mirror of
https://github.com/hickory-dns/hickory-dns.git
synced 2026-04-25 03:05:51 +03:00
[GH-ISSUE #2075] DNS cookies #874
Labels
No labels
blocked
breaking-change
bug
bug:critical
bug:tests
cleanup
compliance
compliance
compliance
crate:all
crate:client
crate:native-tls
crate:proto
crate:recursor
crate:resolver
crate:resolver
crate:rustls
crate:server
crate:util
dependencies
docs
duplicate
easy
easy
enhance
enhance
enhance
feature:dns-over-https
feature:dns-over-quic
feature:dns-over-tls
feature:dnsssec
feature:global_lb
feature:mdns
feature:tsig
features:edns
has workaround
ops
perf
platform:WASM
platform:android
platform:fuchsia
platform:linux
platform:macos
platform:windows
pull-request
question
test
tools
tools
trust
unclear
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/hickory-dns#874
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @jpds on GitHub (Oct 21, 2023).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2075
Describe the solution you'd like
Server and client-side support for DNS Cookies:
More information at this video from CIRA (3:24 onwards)
@bluejekyll commented on GitHub (Oct 24, 2023):
Reading through this, it should be fairly straightforward to implement. Getting the client and server cookie creation correct looks like the most complicated part.
The only question I have is, given that we have encrypted options available with TLS, h2, h3, and quic, what is the priority of this RFC?
@djc commented on GitHub (Oct 24, 2023):
Do we enable DoT/DoH/DoH3/DoQ by default, though, or do most configurations in the wild still end up with UDP/TCP?
@bluejekyll commented on GitHub (Oct 24, 2023):
no, you need to enable all-features to get those.
I’m just trying to an understanding of how big the community of cookie users there are.
overall, this seems somewhat straightforward to implement, but my point was that it’s a bit redundant to these other options is all.
@bluejekyll commented on GitHub (Oct 24, 2023):
Here's some good discussion into the usage of Cookies, https://blog.apnic.net/2023/02/23/notes-from-dns-oarc-40/, and a presentation from Google on the same: https://indico.dns-oarc.net/event/46/contributions/978/attachments/947/1754/Cache%20Poisoning%20Protection%20-%20Deployment%20Experience.pdf
@jpds commented on GitHub (Oct 24, 2023):
BIND has had support since 7 years ago: https://gitlab.isc.org/isc-projects/bind9/-/tags/v9.11.0 / https://kb.isc.org/docs/aa-01387
Unbound gained support in the last few months: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-18-0
@bluejekyll commented on GitHub (Oct 25, 2023):
Yup, I don't think this is a problem to implement. Are you interested in taking a stab at it? I think it could be broken up into two PRs. One to add the parsing to the
EdnsOptionenum:github.com/hickory-dns/hickory-dns@bb20324562/crates/proto/src/rr/rdata/opt.rs (L447C10-L447C10)And then another to put this logic into the resolver and server implementations. This one will be the more interesting logic to write... I'm guessing that we only want it on the UDP implementations. The server side logic is perhaps simpler, as the Client needs to determine if the server supports Cookies or not. If it doesn't, then it needs to drop the Cookies from future requests... And based on the above links, it looks like there are some servers out there that fail in the presence of Cookies.