Merge pull request #211 from NLnetLabs/features/padding

Down- and upstream padding a la RFC7830 & RFC8467

daemon/worker.c

@@ -1289,6 +1289,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			edns.udp_size = EDNS_ADVERTISED_SIZE;
 			edns.bits &= EDNS_DO;
 			edns.opt_list = NULL;
+			edns.padding_block_size = 0;
 			verbose(VERB_ALGO, "query with bad edns version.");
 			log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
 			error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo,

doc/Changelog

@@ -1,3 +1,7 @@
+22 January 2022: Willem
+	- Padding of queries and responses with DNS over TLS as specified in
+	  RFC7830 and RFC8467.
+
 22 January 2021: George
 	- Fix TTL of SOA record for negative answers (localzone and
 	  authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM.

doc/example.conf.in

@@ -758,6 +758,12 @@ server:
 	# cipher setting for TLSv1.3
 	# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
 
+	# Pad responses to padded queries received over TLS
+	# pad-responses: yes
+
+	# Padded responses will be padded to the closest multiple of this size.
+	# pad-responses-block-size: 468
+
 	# Use the SNI extension for TLS connections.  Default is yes.
 	# Changing the value requires a reload.
 	# tls-use-sni: yes
@@ -780,6 +786,12 @@ server:
 	# Add system certs to the cert bundle, from the Windows Cert Store
 	# tls-win-cert: no
 
+	# Pad queries over TLS upstreams
+	# pad-queries: yes
+
+	# Padded queries will be padded to the closest multiple of this size.
+	# pad-queries-block-size: 128
+
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
 	# tls-additional-port: portno for each of the port numbers.
 

doc/unbound.conf.5.in

@@ -564,6 +564,25 @@ and that is the default.
 Set the list of ciphersuites to allow when serving TLS.  This is for newer
 TLS 1.3 connections.  Use "" for defaults, and that is the default.
 .TP
+.B pad\-responses: \fI<yes or no>
+If enabled, TLS serviced queries that contained an EDNS Padding option will
+cause responses padded to the closest multiple of the size specified in
+\fBpad\-responses\-block\-size\fR.
+Default is yes.
+.TP
+.B pad\-responses\-block\-size: \fI<number>
+The block size with which to pad responses serviced over TLS. Only responses
+to padded queries will be padded.
+Default is 468.
+.TP
+.B pad\-queries: \fI<yes or no>
+If enabled, all queries sent over TLS upstreams will be padded to the closest
+multiple of the size specified in \fBpad\-queries\-block\-size\fR.
+Default is yes.
+.TP
+.B pad\-queries\-block\-size: \fI<number>
+The block size with which to pad queries sent over TLS upstreams.
+Default is 128.
 .B tls\-use\-sni: \fI<yes or no>
 Enable or disable sending the SNI extension on TLS connections.
 Default is yes.

libunbound/libworker.c

@@ -577,6 +577,7 @@ setup_qinfo_edns(struct libworker* w, struct ctx_query* q,
 	edns->edns_version = 0;
 	edns->bits = EDNS_DO;
 	edns->opt_list = NULL;
+	edns->padding_block_size = 0;
 	if(sldns_buffer_capacity(w->back->udp_buff) < 65535)
 		edns->udp_size = (uint16_t)sldns_buffer_capacity(
 			w->back->udp_buff);

services/authzone.c

@@ -5110,6 +5110,7 @@ xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env)
 	edns.edns_version = 0;
 	edns.bits = EDNS_DO;
 	edns.opt_list = NULL;
+	edns.padding_block_size = 0;
 	if(sldns_buffer_capacity(buf) < 65535)
 		edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
 	else	edns.udp_size = 65535;
@@ -6298,6 +6299,7 @@ xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env)
 	edns.edns_version = 0;
 	edns.bits = EDNS_DO;
 	edns.opt_list = NULL;
+	edns.padding_block_size = 0;
 	if(sldns_buffer_capacity(buf) < 65535)
 		edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
 	else	edns.udp_size = 65535;

services/outside_network.c

@@ -2242,7 +2242,8 @@ static struct serviced_query*
 serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
 	int want_dnssec, int nocaps, int tcp_upstream, int ssl_upstream,
 	char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen,
-	uint8_t* zone, size_t zonelen, int qtype, struct edns_option* opt_list)
+	uint8_t* zone, size_t zonelen, int qtype, struct edns_option* opt_list,
+	size_t pad_queries_block_size)
 {
 	struct serviced_query* sq = (struct serviced_query*)malloc(sizeof(*sq));
 #ifdef UNBOUND_DEBUG
@@ -2300,6 +2301,7 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
 	sq->status = serviced_initial;
 	sq->retry = 0;
 	sq->to_be_deleted = 0;
+	sq->padding_block_size = pad_queries_block_size;
 #ifdef UNBOUND_DEBUG
 	ins = 
 #else
@@ -2481,6 +2483,7 @@ serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns)
 	if(with_edns) {
 		/* add edns section */
 		struct edns_data edns;
+		struct edns_option padding_option;
 		edns.edns_present = 1;
 		edns.ext_rcode = 0;
 		edns.edns_version = EDNS_ADVERTISED_VERSION;
@@ -2503,6 +2506,14 @@ serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns)
 			edns.bits = EDNS_DO;
 		if(sq->dnssec & BIT_CD)
 			LDNS_CD_SET(sldns_buffer_begin(buff));
+		if (sq->ssl_upstream && sq->padding_block_size) {
+			padding_option.opt_code = LDNS_EDNS_PADDING;
+			padding_option.opt_len = 0;
+			padding_option.opt_data = NULL;
+			padding_option.next = edns.opt_list;
+			edns.opt_list = &padding_option;
+			edns.padding_block_size = sq->padding_block_size;
+		}
 		attach_edns_record(buff, &edns);
 	}
 }
@@ -3026,7 +3037,9 @@ outnet_serviced_query(struct outside_network* outnet,
 		sq = serviced_create(outnet, buff, dnssec, want_dnssec, nocaps,
 			tcp_upstream, ssl_upstream, tls_auth_name, addr,
 			addrlen, zone, zonelen, (int)qinfo->qtype,
-			qstate->edns_opts_back_out);
+			qstate->edns_opts_back_out,
+			( ssl_upstream && env->cfg->pad_queries
+			? env->cfg->pad_queries_block_size : 0 ));
 		if(!sq) {
 			free(cb);
 			return NULL;

services/outside_network.h

@@ -502,6 +502,8 @@ struct serviced_query {
 	struct service_callback* cblist;
 	/** the UDP or TCP query that is pending, see status which */
 	void* pending;
+	/** block size with which to pad encrypted queries (default: 128) */
+	size_t padding_block_size;
 };
 
