Write about DNS/cookies/5.3 here.
There is also a discussion of retrying over TCP.
5.3. Processing Responses

The Client Cookie, when it occurs in a COOKIE option in a DNS reply, is intended to weakly assure the client that the reply came from a server at the source IP address used in the response packet, because the Client Cookie value is the value that client would send to that server in a request. In a DNS reply with multiple COOKIE options, all but the first (the one closest to the DNS header) are ignored.

A DNS client where DNS Cookies are implemented and enabled examines the response for DNS Cookies and MUST discard the response if it contains an illegal COOKIE option length or an incorrect Client Cookie value. If the client is expecting the response to contain a COOKIE option and it is missing, the response MUST be discarded.

If the COOKIE option Client Cookie is correct, the client caches the Server Cookie provided, even if the response is an error response (RCODE non-zero).

If the extended RCODE in the reply is BADCOOKIE and the Client Cookie in the reply matches what was sent, it means that the server was unwilling to process the request because it did not have the correct Server Cookie in it. The client SHOULD retry the request using the new Server Cookie from the response. Repeated BADCOOKIE responses to requests that use the Server Cookie provided in the previous response may be an indication that either the shared secrets or the method for generating secrets in an anycast cluster of servers is inconsistent.

If the reply to a retried request with a fresh Server Cookie is BADCOOKIE, the client SHOULD retry using TCP as the transport, since the server will likely process the request normally based on the security provided by TCP (see Section 5.2.3). If the RCODE is some value other than BADCOOKIE, including zero, the further processing of the response proceeds normally.
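The response-processing rules quoted above, written out as a small client-side state machine. This is an added example for this page, not code from RFC 7873 or from any resolver; the ClientState layout, the action names ("discard", "accept", "retry-udp", "retry-tcp"), the encode_options helper and the sample cookie values are assumptions made here. It parses the OPT RDATA, takes only the first COOKIE option, checks option length and Client Cookie, caches the Server Cookie even on error RCODEs, retries once over UDP with the new Server Cookie on BADCOOKIE, and falls back to TCP on a second BADCOOKIE (or on a BADCOOKIE that carries no new Server Cookie, since resending the same cookie cannot help).

```python
"""Client-side handling of COOKIE options in DNS replies, following RFC 7873 Section 5.3.

Added example for this page; not code from the RFC or from any resolver. The
ClientState layout, the action names and the sample cookies are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

COOKIE_OPTION_CODE = 10   # EDNS(0) option code for COOKIE (RFC 7873 Section 4)
BADCOOKIE = 23            # extended RCODE defined in RFC 7873 Section 8
NOERROR = 0
SERVFAIL = 2


@dataclass
class Response:
    """The fields of a reply that Section 5.3 examines (constructed for this example)."""
    extended_rcode: int
    opt_rdata: bytes = b""     # RDATA of the OPT pseudo-RR; empty if the reply has none


@dataclass
class ClientState:
    """Per-server state a resolver keeps (hypothetical layout, not prescribed by the RFC)."""
    client_cookie: bytes               # the 8-byte Client Cookie we send to this server
    server_cookie: Optional[bytes] = None
    transport: str = "udp"
    badcookie_retries: int = 0
    expects_cookie: bool = True        # True when our request carried a COOKIE option


def encode_options(options: List[Tuple[int, bytes]]) -> bytes:
    """Build OPT RDATA from (option-code, option-data) pairs, in wire order."""
    return b"".join(
        code.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data
        for code, data in options
    )


def parse_options(rdata: bytes) -> List[Tuple[int, bytes]]:
    """Split OPT RDATA into (option-code, option-data) pairs; stop at a truncated option."""
    options, i = [], 0
    while i + 4 <= len(rdata):
        code = int.from_bytes(rdata[i:i + 2], "big")
        length = int.from_bytes(rdata[i + 2:i + 4], "big")
        data = rdata[i + 4:i + 4 + length]
        if len(data) != length:
            break
        options.append((code, data))
        i += 4 + length
    return options


def first_cookie_option(rdata: bytes) -> Optional[bytes]:
    """Only the COOKIE option closest to the DNS header counts; later ones are ignored."""
    for code, data in parse_options(rdata):
        if code == COOKIE_OPTION_CODE:
            return data
    return None


def process_response(state: ClientState, resp: Response) -> str:
    """Apply the Section 5.3 rules and return the client's next action:
    'discard', 'accept', 'retry-udp' (resend with the new Server Cookie) or 'retry-tcp'."""
    cookie = first_cookie_option(resp.opt_rdata)
    if cookie is None:
        # A missing COOKIE option is fatal only when we sent one and expect it back.
        return "discard" if state.expects_cookie else "accept"
    # Legal lengths: 8 (Client Cookie only) or 16..40 (Client + 8..32-byte Server Cookie).
    if not (len(cookie) == 8 or 16 <= len(cookie) <= 40):
        return "discard"
    if cookie[:8] != state.client_cookie:
        return "discard"                       # wrong Client Cookie: not a reply to our request
    new_server_cookie = cookie[8:] if len(cookie) > 8 else None
    if new_server_cookie is not None:
        state.server_cookie = new_server_cookie   # cached even when RCODE is non-zero
    if resp.extended_rcode != BADCOOKIE:
        state.badcookie_retries = 0
        return "accept"                        # any other RCODE, including zero: process normally
    # BADCOOKIE: the server rejected the Server Cookie we sent.
    state.badcookie_retries += 1
    if state.transport == "udp" and state.badcookie_retries == 1 and new_server_cookie:
        return "retry-udp"                     # one retry with the fresh Server Cookie
    state.transport = "tcp"                    # repeated BADCOOKIE: fall back to TCP
    return "retry-tcp"
```

Note that a reply with a wrong Client Cookie is simply discarded and leaves the cached Server Cookie untouched; the text above gives no retry or fallback for that case, only for BADCOOKIE with a matching Client Cookie.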
What is the behaviour when a forged reply is detected? Is it handled the same way as BADCOOKIE? -- ToshinoriMaeno 2020-11-19 09:37:50