<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">

<rfc number="9018" version="3" ipr="trust200902" docName="draft-ietf-dnsop-server-cookies-05" symRefs="true" submissionType="IETF" tocInclude="true" category="std" xml:lang="en" xmlns:xi="http://www.w3.org/2001/XInclude" updates="7873" consensus="true" sortRefs="true">

<front>
<title abbrev="server-cookies">Interoperable Domain Name System (DNS) Server Cookies</title>

<seriesInfo value="9018" name="RFC"/>

<author initials="O." surname="Sury" fullname="Ondrej
Sury"><organization>Internet Systems
Consortium</organization><address><postal><street></street>
<country>CZ</country>
</postal><email>ondrej@isc.org</email>
</address></author>

<author initials="W." surname="Toorop" fullname="Willem Toorop"><organization>NLnet Labs</organization><address><postal><street>Science Park 400</street>
<city>Amsterdam</city>
<code>1098 XH</code>
<country>Netherlands</country>
</postal><email>willem@nlnetlabs.nl</email>
</address></author>

<author initials="D." surname="Eastlake 3rd" fullname="Donald E. Eastlake 3rd"><organization>Futurewei Technologies</organization><address><postal><street>2386 Panoramic Circle</street>
<city>Apopka</city>
<code>FL 32703</code>
<country>United States of America</country>
</postal><phone>+1-508-333-2270</phone>
<email>d3e3e3@gmail.com</email>
</address></author>

<author initials="M." surname="Andrews" fullname="Mark Andrews"><organization>Internet Systems Consortium</organization><address><postal><street>950 Charter Street</street>
<city>Redwood City</city>
<code>CA 94063</code>
<country>United States of America</country>
</postal><email>marka@isc.org</email>
</address></author>

<date year="2021" month="April"></date>

<area>Internet</area>
<workgroup>DNSOP Working Group</workgroup>

<keyword>Client</keyword>
<keyword>Hash</keyword>

<abstract>
<t>DNS Cookies, as specified in RFC 7873, are a
lightweight DNS transaction security mechanism that provide limited protection
to DNS servers and clients against a variety of denial-of-service
amplification, forgery, or cache-poisoning attacks by off-path attackers.</t>
<t>This document updates RFC 7873 with precise directions for creating Server
Cookies so that an anycast server set including diverse implementations will
interoperate with standard clients, with suggestions for constructing Client Cookies
in a privacy-preserving fashion, and with suggestions on how to update a Server
Secret.  An IANA registry listing the methods and associated pseudorandom
function suitable for creating DNS Server Cookies has been created with the method
described in this document as the first and, as of the time of publication, only entry.</t>
</abstract>

</front>

<middle>

<section anchor="introduction"><name>Introduction</name>
<t>DNS Cookies, as specified in <xref target="RFC7873"></xref>, are a
lightweight DNS transaction security mechanism that provide limited protection
to DNS servers and clients against a variety of denial-of-service
amplification, forgery, or cache-poisoning attacks by off-path attackers. This
document specifies a means of producing interoperable cookies so that an
anycast server set including diverse implementations can be easily configured
to interoperate with standard clients.  Also, single-implementation or
non-anycast services can benefit from a well-studied standardized algorithm
for which the behavioral and security characteristics are more widely
known.</t>
<t>The threats considered for DNS Cookies and the properties of the DNS
Security features other than DNS Cookies are discussed in <xref target="RFC7873"></xref>.</t>
<t>In <xref target="RFC7873" sectionFormat="of" section="6"/>, for simplicity, it is
&quot;<bcp14>RECOMMENDED</bcp14> that the same Server Secret be used by
each DNS server in a set of anycast servers.&quot; However, how precisely a
Server Cookie is calculated from this Server Secret is left to the
implementation.</t>
<t>This guidance has led to a gallimaufry of DNS Cookie implementations,
calculating the Server Cookie in different ways. As a result, DNS Cookies
are impractical to deploy on multi-vendor anycast networks because even
when all DNS Software shares the same secret, as <bcp14>RECOMMENDED</bcp14> in <xref target="RFC7873" sectionFormat="of" section="6"></xref>, the Server Cookie constructed by one implementation
cannot generally be validated by another.</t>
<t>There is no need for DNS client (resolver) Cookies to be interoperable
across different implementations. Each client need only be able to recognize
its own cookies. However, this document does contain recommendations for
constructing Client Cookies in a client-protecting fashion.</t>

