Self sign-up has been disabled due to increased spam activity. If you want to get access, please send an email to a project owner (preferred) or at gitlab(at)nic(dot)cz. We apologize for the inconvenience.
At NDSS 2017's DNS privacy workshop, I presented an empirical study of DNS padding policies:
The slide deck is here: https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf
The resulting recommendation from the research is that a simple padding policy is relatively cheap and still protective of metadata when DNS traffic is encrypted:
Since future research could propose even better policies, and future DNS traffic characteristics might evolve, I've implemented this recommendation as a new function in libknot: knot_edns_default_padding_size()
This changeset also modifies kdig to use this padding policy by default when doing queries over TLS, and defines +padding (with no argument) as a kdig option that forces the use of the default padding policy.
With this changeset, any libknot user who wants to use "a sensible DNS padding policy" can just rely on the library; this means that if a better padding policy is determined in the future, it can be distributed to all users by upgrading libknot.