pad-queries default yes

doc/example.conf.in

@@ -771,7 +771,7 @@ server:
 	# tls-win-cert: no
 
 	# Pad queries over TLS upstreams
-	# pad-queries: no
+	# pad-queries: yes
 
 	# Padded queries will be padded to the closest multiple of this size.
 	# pad-queries-block-size: 128

doc/unbound.conf.5.in

@@ -560,7 +560,7 @@ Default is 468.
 .B pad\-queries: \fI<yes or no>
 If enabled, all queries sent over TLS upstreams will be padded to the closest
 multiple of the size specified in \fBpad\-queries\-block\-size\fR.
-Default is no.
+Default is yes.
 .TP
 .B pad\-queries\-block\-size: \fI<number>
 The block size with which to pad queries sent over TLS upstreams.

util/config_file.c

@@ -324,7 +324,7 @@ config_create(void)
 	cfg->dnscrypt_nonce_cache_slabs = 4;
 	cfg->pad_responses = 1;
 	cfg->pad_responses_block_size = 468; /* from RFC8467 */
-	cfg->pad_queries = 0;
+	cfg->pad_queries = 1;
 	cfg->pad_queries_block_size = 128; /* from RFC8467 */
 #ifdef USE_IPSECMOD
 	cfg->ipsecmod_enabled = 1;

util/data/msgencode.c

@@ -843,8 +843,7 @@ attach_edns_record_max_msg_sz(sldns_buffer* pkt, struct edns_data* edns,
 
 		/* By use of calc_edns_field_size, calling functions should
 		 * have made sure that there is enough space for at least a
-		 * zero sized padding option, but it cannot harm to leave it
-		 * out if there isn't.
+		 * zero sized padding option.
 		 */
 		log_assert(pad_pos + 4 <= msg_sz);