<section anchor="terminology-and-definitions"><name>Terminology and Definitions</name>

        <t>
    The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
    NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
    described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
    when, and only when, they appear in all capitals, as shown here.
        </t>

<t>Note: &quot;IP address&quot; is used herein as a length-independent term covering
both IPv4 and IPv6 addresses.</t>

</section>
</section>

<section anchor="changes"><name>Changes to  RFC 7873</name>
<t>Appendices <xref target="RFC7873" sectionFormat="bare" section="A.1"/> and <xref target="RFC7873" sectionFormat="bare" section="B.1" /> of <xref target="RFC7873"></xref> provide
example &quot;simple&quot; algorithms for computing Client and Server Cookies,
respectively.  These algorithms <bcp14>MUST NOT</bcp14> be used as the
resulting cookies are too weak when evaluated against modern security
standards.</t>
<t><xref target="RFC7873" section="B.2"></xref> provides an example &quot;more complex&quot; server
algorithm. This algorithm is replaced by the interoperable specification in
<xref target="serverCookie"></xref> of this document, which <bcp14>MUST</bcp14> be used by Server Cookie
implementations.</t>
<t>This document has suggestions on Client Cookie construction in <xref target="clientCookie"></xref>.
The previous example in <xref target="RFC7873" section="A.2"/> is <bcp14>NOT RECOMMENDED</bcp14>.</t>
</section>

<section anchor="clientCookie"><name>Constructing a Client Cookie</name>
<t>The Client Cookie acts as an identifier for a given client and its IP
address and needs to be unguessable. In order to provide minimal
authentication of the targeted server, a client <bcp14>MUST</bcp14> use a
different Client Cookie for each different Server IP address. This complicates
a server's ability to spoof answers for other DNS servers. The Client Cookie
<bcp14>SHOULD</bcp14> have 64 bits of entropy.</t>
<t>When a server does not support DNS Cookies, the client <bcp14>MUST NOT</bcp14> send the same
Client Cookie to that same server again. Instead, it is recommended that the
client does not send a Client Cookie to that server for a certain period
(for example, five minutes) before it retries with a new Client Cookie.</t>
<t>When a server does support DNS Cookies, the client should store the Client
Cookie alongside the Server Cookie it registered for that server.</t>
<t>Except for when the Client IP address changes, there is no need to change the
Client Cookie often. It is then reasonable to change the Client Cookie only if
it has been compromised or after a relatively long implementation-defined
period of time.  The time period should be no longer than a year, and in any
case, Client Cookies are not expected to survive a program restart.</t>

<sourcecode type="">Client-Cookie = 64 bits of entropy
</sourcecode>
<t>Previously, the recommended algorithm to compute the Client Cookie included
the Client IP address as an input to a hashing function. However, when implementing
the DNS Cookies, several DNS vendors found it impractical to include the Client IP
as the Client Cookie is typically computed before the Client IP address is
known. Therefore, the requirement to put the Client IP address as input was
removed.</t>
<t>However, for privacy reasons, in order to prevent tracking of devices across
links and to not circumvent IPv6 Privacy Extensions <xref target="RFC4941"></xref>, clients <bcp14>MUST
NOT</bcp14> reuse a Client or Server Cookie after the Client IP address has changed.</t>
<t>One way to satisfy this requirement for non-reuse is to register the Client IP
address alongside the Server Cookie when it receives the Server Cookie.  In
subsequent queries to the server with that Server Cookie, the socket <bcp14>MUST</bcp14> be
bound to the Client IP address that was also used (and registered) when it
received the Server Cookie.  Failure to bind <bcp14>MUST</bcp14> then result in a new Client
Cookie.</t>
</section>

<section anchor="serverCookie"><name>Constructing a Server Cookie</name>
<t>The Server Cookie is effectively a Message Authentication Code (MAC). The
Server Cookie, when it occurs in a COOKIE option in a request, is intended to
weakly assure the server that the request came from a client that is both at
the source IP address of the request and using the Client Cookie included in
the option.

 This assurance is provided by the Server Cookie that the server (or any other
 server from the anycast set) sent to that client in an earlier response and
 that appears as the Server Cookie field in the weakly authenticated request
 (see <xref sectionFormat="of" section="5.2" target="RFC7873"/>).</t>

<t>DNS Cookies do not provide protection against &quot;on-path&quot;
adversaries (see <xref sectionFormat="of" section="9" target="RFC7873"/>). An
on-path observer that has seen a Server Cookie for a client can abuse that
Server Cookie to spoof request for that client within the time span a Server
Cookie is valid (see <xref target="timestampField"></xref>).</t>
<t>

  The Server Cookie is calculated from the Client Cookie, a series of
  Sub-Fields specified below, the Client IP address, and a Server
  Secret that is known only to the server or only to the set of servers
  at the same anycast address.
</t>

<t>For calculation of the Server Cookie, a pseudorandom function is
<bcp14>RECOMMENDED</bcp14> with the property that an attacker that does not
know the Server Secret, cannot find (any information about) the Server Secret,
and cannot create a Server Cookie for any combination of the Client Cookie,
the series of Sub-Fields specified below, and the client IP address, for which
it has not seen a Server Cookie before.

Because DNS servers need to use the pseudorandom function in order to verify
Server Cookies, it is <bcp14>RECOMMENDED</bcp14> that it be efficient to
calculate.

The pseudorandom function described in <xref target="SipHash-2-4"></xref> and
introduced in <xref target="hashField"></xref> of this document fits these
recommendations.</t>
<t>Changing the Server Secret regularly is <bcp14>RECOMMENDED</bcp14> but,
when a secure pseudorandom function is used, it need not be changed too
frequently.  Once a month, for example, would be adequate.  See <xref
target="rollingSecret"></xref> on operator and implementation guidelines for
updating a Server Secret.</t>
<t>The 128-bit Server Cookie consists of the following Sub-Fields: a 1-octet Version Sub-Field,
a 3-octet Reserved Sub-Field, a 4-octet Timestamp Sub-Field, and an 8-octet Hash
Sub-Field.</t>

<artwork type="ascii-art"> 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Version    |                   Reserved                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Timestamp                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             Hash                              |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>

<section anchor="the-version-sub-field"><name>The Version Sub-Field</name>
<t>The Version Sub-Field prescribes the structure and Hash calculation formula.
This document defines Version 1 to be the structure and way to calculate the
Hash Sub-Field as defined in this section.</t>
</section>

<section anchor="the-reserved-sub-field"><name>The Reserved Sub-Field</name>
<t>The value of the Reserved Sub-Field is reserved for future versions of
server-side cookie construction.  On construction, it <bcp14>MUST</bcp14> be
set to zero octets.  On Server Cookie verification, the server <bcp14>MUST
NOT</bcp14> enforce those fields to be zero, and the Hash should be computed
with the received value as described in <xref target="hashField"></xref>.</t>
</section>

<section anchor="timestampField"><name>The Timestamp Sub-Field</name>
<t>The Timestamp value prevents Replay Attacks and <bcp14>MUST</bcp14> be
checked by the server to be within a defined period of time.  The DNS server
<bcp14>SHOULD</bcp14> allow cookies within a 1-hour period in the past and a
5-minute period into the future to allow operation of low-volume clients and
some limited time skew between the DNS servers in the anycast set.</t>
<t>The Timestamp value specifies a date and time in the form of a 32-bit
<strong>unsigned</strong> number of seconds elapsed since 1 January 1970
00:00:00 UTC, ignoring leap seconds, in network byte order.  All comparisons
involving these fields <bcp14>MUST</bcp14> use &quot;Serial number
arithmetic&quot;, as defined in <xref target="RFC1982"></xref>. <xref
target="RFC1982"></xref> specifies how the differences should be handled. This
handles any relative time window less than 68 years, at any time in the future
(2038, 2106, 2256, 22209, or later.)</t>
<t>The DNS server <bcp14>SHOULD</bcp14> generate a new Server Cookie at least if the received
Server Cookie from the client is more than half an hour old, but it <bcp14>MAY</bcp14>
generate a new cookie more often than that.</t>
</section>

<section anchor="hashField"><name>The Hash Sub-Field</name>
<t>It's important that all the DNS servers use the same algorithm for computing
the Server Cookie.  This document defines the Version 1 of the server-side
algorithm to be:</t>

<sourcecode type="">Hash = SipHash-2-4(
    Client Cookie | Version | Reserved | Timestamp | Client-IP,
    Server Secret )
</sourcecode>
<t>where &quot;|&quot; indicates concatenation.</t>
<t>Notice that Client-IP is used for hash generation even though it is not
included in the cookie value itself. Client-IP can be either 4 bytes for IPv4
or 16 bytes for IPv6. The length of all the concatenated elements (the input
into <xref target="SipHash-2-4"></xref>) <bcp14>MUST</bcp14> be either precisely 20 bytes in case of an IPv4
Client-IP or precisely 32 bytes in case of an IPv6 Client-IP.</t>
<t>When a DNS server receives a Server Cookie version 1 for validation, the length
of the received COOKIE option <bcp14>MUST</bcp14> be precisely 24 bytes: 8 bytes for the
Client Cookie plus 16 bytes for the Server Cookie. Verification of the length
of the received COOKIE option is <bcp14>REQUIRED</bcp14> to guarantee the length of the input
into <xref target="SipHash-2-4"></xref> to be precisely 20 bytes in the case of an IPv4 Client-IP and
precisely 32 bytes in the case of an IPv6 Client-IP. This ensures that the input
into <xref target="SipHash-2-4"></xref> is an injective function of the elements making up the
input, and thereby prevents data substitution attacks.  More specifically, this
prevents a 36-byte COOKIE option coming from an IPv4 Client-IP to be validated
as if it were coming from an IPv6 Client-IP.</t>
<t>The Server Secret <bcp14>MUST</bcp14> be configurable to make sure that servers in an anycast
network return consistent results.</t>
</section>
</section>

<section anchor="rollingSecret"><name>Updating the Server Secret</name>
<t>Changing the Server Secret regularly is <bcp14>RECOMMENDED</bcp14>.  All servers in an anycast
set must be able to verify the Server Cookies constructed by all other servers
in that anycast set at all times.  Therefore, it is vital that the Server Secret
is shared among all servers before it is used to generate Server Cookies on any
server.</t>
<t>Also, to maximize maintaining established relationships between clients and
servers, an old Server Secret should be valid for verification purposes for a
specific period.</t>
<t>To facilitate this, deployment of a new Server Secret <bcp14>MUST</bcp14> be done in three
stages:</t>

<dl newline="true">
<dt>Stage 1</dt>
<dd><t>
The new Server Secret is deployed on all the servers in an anycast set by
the operator.</t>
<t>Each server learns the new Server Secret but keeps using the previous Server
Secret to generate Server Cookies.</t>
<t>Server Cookies constructed with both the new Server Secret and the previous
Server Secret are considered valid when verifying.</t>
<t>After stage 1 is completed, all the servers in the anycast set have learned the
new Server Secret and can verify Server Cookies constructed with it, but keep
generating Server Cookies with the old Server Secret.</t></dd>
<dt>Stage 2</dt>
<dd><t>
This stage is initiated by the operator after the Server Cookie is present
on all members in the anycast set.</t>
<t>When entering Stage 2, servers start generating Server Cookies with the new
Server Secret. The previous Server Secret is not yet removed/forgotten.</t>
<t>Server Cookies constructed with both the new Server Secret and the
previous Server Secret are considered valid when verifying.</t></dd>
<dt>Stage 3</dt>
<dd><t>
This stage is initiated by the operator when it can be assumed that most
clients have obtained a Server Cookie derived from the new Server Secret.</t>
<t>With this stage, the previous Server Secret can be removed and <bcp14>MUST NOT</bcp14> be
used anymore for verifying.</t>

<t>It is <bcp14>RECOMMENDED</bcp14> that the operator wait, after initiating Stage 2
  and before initiating Stage 3, at least a period of time equal to
  the longest TTL in the zones served by the server plus 1 hour.
</t>

<t>The operator <bcp14>SHOULD</bcp14> wait at least longer than the period clients are allowed
to use the same Server Cookie, which <bcp14>SHOULD</bcp14> be 1 hour (see <xref target="timestampField"></xref>).</t></dd>
</dl>
</section>

<section anchor="cookieAlgorithms"><name>Cookie Algorithms</name>
<t><xref target="SipHash-2-4"></xref> is a pseudorandom function suitable as a Message Authentication
Code.  It is <bcp14>REQUIRED</bcp14> that a compliant DNS server use SipHash-2-4 as a
mandatory and default algorithm for DNS Cookies to ensure interoperability
between the DNS Implementations.</t>
<t>The construction method and pseudorandom function used in calculating and
verifying the Server Cookies are determined by the initial version byte and by
the length of the Server Cookie. Additional pseudorandom or construction
algorithms for Server Cookies might be added in the future.</t>
</section>

<section anchor="ianaConsiderations"><name>IANA Considerations</name>
<t>IANA has created a registry under the &quot;Domain Name System (DNS) Parameters&quot; heading as follows:</t>

<dl>

<dt>Registry Name:
</dt>
<dd>DNS Server Cookie Methods
</dd>

<dt>Assignment Policy:
</dt>
<dd>Expert Review
</dd>

<dt>Reference:
</dt>
<dd>[RFC9018], <xref target="RFC7873"/>
</dd>

<dt>Note:
</dt>
<dd>A Server Cookie method (construction and pseudorandom algorithm) is
determined by the Version in the first byte of the cookie and by the cookie
size. Server Cookie size is limited to the inclusive range of 8 to 32 bytes.
</dd>

</dl>

<table>
  <name>DNS Server Cookie Methods</name>
<thead>
<tr>
<th align="right">Version</th>
<th align="right">Size</th>
<th align="left">Method</th>
</tr>
</thead>

<tbody>
<tr>
<td align="right">0</td>
<td align="right">8-32</td>
<td align="left">Reserved</td>
</tr>

<tr>
<td align="right">1</td>
<td align="right">8-15</td>
<td align="left">Unassigned</td>
</tr>

<tr>
<td align="right">1</td>
<td align="right">16</td>
<td align="left">SipHash-2-4 [RFC9018] <xref target="serverCookie"></xref></td>
</tr>

<tr>
<td align="right">1</td>
<td align="right">17-32</td>
<td align="left">Unassigned</td>
</tr>

<tr>
<td align="right">2-239</td>
<td align="right">8-32</td>
<td align="left">Unassigned</td>
</tr>

<tr>
<td align="right">240-254</td>
<td align="right">8-32</td>
<td align="left">Reserved for Private Use</td>
</tr>

<tr>
<td align="right">255</td>
<td align="right">8-32</td>
<td align="left">Reserved</td>
</tr>
</tbody>
</table></section>

<section anchor="securityConsiderations"><name>Security and Privacy Considerations</name>
<t>DNS Cookies provide limited protection to DNS servers and clients against a
variety of denial-of-service amplification, forgery, or cache-poisoning attacks
by off-path attackers. They provide no protection against on-path adversaries
that can observe the plaintext DNS traffic. An on-path adversary that can
observe a Server Cookie for a client and server interaction can use that
Server Cookie for denial-of-service amplification, forgery, or cache-poisoning
attacks directed at that client for the lifetime of the Server Cookie.</t>

<section anchor="client-cookie-construction"><name>Client Cookie Construction</name>
<t>In <xref target="RFC7873"></xref>, it was <bcp14>RECOMMENDED</bcp14> to construct a Client Cookie by using a
pseudorandom function of the Client IP address, the Server IP address, and a
secret quantity known only to the client. The Client IP address was included to
ensure that a client could not be tracked if its IP address changes due to
privacy mechanisms or otherwise.</t>
<t>In this document, we changed Client Cookie construction to be just 64 bits of
entropy newly created for each new upstream server the client connects to.
As a consequence, additional care needs to be taken to prevent tracking of
clients.  To prevent tracking, a new Client Cookie for a server <bcp14>MUST</bcp14> be created
whenever the Client IP address changes.</t>
<t>Unfortunately, tracking Client IP address changes is impractical with servers
that do not support DNS Cookies. To prevent tracking of clients with non-DNS
Cookie-supporting servers, a client <bcp14>MUST NOT</bcp14> send a previously sent Client
Cookie to a server not known to support DNS Cookies. To prevent the creation of
a new Client Cookie for each query to a non-DNS Cookie-supporting server, it
is <bcp14>RECOMMENDED</bcp14> to not send a Client Cookie to that server for a certain period,
for example five minutes.</t>
<t>Summarizing:</t>

