECTION: | |||
| ;example.org. IN A | ;example.org. IN A | |||
| ;; QUERY SIZE: 52 | ;; QUERY SIZE: 52 | |||
| The authoritative nameserver (server) now generates a new Server | The authoritative nameserver (server) now generates a new Server | |||
| Cookie. The server SHOULD do this because it can see the Server | Cookie. The server SHOULD do this because it can see the Server | |||
| Cookie send by the client is older than half an hour Section 4.3, but | Cookie send by the client is older than half an hour Section 4.3, but | |||
| it is also fine for a server to generate a new Server Cookie sooner, | it is also fine for a server to generate a new Server Cookie sooner, | |||
| or even for every answer. | or even for every answer. | |||
| ;; Got answer: | ;; Got answer: | |||
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50939 | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50939 | |||
| ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 | ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 | |||
| ;; OPT PSEUDOSECTION: | ;; OPT PSEUDOSECTION: | |||
| ; EDNS: version: 0, flags:; udp: 4096 | ; EDNS: version: 0, flags:; udp: 4096 | |||
| ; COOKIE: 2464c4abcf10c957010000005cf7a871d4a564a1442aca77 (good) | ; COOKIE: 2464c4abcf10c957010000005cf7a871d4a564a1442aca77 (good) | |||
| ;; QUESTION SECTION: | ;; QUESTION SECTION: | |||
| ;example.org. IN A | ;example.org. IN A | |||
| ;; ANSWER SECTION: | ;; ANSWER SECTION: | |||
| example.org. 86400 IN A 192.0.2.34 | example.org. 86400 IN A 192.0.2.34 | |||
| ;; Query time: 6 msec | ;; Query time: 6 msec | |||
| ;; SERVER: 192.0.2.53#53(192.0.2.53) | ;; SERVER: 192.0.2.53#53(192.0.2.53) | |||
| ;; WHEN: Wed Jun 5 11:33:05 UTC 2019 | ;; WHEN: Wed Jun 5 11:33:05 UTC 2019 | |||
| ;; MSD SIZE rcvd: 84 | ;; MSD SIZE rcvd: 84 | |||
| B.3. Another client learning a renewed Server Cookie | A.3. Another client learning a renewed Server Cookie | |||
| Another resolver (client) with IPv4 address 203.0.113.203 sends a | Another resolver (client) with IPv4 address 203.0.113.203 sends a | |||
| request to the same server with a valid Server Cookie that it learned | request to the same server with a valid Server Cookie that it learned | |||
| before (at Wed Jun 5 09:46:25 UTC 2019). Note that the Server Cookie | before (at Wed Jun 5 09:46:25 UTC 2019). Note that the Server Cookie | |||
| has Reserved bytes set, but is still valid with the configured | has Reserved bytes set, but is still valid with the configured | |||
| secret; the Hash part is calculated taking along the Reserved bytes. | secret; the Hash part is calculated taking along the Reserved bytes. | |||
| ;; Sending: | ;; Sending: | |||
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34736 | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34736 | |||
| ;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 | ;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 | |||
| ;; OPT PSEUDOSECTION: | ;; OPT PSEUDOSECTION: | |||
| ; EDNS: version: 0, flags:; udp: 4096 | ; EDNS: version: 0, flags:; udp: 4096 | |||
| ; COOKIE: fc93fc62807ddb8601abcdef5cf78f71a314227b6679ebf5 | ; COOKIE: fc93fc62807ddb8601abcdef5cf78f71a314227b6679ebf5 | |||
| ;; QUESTION SECTION: | ;; QUESTION SECTION: | |||
| ;example.com. IN A | ;example.com. IN A | |||
| ;; QUERY SIZE: 52 | ;; QUERY SIZE: 52 | |||
| The authoritative nameserver (server) replies with a freshly | The authoritative nameserver (server) replies with a freshly | |||
| generated Server Cookie for this client conformant with this | generated Server Cookie for this client conformant with this | |||
| specification; so with the Reserved bits set to zero. | specification; so with the Reserved bits set to zero. | |||
| ;; Got answer: | ;; Got answer: | |||
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34736 | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34736 | |||
| ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 | ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 | |||
| ;; OPT PSEUDOSECTION: | ;; OPT PSEUDOSECTION: | |||
| ; EDNS: version: 0, flags:; udp: 4096 | ; EDNS: version: 0, flags:; udp: 4096 | |||
| ; COOKIE: fc93fc62807ddb86010000005cf7a9acf73a7810aca2381e (good) | ; COOKIE: fc93fc62807ddb86010000005cf7a9acf73a7810aca2381e (good) | |||
| ;; QUESTION SECTION: | ;; QUESTION SECTION: | |||
| ;example.com. IN A | ;example.com. IN A | |||
| ;; ANSWER SECTION: | ;; ANSWER SECTION: | |||
| example.com. 86400 IN A 192.0.2.34 | example.com. 86400 IN A 192.0.2.34 | |||
| ;; Query time: 6 msec | ;; Query time: 6 msec | |||
| ;; SERVER: 192.0.2.53#53(192.0.2.53) | ;; SERVER: 192.0.2.53#53(192.0.2.53) | |||
| ;; WHEN: Wed Jun 5 11:38:20 UTC 2019 | ;; WHEN: Wed Jun 5 11:38:20 UTC 2019 | |||
| ;; MSD SIZE rcvd: 84 | ;; MSD SIZE rcvd: 84 | |||
| B.4. IPv6 query with rolled over secret | A.4. IPv6 query with rolled over secret | |||
| The query below is from a client with IPv6 address | The query below is from a client with IPv6 address | |||
| 2001:db8:220:1:59de:d0f4:8769:82b8 to a server with IPv6 address | 2001:db8:220:1:59de:d0f4:8769:82b8 to a server with IPv6 address | |||
| 2001:db8:8f::53. The client has learned a valid Server Cookie before | 2001:db8:8f::53. The client has learned a valid Server Cookie before | |||
| when the Server had secret: dd3bdf9344b678b185a6f5cb60fca715. The | when the Server had the secret: dd3bdf9344b678b185a6f5cb60fca715. | |||
| server now uses a new secret, but it can still validate the Server | The server now uses a new secret, but it can still validate the | |||
| Cookie provided by the client as the old secret has not expired yet. | Server Cookie provided by the client as the old secret has not | |||
| expired yet. | ||||
| ;; Sending: | ;; Sending: | |||
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6774 | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6774 | |||
| ;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 | ;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 | |||
| ;; OPT PSEUDOSECTION: | ;; OPT PSEUDOSECTION: | |||
| ; EDNS: version: 0, flags:; udp: 4096 | ; EDNS: version: 0, flags:; udp: 4096 | |||
| ; COOKIE: 22681ab97d52c298010000005cf7c57926556bd0934c72f8 | ; COOKIE: 22681ab97d52c298010000005cf7c57926556bd0934c72f8 | |||
| ;; QUESTION SECTION: | ;; QUESTION SECTION: | |||
| ;example.net. IN A | ;example.net. IN A | |||
| ;; QUERY SIZE: 52 | ;; QUERY SIZE: 52 | |||
| The authoritative nameserver (server) replies with a freshly | The authoritative nameserver (server) replies with a freshly | |||
| generated server cookie for this client with its new secret: | generated server cookie for this client with its new secret: | |||
| 445536bcd2513298075a5d379663c962 | 445536bcd2513298075a5d379663c962 | |||
| ;; Got answer: | ||||
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6774 | ||||
| ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 | ||||
| ;; OPT PSEUDOSECTION: | ;; Got answer: | |||
| ; EDNS: version: 0, flags:; udp: 4096 | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6774 | |||
| ; COOKIE: 22681ab97d52c298010000005cf7c609a6bb79d16625507a (good) | ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 | |||
| ;; QUESTION SECTION: | ||||
| ;example.net. IN A | ||||
| ;; ANSWER SECTION: | ;; OPT PSEUDOSECTION: | |||
| example.net. 86400 IN A 192.0.2.34 | ; EDNS: version: 0, flags:; udp: 4096 | |||
| ; COOKIE: 22681ab97d52c298010000005cf7c609a6bb79d16625507a (good) | ||||
| ;; QUESTION SECTION: | ||||
| ;example.net. IN A | ||||
| ;; Query time: 6 msec | ;; ANSWER SECTION: | |||
| ;; SERVER: 2001:db8:8f::53#53(2001:db8:8f::53) | example.net. 86400 IN A 192.0.2.34 | |||
| ;; WHEN: Wed Jun 5 13:36:57 UTC 2019 | ||||
