-
Daniel Kahn Gillmor authored
At NDSS 2017's DNS privacy workshop, I presented an empirical study of DNS padding policies: https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/dns-privacy-workshop-2017-programme#session3 The slide deck is here: https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf The resulting recommendation from the research is that a simple padding policy is relatively cheap and still protective of metadata when DNS traffic is encrypted: * queries should be padded to a multiple of 128 octets * responses should be padded to a multiple of 468 octets This change adjusts the default policy to match these recommendations. I recently proposed a similar change to libknot to define a standard policy in a centralized place: https://gitlab.labs.nic.cz/labs/knot/merge_requests/692 I'll submit a followup request to make use of that centralized policy (once kresd is willing to depend on a newer version of libknot), but please consider this proposed change first.
3e7b7660