 /**

testcode/fake_event.c

@@ -1229,6 +1229,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 		edns.bits = 0;
 		if(dnssec)
 			edns.bits = EDNS_DO;
+		edns.padding_block_size = 0;
 		if((client_string_addr = edns_string_addr_lookup(
 			&env->edns_strings->client_strings,
 			addr, addrlen))) {

testdata/padding.tdir/padding.conf

@@ -0,0 +1,27 @@
+server:
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+
+	tls-cert-bundle: "unbound_server.pem"
+	tls-upstream: yes
+
+remote-control:
+        control-enable: yes
+        control-interface: 127.0.0.1
+        control-port: @CONTROL_PORT@
+        server-key-file: "unbound_server.key"
+        server-cert-file: "unbound_server.pem"
+        control-key-file: "unbound_control.key"
+        control-cert-file: "unbound_control.pem"
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@#unbound"
+
+

testdata/padding.tdir/padding.conf2

@@ -0,0 +1,47 @@
+# this is the upstream server that has pipelining and responds to queries.
+server:
+	verbosity: 1
+	# num-threads: 1
+	interface: 127.0.0.1@@PORT@
+	port: @PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound2.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	tls-port: @PORT@
+	tls-service-key: "unbound_server.key"
+	tls-service-pem: "unbound_server.pem"
+	tcp-idle-timeout: 10000
+	log-queries: yes
+	log-replies: yes
+	log-identity: "upstream"
+
+remote-control:
+        control-enable: yes
+        control-interface: 127.0.0.1
+        # control-interface: ::1
+        control-port: @CONTROL_PORT2@
+        server-key-file: "unbound_server.key"
+        server-cert-file: "unbound_server.pem"
+        control-key-file: "unbound_control.key"
+        control-cert-file: "unbound_control.pem"
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
+dnstap:
+        dnstap-enable: yes
+        dnstap-socket-path: "dnstap.socket"
+        dnstap-send-identity: yes
+        dnstap-send-version: yes
+        #dnstap-identity
+        #dnstap-version
+        dnstap-log-resolver-query-messages: no
+        dnstap-log-resolver-response-messages: no
+        dnstap-log-client-query-messages: yes
+        dnstap-log-client-response-messages: yes
+        dnstap-log-forwarder-query-messages: no
+        dnstap-log-forwarder-response-messages: no

testdata/padding.tdir/padding.dsc

@@ -0,0 +1,16 @@
+BaseName: padding
+Version: 1.0
+Description: Test EDNS0 padding option (RFC7830 and RFC8467).
+CreationDate: Sun Jan 24 16:41:42 CET 2021
+Maintainer: Willem Toorop
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: padding.pre
+Post: padding.post
+Test: padding.test
+AuxFiles: 
+Passed:
+Failure:

testdata/padding.tdir/padding.msgsizes

@@ -0,0 +1,20 @@
+;; MSG SIZE  rcvd: 128
+;; MSG SIZE  rcvd: 468
+;; MSG SIZE  rcvd: 128
+;; MSG SIZE  rcvd: 936
+;; MSG SIZE  rcvd: 128
+;; MSG SIZE  rcvd: 60
+;; MSG SIZE  rcvd: 128
+;; MSG SIZE  rcvd: 502
+;; MSG SIZE  rcvd: 44
+;; MSG SIZE  rcvd: 60
+;; MSG SIZE  rcvd: 44
+;; MSG SIZE  rcvd: 502
+;; MSG SIZE  rcvd: 48
+;; MSG SIZE  rcvd: 64
+;; MSG SIZE  rcvd: 48
+;; MSG SIZE  rcvd: 512
+;; MSG SIZE  rcvd: 48
+;; MSG SIZE  rcvd: 512
+;; MSG SIZE  rcvd: 48
+;; MSG SIZE  rcvd: 512

testdata/padding.tdir/padding.post

@@ -0,0 +1,23 @@
+# #-- padding.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+kill_pid $DNSTAP_SOCKET_PID
+kill_pid $FWD_PID
+kill_pid `cat unbound2.pid`
+if test -f unbound2.log; then
+	echo ">>> upstream log"
+	cat unbound2.log
+fi
+#kill_pid $UNBOUND_PID
+kill_pid `cat unbound.pid`
+if test -f unbound.log; then
+	echo ">>> unbound log"
+	cat unbound.log
+fi

testdata/padding.tdir/padding.pre

@@ -0,0 +1,69 @@
+# #-- padding.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+get_random_port 5
+UNBOUND_PORT=$RND_PORT
+UPSTREAM_PORT=$(($RND_PORT + 1))
+FWD_PORT=$(($RND_PORT + 2))
+CONTROL_PORT=$(($RND_PORT + 3))
+CONTROL_PORT2=$(($RND_PORT + 4))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "UPSTREAM_PORT=$UPSTREAM_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT2=$CONTROL_PORT2" >> .tpkg.var.test
+
+# start ldns-testnd
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT padding.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# start the dnstap log server
+# the -vvvv flag prints protocol and connection information from the
+# unbound-dnstap-socket server.
+# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
+# stderr is the '-vvvv' server logs and errors.
+# stdout is the one-line packet logs (or with -l, multiline).
+$PRE/unbound-dnstap-socket -u dnstap.socket -l -vvvv 2>tap.errlog >tap.log &
+if test $? -ne 0; then
+        echo "could not start unbound-dnstap-socket server"
+        exit 1
+fi
+DNSTAP_SOCKET_PID=$!
+echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
+# wait for the server to go up and make the dnstap.socket file
+wait_server_up "tap.errlog" "creating unix socket"
+if test ! -S dnstap.socket; then 
+        echo "the dnstap.socket file does not exist!"
+fi
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$UPSTREAM_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < padding.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+#$PRE/unbound -d -c ub.conf 2>&1 | tee unbound.log &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+# make upstream config file
+sed -e 's/@PORT\@/'$UPSTREAM_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT2\@/'$CONTROL_PORT2'/' < padding.conf2 > ub2.conf
+# start upstream unbound in the background
+$PRE/unbound -d -c ub2.conf >unbound2.log 2>&1 &
+#$PRE/unbound -d -c ub2.conf 2>&1 | tee unbound2.log &
+UPSTREAM_PID=$!
+echo "UPSTREAM_PID=$UPSTREAM_PID" >> .tpkg.var.test
+
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+wait_unbound_up unbound2.log
+
+cat .tpkg.var.test
+

