> On 24 Jan 2020, at 21:36, Arsen STASIC <[email protected]> wrote:
> 
> Hi,
> 
> This software might be of interest for DNS anycast providers (or customers) 
> which are running BIND.
> With BIND 9.11 and newer DNS Cookies are enabled **automatically**.

You seem surprised?  DNS COOKIE is a security feature and to be effective it 
needs to be enabled on both ends.  DNS COOKIE was introduced in a .0 release.  
This is where feature changes are expected to occur.

> While I was searching for software to check DNS Cookies I didn't find 
> anything.

So "dig +cookie=<value>" was not enough?

> Therefore I wrote this small Perl script to check DNS anycast instances (over 
> their mgmt-ip) for synchronized DNS Cookies:
> https://github.com/stasic/dns-cookies

Which assumes that all the queries are made in the same second as server 
cookies vary over time.  If you really want to test this you need to send the 
returned cookie option from the first response to all the other servers and 
check the rcode they return is not BADCOOKIE.  Exercise the cookie checking 
code in the server.

> If DNS Cookies are not the same between different DNS anycast instances it 
> may cause warnings and intermittent query retries. Therefore I suggest either 
> synchronizing them or disabling them.

This is very alarmist.  DNS COOKIE secret key mismatches (includes algorithm 
mismatches) were expected to occur and DNS COOKIE clients are designed to 
handle them.  Unsynchronised secrets/algorithms are safer for the client than 
disabled cookies.  Additionally, this really only becomes visible with local 
anycast clusters which don’t have source IP address affinity.  With globally 
distributed anycast you tend to hit the same node.

Mark

> ISC addressed this issue in their knowledge base:
> https://kb.isc.org/docs/dns-cookies-on-servers-in-anycast-clusters
> 
> happy cookie gathering
> Arsen
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
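The replay check Mark describes above, written out as an added shell example (this is neither Arsen's script nor ISC code): take the cookie returned by one anycast node, replay it to every other node over its management address, and flag any node that answers BADCOOKIE. It assumes `dig` from BIND 9.11 or later is on PATH; the zone name and node addresses are placeholders.

```shell
#!/bin/sh
# Added example: replay one node's server cookie to its anycast siblings and
# report nodes that reject it with rcode BADCOOKIE.  Assumes dig (BIND 9.11+).

# Extract the hex cookie from dig's OPT pseudosection line,
# e.g. "; COOKIE: 0123...0011 (good)".
extract_cookie() {
    sed -n 's/^; COOKIE: \([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Extract the rcode from dig's header line,
# e.g. ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242".
extract_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Exit 0 when the dig output on stdin is a real answer and not a BADCOOKIE
# rejection.  Assumption about BIND: BADCOOKIE is only sent by nodes with
# "require-server-cookie yes"; with the default, a mismatching cookie is
# silently replaced by a fresh one, so this check only proves what it sees.
cookie_accepted() {
    status=$(extract_status)
    [ -n "$status" ] && [ "$status" != "BADCOOKIE" ]
}

# check_cluster ZONE FIRST_NODE OTHER_NODE...: fetch a cookie from FIRST_NODE,
# replay it to each OTHER_NODE from this same source address (cookies are
# bound to the client IP), print one line per node, return 1 on any reject.
check_cluster() {
    zone=$1; first=$2; shift 2
    cookie=$(dig +cookie @"$first" "$zone" SOA | extract_cookie)
    if [ -z "$cookie" ]; then
        echo "$first: no COOKIE option in reply" >&2
        return 1
    fi
    rc=0
    for node in "$@"; do
        if dig +cookie="$cookie" @"$node" "$zone" SOA | cookie_accepted; then
            echo "$node: accepted cookie issued by $first"
        else
            echo "$node: BADCOOKIE (secret or algorithm differs from $first)"
            rc=1
        fi
    done
    return $rc
}

# Usage (placeholder addresses): check_cluster example.net. 192.0.2.1 192.0.2.2
if [ "$#" -ge 3 ]; then check_cluster "$@"; fi
```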


