Alex Mayrhofer wrote:
> ---- Shane Kerr wrote ----
> > Further, I don't think there is any possible benefit for this check.
>
> I think there is. It discourages the use of the payload as a covert
> channel. While a high performance Auth server might not want to
> check this, a firewall might definitely want to validate the payload
> for security reasons.

The DNS already has other covert channels such as the message IDs.
Since privacy is the goal, having a higher bandwidth one could be
construed as a feature. :)

I'm also wondering if there might be scenarios where the messages are
compressed before encryption. If that is the case, padding with zeros
is of limited value because they will mostly compress away, and the
ability to send data of similar compressibility to actual payload
data, or data of unpredictable compressibility, would be useful.
-- 
Andreas Gustafsson, [email protected]
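
The compression point in the message above, as an added example that is not part of the original post: it pads three constructed DNS queries to a fixed block with zeros and with random bytes, compresses each, and compares the lengths that remain visible. The 128-byte block size, zlib as the compressor, the sample names and all function names are assumptions made for illustration.

```python
import os
import struct
import zlib

BLOCK = 128  # assumed padding block size (not taken from the thread)

# Constructed sample names giving a short, a medium and a long query.
NAMES = [
    "a.example",
    "intranet-wiki.corp.headquarters.example",
    "build-agent-07.kubernetes.staging.frankfurt.datacenter.prod.example",
]


def build_query(name, qid=0x1A2B):
    """Wire-format DNS query (type A, class IN) for name, without EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def zero_pad(n):
    return bytes(n)


def random_pad(n):
    return os.urandom(n)


def compressed_sizes(messages, pad_fn):
    """Pad each message to BLOCK bytes, compress it, return the lengths
    an on-path observer would see if encryption preserves length."""
    return [len(zlib.compress(m + pad_fn(BLOCK - len(m)))) for m in messages]


def spread(sizes):
    return max(sizes) - min(sizes)


QUERIES = [build_query(n) for n in NAMES]

if __name__ == "__main__":
    print("plain lengths    ", [len(q) for q in QUERIES])
    for label, fn in (("zero padding", zero_pad), ("random padding", random_pad)):
        sizes = compressed_sizes(QUERIES, fn)
        print(f"{label:17}", sizes, "spread", spread(sizes))
```

With zero padding the compressed lengths still track the original query lengths; with random padding they cluster near the block size.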
