Re: [dns-privacy] [DNSOP] [core] WGA call for draft-lenders-dns-over-coap

Alexander Mayrhofer <> Mon, 12 September 2022 06:08 UTC

From: Alexander Mayrhofer <>
To: Vladimír Čunát <> , Ben Schwartz <>
Cc: DNS Privacy Working Group <> , dnsop <> , Jaime Jiménez <>
Date: Mon, 12 Sep 2022 08:08:45 +0200

Hello everyone,

Speaking as the author of RFC 7830 – there was some discussion whether the document should say “SHOULD NOT” or “MUST NOT” when padding DNS packets over unencrypted packets. We couldn’t come up with any other use case (maybe except testing of the feature over unencrypted transport), so the consensus of the group was that we should be strict, especially as padding might be an easy way to bloat packets. I do agree that this connects DNS answer behaviour with transport choice – hence creates a dependency that’s probably not very wise in a protocol that has already pretty complex dependencies.

If the community believes that this requirement should be relaxed (and it’s worth the effort), I’m up for creating a revision of RFC 7830. This might also be a chance to step up EDNS Padding to Internet Standard – I think it’s widely deployed on billions of devices (Android..).



From: dns-privacy <> On behalf of Vladimír Cunát
Sent: Friday, 9 September 2022 18:11
To: Ben Schwartz <>
Cc: DNS Privacy Working Group <>; dnsop <>; Jaime Jiménez <>
Subject: Re: [dns-privacy] [DNSOP] [core] WGA call for draft-lenders-dns-over-coap

On 06/09/2022 17.06, Ben Schwartz wrote:
The choice of transport is independent of the DNS server's answering behavior, which must not be modified by the transport.

Nit: there's a very specific counter-example of EDNS padding which is meant to be added depending on transport encryption.

There might be some others (in future, too), as encryption does change some considerations, but yes - not basic stuff like following CNAMEs.

--Vladimir
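As an added illustration of the transport-dependent padding rule that Alexander and Vladimír discuss (example code written for this page, not taken from RFC 7830, the draft, or any of the posters): the padding decision in pad_message takes the transport's encryption state as input, which is exactly the coupling between answer behaviour and transport the thread points at. The minimal query builder, the block sizes taken from RFC 8467, and the assumption that the OPT RR is the last record and carries no options yet are this example's own.

```python
import struct

EDNS_PADDING = 12      # EDNS(0) option code assigned to Padding by RFC 7830
QUERY_BLOCK = 128      # block size RFC 8467 recommends for padding queries
RESPONSE_BLOCK = 468   # block size RFC 8467 recommends for padding responses


def encode_name(name: str) -> bytes:
    """Encode a domain name in uncompressed DNS wire format (labels + root)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0x1234,
                udp_size: int = 1232) -> bytes:
    """Build a DNS query whose last record is an OPT RR with empty RDATA."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE/version/flags (all zero), RDLENGTH = 0 (no options yet)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt


def pad_message(msg: bytes, encrypted: bool, block: int = QUERY_BLOCK) -> bytes:
    """Append an EDNS Padding option so the message length is a multiple of block.

    RFC 7830 requires that padding is not used over unencrypted transports,
    so the decision is driven by the transport, not by the query itself.
    Assumes (example's own constraint) that the OPT RR is the last record in
    msg and currently carries no options, i.e. its RDLENGTH field is 0.
    """
    if not encrypted:
        return msg                      # no padding over cleartext transports
    if msg[-2:] != b"\x00\x00":
        raise ValueError("expected a trailing OPT RR with empty RDATA")
    # The option header (OPTION-CODE + OPTION-LENGTH) costs 4 octets itself,
    # so it is counted before choosing how many zero octets to add.
    pad_len = (-(len(msg) + 4)) % block
    option = struct.pack("!HH", EDNS_PADDING, pad_len) + b"\x00" * pad_len
    # Rewrite RDLENGTH to cover the new option, then append it.
    return msg[:-2] + struct.pack("!H", len(option)) + option
```

A zero-length padding option is still emitted when the message already lands on a block boundary, which RFC 7830 permits; the message is returned unchanged only when the transport is unencrypted.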