From: Vladimír Čunát Date: Sun, 13 Aug 2023 15:34:46 +0000 (+0200) Subject: docs: fix padding descriptions X-Git-Tag: v6.0.2~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=09dd255d222c6b331c762ff85a5a1d6c37518f18;p=thirdparty%2Fknot-resolver.git docs: fix padding descriptions Mentioning just answers is misleading. Padding is very important for queries as well; for us that applies during forwarding over TLS. Also describe /tls/auto_discovery as experimental in the configuration schema. It's a rather dead experiment from long ago. I hope it can't be confused with more recent things like https://datatracker.ietf.org/doc/draft-ietf-dprive-unilateral-probing/ --- diff --git a/daemon/bindings/net_tlssrv.rst b/daemon/bindings/net_tlssrv.rst index f496cd70e..96391e232 100644 --- a/daemon/bindings/net_tlssrv.rst +++ b/daemon/bindings/net_tlssrv.rst @@ -155,8 +155,8 @@ by a trusted CA. This is done using function :c:func:`net.tls()`. .. function:: net.tls_padding([true | false]) - Get/set EDNS(0) padding of answers to queries that arrive over TLS - transport. If set to `true` (the default), it will use a sensible + Get/set EDNS(0) padding of queries and answers sent over an encrypted + channel. If set to `true` (the default), it will use a sensible default padding scheme, as implemented by libknot if available at compile time. If set to a numeric value >= 2 it will pad the answers to nearest *padding* boundary, e.g. if set to `64`, the diff --git a/doc/config-network-server-tls.rst b/doc/config-network-server-tls.rst index 75175d4ad..b74617540 100644 --- a/doc/config-network-server-tls.rst +++ b/doc/config-network-server-tls.rst 
@@ -157,8 +157,8 @@ For serious deployments it is strongly recommended to configure your own TLS cer :default: true - EDNS(0) padding of answers to queries that arrive over TLS - transport. If set to ``true`` (the default), it will use a sensible + EDNS(0) padding of answers of queries and answers sent over an encrypted + channel. If set to ``true`` (the default), it will use a sensible default padding scheme, as implemented by libknot if available at compile time. If set to a numeric value >= 2 it will pad the answers to nearest *padding* boundary, e.g. if set to ``64``, the diff --git a/manager/knot_resolver_manager/datamodel/network_schema.py b/manager/knot_resolver_manager/datamodel/network_schema.py index e59fe4137..289104b82 100644 --- a/manager/knot_resolver_manager/datamodel/network_schema.py +++ b/manager/knot_resolver_manager/datamodel/network_schema.py @@ -58,8 +58,8 @@ class TLSSchema(ConfigSchema): key_file: Path to certificate key file. sticket_secret: Secret for TLS session resumption via tickets. (RFC 5077). sticket_secret_file: Path to file with secret for TLS session resumption via tickets. (RFC 5077). - auto_discovery: Automatic discovery of authoritative servers supporting DNS-over-TLS. - padding: EDNS(0) padding of answers to queries that arrive over TLS transport. + auto_discovery: Experimental automatic discovery of authoritative servers supporting DNS-over-TLS. + padding: EDNS(0) padding of queries and answers sent over an encrypted channel. """ cert_file: Optional[File] = None
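Review bot: In the net_tlssrv.rst hunk, the new wording "padding of queries and answers" is contradicted by the unchanged context that follows it: "If set to a numeric value >= 2 it will pad the answers to nearest *padding* boundary". Since the commit message says padding also applies to queries forwarded over TLS, that sentence should be updated in the same change, e.g. "it will pad queries and answers to the nearest *padding* boundary", or it should state explicitly if the numeric setting only governs answers.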
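Review bot: In the config-network-server-tls.rst hunk, the added line "EDNS(0) padding of answers of queries and answers sent over an encrypted" contains a leftover "answers of", so it reads as padding of answers of answers. It should match the wording used in the net_tlssrv.rst hunk: "EDNS(0) padding of queries and answers sent over an encrypted channel." The trailing context here has the same "pad the answers" sentence as the other .rst file and needs the same adjustment.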
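Review bot: In the network_schema.py hunk, the padding docstring now says "queries and answers sent over an encrypted channel" but, unlike the two .rst files in this patch, does not mention that the value may also be a number (>= 2) selecting the padding boundary; a short "(true/false or a numeric block size)" would keep the schema docstring consistent with the user-facing docs. Marking auto_discovery as "Experimental" only in this docstring is fine, but if the option is described in the rendered configuration docs as well, the same qualifier should be added there in the same commit.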