On Tue 2015-11-24 07:19:47 -0500, Alex Mayrhofer wrote:
> I've submitted a new version of the EDNS0 padding draft. The only major
> change is that it does now allow for non-0x00 padding octets. I think
> this was the (rough) consensus of the respective WG list discussion.

Thanks Alex! a couple more comments...

-------

   The PADDING octets SHOULD be set to 0x00. Application developers who
   are concerned about misguided lower layer compression MAY instead
   fill the PADDING octets with the output of a cryptographic random
   number generator. Responders MUST NOT reject messages containing
   non-0x00 PADDING octets.

I'm thinking we could add a sentence just before the last one here
"Applications MUST NOT send uninitialized memory in the padding octets."
to try to stave off another heartbleed opportunity. (not that it will
stop wilfully bad programmers, but at least we'll be able to say "I told
you so")

-------

   Responders MUST pad DNS responses when the respective DNS query
   included the 'Padding' option, unless doing so would violate the
   maximum UDP payload size.

I'm not sure about this directive. Without telling responders how much
to pad (e.g. by multiples of 512-octet blocks? by powers of two? by some
other statistical distribution?), this requirement doesn't provide any
additional metadata protection, and it's just an additional 4 octets on
each packet.

I don't think this draft should try to tell implementers how much to pad
(i'd prefer to keep the draft simple and have it describe mechanism and
not policy), so i think this requirement is out of place. I think it
could be dropped altogether. But if it is not dropped, it should be
converted to a much weaker statement than this MUST.

Regards,

        --dkg

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
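
As an added illustration of the PADDING rules discussed in this message (not code from the draft or from either poster): a sender that always overwrites the PADDING octets, with 0x00 or CSPRNG output, and a responder check that never inspects their contents. The function names, the /dev/urandom stand-in and option code 12 (the value later assigned in RFC 7830) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: option code 12 is the value later assigned in RFC 7830; not from this page. */
#define EDNS0_OPT_PADDING 12u

/* Stand-in for the platform CSPRNG (assumption: a Unix-like /dev/urandom). */
static int csprng_fill(uint8_t *p, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(p, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Hypothetical sender helper: writes OPTION-CODE, OPTION-LENGTH and pad_len
 * PADDING octets into buf. Returns the octets written, or 0 if it does not fit. */
size_t put_padding_option(uint8_t *buf, size_t cap, uint16_t pad_len, int random_fill)
{
    size_t total = 4 + (size_t)pad_len;
    if (buf == NULL || cap < total) return 0;
    buf[0] = (uint8_t)(EDNS0_OPT_PADDING >> 8);
    buf[1] = (uint8_t)(EDNS0_OPT_PADDING & 0xffu);
    buf[2] = (uint8_t)(pad_len >> 8);
    buf[3] = (uint8_t)(pad_len & 0xffu);
    /* Every PADDING octet is overwritten, so stale buffer contents never leave. */
    memset(buf + 4, 0x00, pad_len);
    if (random_fill && csprng_fill(buf + 4, pad_len) != 0)
        memset(buf + 4, 0x00, pad_len); /* CSPRNG failed: fall back to 0x00 */
    return total;
}

/* Hypothetical responder check: validates the framing only. PADDING contents
 * are never inspected, so non-0x00 octets are accepted. Returns the PADDING
 * length, or -1 if the option is truncated or is not a Padding option. */
long parse_padding_option(const uint8_t *opt, size_t len)
{
    if (opt == NULL || len < 4) return -1;
    unsigned code = ((unsigned)opt[0] << 8) | opt[1];
    size_t olen = ((size_t)opt[2] << 8) | opt[3];
    if (code != EDNS0_OPT_PADDING || olen > len - 4) return -1;
    return (long)olen;
}
```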