git.ipfire.org Git - thirdparty/knot-resolver.git/commit

author	Daniel Kahn Gillmor <dkg@fifthhorseman.net>
	Sat, 25 Mar 2017 22:00:53 +0000 (17:00 -0500)
committer	Daniel Kahn Gillmor <dkg@fifthhorseman.net>
	Sat, 25 Mar 2017 22:00:53 +0000 (17:00 -0500)
commit	3e7b76608442619a67ae1c69bfa8423857572893
tree	fdde957c501666c1056dbd2d32b8d67d64511d67	tree
parent	894281c008f9a73a3e6c88eb6b0584b78b94e26c	commit \| diff

Improve default padding of responses.

At NDSS 2017's DNS privacy workshop, I presented an empirical study of
DNS padding policies:

https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/dns-privacy-workshop-2017-programme#session3

The slide deck is here:
https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf

The resulting recommendation from the research is that a simple
padding policy is relatively cheap and still protective of metadata
when DNS traffic is encrypted:

* queries should be padded to a multiple of 128 octets
* responses should be padded to a multiple of 468 octets

This change adjusts the default policy to match these recommendations.

I recently proposed a similar change to libknot to define a standard
policy in a centralized place:

https://gitlab.labs.nic.cz/labs/knot/merge_requests/692

I'll submit a followup request to make use of that centralized policy
(once kresd is willing to depend on a newer version of libknot), but
please consider this proposed change first.