Domain Name System (DNS) Cookies
draft-ietf-dnsop-cookies-10
Document history
Date | Rev. | By | Action |
---|---|---|---|
2016-05-19 | 10 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2016-05-16 | 10 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2016-05-11 | 10 | (System) | RFC Editor state changed to RFC-EDITOR from AUTH |
2016-05-09 | 10 | (System) | RFC Editor state changed to AUTH from EDIT |
2016-04-18 | 10 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2016-04-18 | 10 | (System) | IANA Action state changed to Waiting on RFC Editor from Waiting on Authors |
2016-04-15 | 10 | (System) | IANA Action state changed to Waiting on Authors |
2016-04-11 | 10 | (System) | RFC Editor state changed to EDIT |
2016-04-11 | 10 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2016-04-11 | 10 | (System) | Announcement was received by RFC Editor |
2016-04-11 | 10 | Amy Vezza | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2016-04-11 | 10 | Amy Vezza | IESG has approved the document |
2016-04-11 | 10 | Amy Vezza | Closed "Approve" ballot |
2016-04-11 | 10 | Amy Vezza | Ballot approval text was generated |
2016-04-11 | 10 | Joel Jaeggli | IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::Point Raised - writeup needed |
2016-04-05 | 10 | Donald Eastlake | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2016-04-05 | 10 | Donald Eastlake | New version available: draft-ietf-dnsop-cookies-10.txt |
2016-01-21 | 09 | Tero Kivinen | Request for Telechat review by SECDIR Completed: Ready. Reviewer: Yoav Nir. |
2016-01-21 | 09 | Peter Yee | Request for Telechat review by GENART Completed: Ready. Reviewer: Peter Yee. |
2016-01-21 | 09 | Cindy Morgan | IESG state changed to Approved-announcement to be sent::Point Raised - writeup needed from IESG Evaluation |
2016-01-21 | 09 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko |
2016-01-20 | 09 | Martin Stiemerling | [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling |
2016-01-20 | 09 | Barry Leiba | [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba |
2016-01-20 | 09 | Cindy Morgan | Changed consensus to Yes from Unknown |
2016-01-20 | 09 | Ben Campbell | [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell |
2016-01-20 | 09 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2016-01-20 | 09 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2016-01-20 | 09 | Alia Atlas | [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas |
2016-01-20 | 09 | Benoît Claise | [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise |
2016-01-20 | 09 | Stephen Farrell | [Ballot comment] - section 3: I think it'd have been good to mention the work being done in dprive as another future protection that should be compatible with DNS cookies. - I agree with Alissa's comment (2). - section 9: I think you should note that (particularly cleartext) client cookies allow correlation of client requests for the duration of the client cookie lifetime, which may affect other things the client does to try to avoid correlation, and that the set of lifetimes of all of those kinds of thing are really interdependent. So e.g. if a client changes its source IP for privacy reasons, that may be defeated if the same client cookie is still being used for DNS requests. - Thanks for handling the secdir review. That seems to have ended up [1] with client cookie values that are quite similar when only one bit of the server IP varies. Yet, [FNV] says that it has "high dispersion." I don't know FNV well enough to know if what Yoav called the "disturbingly similar" values in [1] might allow for guessing cookie values if one has ever seen a cookie value or not, but I'd be interested in chatting about that. (In a non-blocking sense :-) In general, I'd prefer if you recommended HMAC-SHA256 rather than FNV myself - why isn't that really a better thing to put in the appendices? (Yeah, performance, I know, but is the delta between FNV and HMAC-SHA256 really so significant these days, compared to the time it takes to look up the DNS data itself?) [1] https://www.ietf.org/mail-archive/web/secdir/current/msg06268.html - Can't an access point/router that was once on path but is no longer abuse the client cookie (that it once saw go by) when that client is still using the same value later to talk to the same server via another n/w path? Is that worth a mention in the security considerations? What'd be the effect? I wondered why you didn't include e.g. the client IP in the input in Appendix A.1 to avoid this issue? |
2016-01-20 | 09 | Stephen Farrell | [Ballot Position Update] New position, No Objection, has been recorded for Stephen Farrell |
2016-01-19 | 09 | Terry Manderson | [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson |
2016-01-19 | 09 | Alissa Cooper | [Ballot comment] (1) "To avoid rollover synchronization and predictability, it is RECOMMENDED that pseudorandom jitter in the range of plus zero to minus at least 40% be applied to the time until a scheduled rollover of a DNS cookie secret." Why is it recommended to vary the interval in only the shorter direction (I'm assuming that is what is meant by "plus zero")? Then the interval will only ever get shorter, it seems. (2) It seems like there should be a recommendation about when to delete an old client cookie (e.g., after receiving a response to an outstanding request, or after some period of time with no response). |
