Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

[Petr Špaček <petr.spacek@nic.cz>]

On 21.6.2018 14:38, Donald Eastlake wrote:
> Hi,
> 
> As the first author of the DNS Cookies RFC, I would be happy to generate
> a draft to standardize this to improve inter vendor interoperability for
> anycast servers.

Good! Where do we start?

Right now I'm aware of couple requirements:
1. it has to be easy to configure shared parameters (obviously)
2. code to generate server side cookies must not slow down servers in
benchmarks
3. bonus points if we can standardize standardized key derivation
function so all servers can be configured using the same "master key"
and derive/rotate keys in lockstep without operator intervention and
explicit synchronization
[i.e. something along lines deriv_func(master_key, day_in_GMT) or so]

Besides these I'm eager to hear reasoning why BIND selected AES/SHA-HMAC
and other requirements which were considered during the original
implementation.

On Knot DNS side the main criterion was basically speed, that's why
Daniel Salzman ended up using SipHash algorithm.

Petr Špaček  @  CZ.NIC


> Thanks,
> Donald 
> 
> On Thu, Jun 21, 2018 at 03:54 Ondřej Surý <ondrej@isc.org
> <mailto:ondrej@isc.org>> wrote:
> 
>     > On 21 Jun 2018, at 09:24, Petr Špaček <petr.spacek@nic.cz
>     <mailto:petr.spacek@nic.cz>> wrote:
>     > So let me ask again:
>     > Are other vendors willing to work on sufficiently detailed
>     > specification? If not just say it!
> 
>     +1 from ISC. I believe that we need to improve interoperability
>     between the
>     implementation or people will not be willing to deploy DNS cookies
>     at all.
> 
>     Ondrej