.. function:: net.tls_padding([true | false])
- Get/set EDNS(0) padding of answers to queries that arrive over TLS
- transport. If set to `true` (the default), it will use a sensible
+ Get/set padding of answers to queries that arrive over TLS
+ transport, as defined in :rfc:`7830`.
+
+ If set to `true` (the default), it will use a sensible
default padding scheme, as implemented by libknot if available at
compile time. If set to a numeric value >= 2 it will pad the
answers to nearest *padding* boundary, e.g. if set to `64`, the
answer will have size of a multiple of 64 (64, 128, 192, ...). If
set to `false` (or a number < 2), it will disable padding entirely.
+ You may force padding even on unencrypted answers via ``policy.FLAGS('FORCE_PADDING')``,
+ e.g. in conditioned on the request coming from a TLS-stripping proxy.
+
.. function:: net.tls_sticket_secret([string with pre-shared secret])
Set secret for TLS session resumption via tickets, by :rfc:`5077`.
* module because of better access. */
struct kr_cookie_ctx cookie_ctx;
kr_cookie_lru_t *cache_cookie;
- int32_t tls_padding; /**< See net.tls_padding in ../daemon/README.rst -- -1 is "true" (default policy), 0 is "false" (no padding) */
+ int32_t tls_padding; /**< See net.tls_padding in ../daemon/bindings/net.rst -- -1 is "true" (default policy), 0 is "false" (no padding) */
knot_mm_t *pool;
};
bool DNS64_MARK : 1; /**< Internal mark for dns64 module. */
bool CACHE_TRIED : 1; /**< Internal to cache module. */
bool NO_NS_FOUND : 1; /**< No valid NS found during last PRODUCE stage. */
+ bool FORCE_PADDING : 1; /**< Force use of EDNS(0) padding even if TLS isn't used. */
};
/** Combine flags together. This means set union for simple flags. */
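Review bot: The comment on the new `FORCE_PADDING` bit at L28 says what the flag does but not when it is appropriate, and that matters here because padding a plaintext UDP answer up to the next boundary only makes the response larger, which raises the amplification factor of spoofed-source queries without adding any confidentiality. The companion text in net.rst (the first hunk) frames the flag as something to set conditionally for requests arriving via a TLS-stripping proxy; the header should carry the same caveat so a reader of the struct does not enable it globally. Suggested wording: `/**< Force EDNS(0) padding even if TLS isn't used. Intended for answers that a TLS-terminating proxy will encrypt; set per request from policy rather than globally, since on plain UDP it only enlarges responses. */`. Whether the flag is honored when `net.tls_padding` is `false` (tls_padding == 0 in the second hunk) is not visible from these hunks; it would be worth stating that interaction in the net.rst entry as well.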