• Daniel Kahn Gillmor's avatar
    Implement sensible default EDNS(0) padding policy. · 2dd9f406
    Daniel Kahn Gillmor authored
    At NDSS 2017's DNS privacy workshop, I presented an empirical study of
    DNS padding policies:
    The slide deck is here:
    The resulting recommendation from the research is that a simple
    padding policy is relatively cheap and still protective of metadata
    when DNS traffic is encrypted:
     * queries should be padded to a multiple of 128 octets
     * responses should be padded to a multiple of 468 octets
    Since future research could propose even better policies, and future
    DNS traffic characteristics might evolve, I've implemented this
    recommendation as a new function in libknot:
    This changeset also modifies kdig to use this padding policy by
    default when doing queries over TLS, and defines +padding (with no
    argument) as a kdig option that forces the use of the default padding
    With this changeset, any libknot user who wants to use "a sensible DNS
    padding policy" can just rely on the library; this means that if a
    better padding policy is determined in the future, it can be
    distributed to all users by upgrading libknot.
Last commit
Last update
compr.c Loading commit data...
compr.h Loading commit data...
pkt.c Loading commit data...
pkt.h Loading commit data...
rrset-wire.c Loading commit data...
rrset-wire.h Loading commit data...
wire.c Loading commit data...
wire.h Loading commit data...