Configuring edns-cookie causes BADCOOKIE responses

[NielsH]

Hi,

I'm trying to configure edns-cookie-secret on a authoritative powerdns server.
I am getting BADCOOKIE responses when testing with a dig. I am not sure if I am doing something wrong or misunderstanding something.

My configuration is:

/etc/powerdns/pdns.conf:

/etc/powerdns/pdns.conf
config-dir=/etc/powerdns
setuid=pdns
setgid=pdns

local-address-nonexist-fail=no
local-address=10.40.66.36
local-port=5353
edns-cookie-secret=random
launch=lmdb
lmdb-filename=/var/lib/powerdns/pdns.lmdb
lmdb-shards=1
lmdb-lightning-stream=yes

dig response:

dig dnsdist.test @10.40.66.36 -p 5353
;; BADCOOKIE, retrying.

; <<>> DiG 9.20.13 <<>> dnsdist.test @10.40.66.36 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22695
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 68583534c15854f401000000694473d125239ebcd4fd011f (good)
;; QUESTION SECTION:
;dnsdist.test.			IN	A

;; ANSWER SECTION:
dnsdist.test.		300	IN	A	127.0.0.1

;; Query time: 14 msec
;; SERVER: 10.40.66.36#5353(10.40.66.36) (UDP)
;; WHEN: Thu Dec 18 22:36:17 CET 2025
;; MSG SIZE  rcvd: 85

I think that the retry works, as it does show a COOKIE in the response - at least I am not seeing any error except that very first line, but it happens every single lookup and for all domains.

tcpdump:

23:02:41.967114 lo    In  IP 10.40.66.36.59950 > 10.40.66.36.5353: 43911+ [1au] A (QM)? dnsdist.test. (53)
23:02:41.967217 lo    In  IP 10.40.66.36.5353 > 10.40.66.36.59950: 43911 BadCookie*- 0/0/1 (69)
23:02:41.967297 lo    In  IP 10.40.66.36.51841 > 10.40.66.36.5353: 55327+ [1au] A (QM)? dnsdist.test. (69)
23:02:41.967402 lo    In  IP 10.40.66.36.5353 > 10.40.66.36.51841: 55327*- 1/0/1 A 127.0.0.1 (85)

I am using powerdns 5.0.1. Is there anything I can do to figure out what causes this?

[rgacogne]

Looks like we have implemented option 2/ of https://www.rfc-editor.org/rfc/rfc7873#section-5.2.3. While it's a nice choice when the server is under attack, I'm not sure it makes sense to do that by default, because in effect it penalizes clients that support EDNS cookies which is quite the opposite of what we want.