Domain Name System (DNS) Cookies
RFC 7873

Approval announcement
Draft of message to be sent after approval:

From: The IESG
To: "IETF-Announce"
Cc: "The IESG"
Subject: Protocol Action: 'Domain Name System (DNS) Cookies' to Proposed Standard (draft-ietf-dnsop-cookies-10.txt)

The IESG has approved the following document:
- 'Domain Name System (DNS) Cookies'
  (draft-ietf-dnsop-cookies-10.txt) as Proposed Standard

This document is the product of the Domain Name System Operations Working

The IESG contact persons are Benoit Claise and Joel Jaeggli.

A URL of this Internet Draft is:

Technical Summary

   DNS cookies are a lightweight DNS transaction security mechanism that
   provides limited protection to DNS servers and clients against a
   variety of increasingly common denial-of-service and amplification /
   forgery or cache poisoning attacks by off-path attackers. DNS Cookies
   are tolerant of NAT, NAT-PT, and anycast and can be incrementally

Working Group Summary

This draft was originally raised several years ago but it languished due to working group hubris.  When it was revised, the working group had broad consensus this was a relevant document.  The draft had many reviewers, and also picked up another author as the design was polished.

Initially, the draft defined the EDNS Option to have an Error Code that was returned. After much discussion, and a prototype deployment of the option, it was decided that the Error Code was not needed, and was removed. Since then a second implementation has appeared

The working group was in strong consensus behind this draft.


Document Shepherd:   Tim Wicinski
Area Director:       Joel Jaeggli