Back in May 2016, RFC 7873 - Domain Name System (DNS) Cookies was published. This provides a mechanism that can make off path spoofing attacks impossible without all the management required by DNSSEC. This however only works if DNS servers and DNS clients implement the changes required.
For a DNS server operator there are no real risks in enabling DNS COOKIE support other than ensuring all the servers in an anycast cluster have DNS COOKIES enabled. For DNS clients there is a small risk that you will make a request to a DNS server that has a broken DNS implementation that breaks DNS resolution. That said, the number of such servers has been dropping over the last 9 years and per-server workarounds are rare.

I would like to encourage everyone on this list to check if their DNS servers have DNS COOKIE enabled or not, and if it is not enabled, to enable it or upgrade the server to one which supports it. You can test whether your server supports DNS COOKIE or not using https://ednscomp.isc.org/ednscomp At a minimum please test to see if you have a broken DNS server and correct it if you do.

Below are the results of testing the .AU servers. Here A.AU supports DNS COOKIES as can be seen by this field in the response "docookie=ok,cookie+badcookie". "badcookie" indicates that it is also configured to use DNS COOKIE to identify legitimate traffic when amplification attacks happen. The other servers cleanly accept requests with DNS COOKIES present but do not return DNS COOKIES, so they are not providing anti-spoofing support for the clients that use those servers. The "docookie=timeout" are false negatives based on manual testing; the test is presumably hitting a rate limit.

EDNS Compliance Tester
Checking: 'au' as at 2025-08-14T01:59:15Z

au. @65.22.199.1 (t.au.): dns=ok zflag=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid,expire,subnet (LAX3)
au. @2a01:8840:c1::1 (t.au.): dns=ok zflag=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid,expire,subnet (YYZ3)
au. @58.65.254.1 (a.au.): dns=ok zflag=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok,cookie+badcookie edns512tcp=ok optlist=ok,nsid,cookie+badcookie,subnet (lax2)
au. @2407:6e00:254::1 (a.au.): dns=ok zflag=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok,cookie+badcookie edns512tcp=ok optlist=ok,nsid,expire,cookie+badcookie (mel3)
au. @65.22.196.1 (q.au.): dns=ok zflag=timeout edns=timeout edns1=ok edns@512=ok ednsopt=timeout edns1opt=ok do=timeout ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout
au. @2a01:8840:be::1 (q.au.): dns=ok zflag=timeout edns=timeout edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=timeout ednsflags=ok docookie=timeout edns512tcp=ok optlist=timeout
au. @65.22.197.1 (r.au.): dns=ok zflag=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid,expire,subnet (app4.mia2.hosts.meta.redstone.afilias-nst.info-1615580861)
au. @2a01:8840:bf::1 (r.au.): dns=ok zflag=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid,expire,subnet (syd3.micro.hosts.meta.redstone.afilias-nst.info-1626964915)
au. @65.22.198.1 (s.au.): dns=ok zflag=ok edns=timeout edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=timeout ednsflags=ok docookie=timeout edns512tcp=ok optlist=ok,nsid,expire,subnet (sjc1.micro.hosts.meta.redstone.afilias-nst.info-1633459055)
au. @2a01:8840:c0::1 (s.au.): dns=ok zflag=ok edns=timeout edns1=ok edns@512=ok ednsopt=timeout edns1opt=ok do=timeout ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid,expire,subnet (sjc1.micro.hosts.meta.redstone.afilias-nst.info-1633459055)

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [email protected]
_______________________________________________
AusNOG mailing list
[email protected]
https://lists.ausnog.net/mailman/listinfo/ausnog
