> On 9 Dec 2021, at 09:25, Alexander Mayrhofer <[email protected]>
> wrote:
>
> Sara, Allison, Christian,
>
> I read through the latest revision of DoQ, and i'm afraid i do have a
> comment regarding the padding section. More specifically, i think the
> second "option" of section 6.4 should refer to the base specification
> of EDNS0-Padding, rather than the Padding policies RFC. It currently
> reads as:
>
> * if padding at the QUIC level is not available or not used, DNS
> over QUIC MUST ensure that all DNS queries and responses are
> padded to a small set of fixed sizes, using the EDNS padding
> extension as specified in "Padding Policies for Extension
> Mechanisms for DNS (EDNS(0))" [RFC8467].
>
> And i do believe that - as the sentence stands - the reference should
> be RFC 7830. Note that RFC 8467 is Experimental (and was by intent, as
> the privacy properties of Padding would probably shift with more
> operational expertise). So, i feel REQUIRING that padding is used
> makes more sense than REQUIRING the use of the experimental padding
> sizes in RFC8467.
>
> I think the sentence should read "padded to a small set of fixed
> sizes, using the EDNS Padding Extension as specified in [RFC7830]."
>
> I like the "aligned with..." text in the previous bullet point, which
> could also be used here, indicating that the MUST is for the the
> padding, and not necessarily for that revision of the padding policy.
Hi Alex,
Sorry for slow response and many thanks for spotting this mistake. I agree that
the second bullet should reference RFC7830 and so propose the following update:
* if padding at the QUIC level is not available or not used, DNS
over QUIC MUST ensure that all DNS queries and responses are
padded to a small set of fixed sizes, using the EDNS padding
extension as specified in [RFC7830]. The sizes SHOULD be aligned
with the recommendations of the "Padding Policies for Extension
Mechanisms for DNS (EDNS(0))" [RFC8467].
Re-reading the whole section, I also noticed an inconsistency. The first
sentence is only a SHOULD at the moment:
“ Implementations SHOULD protect against the traffic analysis attacks
described in Section 9.5 by the judicious injection of padding. “
but given the second bullet is a MUST, I think this is also actually a MUST.
I’ve created a PR with both these changes for review:
https://github.com/huitema/dnsoquic/pull/132
Regards
Sara.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
