thread_local TCPOutConnectionManager t_tcp_manager;
std::shared_ptr<Logr::Logger> g_slogout;
+bool g_paddingOutgoing;
void remoteLoggerQueueData(RemoteLoggerInterface& r, const std::string& data)
{
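Review bot: `g_paddingOutgoing` is defined without an initializer, so it is zero-initialized to false, while the `edns-padding-out` switch registered in this commit defaults to "yes". Any code that reaches the DoT path without first running the startup assignment `g_paddingOutgoing = ::arg().mustDo("edns-padding-out");` (a test harness or tool linking this file, if one exists) would send unpadded queries with no indication. Consider `bool g_paddingOutgoing = true; // mirrors the edns-padding-out default; overwritten at startup` so that the privacy-preserving value is the fallback. The `extern bool g_paddingOutgoing;` declaration added later in this commit could carry the same one-line comment.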
weWantEDNSSubnet=true;
}
- if (dnsOverTLS /* and other conditions? */) {
+ if (dnsOverTLS && g_paddingOutgoing) {
addPadding(pw, bufsize, opts);
}
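Review bot: The new condition `dnsOverTLS && g_paddingOutgoing` drops the removed `/* and other conditions? */` placeholder without adding a comment that says why padding is tied to DoT. A one-line comment above the `if` would help, e.g. `// EDNS padding (RFC 7830) only hides query sizes on an encrypted transport, so it is applied to DoT only and can be disabled with edns-padding-out`. With the switch off, the lengths of outgoing DoT queries are again observable on the path, which is worth stating where the decision is made. The enclosing function starts and ends outside this hunk.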
void remoteLoggerQueueData(RemoteLoggerInterface&, const std::string&);
extern std::shared_ptr<Logr::Logger> g_slogout;
+extern bool g_paddingOutgoing;
class LWResException : public PDNSException
{
Whether to add EDNS padding to all responses (``always``) or only to responses for queries containing the EDNS padding option (``padded-queries-only``, the default).
In both modes, padding will only be added to responses for queries coming from `edns-padding-from`_ sources.
+.. _setting-edns-padding-out:
+
+``edns-padding-out``
+--------------------
+.. versionadded:: 4.8.0
+
+- Boolean
+- Default: yes
+
+Whether to add EDNS padding to outgoing DoT queries.
+
.. _setting-edns-padding-tag:
``edns-padding-tag``
exit(1);
}
g_paddingTag = ::arg().asNum("edns-padding-tag");
+ g_paddingOutgoing = ::arg().mustDo("edns-padding-out");
RecThreadInfo::setNumDistributorThreads(::arg().asNum("distributor-threads"));
RecThreadInfo::setNumWorkerThreads(::arg().asNum("threads"));
::arg().set("edns-padding-from", "List of netmasks (proxy IP in case of XPF or proxy-protocol presence, client IP otherwise) for which EDNS padding will be enabled in responses, provided that 'edns-padding-mode' applies") = "";
::arg().set("edns-padding-mode", "Whether to add EDNS padding to all responses ('always') or only to responses for queries containing the EDNS padding option ('padded-queries-only', the default). In both modes, padding will only be added to responses for queries coming from `edns-padding-from`_ sources") = "padded-queries-only";
::arg().set("edns-padding-tag", "Packetcache tag associated to responses sent with EDNS padding, to prevent sending these to clients for which padding is not enabled.") = "7830";
+ ::arg().setSwitch("edns-padding-out", "Whether to add EDNS padding to outgoing DoT messages") = "yes";
::arg().setSwitch("dot-to-port-853", "Force DoT connection to target port 853 if DoT compiled in") = "yes";
::arg().set("dot-to-auth-names", "Use DoT to authoritative servers with these names or suffixes") = "";
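Review bot: The help string on the new `setSwitch` line says "outgoing DoT messages", while the settings documentation added in this commit says "outgoing DoT queries"; the two should agree. The gated call pads what the resolver sends upstream, so `"Whether to add EDNS padding to outgoing DoT queries"` would match both the documentation and the behaviour. The function holding these registrations is not fully visible in this hunk.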