On Fri, Jul 07, 2017 at 09:58:19AM +0000, Shane Kerr wrote:
> Hugo,
>
> I'm curious what you mean by this. Do you really mean to propose an
> option to pad every query and response message to 65K bytes? I guess I
> don't object to it for the sake of completion, but it seems a bit crazy.
>
> OTOH, people use Tor for browsing, so maybe someone will actually
> want to do this? ;)
>
> Seriously though, on the query side padding beyond a few hundred bytes
> is not helpful, because no queries are longer than that. Maybe on the
> response side it is indeed more privacy-protecting.
On the query side, one could always pad to 286 (288 for TCP) bytes. AFAICT the maximal query in practice is:

    xx xx:        Query length (TCP only).
    xx xx:        Query ID.
    01:           Query, requesting recursion.
    00:           DNSSEC errors are fatal.
    00 01:        1 query
    00 00:        No answers
    00 00:        No authority
    00 01:        1 additional record
    <255 bytes>:  QNAME
    xx xx:        QTYPE
    00 01:        QCLASS (1=IN).
    00:           Dummy domain (root)
    00 29:        OPT
    04 B0:        Maximum UDP response size (1200 bytes).
    00 00 80 00:  EDNS0, DNSSEC supported.
    00 04:        4 bytes of EDNS data
    00 12:        Padding
    00 00:        0 bytes of padding

However, responses are a thornier issue. This is recursive, so it might need to relay all kinds of responses. I could provoke one ccTLD to return a 3651 byte response with a normal QTYPE (ZSK rollover plus a healthy amount of authoritative nameservers, most available over IPv6). That kind of response, when sent over UDP, gets fragmented at the IP layer (not good) or triggers a fallback to TCP (not good).

-Ilari

_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy
