Padding Policies for Extension Mechanisms for DNS (EDNS(0))
RFC 8467

Document type: RFC - Experimental (October 2018; no errata)
Last updated: 2018-10-12
Replaces: draft-mayrhofer-dprive-padding-profile
Stream: IETF
Document shepherd: Brian Haberman
Responsible AD: Terry Manderson
IESG state: RFC 8467 (Experimental)
IANA action state: No IANA Actions
Internet Engineering Task Force (IETF)                      A. Mayrhofer
Request for Comments: 8467                                   nic.at GmbH
Category: Experimental                                      October 2018
ISSN: 2070-1721

      Padding Policies for Extension Mechanisms for DNS (EDNS(0))

Abstract

   RFC 7830 specifies the "Padding" option for Extension Mechanisms for
   DNS (EDNS(0)) but does not specify the actual padding length for
   specific applications.  This memo lists the possible options
   ("padding policies"), discusses the implications of each option, and
   provides a recommended (experimental) option.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for examination, experimental implementation, and
   evaluation.

   This document defines an Experimental Protocol for the Internet
   community.  This document is a product of the Internet Engineering
   Task Force (IETF).  It represents the consensus of the IETF
   community.  It has received public review and has been approved for
   publication by the Internet Engineering Steering Group (IESG).  Not
   all documents approved by the IESG are candidates for any level of
   Internet Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8467.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Mayrhofer                     Experimental                      [Page 1]
RFC 8467              Padding Policies for EDNS(0)          October 2018

Table of Contents

   1. Introduction ....................................................2
   2. Terminology .....................................................2
   3. General Guidance ................................................3
   4. Padding Strategies ..............................................3
      4.1. Recommended Strategy: Block-Length Padding .................3
      4.2. Other Strategies ...........................................5
           4.2.1. Maximal-Length Padding ..............................5
           4.2.2. Random-Length Padding ...............................5
           4.2.3. Random-Block-Length Padding .........................6
   5. IANA Considerations .............................................6
   6. Security Considerations .........................................6
   7. References ......................................................7
      7.1. Normative References .......................................7
      7.2. Informative References .....................................7
   Appendix A.  Padding Policies That Are Not Sensible ................8
     A.1.  No Padding .................................................8
     A.2.  Fixed-Length Padding .......................................8
   Acknowledgements ...................................................9
   Author's Address ...................................................9

1.  Introduction

   [RFC7830] specifies the Extension Mechanisms for DNS (EDNS(0))
   "Padding" option, which allows DNS clients and servers to
   artificially increase the size of a DNS message by a variable number
   of bytes, hampering size-based correlation of encrypted DNS messages.

   However, RFC 7830 deliberately does not specify the actual length of
   padding to be used.  This memo discusses options regarding the actual
   size of padding, lists advantages and disadvantages of each of these
   "padding strategies", and provides a recommended (experimental)
   strategy.

   Padding DNS messages is useful only when transport is encrypted using
   protocols such as DNS over Transport Layer Security [RFC7858], DNS
   over Datagram Transport Layer Security [RFC8094], or other encrypted
   DNS transports specified in the future.
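   The following is an added worked example, not code from RFC 8467 or
   RFC 7830.  It builds a DNS query on the wire with an EDNS(0) OPT
   pseudo-RR (RFC 6891: NAME 0x00, TYPE 41, CLASS carrying the UDP
   payload size) that contains a Padding option (option code 12, RFC
   7830) sized so that the whole message lands on a block boundary, i.e.
   the "block-length padding" strategy named in the table of contents.
   The block size (128 bytes), the advertised UDP payload size (1232),
   and the function names build_query and padding_length are assumptions
   of this example; the RFC's own recommended block sizes live in its
   Section 4.1, which is not reproduced on this page.  The parser walks
   the message back to recover the padding length, so the example also
   shows what a resolver or middlebox sees.

```python
"""Block-length padding of a DNS query via the EDNS(0) Padding option.

Added example (not from RFC 8467).  Wire-format facts used:
  - OPT pseudo-RR (RFC 6891): NAME 0x00, TYPE 41, CLASS = UDP payload
    size, 32-bit TTL = extended RCODE/version/flags, then RDLENGTH/RDATA
  - Padding option (RFC 7830): option code 12, data = opaque padding
BLOCK_QUERY and UDP_PAYLOAD are assumed values chosen for this demo.
"""
import struct

OPT_TYPE = 41          # RFC 6891 OPT pseudo-RR type
OPT_PADDING = 12       # RFC 7830 Padding option code
UDP_PAYLOAD = 1232     # assumed advertised UDP payload size
BLOCK_QUERY = 128      # assumed block size for queries in this demo


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, block: int = BLOCK_QUERY,
                txid: int = 0) -> bytes:
    """Build a query whose total wire length is a multiple of `block`.

    The Padding option always costs its 4-byte option header, so the
    padding data length is chosen so that
    (unpadded + 4 + pad_len) % block == 0; pad_len may legitimately be 0.
    """
    # QR=0, RD=1; QDCOUNT=1, ARCOUNT=1 (the OPT RR).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR with RDLENGTH placeholder (patched below).
    opt_fixed = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD, 0, 0)
    unpadded = len(header) + len(question) + len(opt_fixed)
    pad_len = (block - (unpadded + 4) % block) % block
    padding = struct.pack("!HH", OPT_PADDING, pad_len) + b"\x00" * pad_len
    opt = opt_fixed[:-2] + struct.pack("!H", len(padding))
    msg = header + question + opt + padding
    assert len(msg) % block == 0
    return msg


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name that starts at `off`."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + n


def padding_length(msg: bytes):
    """Return the Padding option's data length, or None if no padding.

    Walks the question section and every RR until the OPT RR is found,
    then iterates its options looking for code 12.
    """
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            end = off + rdlen
            while off + 4 <= end:
                code, olen = struct.unpack("!HH", msg[off:off + 4])
                if code == OPT_PADDING:
                    return olen
                off += 4 + olen
            return None
        off += rdlen
    return None


def wire_lengths(qnames, block: int = BLOCK_QUERY):
    """Padded wire lengths for several names: short names collapse to one size."""
    return [len(build_query(q, block=block)) for q in qnames]


if __name__ == "__main__":
    for q in ("a.b", "example.com", "a" * 60 + "." + "b" * 60 + ".example"):
        m = build_query(q)
        print(f"{q[:24]:24s} wire={len(m):4d} pad={padding_length(m)}")
```

   With the assumed 128-byte block, "a.b" and "example.com" both come out
   as exactly 128 bytes on the wire (with 92 and 84 bytes of padding
   data respectively), while a 131-byte owner name pushes the message to
   256 bytes.  Over an encrypted transport such as DNS over TLS, an
   observer sees only the ciphertext size, which now reveals the block
   count rather than the exact name length; the padding option itself
   is inside the encrypted message, so this buys nothing over plain
   UDP/53.  A sender must still keep the padded size within the peer's
   advertised UDP payload size when padding datagrams.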

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.
