Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 07 July 2017 11:48 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 650D5129B4B for <dns-privacy@ietfa.amsl.com>; Fri, 7 Jul 2017 04:48:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1RzF5olGNZGP for <dns-privacy@ietfa.amsl.com>; Fri, 7 Jul 2017 04:48:17 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id 086FD1288B8 for <dns-privacy@ietf.org>; Fri, 7 Jul 2017 04:48:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id D56B120C29 for <dns-privacy@ietf.org>; Fri, 7 Jul 2017 14:48:14 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id M-wqPXFK4yP8 for <dns-privacy@ietf.org>; Fri, 7 Jul 2017 14:48:14 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 880EC286 for <dns-privacy@ietf.org>; Fri, 7 Jul 2017 14:48:13 +0300 (EEST)
Date: Fri, 07 Jul 2017 14:48:13 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: dns-privacy@ietf.org
Message-ID: <20170707114813.ifz3ml2g4527xwpk@LK-Perkele-VII>
References: <149911712731.22782.2792826496381014188@ietfa.amsl.com> <CAHXf=0pDy9+vp-gfEAfMwb27w8fc8WqSfBL4eC4LZZzLG+XLOw@mail.gmail.com> <1499157602.2629.1.camel@env.dtu.dk> <20170707095819.233ef89c@earth.zonnestelsel.tk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <20170707095819.233ef89c@earth.zonnestelsel.tk>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/0F_e2FjQEC_g4ky9msGIMtd_w-4>
Subject: Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jul 2017 11:48:19 -0000
On Fri, Jul 07, 2017 at 09:58:19AM +0000, Shane Kerr wrote: > Hugo, > > I'm curious what you mean by this. Do you really mean to propose an > option to pad every query and response message to 65K bytes? I guess I > don't object it for the sake of completion, but it seems a bit crazy. > > OTOH, people use Tor for browsing, so maybe someone will actually > want to do this? ;) > > Seriously though, on the query side padding beyond a few hundred bytes > is not helpful, because no queries are longer than that. Maybe on the > response side it is indeed more privacy-protecting. On query side, one could always pad to 286 (288 for TCP) bytes, AFAICT the maximal query in practice is: xx xx: Query length (TCP only). xx xx: Query ID. 01: Query, requesting recursion. 00: DNSSEC errors are fatal. 00 01: 1 query 00 00: No answers 00 00: No authority 00 01: 1 additional record <255 bytes>: QNAME xx xx: QTYPE 00 01: QCLASS (1=IN). 00: Dummy domain (root) 00 29: OPT 04 B0: Maximum UDP response size (1200 bytes). 00 00 80 00: EDNS0, DNSSEC supported. 00 04: 4 bytes of EDNS data 00 12: Padding 00 00: 0 bytes of padding However, responses are thornier issue. This is recursive, so it might need to relay all kinds of responses. I could provke one ccTLD to return a 3651 byte response with normal QTYPE (ZSK rollover plus healthy amount of authoritative nameservers, most available over IPv6). That kind of response when sent over UDP gets fragmented at IP layer (not good) or triggers a fallback to TCP (not good). -Ilari
- [dns-privacy] I-D Action: draft-ietf-dprive-paddi… internet-drafts
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Alexander Mayrhofer
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Hugo Connery
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Paul Hoffman
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Shane Kerr
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Shane Kerr
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Tony Finch
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Ilari Liusvaara
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Stephane Bortzmeyer
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Stephane Bortzmeyer