2016-01-19 | 09 | Alissa Cooper | [Ballot Position Update] New position, Yes, has been recorded for Alissa Cooper |
2016-01-19 | 09 | Brian Haberman | [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman |
2016-01-18 | 09 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2016-01-14 | 09 | Jean Mahoney | Request for Telechat review by GENART is assigned to Peter Yee |
2016-01-14 | 09 | Jean Mahoney | Request for Telechat review by GENART is assigned to Peter Yee |
2016-01-13 | 09 | (System) | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
2016-01-12 | 09 | Donald Eastlake | New version available: draft-ietf-dnsop-cookies-09.txt |
2016-01-07 | 08 | Tero Kivinen | Request for Telechat review by SECDIR is assigned to Yoav Nir |
2016-01-07 | 08 | Tero Kivinen | Request for Telechat review by SECDIR is assigned to Yoav Nir |
2016-01-04 | 08 | Joel Jaeggli | Placed on agenda for telechat - 2016-01-21 |
2016-01-04 | 08 | Joel Jaeggli | IESG state changed to IESG Evaluation from Waiting for Writeup |
2016-01-04 | 08 | Joel Jaeggli | Ballot has been issued |
2016-01-04 | 08 | Joel Jaeggli | [Ballot Position Update] New position, Yes, has been recorded for Joel Jaeggli |
2016-01-04 | 08 | Joel Jaeggli | Created "Approve" ballot |
2016-01-04 | 08 | Joel Jaeggli | Ballot writeup was changed |
2015-12-25 | 08 | Peter Yee | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Peter Yee. |
2015-12-24 | 08 | Donald Eastlake | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2015-12-24 | 08 | Donald Eastlake | New version available: draft-ietf-dnsop-cookies-08.txt |
2015-12-22 | 07 | Gunter Van de Velde | Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Dan Romascanu. |
2015-12-14 | 07 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2015-12-11 | 07 | (System) | IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed |
2015-12-11 | 07 | Sabrina Tanamal | (Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs: IANA has completed its review of draft-ietf-dnsop-cookies-07.txt. If any part of this review is inaccurate, please let us know. IANA understands that, upon approval of this document, there are two actions which IANA must complete. First, in the DNS EDNS0 Option Codes (OPT) subregistry of the Domain Name System (DNS) Parameters registry located at: http://www.iana.org/assignments/dns-parameters/ the value 10 has already been registered for use in this draft. Upon approval of this document the reference for: Value: 10 Name: COOKIE Status: Standard Reference: [ this-draft ] will be changed from [draft-ietf-dnsop-cookies] to [ RFC-to-be ]. Second, in the DNS RCODEs subregistry of the Domain Name System (DNS) Parameters registry located at: http://www.iana.org/assignments/dns-parameters/ the value 23 has been subject to a temporary registration. This temporary registration is changed to a permanent registration and the reference is changed to [ RFC-to-be ]. IANA understands that these two actions are the only ones that are required to be completed upon publication of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. Thank you, Sabrina Tanamal IANA Specialist ICANN |
2015-12-10 | 07 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Yoav Nir. |
2015-12-04 | 07 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Dan Romascanu |
2015-12-04 | 07 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Dan Romascanu |
2015-12-03 | 07 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Yoav Nir |
2015-12-03 | 07 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Yoav Nir |
2015-11-30 | 07 | Jean Mahoney | Request for Last Call review by GENART is assigned to Peter Yee |
2015-11-30 | 07 | Jean Mahoney | Request for Last Call review by GENART is assigned to Peter Yee |
2015-11-30 | 07 | Amy Vezza | IANA Review state changed to IANA - Review Needed |
2015-11-30 | 07 | Amy Vezza | The following Last Call announcement was sent out: From: The IESG To: "IETF-Announce" CC: draft-ietf-dnsop-cookies@ietf.org, tjw.ietf@gmail.com, joelja@gmail.com, dnsop-chairs@ietf.org, dnsop@ietf.org Reply-To: ietf@ietf.org Sender: Subject: Last Call: (Domain Name System (DNS) Cookies) to Proposed Standard The IESG has received a request from the Domain Name System Operations WG (dnsop) to consider the following document: - 'Domain Name System (DNS) Cookies' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2015-12-14. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract DNS cookies are a lightweight DNS transaction security mechanism that provides limited protection to DNS servers and clients against a variety of increasingly common denial-of-service and amplification / forgery or cache poisoning attacks by off-path attackers. DNS Cookies are tolerant of NAT, NAT-PT, and anycast and can be incrementally deployed. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-dnsop-cookies/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-dnsop-cookies/ballot/ No IPR declarations have been submitted directly on this I-D. |
2015-11-30 | 07 | Amy Vezza | IESG state changed to In Last Call from Last Call Requested |
2015-11-30 | 07 | Amy Vezza | Last call announcement was changed |
2015-11-27 | 07 | Joel Jaeggli | Last call was requested |
2015-11-27 | 07 | Joel Jaeggli | Last call announcement was generated |
2015-11-27 | 07 | Joel Jaeggli | Ballot approval text was generated |