testdata/padding.tdir/padding.test

@@ -0,0 +1,170 @@
+echo There we go...
+
+# #-- padding.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+echo "> query www.example.com. A"
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+        echo "OK"
+else
+        echo "> cat logfiles"
+        cat tap.log
+        cat tap.errlog
+        cat fwd.log
+	cat unbound2.log 
+        cat unbound.log
+        echo "Not OK"
+        exit 1
+fi
+
+echo "> wait for log to happen on timer"
+sleep 3
+echo "> check tap.log for dnstap info"
+# see if it logged the information in tap.log
+# wait for a moment for filesystem to catch up.
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
+if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
+else
+        echo "information not in tap.log"
+        echo "failed"
+        echo "> cat logfiles"
+        cat tap.log
+        cat tap.errlog
+        cat fwd.log
+        cat unbound.log
+        echo "Not OK"
+        exit 1
+fi
+
+echo "> query txt.example.com. TXT"
+dig @127.0.0.1 -p $UNBOUND_PORT txt.example.com. TXT | tee outfile
+echo "> check answer"
+if grep "Lorem ipsum" outfile; then
+        echo "OK"
+else
+        echo "> cat logfiles"
+        cat tap.log
+        cat tap.errlog
+        cat fwd.log
+	cat unbound2.log 
+        cat unbound.log
+        echo "Not OK"
+        exit 1
+fi
+echo "> check tap.log for dnstap info"
+# see if it logged the information in tap.log
+# wait for a moment for filesystem to catch up.
+if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 10; fi
+if grep "txt.example.com" tap.log; then echo "yes it is in tap.log";
+else
+        echo "information not in tap.log"
+        echo "failed"
+        echo "> cat logfiles"
+        cat tap.log
+        cat tap.errlog
+        cat fwd.log
+        cat unbound.log
+        echo "Not OK"
+        exit 1
+fi
+
+echo "> flush cache entries."
+$PRE/unbound-control -c ub.conf flush_type www.example.com A
+$PRE/unbound-control -c ub.conf flush_type txt.example.com TXT
+echo "> disable padding of responses."
+$PRE/unbound-control -c ub2.conf set_option pad-responses: no
+echo "> query www.example.com. A"
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
+echo "> query txt.example.com. TXT"
+dig @127.0.0.1 -p $UNBOUND_PORT txt.example.com. TXT | tee outfile
+echo "> flush cache entries."
+$PRE/unbound-control -c ub.conf flush_type www.example.com A
+$PRE/unbound-control -c ub.conf flush_type txt.example.com TXT
+echo "> enable padding of responses."
+$PRE/unbound-control -c ub2.conf set_option pad-responses: yes
+echo "> set pad responses block size to 64"
+$PRE/unbound-control -c ub2.conf set_option pad-responses-block-size: 64
+echo "> disable padding of queries."
+$PRE/unbound-control -c ub.conf set_option pad-queries: no
+echo "> query www.example.com. A"
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
+echo "> query txt.example.com. TXT"
+dig @127.0.0.1 -p $UNBOUND_PORT txt.example.com. TXT | tee outfile
+echo "> flush cache entries."
+$PRE/unbound-control -c ub.conf flush_type www.example.com A
+$PRE/unbound-control -c ub.conf flush_type txt.example.com TXT
+echo "> enable padding of queries."
+$PRE/unbound-control -c ub.conf set_option pad-queries: yes
+echo "> set pad queries block size to 48"
+$PRE/unbound-control -c ub.conf set_option pad-queries-block-size: 48
+echo "> query www.example.com. A"
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
+echo "> query txt.example.com. TXT"
+dig @127.0.0.1 -p $UNBOUND_PORT txt.example.com. TXT | tee outfile
+echo "> flush cache entries."
+$PRE/unbound-control -c ub.conf flush_type www.example.com A
+$PRE/unbound-control -c ub.conf flush_type txt.example.com TXT
+echo "> set pad responses block size to 512"
+$PRE/unbound-control -c ub2.conf set_option pad-responses-block-size: 512
+echo "> query www.example.com. A"
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
+echo "> query fin.example.com. TXT"
+dig @127.0.0.1 -p $UNBOUND_PORT fin.example.com. TXT | tee outfile
+echo "> check tap.log for dnstap info"
+# see if it logged the information in tap.log
+# wait for a moment for filesystem to catch up.
+if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "fini" tap.log >/dev/null; then :; else sleep 10; fi
+if grep "fini" tap.log; then echo "yes it is in tap.log";
+else
+        echo "information not in tap.log"
+        echo "failed"
+        echo "> cat logfiles"
+        cat tap.log
+        cat tap.errlog
+        cat fwd.log
+        cat unbound.log
+        echo "Not OK"
+        exit 1
+fi
+
+grep '^;; MSG SIZE  rcvd: ' tap.log > message.sizes
+
+if diff message.sizes padding.msgsizes
+then
+	echo "OK - Message sizes matched expected sizes"
+	exit 0
+else
+        echo "unexpected message sizes"
+        echo "failed"
+        echo "> cat logfiles"
+        cat tap.log
+        cat tap.errlog
+        cat fwd.log
+        cat unbound.log
+        echo "Not OK"
+        exit 1
+fi

testdata/padding.tdir/padding.testns

@@ -0,0 +1,34 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+txt	IN	TXT
+SECTION ANSWER
+txt	IN	TXT	"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." "Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." "Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur." "Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum."
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+fin	IN	TXT
+SECTION ANSWER
+fin	IN	TXT	"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." "Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." "Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur." "Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." "fini"
+ENTRY_END
+

testdata/padding.tdir/unbound_control.key

@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA
+1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ
+F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR
+ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm
+vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb
+IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL
+cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr
+lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov
+15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf
+LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+
+Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57
+YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9
+whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c
+lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax
+tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ
+U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9
+Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc
+Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3
+ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+
+1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN
+b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz
+ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C
+TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF
+tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y
+aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0
+A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU
+LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U
+R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy
+7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj
+7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw
+jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1
+BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar
+kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR
+qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3
+VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9
+MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa
+C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g=
+-----END RSA PRIVATE KEY-----

