Commit 9e0346b7 authored by Daniel Kahn Gillmor, committed by Daniel Salzman
Implement sensible default EDNS(0) padding policy.

At NDSS 2017's DNS privacy workshop, I presented an empirical study of
DNS padding policies:

https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/dns-privacy-workshop-2017-programme#session3

The slide deck is here:
https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf

The resulting recommendation from the research is that a simple
padding policy is relatively cheap and still protective of metadata
when DNS traffic is encrypted:

 * queries should be padded to a multiple of 128 octets
 * responses should be padded to a multiple of 468 octets

Since future research could propose even better policies, and future
DNS traffic characteristics might evolve, I've implemented this
recommendation as a new function in libknot:
knot_edns_default_padding_size()

This changeset also modifies kdig to use this padding policy by
default when doing queries over TLS, and defines +padding (with no
argument) as a kdig option that forces the use of the default padding
policy.

With this changeset, any libknot user who wants to use "a sensible DNS
padding policy" can just rely on the library; this means that if a
better padding policy is determined in the future, it can be
distributed to all users by upgrading libknot.
parent 9ba4d4bf
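The padding policy the commit message describes, worked through as an added example. This is not the commit's own code and not libknot's API: the real library entry point is knot_edns_default_padding_size(), while pad_data_len() and build_padding_option() below are hypothetical helpers written for illustration. It assumes that the 4-octet EDNS option header (OPTION-CODE 12, the Padding option from RFC 7830) counts toward the padded length, that the caller has already assembled the rest of the wire message, and that the caller will append the returned octets to the OPT RR's RDATA and bump its RDLENGTH. The sample message lengths in main() are constructed, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Block sizes from the commit message: queries to 128, responses to 468. */
#define QUERY_PAD_BLOCK    128
#define RESPONSE_PAD_BLOCK 468

/* EDNS(0) Padding option (RFC 7830): 2-octet code + 2-octet length header. */
#define EDNS_OPT_PADDING   12
#define EDNS_OPT_HDR_LEN   4

/*
 * Number of zero octets to put in the Padding option's OPTION-DATA so that
 * the finished message (what is already on the wire, plus the 4-octet option
 * header, plus the padding) lands on a multiple of the block size.
 * wire_len is the message length before the padding option is added.
 * Hypothetical helper, not a libknot function.
 */
size_t pad_data_len(size_t wire_len, bool is_query)
{
    size_t block = is_query ? QUERY_PAD_BLOCK : RESPONSE_PAD_BLOCK;
    size_t total = wire_len + EDNS_OPT_HDR_LEN;
    return (block - (total % block)) % block;
}

/*
 * Serialise the Padding option into out. Returns the number of octets written
 * (header + zero padding), or -1 if it does not fit in cap or would push the
 * whole message past max_msg (the peer's advertised UDP payload size, or
 * 65535 over TCP/TLS). Padding past the size limit would break the message,
 * so refusing is the safe failure mode. Hypothetical helper.
 */
int build_padding_option(uint8_t *out, size_t cap, size_t wire_len,
                         bool is_query, size_t max_msg)
{
    size_t data = pad_data_len(wire_len, is_query);
    size_t opt_len = EDNS_OPT_HDR_LEN + data;

    if (opt_len > cap || wire_len + opt_len > max_msg) {
        return -1;
    }
    out[0] = (uint8_t)(EDNS_OPT_PADDING >> 8);
    out[1] = (uint8_t)(EDNS_OPT_PADDING & 0xff);
    out[2] = (uint8_t)(data >> 8);
    out[3] = (uint8_t)(data & 0xff);
    memset(out + EDNS_OPT_HDR_LEN, 0, data); /* RFC 7830: padding octets are zero */
    return (int)opt_len;
}

int main(void)
{
    /* Constructed unpadded message lengths, chosen to show block boundaries. */
    size_t samples[] = { 44, 60, 124, 125, 300 };
    uint8_t buf[1024];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = samples[i];
        int q = build_padding_option(buf, sizeof buf, len, true, 65535);
        int r = build_padding_option(buf, sizeof buf, len, false, 65535);
        printf("unpadded %3zu octets: as query -> %3zu, as response -> %3zu\n",
               len, len + (size_t)q, len + (size_t)r);
    }
    return 0;
}
```

The modulo trick in pad_data_len() is the whole policy: an unpadded query of 124 octets already sits at 128 once the 4-octet option header is counted, so it gets zero padding, while 125 octets needs 127 more to reach 256. Because the padding option itself consumes 4 octets, computing the target from the bare wire length (without the header) would leave every message 4 octets over the block boundary.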