<ul>
<li><t>In order to provide minimal authentication, a client <bcp14>MUST</bcp14> use a
different Client Cookie for each different Server IP address.</t>
</li>
<li><t>To prevent tracking of clients, a new Client Cookie <bcp14>MUST</bcp14> be created
when the Client IP address changes.</t>
</li>
<li><t>To prevent tracking of clients by a non-DNS Cookie-supporting server,
a client <bcp14>MUST NOT</bcp14> send a previously sent Client Cookie to a server in the
absence of an associated Server Cookie.</t>
</li>
</ul>
<t>Note that it is infeasible for a client to detect a change in the public IP
address when the client is behind a routing device performing Network Address
Translation (NAT).  A server may track the public IP address of that routing
device performing the NAT. Preventing tracking of the public IP of a
NAT-performing routing device is beyond the scope of this document.</t>
</section>

<section anchor="server-cookie-construction"><name>Server Cookie Construction</name>
<t><xref target="RFC7873"></xref> did not give a precise recipe for constructing Server Cookies, but
it did recommend usage of a pseudorandom function strong enough to prevent
the guessing of cookies. In this document, SipHash-2-4 is assigned as the
pseudorandom function to be used for version 1 Server Cookies. SipHash-2-4 is
considered sufficiently strong for the immediate future, but predictions about
future development in cryptography and cryptanalysis are beyond the scope of
this document.</t>
<t>The precise structure of version 1 Server Cookies is defined in this
document.  A portion of the structure is made up of unhashed data elements
that are exposed in cleartext to an on-path observer. These unhashed data
elements are taken along as input to the SipHash-2-4 function of which the
result is the other portion of the Server Cookie, so the unhashed portion of
the Server Cookie cannot be changed by an on-path attacker without also
recalculating the hashed portion for which the Server Secret needs to be
known.

</t>
<t>One of the elements in the unhashed portion of version 1 Server Cookies is
a Timestamp used to prevent Replay Attacks.  Servers verifying version 1
Server Cookies need to have access to a reliable time value, one that cannot
be altered by an attacker, to compare with the Timestamp value. Furthermore,
all servers participating in an anycast set that validate version 1 Server
Cookies need to have their clocks synchronized.</t>
<t>
For an on-path adversary observing a Server Cookie (as mentioned in the first
paragraph of <xref target="securityConsiderations"/>), the cleartext Timestamp data element reveals the
lifetime during which the observed Server Cookie can be used to attack the
client.
</t>
<t>In addition to the Security Considerations in this section, the Security
Considerations section of <xref target="RFC7873"></xref> still applies.</t>
</section>
</section>

</middle>

<back>
  <references><name>References</name>
<references><name>Normative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1982.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3339.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7873.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>

<reference anchor="SipHash-2-4" target="https://doi.org/10.1007/978-3-642-34931-7_28">
  <front>
    <title>SipHash: A Fast Short-Input PRF</title>
    <author fullname="Jean-Philippe Aumasson" initials="J." surname="Aumasson"></author>
    <author fullname="Daniel J. Bernstein" initials="D. J." surname="Bernstein"></author>
    <date year="2012" month="December"/>
  </front>

<refcontent>Progress in Cryptology - INDOCRYPT 2012</refcontent>
<refcontent>Lecture Notes in Computer Science, vol. 7668</refcontent>
</reference>

</references>

<references><name>Informative References</name>

<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4941.xml"/>
</references>
  </references>

<section anchor="testVectors"><name>Test Vectors</name>

<section anchor="learning-a-new-server-cookie"><name>Learning a New Server Cookie</name>
<t>A resolver (client) sending from IPv4 address 198.51.100.100 sends a query for
<tt>example.com</tt> to an authoritative server listening on 192.0.2.53 from
which it has not yet learned the server cookie.</t>
<t>The DNS requests and replies shown in this appendix are in a &quot;dig&quot;-like format.
The content of the DNS COOKIE Option is shown in hexadecimal format after
<tt>; COOKIE:</tt>.</t>