testdata/padding.tdir/unbound_control.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx
+EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw
+WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA
+A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv
+OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj
+1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl
+NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht
+A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/
+Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB
+TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/
+nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My
++i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj
+4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83
+hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU
+9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn
+ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ
+pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD
+72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ
+muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP
+uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte
+-----END CERTIFICATE-----

testdata/padding.tdir/unbound_server.key

@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
+0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
+GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
+uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
+WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
+FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
+q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
+A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
+7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
+XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
+iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
+2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
+MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
+WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
+O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
+IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
+qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
+dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
+bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
+YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
+7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
+gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
+5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
+ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
+oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
+s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
+zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
+ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
+oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
+BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
+mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
+kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
+7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
+RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
+jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
+O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
+MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
+-----END RSA PRIVATE KEY-----

testdata/padding.tdir/unbound_server.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
+EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
+WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
+igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
+a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
+4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
+aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
+TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
+uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
++nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
+XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
+dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
+84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
+JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
+fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
+XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
+qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
+sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
+yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
+CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
+-----END CERTIFICATE-----

util/config_file.c

@@ -338,6 +338,10 @@ config_create(void)
 	cfg->dnscrypt_shared_secret_cache_slabs = 4;
 	cfg->dnscrypt_nonce_cache_size = 4*1024*1024;
 	cfg->dnscrypt_nonce_cache_slabs = 4;
+	cfg->pad_responses = 1;
+	cfg->pad_responses_block_size = 468; /* from RFC8467 */
+	cfg->pad_queries = 1;
+	cfg->pad_queries_block_size = 128; /* from RFC8467 */
 #ifdef USE_IPSECMOD
 	cfg->ipsecmod_enabled = 1;
 	cfg->ipsecmod_ignore_bogus = 0;
@@ -737,6 +741,10 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil)
 	else S_YNO("qname-minimisation:", qname_minimisation)
 	else S_YNO("qname-minimisation-strict:", qname_minimisation_strict)
+	else S_YNO("pad-responses:", pad_responses)
+	else S_SIZET_NONZERO("pad-responses-block-size:", pad_responses_block_size)
+	else S_YNO("pad-queries:", pad_queries)
+	else S_SIZET_NONZERO("pad-queries-block-size:", pad_queries_block_size)
 #ifdef USE_IPSECMOD
 	else S_YNO("ipsecmod-enabled:", ipsecmod_enabled)
 	else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus)
@@ -1177,6 +1185,10 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
 	else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
 	else O_LS2(opt, "access-control-view", acl_view)
+	else O_YNO(opt, "pad-responses", pad_responses)
+	else O_DEC(opt, "pad-responses-block-size", pad_responses_block_size)
+	else O_YNO(opt, "pad-queries", pad_queries)
+	else O_DEC(opt, "pad-queries-block-size", pad_queries_block_size)
 	else O_LS2(opt, "edns-client-strings", edns_client_strings)
 #ifdef USE_IPSECMOD
 	else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled)

util/config_file.h

@@ -600,6 +600,17 @@ struct config_file {
 	size_t dnscrypt_nonce_cache_size;
 	/** number of slabs for dnscrypt nonces cache */
 	size_t dnscrypt_nonce_cache_slabs;
+
+	/** EDNS padding according to RFC7830 and RFC8467 */
+	/** true to enable padding of responses (default: on) */
+	int pad_responses;
+	/** block size with which to pad encrypted responses (default: 468) */
+	size_t pad_responses_block_size;
+	/** true to enable padding of queries (default: on) */
+	int pad_queries;
+	/** block size with which to pad encrypted queries (default: 128) */
+	size_t pad_queries_block_size;
+
 	/** IPsec module */
 #ifdef USE_IPSECMOD
 	/** false to bypass the IPsec module */

util/configlexer.lex

@@ -510,6 +510,10 @@ dnscrypt-shared-secret-cache-slabs{COLON}	{
 		YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) }
 dnscrypt-nonce-cache-size{COLON}	{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SIZE) }
 dnscrypt-nonce-cache-slabs{COLON}	{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SLABS) }
+pad-responses{COLON}		{ YDVAR(1, VAR_PAD_RESPONSES) }
+pad-responses-block-size{COLON}	{ YDVAR(1, VAR_PAD_RESPONSES_BLOCK_SIZE) }
+pad-queries{COLON}		{ YDVAR(1, VAR_PAD_QUERIES) }
+pad-queries-block-size{COLON}	{ YDVAR(1, VAR_PAD_QUERIES_BLOCK_SIZE) }
 ipsecmod-enabled{COLON}		{ YDVAR(1, VAR_IPSECMOD_ENABLED) }
 ipsecmod-ignore-bogus{COLON}	{ YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
 ipsecmod-hook{COLON}		{ YDVAR(1, VAR_IPSECMOD_HOOK) }