2015-11-27 | 07 | Joel Jaeggli | Ballot writeup was generated |
2015-11-27 | 07 | Joel Jaeggli | IESG state changed to Last Call Requested from AD Evaluation |
2015-11-05 | 07 | Joel Jaeggli | IESG state changed to AD Evaluation from Publication Requested |
2015-11-03 | 07 | Tim Wicinski | 1. Summary Document Shepherd: Tim Wicinski Area Director: Joel Jaeggli Document Type: Proposed Standard DNS cookies are a lightweight DNS transaction security mechanism that provides limited protection to DNS servers and clients against a variety of increasingly common denial-of-service and amplification / forgery or cache poisoning attacks by off-path attackers. DNS Cookies are tolerant of NAT, NAT-PT, and anycast and can be incrementally deployed. 2. Review and Consensus This draft was originally raised several years ago but it languished due to working group hubris. When it was revised, the working group had broad consensus this was a relevant document. The draft had many reviewers, and also picked up another author as the design was polished. Initially, the draft defined the EDNS Option to have an Error Code that was returned. After much discussion, and a prototype deployment of the option, it was decided that the Error Code was not needed, and was removed. Since then a second implementation has appeared. The working group was in strong consensus behind this draft. 3. Intellectual Property There is no IPR related to this document, and the authors have no direct, personal knowledge of any IPR. 4. Other Points - Downward References There are no downward references in this document; and the shepherd agrees with the references and their classification. - IANA Considerations: IANA has assigned EDNS Option Code 10 for this option, and assigned DNS Error Code 23 as an early allocation. Explain anything else that the IESG might need to know when reviewing this document. If there is significant discontent with the document or the process, which might result in appeals to the IESG or especially bad feelings in the working group, explain this in a separate email message to the responsible Area Director. Checklist X- Does the shepherd stand behind the document and think the document is ready for publication? X- Is the correct RFC type indicated in the title page header? X- Is the abstract both brief and sufficient, and does it stand alone as a brief summary? X- Is the intent of the document accurately and adequately explained in the introduction? X- Have all required formal reviews (MIB Doctor, Media Type, URI, etc.) been requested and/or completed? X- Has the shepherd performed automated checks -- idnits (see http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist), checks of BNF rules, XML code and schemas, MIB definitions, and so on -- and determined that the document passes the tests? X- Has each author stated that their direct, personal knowledge of any IPR related to this document has already been disclosed, in conformance with BCPs 78 and 79? X- Have all references within this document been identified as either normative or informative, and does the shepherd agree with how they have been classified? X- Are all normative references made to documents that are ready for advancement and are otherwise in a clear state? X- If publication of this document changes the status of any existing RFCs, are those RFCs listed on the title page header, and are the changes listed in the abstract and discussed (explained, not just mentioned) in the introduction? X- If this is a "bis" document, have all of the errata been considered? X- IANA Considerations: |
2015-11-03 | 07 | Tim Wicinski | Responsible AD changed to Joel Jaeggli |
2015-11-03 | 07 | Tim Wicinski | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2015-11-03 | 07 | Tim Wicinski | IESG state changed to Publication Requested |
2015-11-03 | 07 | Tim Wicinski | IESG process started in state Publication Requested |
2015-11-03 | 07 | Tim Wicinski | Changed document writeup |
2015-11-02 | 07 | Tim Wicinski | IETF WG state changed to WG Consensus: Waiting for Write-Up from WG Document |
2015-11-01 | 07 | Donald Eastlake | New version available: draft-ietf-dnsop-cookies-07.txt |
2015-10-19 | 06 | Donald Eastlake | New version available: draft-ietf-dnsop-cookies-06.txt |
2015-10-14 | 05 | (System) | Notify list changed from "Tim Wicinski" to (None) |
2015-10-05 | 05 | Tim Wicinski | Notification list changed to "Tim Wicinski" <tjw.ietf@gmail.com> |
2015-10-05 | 05 | Tim Wicinski | Document shepherd changed to Tim Wicinski |
2015-08-01 | 05 | Donald Eastlake | New version available: draft-ietf-dnsop-cookies-05.txt |
2015-07-01 | 04 | Donald Eastlake | New version available: draft-ietf-dnsop-cookies-04.txt |
2015-07-01 | 03 | Donald Eastlake | New version available: draft-ietf-dnsop-cookies-03.txt |
2015-06-22 | 02 | Tim Wicinski | Intended Status changed to Proposed Standard from Internet Standard |
2015-06-16 | 02 | Donald Eastlake | New version available: draft-ietf-dnsop-cookies-02.txt |
2015-02-22 | 01 | Donald Eastlake | New version available: draft-ietf-dnsop-cookies-01.txt |
2014-11-30 | 00 | Tim Wicinski | Intended Status changed to Internet Standard from None |
2014-11-30 | 00 | Tim Wicinski | This document now replaces draft-eastlake-dnsext-cookies instead of None |
2014-11-30 | 00 | Donald Eastlake | New version available: draft-ietf-dnsop-cookies-00.txt |