On Tue 2015-11-24 07:19:47 -0500, Alex Mayrhofer wrote:

> I've submitted a new version of the EDNS0 padding draft. The only major 
> change is that it does now allow for non-0x00 padding octets. I think 
> this was the (rough) consensus of the respective WG list discussion.

Thanks Alex!  a couple more comments...

-------

   The PADDING octets SHOULD be set to 0x00.  Application developers who
   are concerned about misguided lower layer compression MAY instead
   fill the PADDING octets with the output of a cryptographic random
   number generator.  Responders MUST NOT reject messages containing
   non-0x00 PADDING octets.

I'm thinking we could add a sentence just before the last one here
"Applications MUST NOT send uninitialized memory in the padding octets."
to try to stave off another heartbleed opportunity.

(not that it will stop wilfully bad programmers, but at least we'll be
able to say "I told you so")

-------

   Responders MUST pad DNS responses when the respective DNS query
   included the 'Padding' option, unless doing so would violate the
   maximum UDP payload size.

I'm not sure about this directive.  Without telling responders how much
to pad (e.g. by multiples of 512-octet blocks?  by powers of two?  by
some other statistical distribution?), this requirement doesn't provide
any additional metadata protection, and it's just an additional 4
octets on each packet.

I don't think this draft should try to tell implementers how much to pad
(i'd prefer to keep the draft simple and have it describe mechanism and
not policy), so i think this requirement is out of place.  I think it
could be dropped altogether.  But if it is not dropped, it should be
converted to a much weaker statement than this MUST.

Regards,

          --dkg

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
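The two points raised above (padding octets must be explicitly initialized rather than whatever happens to be in a buffer, and a MUST-pad rule says nothing useful until an amount is chosen) can be made concrete with a small encoder/decoder. This is an added illustration, not code from the draft or from dkg; it assumes the EDNS(0) OPTION-CODE 12 that IANA later assigned to PADDING in RFC 7830 (the draft text quoted here does not state a code), and the "pad to the next multiple of a block size" rule is one hypothetical policy chosen for the demonstration, not something the draft specifies.

```python
import secrets
import struct

# EDNS(0) OPTION-CODE for PADDING. This is the IANA-assigned value from
# RFC 7830 (assumption for this example; not taken from the quoted draft text).
EDNS_OPTION_PADDING = 12
OPTION_HEADER_LEN = 4  # OPTION-CODE (2 octets) + OPTION-LENGTH (2 octets)


def make_padding_option(length, random_fill=False):
    """Return the wire form of a PADDING option carrying `length` octets.

    The octets are always explicitly initialized: 0x00 (the SHOULD), or
    CSPRNG output when random_fill is set (the MAY for applications worried
    about lower-layer compression). No buffer is ever emitted unfilled.
    """
    if length < 0 or length > 0xFFFF:
        raise ValueError("padding length must fit in a 16-bit OPTION-LENGTH")
    fill = secrets.token_bytes(length) if random_fill else bytes(length)
    return struct.pack("!HH", EDNS_OPTION_PADDING, length) + fill


def parse_padding_option(option):
    """Parse a PADDING option and return its padding length.

    Only the framing is checked; the padding contents are not inspected,
    so zero, random or any other octet values are accepted (responders
    MUST NOT reject non-0x00 padding).
    """
    if len(option) < OPTION_HEADER_LEN:
        raise ValueError("truncated option header")
    code, length = struct.unpack("!HH", option[:OPTION_HEADER_LEN])
    if code != EDNS_OPTION_PADDING:
        raise ValueError("not a PADDING option")
    if len(option) != OPTION_HEADER_LEN + length:
        raise ValueError("OPTION-LENGTH does not match option size")
    return length


def padding_needed(message_len, block_size, max_payload):
    """Padding octets that take a message (measured without the option) up
    to the next multiple of block_size, without exceeding max_payload.

    Returns None when not even the 4-octet option header fits, meaning the
    option should be omitted entirely. The block-boundary rule is one
    possible *policy*; the draft text only describes the mechanism.
    """
    if block_size <= 0:
        raise ValueError("block_size must be positive")
    with_header = message_len + OPTION_HEADER_LEN
    if with_header > max_payload:
        return None
    # Smallest multiple of block_size at or above the message-plus-header size.
    target = -(-with_header // block_size) * block_size
    # If the boundary is out of reach, use whatever room is left instead.
    target = min(target, max_payload)
    return target - with_header


def padded_lengths(message_lens, block_size, max_payload):
    """On-the-wire sizes of several messages under a given padding policy.

    With block_size=1 the option adds only its 4-octet header, so every
    distinct message length stays distinct: no metadata protection gained.
    """
    out = []
    for n in message_lens:
        pad = padding_needed(n, block_size, max_payload)
        out.append(n if pad is None else n + OPTION_HEADER_LEN + pad)
    return out


if __name__ == "__main__":
    # Constructed sample message sizes (not from any capture).
    sizes = [40, 100, 300]
    print("header only:", padded_lengths(sizes, 1, 4096))
    print("512-octet blocks:", padded_lengths(sizes, 512, 4096))
    opt = make_padding_option(8, random_fill=True)
    print("parsed length:", parse_padding_option(opt))
```

Running it shows the three sample messages staying distinguishable (44, 104, 304 octets) when the responder merely "pads" without a size rule, and collapsing to a single 512-octet size under the block policy; `padding_needed` also shows how the maximum UDP payload caps or suppresses the option rather than being violated.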