util/configparser.h

@@ -301,60 +301,64 @@ extern int yydebug;
     VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 502, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS  */
     VAR_DNSCRYPT_NONCE_CACHE_SIZE = 503, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE  */
     VAR_DNSCRYPT_NONCE_CACHE_SLABS = 504, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS  */
-    VAR_IPSECMOD_ENABLED = 505,    /* VAR_IPSECMOD_ENABLED  */
-    VAR_IPSECMOD_HOOK = 506,       /* VAR_IPSECMOD_HOOK  */
-    VAR_IPSECMOD_IGNORE_BOGUS = 507, /* VAR_IPSECMOD_IGNORE_BOGUS  */
-    VAR_IPSECMOD_MAX_TTL = 508,    /* VAR_IPSECMOD_MAX_TTL  */
-    VAR_IPSECMOD_WHITELIST = 509,  /* VAR_IPSECMOD_WHITELIST  */
-    VAR_IPSECMOD_STRICT = 510,     /* VAR_IPSECMOD_STRICT  */
-    VAR_CACHEDB = 511,             /* VAR_CACHEDB  */
-    VAR_CACHEDB_BACKEND = 512,     /* VAR_CACHEDB_BACKEND  */
-    VAR_CACHEDB_SECRETSEED = 513,  /* VAR_CACHEDB_SECRETSEED  */
-    VAR_CACHEDB_REDISHOST = 514,   /* VAR_CACHEDB_REDISHOST  */
-    VAR_CACHEDB_REDISPORT = 515,   /* VAR_CACHEDB_REDISPORT  */
-    VAR_CACHEDB_REDISTIMEOUT = 516, /* VAR_CACHEDB_REDISTIMEOUT  */
-    VAR_CACHEDB_REDISEXPIRERECORDS = 517, /* VAR_CACHEDB_REDISEXPIRERECORDS  */
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 518, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM  */
-    VAR_FOR_UPSTREAM = 519,        /* VAR_FOR_UPSTREAM  */
-    VAR_AUTH_ZONE = 520,           /* VAR_AUTH_ZONE  */
-    VAR_ZONEFILE = 521,            /* VAR_ZONEFILE  */
-    VAR_MASTER = 522,              /* VAR_MASTER  */
-    VAR_URL = 523,                 /* VAR_URL  */
-    VAR_FOR_DOWNSTREAM = 524,      /* VAR_FOR_DOWNSTREAM  */
-    VAR_FALLBACK_ENABLED = 525,    /* VAR_FALLBACK_ENABLED  */
-    VAR_TLS_ADDITIONAL_PORT = 526, /* VAR_TLS_ADDITIONAL_PORT  */
-    VAR_LOW_RTT = 527,             /* VAR_LOW_RTT  */
-    VAR_LOW_RTT_PERMIL = 528,      /* VAR_LOW_RTT_PERMIL  */
-    VAR_FAST_SERVER_PERMIL = 529,  /* VAR_FAST_SERVER_PERMIL  */
-    VAR_FAST_SERVER_NUM = 530,     /* VAR_FAST_SERVER_NUM  */
-    VAR_ALLOW_NOTIFY = 531,        /* VAR_ALLOW_NOTIFY  */
-    VAR_TLS_WIN_CERT = 532,        /* VAR_TLS_WIN_CERT  */
-    VAR_TCP_CONNECTION_LIMIT = 533, /* VAR_TCP_CONNECTION_LIMIT  */
-    VAR_FORWARD_NO_CACHE = 534,    /* VAR_FORWARD_NO_CACHE  */
-    VAR_STUB_NO_CACHE = 535,       /* VAR_STUB_NO_CACHE  */
-    VAR_LOG_SERVFAIL = 536,        /* VAR_LOG_SERVFAIL  */
-    VAR_DENY_ANY = 537,            /* VAR_DENY_ANY  */
-    VAR_UNKNOWN_SERVER_TIME_LIMIT = 538, /* VAR_UNKNOWN_SERVER_TIME_LIMIT  */
-    VAR_LOG_TAG_QUERYREPLY = 539,  /* VAR_LOG_TAG_QUERYREPLY  */
-    VAR_STREAM_WAIT_SIZE = 540,    /* VAR_STREAM_WAIT_SIZE  */
-    VAR_TLS_CIPHERS = 541,         /* VAR_TLS_CIPHERS  */
-    VAR_TLS_CIPHERSUITES = 542,    /* VAR_TLS_CIPHERSUITES  */
-    VAR_TLS_USE_SNI = 543,         /* VAR_TLS_USE_SNI  */
-    VAR_IPSET = 544,               /* VAR_IPSET  */
-    VAR_IPSET_NAME_V4 = 545,       /* VAR_IPSET_NAME_V4  */
-    VAR_IPSET_NAME_V6 = 546,       /* VAR_IPSET_NAME_V6  */
-    VAR_TLS_SESSION_TICKET_KEYS = 547, /* VAR_TLS_SESSION_TICKET_KEYS  */
-    VAR_RPZ = 548,                 /* VAR_RPZ  */
-    VAR_TAGS = 549,                /* VAR_TAGS  */
-    VAR_RPZ_ACTION_OVERRIDE = 550, /* VAR_RPZ_ACTION_OVERRIDE  */
-    VAR_RPZ_CNAME_OVERRIDE = 551,  /* VAR_RPZ_CNAME_OVERRIDE  */
-    VAR_RPZ_LOG = 552,             /* VAR_RPZ_LOG  */
-    VAR_RPZ_LOG_NAME = 553,        /* VAR_RPZ_LOG_NAME  */
-    VAR_DYNLIB = 554,              /* VAR_DYNLIB  */
-    VAR_DYNLIB_FILE = 555,         /* VAR_DYNLIB_FILE  */
-    VAR_EDNS_CLIENT_STRING = 556,  /* VAR_EDNS_CLIENT_STRING  */
-    VAR_EDNS_CLIENT_STRING_OPCODE = 557, /* VAR_EDNS_CLIENT_STRING_OPCODE  */
-    VAR_NSID = 558                 /* VAR_NSID  */
+    VAR_PAD_RESPONSES = 505,       /* VAR_PAD_RESPONSES  */
+    VAR_PAD_RESPONSES_BLOCK_SIZE = 506, /* VAR_PAD_RESPONSES_BLOCK_SIZE  */
+    VAR_PAD_QUERIES = 507,         /* VAR_PAD_QUERIES  */
+    VAR_PAD_QUERIES_BLOCK_SIZE = 508, /* VAR_PAD_QUERIES_BLOCK_SIZE  */
+    VAR_IPSECMOD_ENABLED = 509,    /* VAR_IPSECMOD_ENABLED  */
+    VAR_IPSECMOD_HOOK = 510,       /* VAR_IPSECMOD_HOOK  */
+    VAR_IPSECMOD_IGNORE_BOGUS = 511, /* VAR_IPSECMOD_IGNORE_BOGUS  */
+    VAR_IPSECMOD_MAX_TTL = 512,    /* VAR_IPSECMOD_MAX_TTL  */
+    VAR_IPSECMOD_WHITELIST = 513,  /* VAR_IPSECMOD_WHITELIST  */
+    VAR_IPSECMOD_STRICT = 514,     /* VAR_IPSECMOD_STRICT  */
+    VAR_CACHEDB = 515,             /* VAR_CACHEDB  */
+    VAR_CACHEDB_BACKEND = 516,     /* VAR_CACHEDB_BACKEND  */
+    VAR_CACHEDB_SECRETSEED = 517,  /* VAR_CACHEDB_SECRETSEED  */
+    VAR_CACHEDB_REDISHOST = 518,   /* VAR_CACHEDB_REDISHOST  */
+    VAR_CACHEDB_REDISPORT = 519,   /* VAR_CACHEDB_REDISPORT  */
+    VAR_CACHEDB_REDISTIMEOUT = 520, /* VAR_CACHEDB_REDISTIMEOUT  */
+    VAR_CACHEDB_REDISEXPIRERECORDS = 521, /* VAR_CACHEDB_REDISEXPIRERECORDS  */
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 522, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM  */
+    VAR_FOR_UPSTREAM = 523,        /* VAR_FOR_UPSTREAM  */
+    VAR_AUTH_ZONE = 524,           /* VAR_AUTH_ZONE  */
+    VAR_ZONEFILE = 525,            /* VAR_ZONEFILE  */
+    VAR_MASTER = 526,              /* VAR_MASTER  */
+    VAR_URL = 527,                 /* VAR_URL  */
+    VAR_FOR_DOWNSTREAM = 528,      /* VAR_FOR_DOWNSTREAM  */
+    VAR_FALLBACK_ENABLED = 529,    /* VAR_FALLBACK_ENABLED  */
+    VAR_TLS_ADDITIONAL_PORT = 530, /* VAR_TLS_ADDITIONAL_PORT  */
+    VAR_LOW_RTT = 531,             /* VAR_LOW_RTT  */
+    VAR_LOW_RTT_PERMIL = 532,      /* VAR_LOW_RTT_PERMIL  */
+    VAR_FAST_SERVER_PERMIL = 533,  /* VAR_FAST_SERVER_PERMIL  */
+    VAR_FAST_SERVER_NUM = 534,     /* VAR_FAST_SERVER_NUM  */