<sourcecode type="">;; Sending:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 57406
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2464c4abcf10c957
;; QUESTION SECTION:
;example.com.                IN      A

;; QUERY SIZE: 52
</sourcecode>
<t>The authoritative nameserver (server) is configured with the following secret:
e5e973e5a6b2a43f48e7dc849e37bfcf (as hex data).</t>
<t>It receives the query on Wed Jun  5 10:53:05 UTC 2019.</t>
<t>The content of the DNS COOKIE Option that the server will return is shown
below in hexadecimal format after <tt>; COOKIE:</tt>.</t>
<t>The Timestamp field <xref target="timestampField"></xref> in the returned Server Cookie has value
1559731985. In the format described in <xref target="RFC3339"></xref>, this is 2019-06-05 10:53:05+00:00.</t>

<sourcecode type="">;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 57406
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2464c4abcf10c957010000005cf79f111f8130c3eee29480 (good)
;; QUESTION SECTION:
;example.com.                IN      A

;; ANSWER SECTION:
example.com.         86400   IN      A       192.0.2.34

;; Query time: 6 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; WHEN: Wed Jun  5 10:53:05 UTC 2019
;; MSD SIZE  rcvd: 84
</sourcecode>
</section>

<section anchor="the-same-client-learning-a-renewed-fresh-server-cookie"><name>The Same Client Learning a Renewed (Fresh) Server Cookie</name>
<t>40 minutes later, the same resolver (client) queries the same server for
<tt>example.org</tt>. It reuses the Server Cookie it learned in the previous
query.</t>
<t>The Timestamp field in that previously learned Server Cookie, which is now sent
along in the request, was and is 1559731985. In the format of <xref target="RFC3339"></xref>, this is
2019-06-05 10:53:05+00:00.</t>

<sourcecode type="">;; Sending:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 50939
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2464c4abcf10c957010000005cf79f111f8130c3eee29480
;; QUESTION SECTION:
;example.org.                IN      A

;; QUERY SIZE: 52
</sourcecode>
<t>The authoritative nameserver (server) now generates a new Server Cookie.
The server <bcp14>SHOULD</bcp14> do this because it can see the Server Cookie
sent by the client is older than half an hour (<xref
target="timestampField"></xref>), but it is also fine for a server to generate
a new Server Cookie sooner or even for every answer.</t>
<t>The Timestamp field in the returned new Server Cookie has value 1559734385,
which, in the format of <xref target="RFC3339"></xref>, is 2019-06-05 11:33:05+00:00.</t>

<sourcecode type="">;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 50939
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2464c4abcf10c957010000005cf7a871d4a564a1442aca77 (good)
;; QUESTION SECTION:
;example.org.                IN      A

;; ANSWER SECTION:
example.org.         86400   IN      A       192.0.2.34

;; Query time: 6 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; WHEN: Wed Jun  5 11:33:05 UTC 2019
;; MSD SIZE  rcvd: 84
</sourcecode>
</section>

<section anchor="another-client-learning-a-renewed-server-cookie"><name>Another Client Learning a Renewed Server Cookie</name>
<t>Another resolver (client) with IPv4 address 203.0.113.203 sends a request to
the same server with a valid Server Cookie that it learned before
(on Wed Jun  5 09:46:25 UTC 2019).</t>
<t>The Timestamp field of the Server Cookie in the request has value 1559727985,
which, in the format of <xref target="RFC3339"></xref>, is 2019-06-05 09:46:25+00:00.</t>
<t>Note that the Server Cookie has Reserved bytes set but is still valid with the
configured secret; the Hash part is calculated taking along the Reserved bytes.</t>

<sourcecode type="">;; Sending:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 34736
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: fc93fc62807ddb8601abcdef5cf78f71a314227b6679ebf5
;; QUESTION SECTION:
;example.com.                IN      A

