Technical Summary
DNS Cookies are a lightweight DNS transaction security mechanism that provides limited protection to DNS servers and clients against a variety of increasingly common denial-of-service, amplification, forgery and cache-poisoning attacks by off-path attackers. The protection is limited to off-path attackers because a cookie only proves that the sender saw the earlier exchange; an attacker who can observe traffic between the two parties can read the cookies and is not stopped. DNS Cookies are tolerant of NAT, NAT-PT (Network Address Translation - Protocol Translation) and anycast, and can be incrementally deployed.
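The exchange the summary describes, as an added worked example (not code from the draft or from either implementation mentioned below). It encodes the EDNS(0) COOKIE option (option code 10), walks through first contact, a validated follow-up query, a forged server cookie and a replayed cookie from a different source address, and returns BADCOOKIE (RCODE 23) for the last two. The server-cookie construction (HMAC-SHA256 over client cookie and source address under a server secret, truncated to 16 bytes) and the client-cookie derivation are illustrative choices; the draft leaves the exact functions to the implementation. The class names, secrets and addresses are assumptions for the example.

```python
import hashlib
import hmac
import os
import struct

COOKIE_OPTION_CODE = 10   # EDNS(0) option code assigned to COOKIE
RCODE_BADCOOKIE = 23      # extended RCODE: server cookie present but wrong
CLIENT_COOKIE_LEN = 8


def encode_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Wire-encode an EDNS COOKIE option: code, length, 8-byte client cookie
    and an optional 8..32-byte server cookie."""
    if len(client_cookie) != CLIENT_COOKIE_LEN:
        raise ValueError("client cookie must be 8 bytes")
    if server_cookie and not 8 <= len(server_cookie) <= 32:
        raise ValueError("server cookie must be 8..32 bytes")
    data = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def decode_cookie_option(option: bytes):
    """Parse a COOKIE option into (client_cookie, server_cookie); server_cookie
    is b"" when the option carries only the client half."""
    code, length = struct.unpack("!HH", option[:4])
    if code != COOKIE_OPTION_CODE:
        raise ValueError("not a COOKIE option")
    data = option[4:4 + length]
    if len(data) != length or length not in (8, *range(16, 41)):
        raise ValueError("malformed COOKIE option")
    return data[:8], data[8:]


class CookieServer:
    """Illustrative server side (assumed construction). The server cookie
    binds the client cookie to the query's source address under a secret,
    so an off-path attacker who never saw the exchange cannot produce one."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def make_server_cookie(self, client_cookie: bytes, client_ip: str) -> bytes:
        mac = hmac.new(self.secret, client_cookie + client_ip.encode(), hashlib.sha256)
        return mac.digest()[:16]

    def handle(self, option: bytes, client_ip: str):
        """Return (rcode, COOKIE option for the response)."""
        client_cookie, server_cookie = decode_cookie_option(option)
        expected = self.make_server_cookie(client_cookie, client_ip)
        reply = encode_cookie_option(client_cookie, expected)
        if not server_cookie:
            # first contact: hand out a server cookie (a server under attack may
            # additionally rate-limit or truncate cookie-less queries)
            return 0, reply
        if hmac.compare_digest(server_cookie, expected):
            return 0, reply
        return RCODE_BADCOOKIE, reply


class CookieClient:
    """Illustrative client side: one client cookie per server, derived from a
    client secret and the server address; remembers the last server cookie."""

    def __init__(self, secret: bytes, my_ip: str):
        self.secret = secret
        self.my_ip = my_ip
        self.server_cookies = {}

    def client_cookie(self, server_ip: str) -> bytes:
        return hmac.new(self.secret, server_ip.encode(), hashlib.sha256).digest()[:8]

    def query_option(self, server_ip: str) -> bytes:
        return encode_cookie_option(self.client_cookie(server_ip),
                                    self.server_cookies.get(server_ip, b""))

    def learn(self, server_ip: str, response_option: bytes) -> None:
        cc, sc = decode_cookie_option(response_option)
        if cc != self.client_cookie(server_ip):
            raise ValueError("client cookie mismatch: treat response as forged")
        self.server_cookies[server_ip] = sc


def demo():
    """Run the four scenarios; addresses are constructed documentation ranges."""
    server = CookieServer(secret=os.urandom(32))
    client = CookieClient(secret=os.urandom(32), my_ip="192.0.2.1")
    server_ip = "198.51.100.53"
    results = {}
    # 1. first query carries only the client cookie; server returns a server cookie
    rcode, resp = server.handle(client.query_option(server_ip), client.my_ip)
    client.learn(server_ip, resp)
    results["first"] = rcode
    # 2. follow-up query echoes the learned server cookie and validates
    rcode, _ = server.handle(client.query_option(server_ip), client.my_ip)
    results["second"] = rcode
    # 3. off-path attacker spoofs the client's address but must guess the server cookie
    forged = encode_cookie_option(client.client_cookie(server_ip), os.urandom(16))
    rcode, _ = server.handle(forged, client.my_ip)
    results["forged"] = rcode
    # 4. a genuine cookie replayed from another source address is bound to the wrong IP
    rcode, _ = server.handle(client.query_option(server_ip), "203.0.113.9")
    results["replayed"] = rcode
    return results


if __name__ == "__main__":
    print(demo())
```

Scenario 4 is what makes the mechanism NAT-tolerant in practice: the cookie is bound to the address the server actually sees (the NAT's public address), so every client behind that NAT validates against it, while a spoofed query from elsewhere does not.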
Working Group Summary
This draft was originally raised several years ago, but it languished due to working group hubris. When it was revised, the working group had broad consensus that this was a relevant document. The draft had many reviewers, and it also picked up another author as the design was polished.
Initially, the draft defined the EDNS option to include an Error Code that was returned. After much discussion, and a prototype deployment of the option, it was decided that the Error Code was not needed, and it was removed. Since then, a second implementation has appeared.
The working group reached strong consensus behind this draft.
Personnel
Document Shepherd: Tim Wicinski
Area Director: Joel Jaeggli