+    VAR_ALLOW_NOTIFY = 535,        /* VAR_ALLOW_NOTIFY  */
+    VAR_TLS_WIN_CERT = 536,        /* VAR_TLS_WIN_CERT  */
+    VAR_TCP_CONNECTION_LIMIT = 537, /* VAR_TCP_CONNECTION_LIMIT  */
+    VAR_FORWARD_NO_CACHE = 538,    /* VAR_FORWARD_NO_CACHE  */
+    VAR_STUB_NO_CACHE = 539,       /* VAR_STUB_NO_CACHE  */
+    VAR_LOG_SERVFAIL = 540,        /* VAR_LOG_SERVFAIL  */
+    VAR_DENY_ANY = 541,            /* VAR_DENY_ANY  */
+    VAR_UNKNOWN_SERVER_TIME_LIMIT = 542, /* VAR_UNKNOWN_SERVER_TIME_LIMIT  */
+    VAR_LOG_TAG_QUERYREPLY = 543,  /* VAR_LOG_TAG_QUERYREPLY  */
+    VAR_STREAM_WAIT_SIZE = 544,    /* VAR_STREAM_WAIT_SIZE  */
+    VAR_TLS_CIPHERS = 545,         /* VAR_TLS_CIPHERS  */
+    VAR_TLS_CIPHERSUITES = 546,    /* VAR_TLS_CIPHERSUITES  */
+    VAR_TLS_USE_SNI = 547,         /* VAR_TLS_USE_SNI  */
+    VAR_IPSET = 548,               /* VAR_IPSET  */
+    VAR_IPSET_NAME_V4 = 549,       /* VAR_IPSET_NAME_V4  */
+    VAR_IPSET_NAME_V6 = 550,       /* VAR_IPSET_NAME_V6  */
+    VAR_TLS_SESSION_TICKET_KEYS = 551, /* VAR_TLS_SESSION_TICKET_KEYS  */
+    VAR_RPZ = 552,                 /* VAR_RPZ  */
+    VAR_TAGS = 553,                /* VAR_TAGS  */
+    VAR_RPZ_ACTION_OVERRIDE = 554, /* VAR_RPZ_ACTION_OVERRIDE  */
+    VAR_RPZ_CNAME_OVERRIDE = 555,  /* VAR_RPZ_CNAME_OVERRIDE  */
+    VAR_RPZ_LOG = 556,             /* VAR_RPZ_LOG  */
+    VAR_RPZ_LOG_NAME = 557,        /* VAR_RPZ_LOG_NAME  */
+    VAR_DYNLIB = 558,              /* VAR_DYNLIB  */
+    VAR_DYNLIB_FILE = 559,         /* VAR_DYNLIB_FILE  */
+    VAR_EDNS_CLIENT_STRING = 560,  /* VAR_EDNS_CLIENT_STRING  */
+    VAR_EDNS_CLIENT_STRING_OPCODE = 561, /* VAR_EDNS_CLIENT_STRING_OPCODE  */
+    VAR_NSID = 562                 /* VAR_NSID  */
   };
   typedef enum yytokentype yytoken_kind_t;
 #endif
@@ -609,60 +613,64 @@ extern int yydebug;
 #define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 502
 #define VAR_DNSCRYPT_NONCE_CACHE_SIZE 503
 #define VAR_DNSCRYPT_NONCE_CACHE_SLABS 504
-#define VAR_IPSECMOD_ENABLED 505
-#define VAR_IPSECMOD_HOOK 506
-#define VAR_IPSECMOD_IGNORE_BOGUS 507
-#define VAR_IPSECMOD_MAX_TTL 508
-#define VAR_IPSECMOD_WHITELIST 509
-#define VAR_IPSECMOD_STRICT 510
-#define VAR_CACHEDB 511
-#define VAR_CACHEDB_BACKEND 512
-#define VAR_CACHEDB_SECRETSEED 513
-#define VAR_CACHEDB_REDISHOST 514
-#define VAR_CACHEDB_REDISPORT 515
-#define VAR_CACHEDB_REDISTIMEOUT 516
-#define VAR_CACHEDB_REDISEXPIRERECORDS 517
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 518
-#define VAR_FOR_UPSTREAM 519
-#define VAR_AUTH_ZONE 520
-#define VAR_ZONEFILE 521
-#define VAR_MASTER 522
-#define VAR_URL 523
-#define VAR_FOR_DOWNSTREAM 524
-#define VAR_FALLBACK_ENABLED 525
-#define VAR_TLS_ADDITIONAL_PORT 526
-#define VAR_LOW_RTT 527
-#define VAR_LOW_RTT_PERMIL 528
-#define VAR_FAST_SERVER_PERMIL 529
-#define VAR_FAST_SERVER_NUM 530
-#define VAR_ALLOW_NOTIFY 531
-#define VAR_TLS_WIN_CERT 532
-#define VAR_TCP_CONNECTION_LIMIT 533
-#define VAR_FORWARD_NO_CACHE 534
-#define VAR_STUB_NO_CACHE 535
-#define VAR_LOG_SERVFAIL 536
-#define VAR_DENY_ANY 537
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 538
-#define VAR_LOG_TAG_QUERYREPLY 539
-#define VAR_STREAM_WAIT_SIZE 540
-#define VAR_TLS_CIPHERS 541
-#define VAR_TLS_CIPHERSUITES 542
-#define VAR_TLS_USE_SNI 543
-#define VAR_IPSET 544
-#define VAR_IPSET_NAME_V4 545
-#define VAR_IPSET_NAME_V6 546
-#define VAR_TLS_SESSION_TICKET_KEYS 547
-#define VAR_RPZ 548
-#define VAR_TAGS 549
-#define VAR_RPZ_ACTION_OVERRIDE 550
-#define VAR_RPZ_CNAME_OVERRIDE 551
-#define VAR_RPZ_LOG 552
-#define VAR_RPZ_LOG_NAME 553
-#define VAR_DYNLIB 554
-#define VAR_DYNLIB_FILE 555
-#define VAR_EDNS_CLIENT_STRING 556
-#define VAR_EDNS_CLIENT_STRING_OPCODE 557
-#define VAR_NSID 558
+#define VAR_PAD_RESPONSES 505
+#define VAR_PAD_RESPONSES_BLOCK_SIZE 506
+#define VAR_PAD_QUERIES 507
+#define VAR_PAD_QUERIES_BLOCK_SIZE 508
+#define VAR_IPSECMOD_ENABLED 509
+#define VAR_IPSECMOD_HOOK 510
+#define VAR_IPSECMOD_IGNORE_BOGUS 511
+#define VAR_IPSECMOD_MAX_TTL 512
+#define VAR_IPSECMOD_WHITELIST 513
+#define VAR_IPSECMOD_STRICT 514
+#define VAR_CACHEDB 515
+#define VAR_CACHEDB_BACKEND 516
+#define VAR_CACHEDB_SECRETSEED 517
+#define VAR_CACHEDB_REDISHOST 518
+#define VAR_CACHEDB_REDISPORT 519
+#define VAR_CACHEDB_REDISTIMEOUT 520
+#define VAR_CACHEDB_REDISEXPIRERECORDS 521
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 522
+#define VAR_FOR_UPSTREAM 523
+#define VAR_AUTH_ZONE 524
+#define VAR_ZONEFILE 525
+#define VAR_MASTER 526
+#define VAR_URL 527
+#define VAR_FOR_DOWNSTREAM 528
+#define VAR_FALLBACK_ENABLED 529
+#define VAR_TLS_ADDITIONAL_PORT 530
+#define VAR_LOW_RTT 531
+#define VAR_LOW_RTT_PERMIL 532
+#define VAR_FAST_SERVER_PERMIL 533
+#define VAR_FAST_SERVER_NUM 534
+#define VAR_ALLOW_NOTIFY 535
+#define VAR_TLS_WIN_CERT 536
+#define VAR_TCP_CONNECTION_LIMIT 537
+#define VAR_FORWARD_NO_CACHE 538
+#define VAR_STUB_NO_CACHE 539
+#define VAR_LOG_SERVFAIL 540
+#define VAR_DENY_ANY 541
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 542
+#define VAR_LOG_TAG_QUERYREPLY 543
+#define VAR_STREAM_WAIT_SIZE 544
+#define VAR_TLS_CIPHERS 545
+#define VAR_TLS_CIPHERSUITES 546
+#define VAR_TLS_USE_SNI 547
+#define VAR_IPSET 548
+#define VAR_IPSET_NAME_V4 549
+#define VAR_IPSET_NAME_V6 550
+#define VAR_TLS_SESSION_TICKET_KEYS 551
+#define VAR_RPZ 552
+#define VAR_TAGS 553
+#define VAR_RPZ_ACTION_OVERRIDE 554
+#define VAR_RPZ_CNAME_OVERRIDE 555
+#define VAR_RPZ_LOG 556
+#define VAR_RPZ_LOG_NAME 557
+#define VAR_DYNLIB 558
+#define VAR_DYNLIB_FILE 559
+#define VAR_EDNS_CLIENT_STRING 560
+#define VAR_EDNS_CLIENT_STRING_OPCODE 561
+#define VAR_NSID 562
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -672,7 +680,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 676 "util/configparser.h"
+#line 684 "util/configparser.h"
 