| ;; MSD SIZE rcvd: 84 | ||||
| Appendix C. Implementation status | ;; Query time: 6 msec | |||
| ;; SERVER: 2001:db8:8f::53#53(2001:db8:8f::53) | ||||
| ;; WHEN: Wed Jun 5 13:36:57 UTC 2019 | ||||
| ;; MSD SIZE rcvd: 84 | ||||
| Appendix B. Implementation status | ||||
| At the time of writing, BIND from version 9.16 and Knot DNS from | At the time of writing, BIND from version 9.16 and Knot DNS from | |||
| version 2.9.0 create Server Cookies according to the recipe described | version 2.9.0 create Server Cookies according to the recipe described | |||
| in this draft. Unbound and NSD have an Proof of Concept | in this draft. Unbound and NSD have an Proof of Concept | |||
| implementation that has been tested for interoperability during the | implementation that has been tested for interoperability during the | |||
| hackathon at the IETF104 in Prague. Construction of privacy | hackathon at the IETF104 in Prague. Construction of privacy | |||
| maintaining Client Cookies according to the directions in this draft | maintaining Client Cookies according to the directions in this draft | |||
| have been implemented in the getdns library and will be in the | have been implemented in the getdns library and will be in the | |||
| upcoming getdns-1.6.1 release and in Stubby version 0.3.1. | upcoming getdns-1.6.1 release and in Stubby version 0.3.1. | |||
| skipping to change at page 15, line 34 ¶ | skipping to change at page 16, line 4 ¶ | |||
| At the time of writing, BIND from version 9.16 and Knot DNS from | At the time of writing, BIND from version 9.16 and Knot DNS from | |||
| version 2.9.0 create Server Cookies according to the recipe described | version 2.9.0 create Server Cookies according to the recipe described | |||
| in this draft. Unbound and NSD have an Proof of Concept | in this draft. Unbound and NSD have an Proof of Concept | |||
| implementation that has been tested for interoperability during the | implementation that has been tested for interoperability during the | |||
| hackathon at the IETF104 in Prague. Construction of privacy | hackathon at the IETF104 in Prague. Construction of privacy | |||
| maintaining Client Cookies according to the directions in this draft | maintaining Client Cookies according to the directions in this draft | |||
| have been implemented in the getdns library and will be in the | have been implemented in the getdns library and will be in the | |||
| upcoming getdns-1.6.1 release and in Stubby version 0.3.1. | upcoming getdns-1.6.1 release and in Stubby version 0.3.1. | |||
| Authors' Addresses | Authors' Addresses | |||
| Ondrej Sury | Ondrej Sury | |||
| Internet Systems Consortium | Internet Systems Consortium | |||
| CZ | Czechia | |||
| Email: ondrej@isc.org | Email: ondrej@isc.org | |||
| Willem Toorop | Willem Toorop | |||
| NLnet Labs | NLnet Labs | |||
| Science Park 400 | Science Park 400 | |||
| Amsterdam 1098 XH | 1098 XH Amsterdam | |||
| Netherlands | Netherlands | |||
| Email: willem@nlnetlabs.nl | Email: willem@nlnetlabs.nl | |||
| Donald E. Eastlake 3rd | Donald E. Eastlake 3rd | |||
| Futurewei Technologies | Futurewei Technologies | |||
| 1424 Pro Shop Court | 1424 Pro Shop Court | |||
| Davenport FL 33896 | Davenport, FL 33896 | |||
| USA | United States of America | |||
| Phone: +1-508-333-2270 | Phone: +1-508-333-2270 | |||
| Email: d3e3e3@gmail.com | Email: d3e3e3@gmail.com | |||
| Mark Andrews | Mark Andrews | |||
| Internet Systems Consortium | Internet Systems Consortium | |||
| 950 Charter Street | 950 Charter Street | |||
| Redwood City CA 94063 | Redwood City, CA 94063 | |||
| USA | United States of America | |||
| Email: marka@isc.org | Email: marka@isc.org | |||
| End of changes. 97 change blocks. | ||||
| 248 lines changed or deleted | 263 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||