I have searched other issues and found no duplicates
I want to request a feature or enhancement and not ask a question
The problem
AdGuardHome is non-compliant with RFC 7873 and RFC 9018 DNS Cookies
DNS Cookies are a lightweight DNS transaction security mechanism that provides limited protection to DNS servers and clients against a variety of increasingly common denial-of-service and amplification/forgery or cache poisoning attacks by off-path attackers. DNS Cookies are tolerant of NAT, NAT-PT (Network Address Translation - Protocol Translation), and anycast and can be incrementally deployed. (Since DNS Cookies are only returned to the IP address from which they were originally received, they cannot be used to generally track Internet users.)
Proposed solution
Create and return server cookies for clients that send client cookies.
Alternatives considered and additional information
No response
Unbound has already implemented it; not sure if it applies to AGH as it's not a recursive resolver. At least it should forward the client cookies to Unbound or the upstream DNS servers???
I'm unsure if this comment belongs here, or whether it should be considered an independent bug report or feature request, but perhaps a discussion/bump here wouldn't hurt either way.
In the interim between the semi-immediate future and any eventual DNS Cookie specification compliance, AGH (or dnsproxy?) doesn't need to explicitly support DNS cookies itself in order for DNS cookies to function. It could "pull a dnsmasq/FTLDNS" and be happy to forward existing OPT RRs in queries/replies unmolested, which as it stands does not seem to be the case.
In this way clients can still validate the exchange, provided the clients themselves and AGH/dnsproxy's upstream(s) support it, and these days a good chunk of installs are likely to be paired with one or more local recursive nameservers that do.
Part of the reason I'm unsure whether or not this belongs here is that that approach is less "support DNS cookies", and more "don't accidentally break DNS cookies".