 };
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -162,6 +162,8 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS
 %token VAR_DNSCRYPT_NONCE_CACHE_SIZE
 %token VAR_DNSCRYPT_NONCE_CACHE_SLABS
+%token VAR_PAD_RESPONSES VAR_PAD_RESPONSES_BLOCK_SIZE
+%token VAR_PAD_QUERIES VAR_PAD_QUERIES_BLOCK_SIZE
 %token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
 %token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
 %token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
@@ -274,7 +276,10 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_disable_dnssec_lame_check | server_access_control_tag |
 	server_local_zone_override | server_access_control_tag_action |
 	server_access_control_tag_data | server_access_control_view |
-	server_qname_minimisation_strict | server_serve_expired |
+	server_qname_minimisation_strict |
+	server_pad_responses | server_pad_responses_block_size |
+	server_pad_queries | server_pad_queries_block_size |
+	server_serve_expired |
 	server_serve_expired_ttl | server_serve_expired_ttl_reset |
 	server_serve_expired_reply_ttl | server_serve_expired_client_timeout |
 	server_fake_dsa | server_log_identity | server_use_systemd |
@@ -2436,6 +2441,44 @@ server_qname_minimisation_strict: VAR_QNAME_MINIMISATION_STRICT STRING_ARG
 		free($2);
 	}
 	;
+server_pad_responses: VAR_PAD_RESPONSES STRING_ARG
+	{
+		OUTYY(("P(server_pad_responses:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->pad_responses = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
+server_pad_responses_block_size: VAR_PAD_RESPONSES_BLOCK_SIZE STRING_ARG
+	{
+		OUTYY(("P(server_pad_responses_block_size:%s)\n", $2));
+		if(atoi($2) == 0)
+			yyerror("number expected");
+		else cfg_parser->cfg->pad_responses_block_size = atoi($2);
+		free($2);
+	}
+	;
+server_pad_queries: VAR_PAD_QUERIES STRING_ARG
+	{
+		OUTYY(("P(server_pad_queries:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->pad_queries = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
+server_pad_queries_block_size: VAR_PAD_QUERIES_BLOCK_SIZE STRING_ARG
+	{
+		OUTYY(("P(server_pad_queries_block_size:%s)\n", $2));
+		if(atoi($2) == 0)
+			yyerror("number expected");
+		else cfg_parser->cfg->pad_queries_block_size = atoi($2);
+		free($2);
+	}
+	;
 server_ipsecmod_enabled: VAR_IPSECMOD_ENABLED STRING_ARG
 	{
 	#ifdef USE_IPSECMOD

util/data/msgencode.c

@@ -801,14 +801,14 @@ calc_edns_field_size(struct edns_data* edns)
 	return 1 + 2 + 2 + 4 + 2 + rdatalen;
 }
 