;; QUERY SIZE: 52
</sourcecode>
<t>The authoritative nameserver (server) replies with a freshly generated Server
Cookie for this client conformant with this specification, i.e., with the Reserved
bits set to zero.</t>
<t>The Timestamp field in the returned new Server Cookie has value 1559734700,
which, in the format of <xref target="RFC3339"></xref>, is 2019-06-05 11:38:20+00:00.</t>

<sourcecode type="">;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 34736
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: fc93fc62807ddb86010000005cf7a9acf73a7810aca2381e (good)
;; QUESTION SECTION:
;example.com.                IN      A

;; ANSWER SECTION:
example.com.         86400   IN      A       192.0.2.34

;; Query time: 6 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; WHEN: Wed Jun  5 11:38:20 UTC 2019
;; MSD SIZE  rcvd: 84
</sourcecode>
</section>

<section anchor="ipv6-query-with-rolled-over-secret"><name>IPv6 Query with Rolled Over Secret</name>
<t>The query below is from a client with IPv6 address 2001:db8:220:1:59de:d0f4:8769:82b8 to a server
with IPv6 address 2001:db8:8f::53.  The client has learned a valid Server Cookie
before (on Wed Jun  5 13:36:57 UTC 2019) when the Server had the secret:
dd3bdf9344b678b185a6f5cb60fca715.  The server now uses a new secret, but it can still validate
the Server Cookie provided by the client as the old secret has not expired yet.</t>
<t>The Timestamp field in the Server Cookie in the request has value
1559741817, which, in the format of <xref target="RFC3339"></xref>, is 2019-06-05 13:36:57+00:00.</t>

<sourcecode type="">;; Sending:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 6774
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 22681ab97d52c298010000005cf7c57926556bd0934c72f8
;; QUESTION SECTION:
;example.net.                IN      A

;; QUERY SIZE: 52
</sourcecode>
<t>The authoritative nameserver (server) replies with a freshly generated server
cookie for this client with its new secret: 445536bcd2513298075a5d379663c962.</t>
<t>The Timestamp field in the returned new Server Cookie has value 1559741961,
which, in the format of <xref target="RFC3339"></xref>, is
2019-06-05 13:39:21+00:00.</t>

<sourcecode type="">;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 6774
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 22681ab97d52c298010000005cf7c609a6bb79d16625507a (good)
;; QUESTION SECTION:
;example.net.                IN      A

;; ANSWER SECTION:
example.net.         86400   IN      A       192.0.2.34

;; Query time: 6 msec
;; SERVER: 2001:db8:8f::53#53(2001:db8:8f::53)
;; WHEN: Wed Jun  5 13:36:57 UTC 2019
;; MSD SIZE  rcvd: 84
</sourcecode>
</section>
</section>

<section anchor="implementation-status"><name>Implementation Status</name>
<t>At the time of writing, BIND from version 9.16 and Knot DNS from version 2.9.0
create Server Cookies according to the recipe described in this document. Unbound
and NSD have a Proof-of-Concept implementation that has been tested for
interoperability during the hackathon at IETF 104 in Prague.  Construction
of privacy maintaining Client Cookies according to the directions in this document
have been implemented in the getdns library and will be in the upcoming
getdns-1.6.1 release and in Stubby version 0.3.1.</t>
</section>

<section anchor="acknowledgements" numbered="false"><name>Acknowledgements</name>
<t>Thanks to <contact fullname="Witold Krecicki"/> and <contact
fullname="Pieter Lexis"/> for valuable input, suggestions, text, and above
all for implementing a prototype of an interoperable DNS Cookie in Bind9, Knot,
and PowerDNS during the hackathon at IETF 104 in Prague.  Thanks for valuable
input and suggestions go to <contact fullname="Ralph Dolmans"/>, <contact
fullname="Bob Harold"/>, <contact fullname="Daniel Salzman"/>, <contact
fullname="Martin Hoffmann"/>, <contact fullname="Mukund Sivaraman"/>, <contact
fullname="Petr Spacek"/>, <contact fullname="Loganaden Velvindron"/>, <contact
fullname="Bob Harold"/>, <contact fullname="Philip Homburg"/>, <contact
fullname="Tim Wicinski"/>, and <contact fullname="Brian Dickson"/>.</t>
</section>

</back>

</rfc>