-void
-attach_edns_record(sldns_buffer* pkt, struct edns_data* edns)
+static void
+attach_edns_record_max_msg_sz(sldns_buffer* pkt, struct edns_data* edns,
+	uint16_t max_msg_sz)
 {
 	size_t len;
 	size_t rdatapos;
 	struct edns_option* opt;
-	if(!edns || !edns->edns_present)
-		return;
+	struct edns_option* padding_option = NULL;
 	/* inc additional count */
 	sldns_buffer_write_u16_at(pkt, 10,
 		sldns_buffer_read_u16_at(pkt, 10) + 1);
@@ -826,17 +826,52 @@ attach_edns_record(sldns_buffer* pkt, struct edns_data* edns)
 	sldns_buffer_write_u16(pkt, 0); /* rdatalen */
 	/* write rdata */
 	for(opt=edns->opt_list; opt; opt=opt->next) {
+		if (opt->opt_code == LDNS_EDNS_PADDING) {
+			padding_option = opt;
+			continue;
+		}
 		sldns_buffer_write_u16(pkt, opt->opt_code);
 		sldns_buffer_write_u16(pkt, opt->opt_len);
 		if(opt->opt_len != 0)
 			sldns_buffer_write(pkt, opt->opt_data, opt->opt_len);
 	}
+	if (padding_option && edns->padding_block_size ) {
+		size_t pad_pos = sldns_buffer_position(pkt);
+		size_t msg_sz = ((pad_pos + 3) / edns->padding_block_size + 1)
+		                               * edns->padding_block_size;
+		size_t pad_sz;
+		
+		if (msg_sz > max_msg_sz)
+			msg_sz = max_msg_sz;
+
+		/* By use of calc_edns_field_size, calling functions should
+		 * have made sure that there is enough space for at least a
+		 * zero sized padding option.
+		 */
+		log_assert(pad_pos + 4 <= msg_sz);
+
+		pad_sz = msg_sz - pad_pos - 4;
+		sldns_buffer_write_u16(pkt, LDNS_EDNS_PADDING);
+		sldns_buffer_write_u16(pkt, pad_sz);
+		if (pad_sz) {
+			memset(sldns_buffer_current(pkt), 0, pad_sz);
+			sldns_buffer_skip(pkt, pad_sz);
+		}
+	}
 	if(edns->opt_list)
 		sldns_buffer_write_u16_at(pkt, rdatapos, 
 			sldns_buffer_position(pkt)-rdatapos-2);
 	sldns_buffer_flip(pkt);
 }
 
+void
+attach_edns_record(sldns_buffer* pkt, struct edns_data* edns)
+{
+	if(!edns || !edns->edns_present)
+		return;
+	attach_edns_record_max_msg_sz(pkt, edns, edns->udp_size);
+}
+
 int 
 reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep, 
 	uint16_t id, uint16_t qflags, sldns_buffer* pkt, time_t timenow,
@@ -885,7 +920,7 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
 	}
 	if(attach_edns && sldns_buffer_capacity(pkt) >=
 		sldns_buffer_limit(pkt)+attach_edns)
-		attach_edns_record(pkt, edns);
+		attach_edns_record_max_msg_sz(pkt, edns, udpsize+attach_edns);
 	return 1;
 }
 

util/data/msgparse.c

@@ -1020,6 +1020,7 @@ parse_extract_edns(struct msg_parse* msg, struct edns_data* edns,
 	edns->bits = sldns_read_uint16(&found->rr_last->ttl_data[2]);
 	edns->udp_size = ntohs(found->rrset_class);
 	edns->opt_list = NULL;
+	edns->padding_block_size = 0;
 
 	/* take the options */
 	rdata_len = found->rr_first->size-2;
@@ -1093,6 +1094,7 @@ parse_edns_from_pkt(sldns_buffer* pkt, struct edns_data* edns,
 	edns->edns_version = sldns_buffer_read_u8(pkt);
 	edns->bits = sldns_buffer_read_u16(pkt);
 	edns->opt_list = NULL;
+	edns->padding_block_size = 0;
 
 	/* take the options */
 	rdata_len = sldns_buffer_read_u16(pkt);

util/data/msgparse.h

@@ -225,6 +225,8 @@ struct edns_data {
 	uint16_t udp_size;
 	/** rdata element list, or NULL if none */
 	struct edns_option* opt_list;
+	/** block size to pad */
+	uint16_t padding_block_size;
 };
 
 /**

util/edns.c

@@ -165,5 +165,15 @@ int apply_edns_options(struct edns_data* edns_out, struct edns_data* edns_in,
 			LDNS_EDNS_NSID, cfg->nsid_len, cfg->nsid, region))
 		return 0;
 
+	if(!cfg->pad_responses || c->type != comm_tcp || !c->ssl
+	|| !edns_opt_list_find(edns_in->opt_list, LDNS_EDNS_PADDING))
+	       ; /* pass */
+
+	else if(!edns_opt_list_append(&edns_out->opt_list, LDNS_EDNS_PADDING
+	                                                 , 0, NULL, region))
+		return 0;
+	else
+		edns_out->padding_block_size = cfg->pad_responses_block_size;
+
 	return 1;
 }

validator/autotrust.c

@@ -2365,6 +2365,7 @@ probe_anchor(struct module_env* env, struct trust_anchor* tp)
 	edns.edns_version = 0;
 	edns.bits = EDNS_DO;
 	edns.opt_list = NULL;
+	edns.padding_block_size = 0;
 	if(sldns_buffer_capacity(buf) < 65535)
 		edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
 	else	edns.udp_size = 65535;